#27059: Use sane about:config values
--------------------------------------+--------------------
     Reporter:  floweb                |          Owner:  (none)
         Type:  enhancement           |         Status:  new
     Priority:  High                  |      Milestone:
    Component:  - Select a component  |        Version:
     Severity:  Normal                |       Keywords:
Actual Points:                        |      Parent ID:
       Points:                        |       Reviewer:
      Sponsor:                        |
--------------------------------------+--------------------

While reading through various about:config security hardening guides, I found several bad default values for the Tor Browser:
 1. dom.event.clipboardevents.enabled = false
    - Stops websites from getting notified when you copy, paste, or cut something from a web page, which would let them know which part of the page had been selected.

 2. network.http.referer.trimmingPolicy = 2
    - Send only the scheme, host, and port in the Referer header.
      - 0 = Send the full URL in the Referer header
      - 1 = Send the URL without its query string in the Referer header
      - 2 = Send only the scheme, host, and port in the Referer header

 3. network.http.referer.XOriginPolicy = 2
    - Only send the Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.) (Source)
      - 0 = Send Referer in all cases
      - 1 = Send Referer to same eTLD sites
      - 2 = Send Referer only when the full hostnames match

 4. network.http.referer.XOriginTrimmingPolicy = 2
    - When sending Referer across origins, only send the scheme, host, and port in the Referer header of cross-origin requests. (Source)
      - 0 = Send full URL in Referer
      - 1 = Send URL without query string in Referer
      - 2 = Only send scheme, host, and port in Referer

 5. webgl.disabled = true
    - WebGL is a potential security risk. (Source)

 6. network.IDN_show_punycode = true
    - Not rendering IDNs as their punycode equivalent leaves you open to phishing attacks that can be very difficult to notice. (Source)

 7. dom.event.contextmenu.enabled = false
    - Don't allow websites to prevent use of right-click, or otherwise mess with the context menu.

 8. network.http.speculative-parallel-limit = 0
    - Disable link prefetching on hover.

 9. extensions.pocket.enabled = false
    - Disable Firefox Pocket.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27059>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
_______________________________________________
tor-bugs mailing list
tor-bugs@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs