Opened 2 years ago

Closed 2 years ago

Last modified 2 years ago

#27059 closed enhancement (invalid)

Use sane about:config values

Reported by: floweb Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


While reading through various about:config security hardening guides, I found several bad default values for the Tor Browser:

  1. dom.event.clipboardevents.enabled = false
    • Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.
  1. network.http.referer.trimmingPolicy = 2
    • Send only the scheme, host, and port in the Referer header
      • 0 = Send the full URL in the Referer header
      • 1 = Send the URL without its query string in the Referer header
      • 2 = Send only the scheme, host, and port in the Referer header
  1. network.http.referer.XOriginPolicy = 2
    • Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.) Source
      • 0 = Send Referer in all cases
      • 1 = Send Referer to same eTLD sites
      • 2 = Send Referer only when the full hostnames match
  1. network.http.referer.XOriginTrimmingPolicy = 2
    • When sending Referer across origins, only send scheme, host, and port in the Referer header of cross-origin requests. Source
      • 0 = Send full url in Referer
      • 1 = Send url without query string in Referer
      • 2 = Only send scheme, host, and port in Referer
  1. webgl.disabled = true
    • WebGL is a potential security risk. Source
  1. network.IDN_show_punycode = true
    • Not rendering IDNs as their punycode equivalent leaves you open to phishing attacks that can be very difficult to notice. Source
  1. dom.event.contextmenu.enabled = false
    • Don't allow websites to prevent use of right-click, or otherwise messing with the context menu.
  1. network.http.speculative-parallel-limit = 0
    • Disable prefetch link on hover.
  1. extensions.pocket.enabled = false
    • Disable Firefox pocket

Child Tickets

Change History (6)

comment:1 Changed 2 years ago by ProTipGuyFWIWWeLoveARMA

lol trying to keep up with the TB folks ;-* looks like you just took them from, but anyway

Just to address some:


webgl.disabled = true

Quote from the Tor Browser Design Document [DRAFT]:


WebGL is fingerprintable both through information that is exposed about the underlying driver and optimizations, as well as through performance fingerprinting.

Because of the large amount of potential fingerprinting vectors and the previously unexposed vulnerability surface, we deploy a similar strategy against WebGL as for plugins. First, WebGL Canvases have click-to-play placeholders (provided by NoScript), and do not run until authorized by the user. Second, we obfuscate driver information by setting the Firefox preferences webgl.disable-extensions, webgl.min_capability_mode, and webgl.disable-fail-if-major-performance-caveat to true which reduces the information provided by the following WebGL API calls: getParameter(), getSupportedExtensions(), and getExtension(). Furthermore, WebGL2 is disabled by setting webgl.enable-webgl2 to false. To make the minimal WebGL mode usable we additionally normalize its properties with a Firefox patch.

Another option for WebGL might be to use software-only rendering, using a library such as Mesa. The use of such a library would avoid hardware-specific rendering differences. 

network.IDN_show_punycode = true

That's the default Firefox value.

extensions.pocket.enabled = false

Firefox Pocket is non-existent in the Tor Browser.

comment:2 Changed 2 years ago by teor

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team

comment:3 Changed 2 years ago by gk

Resolution: worksforme
Status: newclosed

Please file separate tickets for the particular issues if you still think they should get addressed. Dumping just a bunch of preference changes implying the defaults we currently have are unsane is not easy to deal with in a single ticket. Note though, that at least he majority of those things you suggested got WONTFIXED or has already open tickets in our bug tracker.

comment:4 Changed 2 years ago by traumschule

Priority: HighMedium
Resolution: worksforme
Status: closedreopened

I went through the whole list and found that none of the suggested values is set already. These are valid concerns and we can discuss them in this issue. I am willing to create PR when we reached consensus.

  1. valid
  2. valid
  3. valid
  4. valid
  5. valid (webgl is disabled in TB, but it should not hurt to set this value)
  6. valid
  7. valid (pocket may be disabled at a another place but also there's no harm in setting this)

Also i throw this in for consideration:

comment:5 Changed 2 years ago by brade

Resolution: invalid
Status: reopenedclosed

Please do not reopen this bug.
In comment 3 gk asked that separate tickets be filed for specific issues.

Before filing a bug, please check for an existing bug. For example, there are several bugs about punycode and discussion should continue there rather than getting lost in a conversation about webgl and pocket and contextmenus and http referer and ...

Re-resolving this bug, but as invalid, because it is not manageable to discuss so many diverse preferences in one bug.

comment:6 Changed 2 years ago by floweb

Split into 9 separate issues:

  1. Use sane about:config value: dom.event.clipboardevents.enabled = false :
  2. Use sane about:config value: network.http.referer.trimmingPolicy = 2 :
  3. Use sane about:config value: network.http.referer.XOriginPolicy = 2 :
  4. Use sane about:config value: network.http.referer.XOriginTrimmingPolicy = 2 :
  5. Use sane about:config value: webgl.disabled = true :
  6. Use sane about:config value: network.IDN_show_punycode = true :
  7. Use sane about:config value: dom.event.contextmenu.enabled = false :
  8. Use sane about:config value: network.http.speculative-parallel-limit = 0 :
  9. Use sane about:config value: extensions.pocket.enabled = false :
Note: See TracTickets for help on using tickets.