Build Phoenix 2024.01.24.1

Signed-off-by: celenity <[email protected]>
celenityy · Jan 24, 2025 · c13774f · c13774f
1 parent b5da4d2
commit c13774f
Show file tree

Hide file tree

Showing 6 changed files with 185 additions and 34 deletions.
diff --git a/archives/phoenix.zip b/archives/phoenix.zip
diff --git a/build/prefs/phoenix-core.js b/build/prefs/phoenix-core.js
@@ -4,7 +4,7 @@
 // Welcome to the heart of the Phoenix.
 // This file contains preferences shared across all Phoenix configs, platforms (Desktop & Android), and Dove.
 
-pref("browser.phoenix.version", "2025.01.22.2", locked);
+pref("browser.phoenix.version", "2025.01.24.1", locked);
 
 // 000 ABOUT:CONFIG
 

diff --git a/phoenix.cfg b/phoenix.cfg
@@ -4,7 +4,7 @@
 // Welcome to the heart of the Phoenix.
 // This file contains preferences shared across all Phoenix configs, platforms (Desktop & Android), and Dove.
 
-lockPref("browser.phoenix.version", "2025.01.22.2");
+lockPref("browser.phoenix.version", "2025.01.24.1");
 
 // 000 ABOUT:CONFIG
 
@@ -652,11 +652,27 @@ defaultPref("network.trr.mode", 3);
 
 defaultPref("doh-rollout.provider-list", '[{"UIName":"Quad9 - Real-time Malware Protection","uri":"https://dns.quad9.net/dns-query"}, {"UIName":"DNS0 (ZERO) - Hardened Real-time Malware Protection","uri":"https://zero.dns0.eu"}, {"UIName":"DNS0 - Real-time Malware Protection","uri":"https://dns0.eu"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware Protection","uri":"https://base.dns.mullvad.net/dns-query"}, {"UIName":"AdGuard (Public) - Ad/Tracking Protection","uri":"https://dns.adguard-dns.com/dns-query"}, {"UIName":"Mullvad - No Filtering","uri":"https://dns.mullvad.net/dns-query"}, {"UIName":"Wikimedia - No Filtering","uri":"https://wikimedia-dns.org/dns-query"}, {"UIName":"AdGuard (Public) - No Filtering","uri":"https://unfiltered.adguard-dns.com/dns-query"}, {"UIName":"DNS0 - Kids","uri":"https://kids.dns0.eu"}, {"UIName":"Mullvad - Family","uri":"https://family.dns.mullvad.net/dns-query"}, {"UIName":"AdGuard (Public) - Family Protection","uri":"https://family.adguard-dns.com/dns-query"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware/Social Media Protection","uri":"https://extended.dns.mullvad.net/dns-query"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware/Social Media/Adult/Gambling Protection","uri":"https://all.dns.mullvad.net/dns-query"}]');
 
+/// Explicitly disable EDNS Client Subnet (ECS) to prevent leaking general location data to authoritative DNS servers...
+// https://wikipedia.org/wiki/EDNS_Client_Subnet
+
+defaultPref("network.trr.disable-ECS", true); // [DEFAULT]
+
+/// Disable sending headers for DoH requests...
+
+defaultPref("network.trr.send_accept-language_headers", false); // [DEFAULT]
+defaultPref("network.trr.send_empty_accept-encoding_headers", true); // [DEFAULT]
+defaultPref("network.trr.send_user-agent_headers", false); // [DEFAULT]
+
 /// Skip DoH Connectivity Checks
 
 defaultPref("network.connectivity-service.DNS_HTTPS.domain", "");
 defaultPref("network.trr.confirmationNS", "skip");
 
+/// Always warn before falling back from DoH to native DNS...
+
+defaultPref("network.trr.display_fallback_warning", true);
+defaultPref("network.trr_ui.show_fallback_warning_option", true);
+
 /// Never disable DoH from registry checks
 // https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml
 
@@ -673,6 +689,12 @@ defaultPref("network.dns.http3_echconfig.enabled", true); // [DEFAULT]
 
 defaultPref("network.dns.native_https_query", true); // [DEFAULT]
 
