ToDo: compare vs pyllyukko user.js, decide on additions #10
Comments
I am almost 100% sure that "browser.newtab.url" is deprecated for FF 41 on.
I am wrong, but default for "browser.ssl_override_behavior" is now 2, at least in FF 51.
You already have setting "devtools.debugger.remote-enabled" set to false ;)
Deprecated (taken from "linux" list): ;)
All... I am sure that "browser.newtab.url" is not Linux specific, but it is removed/deprecated overall. I will try to find some good source for deprecated stuff, if you don't have any already?
Noted... thx for source... will do better next time. :)
@pants, ROFL, even the syntax error pref is now properly sourced, gj! xD
I disagree about
I have
@crssi Thank you!! @Atavic but doesn't the browser have the cert loaded and checked already at that point?
There's a crypto key exchange before accepting SSL certificates. A long read here.
True, the
@Thorin-Oakenpants The other "my modus operandi": I like to see the error message provided without clicking "advanced" first.
It's a proposed security implementation, it's there, scroll down to:
The hashing improves security when sites are using e.g. third party JS scripts. As the site owner has no visibility on what kind of scripts the users have had at any given moment, the site owner can validate/verify a certain version of the script, include its hash and make sure the users only use the whitelisted one if any. There have been many cases for instance where ad sites have had malicious content because of some breach and the site owners have had zero control over that and of course the users experience that those sites are attacking your browser. Does this answer your question?
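The hash pinning described in the comment above, as an added example that is not part of the original thread: a site owner computes a digest of the vetted third-party script, and any later change to the served body fails the check. The function names and script bodies are constructed for illustration; the `<alg>-<base64>` pin format is the one used by Subresource Integrity attributes and CSP hash sources, and checking only the strongest algorithm in a list mirrors how SRI treats multiple hashes.

```javascript
// Added example, not code from the thread. Script bodies below are constructed.
const { createHash } = require('node:crypto');

// Accepted pin algorithms; a higher number means a stronger hash.
const STRENGTH = new Map([['sha256', 1], ['sha384', 2], ['sha512', 3]]);

// Build a pin in the "<alg>-<base64 digest>" form.
function integrityFor(body, alg = 'sha384') {
  if (!STRENGTH.has(alg)) throw new Error(`unsupported algorithm: ${alg}`);
  return `${alg}-${createHash(alg).update(body).digest('base64')}`;
}

// Check a fetched script body against a space-separated list of pins.
// Only pins that use the strongest algorithm present are considered, so a
// weaker hash left in the list cannot be used to downgrade the check.
function verifyIntegrity(body, pins) {
  const parsed = pins.trim().split(/\s+/)
    .map((token) => {
      const dash = token.indexOf('-');
      return { alg: token.slice(0, dash), digest: token.slice(dash + 1) };
    })
    .filter((pin) => STRENGTH.has(pin.alg));
  if (parsed.length === 0) return false; // fail closed: no usable pin
  const best = Math.max(...parsed.map((pin) => STRENGTH.get(pin.alg)));
  return parsed
    .filter((pin) => STRENGTH.get(pin.alg) === best)
    .some((pin) => integrityFor(body, pin.alg) === `${pin.alg}-${pin.digest}`);
}

// Constructed sample: the version the site owner reviewed, and a body that
// changed upstream afterwards without the owner's knowledge.
const vetted = 'window.widget = { version: "1.4.2" };\n';
const served = 'window.widget = { version: "1.4.3" };\n';
const pin = integrityFor(vetted);

console.log('pin:', pin);
console.log('vetted body accepted:', verifyIntegrity(vetted, pin));
console.log('changed body accepted:', verifyIntegrity(served, pin));
```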
I feel like there have to be downsides to this or it would have been enabled by now, right?
3.2.5.17.1
Once randomly generated, they stay in the HTML meta Element.
Right now, I don't think there's a lot of risk in enabling it because it's probably not used very much. For that same reason, there's probably not much point in enabling it either.
Pants, I'd say we disable it again and wait until mozilla enables it by default, if ever.
/******
user.js * date: 18 Feb 2017 vs pyllyukko user.js
what pyllyukko has that we don't
******/
user_pref("network.IDN_show_punycode", true);
user_pref("browser.ssl_override_behavior", 1);
user_pref("security.csp.enable", true);
user_pref("dom.mozTCPSocket.enabled", false);
user_pref("security.csp.experimentalEnabled", true);
==
// user_pref("browser.search.defaultenginename", "DuckDuckGo");
user_pref("browser.sessionstore.postdata", 0);
user_pref("network.seer.enabled", false);
user_pref("plugins.hide_infobar_for_outdated_plugin", false);
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1-https", false);
user_pref("browser.newtab.url", "about:blank");
user_pref("browser.sessionstore.enabled", false);
user_pref("devtools.debugger.force-local", true);
user_pref("plugin.state.libgnome-shell-browser-plugin", 0);
user_pref("browser.formfill.expire_days", 1);
user_pref("browser.download.manager.retention", 0); // (hidden pref)
---original post--
See: pyllyukko/user.js#205 (comment)
I will compare us to pyllyukko and output
Results given to each party to work through.
Then we can decide what to add/discard