Mozilla Firefox Privacy and Security (about:config)
Posted: Wed Jun 16, 2021 6:21 pm
In this topic I am going to share some about:config settings for Mozilla Firefox version 89.0 for better privacy and more secure browsing.
1. SSL configuration for secure browsing: disable weak cipher suites and enable forward secrecy.
security.ssl3.rsa_aes_128_gcm_sha256 -> False
security.ssl3.rsa_aes_256_gcm_sha384 -> False
security.ssl3.ecdhe_ecdsa_aes_128_sha -> False
security.ssl3.ecdhe_rsa_aes_128_sha -> False
security.ssl3.rsa_aes_128_sha -> False
security.ssl3.rsa_des_ede3_sha -> False
security.ssl3.ecdhe_ecdsa_aes_256_sha -> False
security.ssl3.ecdhe_rsa_aes_256_sha -> False
security.ssl3.rsa_aes_256_sha -> False
2. Require Safe Negotiation – This setting is for preventing a serious code injection attack related to how clients and servers negotiate which encryption settings to use. This setting forces only safe negotiation methods to be used. ( https://cve.mitre.org/cgi-bin/cvename.c ... -2009-3555 )
security.ssl.require_safe_negotiation -> True
3. Disable 0-RTT – Zero Round Trip Time Resumption (0-RTT) is a feature new in TLS 1.3 that allows a client and server to negotiate a connection with fewer steps, allowing HTTPS websites to load more quickly. There are two problems with this. First, in order to do this you lose forward secrecy (generating a new key for every session and throwing away the key when the session is over). Secondly, 0-RTT requires special implementation in order to prevent replay attacks, which some web developers will certainly fail to protect against. Disabling 0-RTT enhances security and privacy.
(https://datatracker.ietf.org/doc/html/d ... #section-8 )
security.tls.enable_0rtt_data -> False
4. Disable TLS False Start – With False Start the client does not fully complete its handshake before starting the actual session. There is more info from the IETF here: https://tools.ietf.org/html/rfc7918#section-4 (see section 5, Security Considerations).
security.ssl.enable_false_start -> False
5. Disable Session Identifiers (hidden feature)
https://www.zdnet.com/article/advertise ... esumption/
security.ssl.disable_session_identifiers -> True
6. The Delegated Credentials mechanism decentralizes the problem by allowing a TLS server to issue short-lived authentication credentials (with a validity period of no longer than 7 days) that are cryptographically bound to a CA-issued certificate. These short-lived credentials then serve as the authentication keys in a regular TLS 1.3 connection between a Firefox client and a CDN edge server situated in a low-trust zone (where the risk of compromise might be higher than usual and perhaps go undetected). This way, performance isn't hindered and the compromise window is limited.
Mozilla, in partnership with Facebook, Cloudflare, and other IETF community members, has announced technical specifications for a new cryptographic protocol called "Delegated Credentials for TLS."
Delegated Credentials for TLS is a new simplified way to implement "short-lived" certificates without sacrificing the reliability of secure connections.
In short, the new TLS protocol extension aims to effectively prevent the misuse of stolen certificates by reducing their maximum validity period to a very short span of time, such as a few days or even hours.
security.tls.enable_delegated_credentials -> True
security.tls.enable_post_handshake_auth -> True
Find the TLS Hello downgrade check and deactivate it. Your browsing does not need an encryption downgrade when the site you visit uses low-grade encryption; this can ultimately also be used as a downgrade attack (i.e. an attack that forces weak encryption), so do not accept it. Otherwise it will send Hello bounces, which is a waste of network round trips just to complete the TLS queries.
security.tls.hello_downgrade_check -> False
7. Disable All Disk Caching – Websites can write temporary information to hard drives such as access tokens, security keys, browsing data, secure scripts, and more. This information is usually deleted after a secure session is terminated; however, deleted information is trivially recoverable if it is not overwritten. Complicated firmware and drivers for flash-memory-based devices like SSDs introduce features like wear leveling that hide components of the storage from the OS entirely, making it very hard to verify that deleted information is actually deleted in an unrecoverable way.
browser.cache.offline.enable -> False
browser.cache.disk.enable -> False
browser.cache.disk_cache_ssl -> False
browser.cache.memory.enable -> False
browser.cache.insecure.enable -> False
Disable Plugin Scanning – Plugins can query which extensions and plugins you have installed in Firefox in order to profile users. Disabling this feature improves both privacy and functionality while browsing privately.
plugin.scan.plid.all -> False
8. Enable HTTPS-Only Mode
dom.security.https_only_mode -> True
dom.security.https_only_mode.upgrade_local -> True
dom.security.https_only_mode_ever_enabled -> True
dom.security.https_only_mode_ever_enabled_pbm -> True
dom.security.https_only_mode_pbm -> True
dom.security.https_only_mode_send_http_background_request -> False
9. Disable WebGL – WebGL is an application interface that allows websites direct access to your graphics card. This introduces a huge attack surface for potential security risks as well as unique types of fingerprinting. It should be disabled. (NoScript can also block WebGL.)
webgl.disabled -> True
webgl.disable-wgl -> True
10. Disable Prefetching – Firefox by default will pre-load all linked pages on pages that you visit. This becomes a privacy issue because your browser ends up broadcasting a list of the links on the page you are currently visiting, which can allow outside parties to profile your browsing habits from your DNS traffic; or, if you're not on a VPN, it can allow your ISP to infer what web pages you visit within secure sites by looking at the prefetched resources.
network.dns.disablePrefetch -> True
network.predictor.enabled -> False
network.prefetch-next -> False
11. Disable WebRTC – WebRTC is a protocol related to digital rights management that helps content websites track users. It has the capability to give up your real IP address even while connected to a VPN or Tor.
media.peerconnection.video.vp9_enabled -> False
media.peerconnection.identity.enabled -> False
media.peerconnection.dtmf.enabled -> False
media.peerconnection.enabled -> False
media.peerconnection.use_document_iceservers -> False
media.peerconnection.video.enabled -> False
media.peerconnection.identity.timeout -> 1
media.getusermedia.screensharing.enabled -> False
media.peerconnection.turn.disable -> True
media.peerconnection.ice.default_address_only -> True
12. Disable all telemetry features / data reporting / additional analytics
browser.newtabpage.activity-stream.feeds.telemetry -> False
browser.newtabpage.activity-stream.telemetry -> False (and blank the URL pages)
browser.newtabpage.activity-stream.filterAdult -> False
browser.newtabpage.activity-stream.feeds.section.topstories -> False
browser.newtabpage.activity-stream.improvesearch.topSiteSearchShortcuts -> False
browser.newtabpage.activity-stream.showSponsored -> False
browser.newtabpage.activity-stream.feeds.discoverystreamfeed -> False
browser.tabs.crashReporting.sendReport -> False
toolkit.telemetry.archive.enabled -> False
toolkit.telemetry.bhrPing.enabled -> False
toolkit.telemetry.firstShutdownPing.enabled -> False
toolkit.telemetry.newProfilePing.enabled -> False
toolkit.telemetry.pioneer-new-studies-available -> False
toolkit.telemetry.reportingpolicy.firstRun -> False
toolkit.telemetry.shutdownPingSender.enabled -> False
toolkit.telemetry.server -> Blank Url
toolkit.telemetry.unified -> False
toolkit.telemetry.updatePing.enabled -> False
breakpad.reportURL -> Blank Url
browser.ping-centre.telemetry -> False
dom.ipc.plugins.flash.subprocess.crashreporter.enabled -> False
dom.ipc.plugins.reportCrashURL -> False
datareporting.healthreport.uploadEnabled -> False
datareporting.policy.dataSubmissionEnabled -> False
datareporting.healthreport.infoURL -> Blank Url
beacon.enabled -> False
13. Block mixed content – Perhaps you have come across some bad sites whose images carry embedded code. News of these cases is becoming the norm in the hacking and digital world, and it brings only hardship to those who fall victim to these heinous acts, which rob people of their devices simply because nothing on the site is secure, or because bad actors are now aware that these vulnerabilities can be exploited to harm or take over your device.
It is good that there are always improvements, that we demand a healthier internet and fight these circumstances, and that we ask developers and site owners to keep up with healthier internet surfing by no longer using mixed content. It is also good that Firefox offers this option to block mixed content, so there is no need for third-party extensions.
security.mixed_content.block_display_content -> True
security.mixed_content.block_object_subrequest -> True
security.mixed_content.upgrade_display_content -> True
14. Encrypted Client Hello (requires DNS over HTTPS)
https://blog.mozilla.org/security/2021/ ... n-firefox/
network.dns.echconfig.enabled -> True
network.dns.use_https_rr_as_altsvc -> True
15. This limits the number of entries in your DNS cache, which could otherwise give someone with access to your computer a list of websites you visited. http://kb.mozillazine.org/About:config_entries#Network.
network.dnsCacheEntries --> 100 or 200
16. Disable link-mouseover opening a connection to the linked server
https://news.slashdot.org/story/15/08/1 ... t-requests
network.http.speculative-parallel-limit --> 0
17. This renders IDNs as punycode (https://en.wikipedia.org/wiki/Punycode); if not set, it may leave you vulnerable to hard-to-notice phishing attacks (https://krebsonsecurity.com/2018/03/loo ... more-42636).
network.IDN_show_punycode --> true
18. This makes websites only able to see "English" and not your set language, for enhanced privacy.
privacy.spoof_english --> 2
19. This prevents accessibility services from accessing your browser.
https://wiki.mozilla.org/Electrolysis/A ... references
accessibility.force_disabled --> 1
20. This makes Firefox send the target URL as the referer. https://wiki.mozilla.org/Security/Referrer
network.http.referer.spoofSource --> true
21. Controls how much of the referrer to send across origins
values:
0 = (default) send the full URL
1 = send the URL without its query string
2 = only send the origin
network.http.referer.XOriginTrimmingPolicy --> 2
22. Controls whether or not to send a referrer across origins
values:
0 = (default) send the referrer in all cases
1 = send a referrer only when the base domains are the same
2 = send a referrer only on same-origin
network.http.referer.XOriginPolicy -> 1
23. This clears cookies at the end of each browser session. https://developer.mozilla.org/en-US/doc ... references
network.cookie.lifetimePolicy --> 2
24. This preference controls when to store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data. http://kb.mozillazine.org/Browser.sessi ... vacy_level
0 = Store extra session data for any site. (Default starting with Firefox 4.)
1 = Store extra session data for unencrypted (non-HTTPS) sites only. (Default before Firefox 4.)
2 = Never store extra session data.
browser.sessionstore.privacy_level --> 2
25. This prevents websites from interfering with the context menu.
dom.event.contextmenu.enabled --> false
26. This disables playback of DRM-controlled content, which otherwise automatically downloads the Widevine Content Decryption Module by Google. https://support.mozilla.org/en-US/kb/en ... -downloads
media.eme.enabled --> false
27. Disable preloading of autocomplete URLs. Firefox preloads URLs that autocomplete when a user types into the address bar, which is a concern if URLs are suggested that the user does not want to connect to.
https://www.ghacks.net/2017/07/24/disab ... lete-urls/
browser.urlbar.speculativeConnect.enabled --> false
28. Prevent websites from being notified when you copy, paste, or cut something from a web page; such notifications also let them know which part of the page was selected.
dom.event.clipboardevents.enabled -> false
29. This disables the Widevine Content Decryption Module.
media.gmp-widevinecdm.enabled --> false
30. This prevents websites from being able to track your webcam and microphone status.
media.navigator.enabled --> false
31. Display all parts of the URL in the location bar
browser.urlbar.trimURLs --> False
32. Disable location bar domain guessing
browser.fixup.alternate.enabled --> False
33. Even with Firefox set to not remember history, your closed tabs are stored temporarily under Menu -> History -> Recently Closed Tabs.
browser.sessionstore.max_tabs_undo --> 0
34. Limit (or disable) HTTP authentication credential dialogs triggered by sub-resources; this hardens against potential credential phishing.
0 = don't allow sub-resources to open HTTP authentication credential dialogs
1 = don't allow cross-origin sub-resources to open HTTP authentication credential dialogs
2 = allow sub-resources to open HTTP authentication credential dialogs
network.auth.subresource-http-auth-allow --> 1
35. Limit the events that can cause a popup
dom.popup_allowed_events --> click dblclick mousedown pointerdown
36. Disable the UITour backend so there is no chance that a remote page can use it
browser.uitour.enabled --> False
37. Prevent websites from being notified when you copy, paste, or cut something from a web page; such notifications also let them know which part of the page was selected.
https://developer.mozilla.org/en-US/doc ... ts.enabled
dom.event.clipboardevents.enabled --> False
38. This setting controls whether the option "Display in Firefox" is available in the setting below, and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With").
PROS: pdf.js is lightweight, open source, and as secure/vetted as any PDF reader out there (more than most).
Exploits are rare (one serious case in seven years), treated seriously and patched quickly.
It doesn't break "state separation" of browser content (by not sharing with the OS or independent apps).
It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
pdfjs.enableScripting --> False
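A way to check whether a profile actually carries these settings: the script below parses the `user_pref("name", value);` lines of a Firefox prefs.js or user.js, compares a subset of the prefs listed in this post against their recommended values, and emits user_pref lines for anything missing or mismatched. It is an added example, not code from this post or from Mozilla; the expected-value table, the sample prefs.js and the placeholder telemetry URL are constructed here.

```python
import re
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]
Finding = Tuple[str, Union[PrefValue, None], PrefValue]  # (status, value found, value wanted)

# Subset of the hardening targets from this post; a tuple means any listed value is acceptable.
EXPECTED: Dict[str, Union[PrefValue, tuple]] = {
    "security.ssl.require_safe_negotiation": True,
    "security.tls.enable_0rtt_data": False,
    "security.ssl.enable_false_start": False,
    "dom.security.https_only_mode": True,
    "webgl.disabled": True,
    "network.dns.disablePrefetch": True,
    "media.peerconnection.enabled": False,
    "toolkit.telemetry.server": "",  # "Blank Url" in the post
    "network.IDN_show_punycode": True,
    "network.http.referer.XOriginTrimmingPolicy": 2,
    "network.dnsCacheEntries": (100, 200),  # the post allows either
    "dom.popup_allowed_events": "click dblclick mousedown pointerdown",
    "browser.sessionstore.privacy_level": 2,
}

# Matches the lines a Firefox profile stores, e.g. user_pref("name", value);
PREF_RE = re.compile(r'^\s*(?:user_pref|pref)\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample prefs.js; the telemetry URL is a placeholder, not a real endpoint.
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences (constructed sample, not from a real profile)
user_pref("security.tls.enable_0rtt_data", false);
user_pref("security.ssl.require_safe_negotiation", true);
user_pref("dom.security.https_only_mode", true);
user_pref("webgl.disabled", false);
user_pref("toolkit.telemetry.server", "https://telemetry.example.invalid/");
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
user_pref("network.dnsCacheEntries", 200);
user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
"""

def parse_value(raw: str) -> PrefValue:
    """Convert a prefs.js literal (true/false, integer, or "string") to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    return int(raw)

def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js / user.js text into a name -> value mapping (later lines win)."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs: Dict[str, PrefValue], expected=EXPECTED) -> Dict[str, Finding]:
    """Report expected prefs that are absent (so the Firefox default applies) or set differently."""
    findings: Dict[str, Finding] = {}
    for name, want in expected.items():
        allowed = want if isinstance(want, tuple) else (want,)
        got = prefs.get(name)
        # Compare type as well as value: in Python 1 == True, but in prefs.js 1 is not true.
        ok = name in prefs and any(type(got) is type(a) and got == a for a in allowed)
        if not ok:
            findings[name] = ("mismatch" if name in prefs else "missing", got, allowed[0])
    return findings

def to_pref_literal(value: PrefValue) -> str:
    """Render a Python value in the literal form prefs.js expects."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + value.replace('"', '\\"') + '"'

def render_user_js(findings: Dict[str, Finding]) -> List[str]:
    """Emit user_pref lines that bring every finding to the post's recommended value."""
    return [f'user_pref("{n}", {to_pref_literal(f[2])});' for n, f in sorted(findings.items())]
```

Run `render_user_js(audit(parse_prefs(SAMPLE_PREFS_JS)))`, or feed the text of a real profile's prefs.js instead of the sample; a pref that is absent from the file is reported as missing because Firefox then falls back to its built-in default.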