{
  # ****************************************************************************
  # Securefox
  # "Natura non contristatur"
  # priority: provide sensible security and privacy
  # version: 137
  # url: https://github.com/yokoffing/Betterfox
  # credit: Most prefs are reproduced and adapted from the arkenfox project
  # credit url: https://github.com/arkenfox/user.js
  # ****************************************************************************
  #
  # This file is a single Nix attribute set mapping Firefox preference names to
  # values. Entries written as `# "pref" = value;` are upstream options left
  # disabled; only the uncommented entries take effect.
  # NOTE(review): the consumer of this set is not shown here; presumably it is
  # imported into a Firefox profile's settings. Confirm against the caller.

  #############################################################
  # SECTION: TRACKING PROTECTION
  #############################################################

  ## Enhanced Tracking Protection (ETP)
  # "strict" is what switches on the entries annotated `enabled with "Strict"`
  # below, so they do not need to be set individually.
  "browser.contentblocking.category" = "strict"; # [HIDDEN]
  # "privacy.trackingprotection.enabled" = true; # enabled with "Strict"
  # "privacy.trackingprotection.pbmode.enabled" = true; # DEFAULT
  # "browser.contentblocking.customBlockList.preferences.ui.enabled" = false; # DEFAULT
  # "privacy.trackingprotection.socialtracking.enabled" = true; # enabled with "Strict"
  # "privacy.socialtracking.block_cookies.enabled" = true; # DEFAULT
  # "privacy.trackingprotection.cryptomining.enabled" = true; # DEFAULT
  # "privacy.trackingprotection.fingerprinting.enabled" = true; # DEFAULT
  # "privacy.trackingprotection.emailtracking.enabled" = true; # enabled with "Strict"
  # "network.http.referer.disallowCrossSiteRelaxingDefault" = true; # DEFAULT
  # "network.http.referer.disallowCrossSiteRelaxingDefault.pbmode" = true; # DEFAULT
  # "network.http.referer.disallowCrossSiteRelaxingDefault.pbmode.top_navigation" = true; # DEFAULT
  # "network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation" = true; # enabled with "Strict"
  # "privacy.annotate_channels.strict_list.enabled" = true; # enabled with "Strict"
  # "privacy.annotate_channels.strict_list.pbmode.enabled" = true; # DEFAULT
  # "privacy.fingerprintingProtection" = true; # [FF114+] [ETP FF119+] enabled with "Strict"
  # "privacy.fingerprintingProtection.pbmode" = true; # DEFAULT
  # "privacy.bounceTrackingProtection.mode" = 1; # [FF131+] [ETP FF133+]

  ## Query Stripping
  # "privacy.query_stripping.enabled" = true; # enabled with "Strict"
  # "privacy.query_stripping.enabled.pbmode" = true; # enabled with "Strict"
  # "privacy.query_stripping.strip_list" = ""; # DEFAULT
  # "privacy.query_stripping.strip_on_share.enabled" = true;

  ## Smartblock
  # "extensions.webcompat.enable_shims" = true; # [HIDDEN] enabled with "Strict"
  # "extensions.webcompat.smartblockEmbeds.enabled" = true; # enabled with "Strict"

  ## Embedded Social Content
  # "urlclassifier.trackingSkipURLs" = "embed.reddit.com, *.twitter.com, *.twimg.com"; # MANUAL [FF136+]
  # "urlclassifier.features.socialtracking.skipURLs" = "*.twitter.com, *.twimg.com"; # MANUAL [FF136+]
  # "urlclassifier.trackingSkipURLs" = "*.reddit.com, *.twitter.com, *.twimg.com, *.tiktok.com"; # MANUAL
  # "urlclassifier.features.socialtracking.skipURLs" = "*.instagram.com, *.twitter.com, *.twimg.com"; # MANUAL

  ## Lower Network Priority for Trackers
  # "privacy.trackingprotection.lower_network_priority" = true;

  ## Site Isolation (Fission)
  # "fission.autostart" = true; # DEFAULT [DO NOT TOUCH]
  # "fission.webContentIsolationStrategy" = 1; # DEFAULT

  ## GPU Sandboxing [WINDOWS]
  # "security.sandbox.gpu.level" = 1; # DEFAULT WINDOWS

  ## State Partitioning & Cookie Behavior
  # "network.cookie.cookieBehavior" = 5; # DEFAULT FF103+
  # "network.cookie.cookieBehavior.optInPartitioning" = true; # [ETP FF132+]
  # "browser.contentblocking.reject-and-isolate-cookies.preferences.ui.enabled" = true; # DEFAULT

  ## Network Partitioning
  # "privacy.partition.network_state" = true; # DEFAULT
  # "privacy.partition.serviceWorkers" = true; # DEFAULT: true FF105+
  # "privacy.partition.network_state.ocsp_cache" = true; # DEFAULT: true FF123+
  # "privacy.partition.bloburl_per_partition_key" = true; # FF118+
  # "privacy.partition.always_partition_third_party_non_cookie_storage" = true; # DEFAULT: true FF109+
  # "privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage" = false; # DEFAULT: false FF109+

  ## Redirect Tracking Prevention
  # "privacy.purge_trackers.enabled" = true; # DEFAULT

  ## SameSite Cookies
  # "network.cookie.sameSite.laxByDefault" = true;
  # "network.cookie.sameSite.noneRequiresSecure" = true; # DEFAULT FF131+
  # "network.cookie.sameSite.schemeful" = true;

  ## Hyperlink Auditing
  # "browser.send_pings" = false; # DEFAULT

  ## Beacon API
  # "beacon.enabled" = false;

  ## Battery Status API
  # "dom.battery.enabled" = false;

  ## Temporary-File Handling
  # Files opened straight from the download prompt go to a temp directory and
  # are removed when the browser exits, so they do not pile up on disk.
  "browser.download.start_downloads_in_tmp_dir" = true; # [FF102+]
  "browser.helperApps.deleteTempFileOnExit" = true;

  ## UITour
  # UITour lets allow-listed pages drive parts of the browser UI; turned off.
  "browser.uitour.enabled" = false;
  # "browser.uitour.url" = "";

  ## Remote Debugging
  # "devtools.debugger.remote-enabled" = false; # DEFAULT

  ## Global Privacy Control (GPC)
  # Sends the GPC opt-out signal to sites; honouring it is up to the site.
  "privacy.globalprivacycontrol.enabled" = true;
  # "privacy.globalprivacycontrol.functionality.enabled" = true; # [FF120+]
  # "privacy.globalprivacycontrol.pbmode.enabled" = true; # [FF120+]

  #############################################################
  # SECTION: OCSP & CERTS / HPKP
  #############################################################

  ## OCSP
  # 0 = no OCSP lookups (1 = enabled, 2 = EV certificates only). This avoids
  # telling the CA's responder which sites are visited, but certificate
  # revocation checking then depends entirely on CRLite below.
  "security.OCSP.enabled" = 0;
  # "security.OCSP.require" = true;

  ## CRLite
  # "security.remote_settings.crlite_filters.enabled" = true; # DEFAULT: true FF137+
  # 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results.
  # NOTE(review): the filter-download pref above is left at its default, which
  # the upstream annotation gives as true only from FF137. On an older build,
  # with OCSP off, revocation may not be checked at all - verify the target
  # Firefox version before relying on this pair.
  "security.pki.crlite_mode" = 2;

  ## HPKP
  # "security.cert_pinning.enforcement_level" = 2;

  ## Enterprise Roots
  # "security.enterprise_roots.enabled" = false;
  # "security.certerrors.mitm.auto_enable_enterprise_roots" = false;

  ## DLP Content Analysis
  # "browser.contentanalysis.enabled" = false; # [FF121+] [DEFAULT]
  # "browser.contentanalysis.default_result" = 0; # [FF127+] [DEFAULT]

  #############################################################
  # SECTION: SSL / TLS
  #############################################################

  # Marks connections to servers without safe renegotiation (RFC 5746) as
  # broken in the UI; it is an indicator only and does not block the connection
  # (the commented pref below is the blocking variant).
  "security.ssl.treat_unsafe_negotiation_as_broken" = true;
  # "security.ssl.require_safe_negotiation" = true;

  # Shows the advanced/technical details on certificate error pages.
  "browser.xul.error_pages.expert_bad_cert" = true;
  # TLS 1.3 0-RTT early data can be replayed and is not forward secret.
  "security.tls.enable_0rtt_data" = false;
  # "security.tls.enable_kyber" = true;
  # "network.http.http3.enable_kyber" = true;

  #############################################################
  # SECTION: FINGERPRINT PROTECTION (FPP)
  #############################################################

  # "privacy.resistFingerprinting.randomization.daily_reset.enabled" = true;
  # "privacy.resistFingerprinting.randomization.daily_reset.private.enabled" = true;

  #############################################################
  # SECTION: RESIST FINGERPRINTING (RFP)
  #############################################################

  # "privacy.resistFingerprinting" = true;
  # "privacy.window.maxInnerWidth" = 1600;
  # "privacy.window.maxInnerHeight" = 900;
  # "browser.startup.blankWindow" = false;
  # "browser.display.use_system_colors" = false;

  #############################################################
  # SECTION: DISK AVOIDANCE
  #############################################################

  # Keeps private-browsing media cache in memory instead of on disk.
  "browser.privatebrowsing.forceMediaMemoryCache" = true;
  # Session state is written to disk less often (value is in milliseconds).
  "browser.sessionstore.interval" = 60000; # 1 min; default=15000

  # "browser.sessionstore.privacy_level" = 2;
  # "toolkit.winRegisterApplicationRestart" = false;
  # "browser.shell.shortcutFavicons" = false;
  # "browser.helperApps.deleteTempFileOnExit" = true;
  # "browser.pagethumbnails.capturing_disabled" = true;

  #############################################################
  # SECTION: SANITIZE HISTORY
  #############################################################

  # "privacy.sanitize.timeSpan" = 0;
  # "privacy.clearSiteData.cache" = true;
  # "privacy.clearSiteData.cookiesAndStorage" = false;
  # "privacy.clearSiteData.historyFormDataAndDownloads" = true;
  "browser.privatebrowsing.resetPBM.enabled" = true;

  #############################################################
  # SECTION: SHUTDOWN & SANITIZING
  #############################################################

  # NOTE(review): every clear-on-shutdown pref below is left commented, so
  # with this file alone nothing is cleared at exit.
  "privacy.history.custom" = true;
  # "privacy.sanitize.sanitizeOnShutdown" = true;
  # "privacy.clearOnShutdown.cache" = true;
  # "privacy.clearOnShutdown_v2.cache" = true;
  # "privacy.clearOnShutdown.downloads" = true;
  # "privacy.clearOnShutdown.formdata" = true;
  # "privacy.clearOnShutdown.history" = true;
  # "privacy.clearOnShutdown_v2.historyFormDataAndDownloads" = true;
  # "privacy.clearOnShutdown.siteSettings" = false;
  # "privacy.clearOnShutdown_v2.siteSettings" = false;
  # "privacy.clearOnShutdown.cookies" = true;
  # "privacy.clearOnShutdown.offlineApps" = true;
  # "privacy.clearOnShutdown.sessions" = true;
  # "privacy.clearOnShutdown_v2.cookiesAndStorage" = true;
  # "privacy.clearOnShutdown.openWindows" = true;

  #############################################################
  # SECTION: SEARCH / URL BAR
  #############################################################

  # "browser.urlbar.trimURLs" = true;
  "browser.urlbar.trimHttps" = true;
  "browser.urlbar.untrimOnUserInteraction.featureGate" = true;
  # "security.insecure_connection_text.enabled" = true;
  # "security.insecure_connection_text.pbmode.enabled" = true;

  # "browser.search.separatePrivateDefault.ui.enabled" = true;
  # "browser.search.separatePrivateDefault" = true;

  "browser.urlbar.update2.engineAliasRefresh" = true;
  # Live search suggestions send what is typed to the search engine; off.
  "browser.search.suggest.enabled" = false;
  # "browser.search.suggest.enabled.private" = false;

  "browser.urlbar.quicksuggest.enabled" = false;
  # "browser.urlbar.suggest.quicksuggest.sponsored" = false;
  # "browser.urlbar.suggest.quicksuggest.nonsponsored" = false;

  "browser.urlbar.groupLabels.enabled" = false;
  # Form and search-bar history is not saved.
  "browser.formfill.enable" = false;

  # "browser.fixup.alternate.enabled" = false;
  # "browser.urlbar.autoFill" = false;
  # Internationalized domain names are displayed in punycode, which makes
  # look-alike (homograph) domains visible in the address bar.
  "network.IDN_show_punycode" = true;

  #############################################################
  # SECTION: HTTPS-FIRST POLICY
  #############################################################

  # "dom.security.https_first" = true;
  # "dom.security.https_first_pbm" = true;
  # "dom.security.https_first_schemeless" = true;

  #############################################################
  # SECTION: HTTPS-ONLY MODE
  #############################################################

  # "dom.security.https_only_mode_pbm" = true;
  # "dom.security.https_only_mode" = true;
  # "dom.security.https_only_mode_error_page_user_suggestions" = true;
  # "dom.security.https_only_mode_send_http_background_request" = true;
  # "dom.security.https_only_fire_http_request_background_timer_ms" = 3000;
  # "dom.security.https_only_mode.upgrade_local" = false;

  #############################################################
  # SECTION: DNS-over-HTTPS
  #############################################################

  # "network.trr.mode" = 0;
  # "network.trr.max-fails" = 5;
  # "network.trr_ui.show_fallback_warning_option" = false;
  # "network.trr.display_fallback_warning" = false;
  # "network.trr.uri" = "https://xxxx/dns-query";
  # "network.trr.custom_uri" = "https://xxxx/dns-query";
  # "network.trr.bootstrapAddr" = "10.0.0.1";
  # "network.trr.resolvers" = '[{"name":"Cloudflare","url":"https://mozilla.cloudflare-dns.com/dns-query"}, …]';
  # "network.trr.disable-ECS" = true;
  # "network.trr.allow-rfc1918" = false;
  # "network.trr.confirmationNS" = "skip";
  # "network.trr.skip-AAAA-when-not-supported" = true;
  # "network.trr.clear-cache-on-pref-change" = true;
  # "network.trr.wait-for-portal" = false;
  # "network.trr.excluded-domains" = "";
  # "network.trr.builtin-excluded-domains" = "localhost,local";
  # "network.trr.ohttp.config_uri" = "https://dooh.cloudflare-dns.com/.well-known/doohconfig";
  # "network.trr.ohttp.uri" = "https://dooh.cloudflare-dns.com/dns-query";
  # "network.trr.ohttp.relay_uri" = "";
  # "network.trr.use_ohttp" = true;
  # "network.dns.echconfig.enabled" = true;
  # "network.dns.http3_echconfig.enabled" = true;
  # "network.dns.echconfig.fallback_to_origin_when_all_failed" = false;

  #############################################################
  # SECTION: PROXY / SOCKS / IPv6
  #############################################################

  # "network.dns.disableIPv6" = true;
  # "network.proxy.socks_remote_dns" = true;
  # "network.file.disable_unc_paths" = true;
  # "network.gio.supported-protocols" = "";
  # "network.notify.checkForProxies" = false;

  #############################################################
  # SECTION: PASSWORDS
  #############################################################

  # "signon.rememberSignons" = false;
  # "signon.schemeUpgrades" = true;
  # "signon.showAutoCompleteFooter" = true;
  # "signon.autologin.proxy" = false;

  # "signon.autofillForms" = false;
  # "signon.autofillForms.autocompleteOff" = true;
  # The built-in password manager itself stays enabled (signon.rememberSignons
  # is not set above); the active prefs below only narrow when it captures or
  # fills credentials and switch off its add-on features.
  "signon.formlessCapture.enabled" = false;
  "signon.privateBrowsingCapture.enabled" = false;
  # Saved logins are not auto-filled into forms on plain-HTTP pages.
  "signon.autofillForms.http" = false;
  "signon.generation.enabled" = false;
  # NOTE(review): with breach alerts off, about:logins no longer flags saved
  # logins for sites with known breaches; make sure breach monitoring is
  # covered elsewhere if the built-in password manager is in use.
  "signon.management.page.breach-alerts.enabled" = false;
  "signon.management.page.breachAlertUrl" = "";
  "browser.contentblocking.report.lockwise.enabled" = false;
  "signon.firefoxRelay.feature" = "";
  # "signon.storeWhenAutocompleteOff" = false;
  # 1 = cross-origin sub-resources may not open HTTP authentication dialogs
  # (0 = no sub-resource may, 2 = all may), which limits credential-phishing
  # prompts triggered by embedded third-party content.
  "network.auth.subresource-http-auth-allow" = 1;
  # Pasted text is not silently cut to a field's maxlength, so an over-long
  # pasted password is not truncated without the user noticing.
  "editor.truncate_user_pastes" = false;
  # "layout.forms.reveal-password-context-menu.enabled" = true;
  # "layout.forms.reveal-password-button.enabled" = true;

  #############################################################
  # SECTION: ADDRESS + CREDIT CARD MANAGER
  #############################################################