+/// Disable falling back to native DNS...
+// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#13855
+
+defaultPref("network.trr.retry_on_recoverable_errors", true); // [DEFAULT]
+defaultPref("network.trr.strict_native_fallback", true); // https://searchfox.org/mozilla-central/source/toolkit/components/telemetry/docs/data/environment.rst#438
+
 /// Fix IPv6 connectivity when DoH is enabled
 // https://codeberg.org/divested/brace/pulls/5
 
@@ -757,10 +779,19 @@ defaultPref("browser.phoenix.core.status", "008");
 
 defaultPref("browser.safebrowsing.blockedURIs.enabled", true); // [DEFAULT]
 defaultPref("browser.safebrowsing.downloads.enabled", true);
+defaultPref("browser.safebrowsing.downloads.remote.url", "https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%"); // [DEFAULT]
 defaultPref("browser.safebrowsing.malware.enabled", true); // [DEFAULT]
 defaultPref("browser.safebrowsing.phishing.enabled", true); // [DEFAULT]
-defaultPref("browser.safebrowsing.provider.google.gethashURL", "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2"); // [DEFAULT]
-defaultPref("browser.safebrowsing.provider.google.updateURL", "https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2&key=%GOOGLE_SAFEBROWSING_API_KEY%"); // [DEFAULT]
+
+/// Disable the legacy Safe Browsing API (v2.2...)
+// https://code.google.com/archive/p/google-safe-browsing/wikis/Protocolv2Spec.wiki
+// Has been nonfunctional since October 2018
+// https://security.googleblog.com/2018/01/announcing-turndown-of-deprecated.html
+// Let's make sure it's not used for defense in depth (and attack surface reduction...)
+
+defaultPref("browser.safebrowsing.provider.google.advisoryName", "Google Safe Browsing (Legacy)"); // Label it so it's clearly distinguishable if it is ever enabled for whatever reason...
+defaultPref("browser.safebrowsing.provider.google.gethashURL", "");
+defaultPref("browser.safebrowsing.provider.google.updateURL", "");
 
 /// Proxy Safe Browsing
 // These are using the servers we've set up for IronFox, hosted on our Cloudflare storage bucket (in EU jurisdiction)
@@ -773,7 +804,6 @@ defaultPref("browser.safebrowsing.provider.google4.updateURL", "https://safebrow
 // https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
 
 defaultPref("browser.safebrowsing.downloads.remote.enabled", false);
-defaultPref("browser.safebrowsing.downloads.remote.url", "https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%"); // [DEFAULT]
 
 /// Enforce that no data is shared with Google
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1351147
@@ -1363,6 +1393,7 @@ lockPref("browser.contentanalysis.show_blocked_result", true); // [DEFAULT] - Al
 /// Enforce Site Isolation & Isolate all websites
 // https://wiki.mozilla.org/Project_Fission
 
+defaultPref("browser.sessionstore.disable_platform_collection", false); // [DEFAULT - except Thunderbird :/] https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#1737
 defaultPref("dom.ipc.processCount.webIsolated", 1);
 defaultPref("fission.autostart", true); // [DEFAULT]
 defaultPref("fission.autostart.session", true); // [DEFAULT]
@@ -1504,9 +1535,11 @@ defaultPref("browser.phoenix.core.status", "020");
 
 // 021 BLOCK COOKIE BANNERS
 
+defaultPref("cookiebanners.cookieInjector.enabled", true); // [DEFAULT]
 defaultPref("cookiebanners.service.mode", 1);
 defaultPref("cookiebanners.service.mode.privateBrowsing", 1);
-defaultPref("cookiebanners.service.enableGlobalRules", true);
+defaultPref("cookiebanners.service.enableGlobalRules", true); // [DEFAULT]
+defaultPref("cookiebanners.service.enableGlobalRules.subFrames", true); // [DEFAULT]
 defaultPref("cookiebanners.ui.desktop.enabled", true);
 
