Fix open issues/PRs #197 #108 #111 #236 #238 #239
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Other references: #111 https://hacks.mozilla.org/2016/01/web-push-arrives-in-firefox-44/ https://developer.mozilla.org/en-US/docs/Archive/Firefox_OS/API/Simple_Push_API https://support.mozilla.org/t5/Firefox/How-to-disable-web-push-notifications-in-Firefox/m-p/1281001 https://en.wikipedia.org/wiki/Push_technology https://trac.torproject.org/projects/tor/ticket/18801 https://support.mozilla.org/t5/Basic-Browsing/Web-Push-notifications-in-Firefox/ta-p/28744 https://support.mozilla.org/t5/Firefox/How-to-stop-the-webpush-notifications/m-p/1292770 https://developer.mozilla.org/en/docs/Web/API/Push_API https://github.com/chrisdavidmills/push-api-demo Closes #111
set password storage lock timeout to 1 minute fixes #235
… NOTICE: fields, prepapre work on #238 (automate section generation)
nodiscc
changed the title
This was referenced Mar 14, 2017
…fing: Users wanting to disable referer spoofing to workaround listed problems will still be protected against disclosing previously visited pages to target domains when clicking on a link
|
@pyllyukko ping, waiting for review. |
Pong. Sorry about that. I've been quite busy this week and have had zero time to look into these. Will get working on these ASAP, but it might still take few days. |
|
I seem to be unable to figure out how the review functionality works 😛 Tried to do one commit at a time but failed. |
pyllyukko
reviewed
Mar 18, 2017
user.js
Outdated
| user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true); | ||
|
|
||
| // PREF: ?? (disabled) | ||
| // PREF: Disallow connection to servers not supporting safe renegotiation |
There was a problem hiding this comment.
Shouldn't this have the "(disabled)" suffix, as the setting is still disabled.
pyllyukko
reviewed
Mar 18, 2017
README.md
Outdated
| @@ -596,6 +596,12 @@ For more information, see [CONTRIBUTING](https://github.com/pyllyukko/user.js/bl | |||
|
|
|||
| -------------------------------------------------------------------------- | |||
|
|
|||
| ## License | |||
There was a problem hiding this comment.
This is already quite evident at least when browsing the README through GitHub:
pyllyukko
reviewed
Mar 18, 2017
user.js
Outdated
| @@ -506,19 +506,19 @@ user_pref("security.sri.enable", true); | |||
| // https://en.wikipedia.org/wiki/Do_not_track_header | |||
| // https://dnt-dashboard.mozilla.org | |||
| // https://github.com/pyllyukko/user.js/issues/11 | |||
| // NOTICE: DNT must be enabled manually | |||
| // NOTICE: Do No Track must be enabled manually | |||
pyllyukko
reviewed
Mar 18, 2017
user.js
Outdated
| // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs | ||
| user_pref("network.http.referer.spoofSource", true); | ||
|
|
||
| // PREF: Accept Only 1st Party Cookies | ||
| // http://kb.mozillazine.org/Network.cookie.cookieBehavior#1 | ||
| // NOTICE: Breaks a number of payment gateways | ||
| // NOTICE: Blocking 3rd-party cookies breaks a number of payment gateways |
There was a problem hiding this comment.
We should have some refs to back this up
pyllyukko
reviewed
Mar 18, 2017
README.md
Outdated
|
|
||
| * Disabling DOM storage is known to cause`TypeError: localStorage is null` errors | ||
| * IndexedDB could be used for tracking purposes, but is required for some add-ons to work (notably uBlock), so is left enabled | ||
| * Firefox Hello requires setting `media.peerconnection.enabled` and `media.getusermedia.screensharing.enabled` to true, `security.OCSP.require` to false to work. |
There was a problem hiding this comment.
Maybe we should get rid of this, as Firefox Hello is no more?
pyllyukko
reviewed
Mar 18, 2017
| * OCSP leaks your IP and domains you visit to the CA when OCSP Stapling is not available on visited host | ||
| * OCSP is vulnerable to replay attacks when nonce is not configured on the OCSP responder | ||
| * OCSP adds latency (performance) | ||
| * Short-lived certificates are not checked for revocation (security.pki.cert_short_lifetime_in_days, default:10) |
pyllyukko
reviewed
Mar 18, 2017
user.js
Outdated
| // TODO: https://github.com/pyllyukko/user.js/issues/94, commented-out XOriginPolicy/XOriginTrimmingPolicy = 2 prefs | ||
| user_pref("network.http.referer.spoofSource", true); | ||
|
|
||
| // PREF: Don't send referer headers when following links across different domains | ||
| // https://github.com/pyllyukko/user.js/issues/227 | ||
| user_pref("network.http.referer.XOriginPolicy", 2); |
pyllyukko
reviewed
Mar 18, 2017
README.md
Outdated
| @@ -369,13 +370,11 @@ See also: | |||
|
|
|||
| ## Known problems | |||
|
|
|||
| There are plenty! Hardening your browser will break your interwebs. Here's some examples: | |||
| Hardening your often implies a trade-off with ease-of-use and comes with reduced functionality. Here is a list of known problems/limitations: | |||
pyllyukko
reviewed
Mar 18, 2017
README.md
Outdated
| * Spoofing referers breaks visualisation of 3rd-party sites on the Lightbeam addon | ||
| * Blocking 3rd-party cookies breaks a number of payment gateways | ||
| * You can not view or inspect cookies when in private browsing: https://bugzilla.mozilla.org/show_bug.cgi?id=823941 | ||
| * Installing user.js will **remove your saved passwords** (https://github.com/pyllyukko/user.js/issues/27) |
There was a problem hiding this comment.
Maybe we should have similar refs parsing as in "what does it do" section?
add missing (disabled) suffix remove license section from readme add notice about serviceworkers breakage
|
Fixed all points mentioned in the review f14e293 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Incomplete PR in the current state (#238 work still going on) but thefirst commits can be reviewed/merged independently (see commit messages):