  # "extensions.formautofill.addresses.enabled" = false;
  # "extensions.formautofill.creditCards.enabled" = false;

  #############################################################
  # SECTION: MIXED CONTENT + CROSS-SITE
  #############################################################

  # Blocks insecure passive content (e.g. images over HTTP) on HTTPS pages.
  "security.mixed_content.block_display_content" = true;
  # JavaScript embedded in PDF documents is not run by the built-in viewer.
  "pdfjs.enableScripting" = false;
  # "browser.tabs.searchclipboardfor.middleclick" = false;
  # "network.http.windows-sso.enabled" = false;

  #############################################################
  # SECTION: EXTENSIONS
  #############################################################

  # Bitmask of install locations extensions may be loaded from:
  # 1 = profile, 2 = user, 4 = application, 8 = system.
  # 5 = profile + application only, so add-ons dropped into user- or
  # system-wide locations by other software are not loaded.
  "extensions.enabledScopes" = 5;
  # "extensions.autoDisableScopes" = 15;
  # "extensions.postDownloadThirdPartyPrompt" = false;
  # "privacy.resistFingerprinting.block_mozAddonManager" = true;
  # "extensions.webextensions.restrictedDomains" = "";
  # NOTE(review): the next two weaken add-on protections if uncommented
  # (signature enforcement, quarantined domains); keep them disabled unless
  # there is a specific need.
  # "xpinstall.signatures.required" = false;
  # "extensions.quarantinedDomains.enabled" = false;

  #############################################################
  # SECTION: HEADERS / REFERERS
  #############################################################

  # "network.http.referer.defaultPolicy" = 2;
  # "network.http.referer.defaultPolicy.pbmode" = 2;
  # "network.http.referer.defaultPolicy.trackers" = 1;
  # "network.http.referer.defaultPolicy.trackers.pbmode" = 1;
  # "network.http.sendRefererHeader" = 2;
  # "network.http.referer.XOriginPolicy" = 0;
  # 2 = cross-origin Referer is trimmed to scheme + host + port
  # (0 = full URI, 1 = scheme + host + port + path).
  "network.http.referer.XOriginTrimmingPolicy" = 2;

  #############################################################
  # SECTION: CONTAINERS
  #############################################################

  "privacy.userContext.ui.enabled" = true;
  # "privacy.userContext.enabled" = true;
  # "privacy.userContext.newTabContainerOnLeftClick.enabled" = true;
  # "browser.link.force_default_user_context_id_for_external_opens" = true;

  #############################################################
  # SECTION: WEBRTC
  #############################################################

  # "media.peerconnection.enabled" = false;
  # "privacy.webrtc.globalMuteToggles" = true;
  # "media.peerconnection.ice.proxy_only_if_behind_proxy" = true;
  # "media.peerconnection.ice.default_address_only" = true;
  # "media.peerconnection.ice.no_host" = true;

  #############################################################
  # SECTION: PLUGINS
  #############################################################

  # "media.gmp-provider.enabled" = false;
  # "media.gmp-widevinecdm.enabled" = false;
  # "media.eme.enabled" = false;
  # "browser.eme.ui.enabled" = false;

  #############################################################
  # SECTION: VARIOUS
  #############################################################

  # "browser.urlbar.decodeURLsOnCopy" = false;
  # "devtools.selfxss.count" = 5;
  # "javascript.options.asmjs" = false;
  # "javascript.options.ion" = false;
  # "javascript.options.baselinejit" = false;
  # "javascript.options.jit_trustedprincipals" = true;
  # "javascript.options.wasm" = false;

  #############################################################
  # SECTION: SAFE BROWSING (SB)
  #############################################################

  # NOTE(review): the active prefs below switch Safe Browsing off completely:
  # the malware, phishing and blocked-URI list checks, the download checks,
  # and the Google provider endpoints (blanked, so the lists can no longer be
  # fetched or updated). The browser then shows no built-in warning for known
  # phishing or malware pages or for flagged downloads. This is a privacy over
  # protection trade-off; confirm that another control (content-blocker filter
  # lists, DNS filtering) covers the gap. For reference, the page checks match
  # against locally stored lists; it is the downloads.remote check that
  # submits download metadata to a remote service.
  "browser.safebrowsing.malware.enabled" = false;
  "browser.safebrowsing.phishing.enabled" = false;
  "browser.safebrowsing.blockedURIs.enabled" = false;
  "browser.safebrowsing.provider.google4.gethashURL" = "";
  "browser.safebrowsing.provider.google4.updateURL" = "";
  "browser.safebrowsing.provider.google.gethashURL" = "";
  "browser.safebrowsing.provider.google.updateURL" = "";
  "browser.safebrowsing.downloads.enabled" = false;
  "browser.safebrowsing.downloads.remote.enabled" = false;
  "browser.safebrowsing.downloads.remote.url" = "";
  "browser.safebrowsing.downloads.remote.block_potentially_unwanted" = false;
  "browser.safebrowsing.downloads.remote.block_uncommon" = false;
  # Lets the user click through a Safe Browsing warning page; it has nothing
  # to act on while the checks above are disabled.
  "browser.safebrowsing.allowOverride" = true;