 defaultPref("browser.phoenix.core.status", "021");
@@ -2116,7 +2149,9 @@ defaultPref("app.releaseNotesURL.aboutDialog", "https://www.mozilla.org/%LOCALE%
 defaultPref("app.releaseNotesURL.prompt", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes");
 defaultPref("browser.contentblocking.report.monitor.sign_in_url", "https://monitor.firefox.com/oauth/init");
 defaultPref("browser.contentblocking.report.monitor.url", "https://monitor.firefox.com/");
+defaultPref("browser.contentblocking.report.vpn.url", "https://vpn.mozilla.org/");
 defaultPref("extensions.getAddons.search.browseURL", "https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%");
+defaultPref("signon.firefoxRelay.manage_url", "https://relay.firefox.com/accounts/profile/");
 
 defaultPref("browser.phoenix.desktop.status", "001");
 

diff --git a/policies.json b/policies.json
@@ -733,12 +733,16 @@
         "Value": true,
         "Status": "default"
       },
+      "browser.safebrowsing.provider.google.advisoryName": {
+        "Value": "Google Safe Browsing (Legacy)",
+        "Status": "default"
+      },
       "browser.safebrowsing.provider.google.dataSharing.enabled": {
         "Value": false,
         "Status": "locked"
       },
       "browser.safebrowsing.provider.google.gethashURL": {
-        "Value": "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2",
+        "Value": "",
         "Status": "default"
       },
       "browser.safebrowsing.provider.google.reportMalwareMistakeURL": {
@@ -754,7 +758,7 @@
         "Status": "default"
       },
       "browser.safebrowsing.provider.google.updateURL": {
-        "Value": "https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2&key=%GOOGLE_SAFEBROWSING_API_KEY%",
+        "Value": "",
         "Status": "default"
       },
       "browser.safebrowsing.provider.google4.dataSharing.enabled": {
@@ -841,6 +845,10 @@
         "Value": 7,
         "Status": "default"
       },
+      "browser.sessionstore.disable_platform_collection": {
+        "Value": false,
+        "Status": "default"
+      },
       "browser.sessionstore.interval": {
         "Value": 60000,
         "Status": "default"
@@ -1589,22 +1597,6 @@
         "Value": true,
         "Status": "default"
       },
-      "geo.provider.ms-windows-location": {
-        "Value": false,
-        "Status": "default"
-      },
-      "geo.provider.network.url": {
-        "Value": "https://api.beacondb.net/v1/geolocate",
-        "Status": "default"
-      },
-      "geo.provider.use_corelocation": {
-        "Value": true,
-        "Status": "default"
-      },
-      "geo.provider.use_geoclue": {
-        "Value": true,
-        "Status": "default"
-      },
       "geo.wifi.scan": {
         "Value": false,
         "Status": "default"
@@ -2033,10 +2025,42 @@
         "Value": "https://dns.quad9.net/dns-query",
         "Status": "default"
       },
+      "network.trr.disable-ECS": {
+        "Value": true,
+        "Status": "default"
+      },
+      "network.trr.display_fallback_warning": {
+        "Value": true,
+        "Status": "default"
+      },
       "network.trr.mode": {
         "Value": 3,
         "Status": "default"
       },
+      "network.trr.retry_on_recoverable_errors": {
+        "Value": true,
+        "Status": "default"
+      },
+      "network.trr.send_accept-language_headers": {
+        "Value": false,
+        "Status": "default"
+      },
+      "network.trr.send_empty_accept-encoding_headers": {
+        "Value": true,
+        "Status": "default"
+      },
+      "network.trr.send_user-agent_headers": {
+        "Value": false,
+        "Status": "default"
+      },
+      "network.trr.strict_native_fallback": {
+        "Value": true,
+        "Status": "default"
+      },
+      "network.trr_ui.show_fallback_warning_option": {
+        "Value": true,
+        "Status": "default"
+      },
       "network.websocket.allowInsecureFromHTTPS": {
         "Value": false,
         "Status": "default"
@@ -2201,6 +2225,10 @@
         "Value": "https://monitor.firefox.com/",
         "Status": "default"
       },
+      "browser.contentblocking.report.vpn.url": {
+        "Value": "https://vpn.mozilla.org/",
+        "Status": "default"
+      },
       "browser.geolocation.warning.infoURL": {
         "Value": "https://phoenix.celenity.dev/geo",
         "Status": "default"
@@ -2209,6 +2237,26 @@
         "Value": "https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%",
         "Status": "default"
       },
+      "geo.provider.ms-windows-location": {
+        "Value": false,
+        "Status": "default"
+      },
+      "geo.provider.network.url": {
+        "Value": "https://api.beacondb.net/v1/geolocate",
+        "Status": "default"
+      },
+      "geo.provider.use_corelocation": {
+        "Value": true,
+        "Status": "default"
+      },
+      "geo.provider.use_geoclue": {
+        "Value": true,
+        "Status": "default"
+      },
+      "signon.firefoxRelay.manage_url": {
+        "Value": "https://relay.firefox.com/accounts/profile/",
+        "Status": "default"
+      },
       "xpinstall.signatures.required": {
         "Value": true,
         "Status": "locked"

