Use sane about:config values

While reading through various about:config security hardening guides, I found several bad default values for the Tor Browser:

  1. dom.event.clipboardevents.enabled = false

    • Prevent websites from getting notifications when you copy, paste, or cut something from a web page, which also lets them know which part of the page was selected.
  2. network.http.referer.trimmingPolicy = 2

    • Send only the scheme, host, and port in the Referer header
      • 0 = Send the full URL in the Referer header
      • 1 = Send the URL without its query string in the Referer header
      • 2 = Send only the scheme, host, and port in the Referer header
  3. network.http.referer.XOriginPolicy = 2

    • Only send Referer header when the full hostnames match. (Note: if you notice significant breakage, you might try 1 combined with an XOriginTrimmingPolicy tweak below.) Source
      • 0 = Send Referer in all cases
      • 1 = Send Referer to same eTLD sites
      • 2 = Send Referer only when the full hostnames match
  4. network.http.referer.XOriginTrimmingPolicy = 2

    • When sending Referer across origins, only send scheme, host, and port in the Referer header of cross-origin requests. Source
      • 0 = Send full URL in Referer
      • 1 = Send URL without query string in Referer
      • 2 = Only send scheme, host, and port in Referer
  5. webgl.disabled = true

    • WebGL is a potential security risk. Source
  6. network.IDN_show_punycode = true

    • Not rendering IDNs as their punycode equivalent leaves you open to phishing attacks that can be very difficult to notice. Source
  7. dom.event.contextmenu.enabled = false

    • Don't allow websites to prevent use of right-click, or otherwise mess with the context menu.
  8. network.http.speculative-parallel-limit = 0

    • Disable link prefetching on hover.
  9. extensions.pocket.enabled = false

    • Disable Firefox Pocket.

Trac:
Username: floweb
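
How the three Referer preferences in items 2 to 4 combine, as an added example that is not part of the original ticket or of Firefox's code: a simplified model built from the option descriptions above. The `prefs` object, the function names and the sample URLs are constructed for illustration; the two-label "same eTLD" check and the rule that cross-host requests get the stricter trimming level are assumptions of this model.

```javascript
// Simplified model of the Referer prefs described in items 2-4.
// Ignores Referrer-Policy headers and HTTPS-to-HTTP downgrades,
// which restrict the header further.

// Assumption: "same eTLD" approximated by the last two host labels.
// A real check needs the Public Suffix List (e.g. for co.uk).
function baseDomain(host) {
  return host.split(".").slice(-2).join(".");
}

// Apply a trimming level (0, 1 or 2) to the referring URL.
function trim(url, level) {
  if (level >= 2) return url.origin + "/";            // scheme, host, port
  if (level === 1) return url.origin + url.pathname;  // no query string
  return url.origin + url.pathname + url.search;      // full URL
}

// Returns the Referer value sent from `from` to `to`, or null when the
// header is withheld. `prefs` is a hypothetical object holding the
// three about:config values.
function refererFor(from, to, prefs) {
  const src = new URL(from);
  const dst = new URL(to);
  const sameHost = src.hostname === dst.hostname;

  if (prefs.XOriginPolicy === 2 && !sameHost) return null;
  if (prefs.XOriginPolicy === 1 &&
      baseDomain(src.hostname) !== baseDomain(dst.hostname)) return null;

  // Assumption: cross-host requests get the stricter of the two levels.
  const level = sameHost
    ? prefs.trimmingPolicy
    : Math.max(prefs.trimmingPolicy, prefs.XOriginTrimmingPolicy);
  return trim(src, level);
}

// Constructed sample page URL with a session value in the query string.
const PAGE = "https://shop.example.com/cart?item=42&session=abc";
const PERMISSIVE = { trimmingPolicy: 0, XOriginPolicy: 0, XOriginTrimmingPolicy: 0 };
const PROPOSED = { trimmingPolicy: 2, XOriginPolicy: 2, XOriginTrimmingPolicy: 2 };
// The fallback mentioned in item 3: XOriginPolicy 1 plus cross-origin trimming.
const FALLBACK = { trimmingPolicy: 0, XOriginPolicy: 1, XOriginTrimmingPolicy: 2 };

for (const [name, prefs] of Object.entries({ PERMISSIVE, PROPOSED, FALLBACK })) {
  for (const to of ["https://shop.example.com/checkout",
                    "https://static.example.com/a.css",
                    "https://cdn.example.net/lib.js"]) {
    console.log(name, "->", to, ":", refererFor(PAGE, to, prefs));
  }
}
```

With all three values at 0 the session value in the query string reaches the third-party host; with the values proposed in the ticket, only same-host requests carry a Referer and it is reduced to the origin.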