  #############################################################
  # SECTION: MOZILLA
  #############################################################

  # "accessibility.force_disabled" = 1;
  # "devtools.accessibility.enabled" = false;
  # "identity.fxaccounts.enabled" = false;
  # "identity.fxaccounts.autoconfig.uri" = "";

  #############################################################
  # SECTION: TELEMETRY
  #############################################################

  # Turns off telemetry collection and upload; the server pref is pointed at
  # an empty data: URI so there is no upload endpoint left to contact.
  "datareporting.policy.dataSubmissionEnabled" = false;
  "datareporting.healthreport.uploadEnabled" = false;
  "toolkit.telemetry.unified" = false;
  "toolkit.telemetry.enabled" = false;
  "toolkit.telemetry.server" = "data:,";
  "toolkit.telemetry.archive.enabled" = false;
  "toolkit.telemetry.newProfilePing.enabled" = false;
  "toolkit.telemetry.shutdownPingSender.enabled" = false;
  "toolkit.telemetry.updatePing.enabled" = false;
  "toolkit.telemetry.bhrPing.enabled" = false;
  "toolkit.telemetry.firstShutdownPing.enabled" = false;
  # "toolkit.telemetry.dap_enabled" = false;
  "toolkit.telemetry.coverage.opt-out" = true;
  "toolkit.coverage.opt-out" = true;
  "toolkit.coverage.endpoint.base" = "";
  "browser.newtabpage.activity-stream.feeds.telemetry" = false;
  "browser.newtabpage.activity-stream.telemetry" = false;
  # "datareporting.usage.uploadEnabled" = false;

  #############################################################
  # SECTION: EXPERIMENTS
  #############################################################

  # Disables studies and the Normandy remote pref/experiment delivery channel.
  "app.shield.optoutstudies.enabled" = false;
  "app.normandy.enabled" = false;
  "app.normandy.api_url" = "";

  #############################################################
  # SECTION: CRASH REPORTS
  #############################################################

  "breakpad.reportURL" = "";
  "browser.tabs.crashReporting.sendReport" = false;
  # "browser.crashReports.unsubmittedCheck.enabled" = false;

  #############################################################
  # SECTION: DETECTION
  #############################################################

  # Captive-portal and connectivity probes are off, so the browser makes no
  # background check requests on network changes.
  # NOTE(review): on hotel or public Wi-Fi the portal login page will
  # presumably no longer be offered automatically; expect to open it by hand.
  "captivedetect.canonicalURL" = "";
  "network.captive-portal-service.enabled" = false;
  "network.connectivity-service.enabled" = false;
  # "dom.private-attribution.submission.enabled" = false;
  # "toolkit.telemetry.dap_helper" = "";
  # "toolkit.telemetry.dap_leader" = "";
  # "default-browser-agent.enabled" = false;
  # "extensions.abuseReport.enabled" = false;
  # "browser.search.serpEventTelemetryCategorization.enabled" = false;
  # "doh-rollout.disable-heuristics" = true;
  # "dom.security.unexpected_system_load_telemetry_enabled" = false;
  # "messaging-system.rsexperimentloader.enabled" = false;
  # "network.trr.confirmation_telemetry_enabled" = false;
  # "security.app_menu.recordEventTelemetry" = false;
  # "security.certerrors.mitm.priming.enabled" = false;
  # "security.certerrors.recordEventTelemetry" = false;
  # "security.protectionspopup.recordEventTelemetry" = false;
  # "signon.recipes.remoteRecipes.enabled" = false;
  # "privacy.trackingprotection.emailtracking.data_collection.enabled" = false;
  # "messaging-system.askForFeedback" = true; # DEFAULT [FF120+]
}