diff --git a/prefs/phoenix-android.js b/prefs/phoenix-android.js
@@ -4,7 +4,7 @@
 // Welcome to the heart of the Phoenix.
 // This file contains preferences shared across all Phoenix configs, platforms (Desktop & Android), and Dove.
 
-pref("browser.phoenix.version", "2025.01.22.2", locked);
+pref("browser.phoenix.version", "2025.01.24.1", locked);
 
 // 000 ABOUT:CONFIG
 
@@ -652,11 +652,27 @@ pref("network.trr.mode", 3);
 
 pref("doh-rollout.provider-list", '[{"UIName":"Quad9 - Real-time Malware Protection","uri":"https://dns.quad9.net/dns-query"}, {"UIName":"DNS0 (ZERO) - Hardened Real-time Malware Protection","uri":"https://zero.dns0.eu"}, {"UIName":"DNS0 - Real-time Malware Protection","uri":"https://dns0.eu"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware Protection","uri":"https://base.dns.mullvad.net/dns-query"}, {"UIName":"AdGuard (Public) - Ad/Tracking Protection","uri":"https://dns.adguard-dns.com/dns-query"}, {"UIName":"Mullvad - No Filtering","uri":"https://dns.mullvad.net/dns-query"}, {"UIName":"Wikimedia - No Filtering","uri":"https://wikimedia-dns.org/dns-query"}, {"UIName":"AdGuard (Public) - No Filtering","uri":"https://unfiltered.adguard-dns.com/dns-query"}, {"UIName":"DNS0 - Kids","uri":"https://kids.dns0.eu"}, {"UIName":"Mullvad - Family","uri":"https://family.dns.mullvad.net/dns-query"}, {"UIName":"AdGuard (Public) - Family Protection","uri":"https://family.adguard-dns.com/dns-query"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware/Social Media Protection","uri":"https://extended.dns.mullvad.net/dns-query"}, {"UIName":"Mullvad - Ad/Tracking/Limited Malware/Social Media/Adult/Gambling Protection","uri":"https://all.dns.mullvad.net/dns-query"}]');
 
+/// Explicitly disable EDNS Client Subnet (ECS) to prevent leaking general location data to authoritative DNS servers...
+// https://wikipedia.org/wiki/EDNS_Client_Subnet
+
+pref("network.trr.disable-ECS", true); // [DEFAULT]
+
+/// Disable sending headers for DoH requests...
+
+pref("network.trr.send_accept-language_headers", false); // [DEFAULT]
+pref("network.trr.send_empty_accept-encoding_headers", true); // [DEFAULT]
+pref("network.trr.send_user-agent_headers", false); // [DEFAULT]
+
 /// Skip DoH Connectivity Checks
 
 pref("network.connectivity-service.DNS_HTTPS.domain", "");
 pref("network.trr.confirmationNS", "skip");
 
+/// Always warn before falling back from DoH to native DNS...
+
+pref("network.trr.display_fallback_warning", true);
+pref("network.trr_ui.show_fallback_warning_option", true);
+
 /// Never disable DoH from registry checks
 // https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml
 
@@ -673,6 +689,12 @@ pref("network.dns.http3_echconfig.enabled", true); // [DEFAULT]
 
 pref("network.dns.native_https_query", true); // [DEFAULT]
 
+/// Disable falling back to native DNS...
+// https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#13855
+
+pref("network.trr.retry_on_recoverable_errors", true); // [DEFAULT]
+pref("network.trr.strict_native_fallback", true); // https://searchfox.org/mozilla-central/source/toolkit/components/telemetry/docs/data/environment.rst#438
+
 /// Fix IPv6 connectivity when DoH is enabled
 // https://codeberg.org/divested/brace/pulls/5
 
@@ -757,10 +779,19 @@ pref("browser.phoenix.core.status", "008");
 
 pref("browser.safebrowsing.blockedURIs.enabled", true); // [DEFAULT]
 pref("browser.safebrowsing.downloads.enabled", true);
+pref("browser.safebrowsing.downloads.remote.url", "https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%"); // [DEFAULT]
 pref("browser.safebrowsing.malware.enabled", true); // [DEFAULT]
 pref("browser.safebrowsing.phishing.enabled", true); // [DEFAULT]
-pref("browser.safebrowsing.provider.google.gethashURL", "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2"); // [DEFAULT]
-pref("browser.safebrowsing.provider.google.updateURL", "https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2&key=%GOOGLE_SAFEBROWSING_API_KEY%"); // [DEFAULT]
+
+/// Disable the legacy Safe Browsing API (v2.2...)
+// https://code.google.com/archive/p/google-safe-browsing/wikis/Protocolv2Spec.wiki
+// Has been nonfunctional since October 2018
+// https://security.googleblog.com/2018/01/announcing-turndown-of-deprecated.html
+// Let's make sure it's not used for defense in depth (and attack surface reduction...)
+
+pref("browser.safebrowsing.provider.google.advisoryName", "Google Safe Browsing (Legacy)"); // Label it so it's clearly distinguishable if it is ever enabled for whatever reason...
+pref("browser.safebrowsing.provider.google.gethashURL", "");
+pref("browser.safebrowsing.provider.google.updateURL", "");
 
 /// Proxy Safe Browsing
 // These are using the servers we've set up for IronFox, hosted on our Cloudflare storage bucket (in EU jurisdiction)
@@ -773,7 +804,6 @@ pref("browser.safebrowsing.provider.google4.updateURL", "https://safebrowsing.ir
 // https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
 
 pref("browser.safebrowsing.downloads.remote.enabled", false);
-pref("browser.safebrowsing.downloads.remote.url", "https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%"); // [DEFAULT]
 
 /// Enforce that no data is shared with Google
 // https://bugzilla.mozilla.org/show_bug.cgi?id=1351147
@@ -1363,6 +1393,7 @@ pref("browser.contentanalysis.show_blocked_result", true, locked); // [DEFAULT]
 /// Enforce Site Isolation & Isolate all websites
 // https://wiki.mozilla.org/Project_Fission
 
+pref("browser.sessionstore.disable_platform_collection", false); // [DEFAULT - except Thunderbird :/] https://searchfox.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#1737
 pref("dom.ipc.processCount.webIsolated", 1);
 pref("fission.autostart", true); // [DEFAULT]
 pref("fission.autostart.session", true); // [DEFAULT]
@@ -1504,9 +1535,11 @@ pref("browser.phoenix.core.status", "020");
 
 // 021 BLOCK COOKIE BANNERS
 
+pref("cookiebanners.cookieInjector.enabled", true); // [DEFAULT]
 pref("cookiebanners.service.mode", 1);
 pref("cookiebanners.service.mode.privateBrowsing", 1);
-pref("cookiebanners.service.enableGlobalRules", true);
+pref("cookiebanners.service.enableGlobalRules", true); // [DEFAULT]
+pref("cookiebanners.service.enableGlobalRules.subFrames", true); // [DEFAULT]
 pref("cookiebanners.ui.desktop.enabled", true);
 
 pref("browser.phoenix.core.status", "021");