nix-config/home/browsers/firefox/arkenfox/2600.nix

{
  /*** [SECTION 2600]: MISCELLANEOUS ***/
  /* 2601: prevent accessibility services from accessing your browser [RESTART]
   * [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
   * [1] https://support.mozilla.org/kb/accessibility-services ***/
  "accessibility.force_disabled" = 1;
  /* 2602: disable sending additional analytics to web servers
   * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
  "beacon.enabled" = false;
  /* 2603: remove temp files opened with an external application
   * [1] https://bugzilla.mozilla.org/302433 ***/
  "browser.helperApps.deleteTempFileOnExit" = true;
  /* 2604: disable page thumbnail collection ***/
  "browser.pagethumbnails.capturing_disabled" = true;  # [HIDDEN PREF]
  /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
  "browser.uitour.enabled" = false;
  "browser.uitour.url" = "";
  /* 2607: disable various developer tools in browser context
   * [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
   * [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
  "devtools.chrome.enabled" = false;
  /* 2608: reset remote debugging to disabled
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
  "devtools.debugger.remote-enabled" = false;  # [DEFAULT: false]
  /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
   * [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
   * [1] https://bugzilla.mozilla.org/1173199 ***/
  #  // user_pref("mathml.disabled", true);
  /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
   * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
   * [1] https://bugzilla.mozilla.org/1216893 ***/
  #  // user_pref("svg.disabled", true);
  /* 2611: disable middle mouse click opening links from clipboard
   * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/
  "middlemouse.contentLoadURL" = false;
  /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]
   * 0 (default) or 1=allow, 2=block
   * [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/
  #  // user_pref("permissions.default.shortcuts", 2);
  /* 2616: remove special permissions for certain mozilla domains [FF35+]
   * [1] resource://app/defaults/permissions ***/
  "permissions.manager.defaultsUrl" = "";
  /* 2617: remove webchannel whitelist ***/
  "webchannel.allowObject.urlWhitelist" = "";
  /* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing
   * Firefox has *some* protections, but it is better to be safe than sorry
   * [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
   * [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
   * [1] https://wiki.mozilla.org/IDN_Display_Algorithm
   * [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
   * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
   * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
  "network.IDN_show_punycode" = true;
  /* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME]
   * This setting controls if the option "Display in Firefox" is available in the setting below
   *   and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
   * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
   *   Exploits are rare (one serious case in seven years), treated seriously and patched quickly.
   *   It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
   *   It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
   * CONS: You may prefer a different pdf reader for security reasons
   * CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
   * [SETTING] General>Applications>Portable Document Format (PDF) ***/
  "pdfjs.disabled" = false;  # [DEFAULT: false]
  "pdfjs.enableScripting" = false;  # [FF86+]
  /* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
  "network.protocol-handler.external.ms-windows-store" = false;
  /* 2622: enforce no system colors; they can be fingerprinted
   * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
  "browser.display.use_system_colors" = false;  # [DEFAULT: false]
  /* 2623: disable permissions delegation [FF73+]
   * Currently applies to cross-origin geolocation, camera, mic and screen-sharing
   * permissions, and fullscreen requests. Disabling delegation means any prompts
   * for these will show/use their correct 3rd party origin
   * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/
  "permissions.delegation.enabled" = false;
  /* 2624: enable "window.name" protection [FF82+]
   * If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
   * string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
   * [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/
  "privacy.window.name.update.enabled" = true;  # [DEFAULT: true FF86+]
  /* 2625: disable bypassing 3rd party extension install prompts [FF82+]
   * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
  "extensions.postDownloadThirdPartyPrompt" = false;
  /* 2626: enforce non-native widget theme
   * Security: removes/reduces system API calls, e.g. win32k API [1]
   * Fingerprinting: provides a uniform look and feel across platforms [2]
   * [1] https://bugzilla.mozilla.org/1381938
   * [2] https://bugzilla.mozilla.org/1411425 ***/
  "widget.non-native-theme.enabled" = true;  # [DEFAULT: true FF89+]
  
  /** DOWNLOADS ***/
  /* 2650: discourage downloading to desktop
   * 0=desktop, 1=downloads (default), 2=last used
   * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
  #  // user_pref("browser.download.folderList", 2);
  /* 2651: enable user interaction for security by always asking where to download
   * [SETUP-CHROME] On Android this blocks longtapping and saving images
   * [SETTING] General>Downloads>Always ask you where to save files ***/
  "browser.download.useDownloadDir" = false;
  /* 2652: disable adding downloads to the system's "recent documents" list ***/
  "browser.download.manager.addToRecentDocs" = false;
  /* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
   * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
   * in such a way that it is forbidden to run external applications.
   * [WARNING] This may interfere with some users' workflow or methods
   * [1] https://bugzilla.mozilla.org/1281959 ***/
  #  // user_pref("browser.download.forbid_open_with", true);
  
  /** EXTENSIONS ***/
  /* 2660: lock down allowed extension directories
   * [SETUP-CHROME] This will break extensions, language packs, themes and any other
   * XPI files which are installed outside of profile and application directories
   * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
   * [1] archived: https://archive.is/DYjAM ***/
  "extensions.enabledScopes" = 5;  # [HIDDEN PREF]
  "extensions.autoDisableScopes" = 15;  # [DEFAULT: 15]
  /* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]
   * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
  #  // user_pref("extensions.webextensions.restrictedDomains", "");
  
  /** SECURITY ***/
  /* 2680: enforce CSP (Content Security Policy)
   * [NOTE] CSP is a very important and widespread security feature. Don't disable it!
   * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
  "security.csp.enable" = true;  # [DEFAULT: true]
  /* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
   * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
  "security.dialog_enable_delay" = 1000;  # [DEFAULT: 1000]
}
initial commit 2022-01-18 09:32:55 +01:00			`{`
			`/* [SECTION 2600]: MISCELLANEOUS */`
			`/* 2601: prevent accessibility services from accessing your browser [RESTART]`
			`* [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)`
			`* [1] https://support.mozilla.org/kb/accessibility-services ***/`
			`"accessibility.force_disabled" = 1;`
			`/* 2602: disable sending additional analytics to web servers`
			`* [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/`
			`"beacon.enabled" = false;`
			`/* 2603: remove temp files opened with an external application`
			`* [1] https://bugzilla.mozilla.org/302433 ***/`
			`"browser.helperApps.deleteTempFileOnExit" = true;`
			`/* 2604: disable page thumbnail collection ***/`
			`"browser.pagethumbnails.capturing_disabled" = true; # [HIDDEN PREF]`
			`/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/`
			`"browser.uitour.enabled" = false;`
			`"browser.uitour.url" = "";`
			`/* 2607: disable various developer tools in browser context`
			`* [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes`
			`* [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/`
			`"devtools.chrome.enabled" = false;`
			`/* 2608: reset remote debugging to disabled`
			`* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/`
			`"devtools.debugger.remote-enabled" = false; # [DEFAULT: false]`
			`/* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]`
			`* [TEST] https://arkenfox.github.io/TZP/tzp.html#misc`
			`* [1] https://bugzilla.mozilla.org/1173199 ***/`
			`# // user_pref("mathml.disabled", true);`
			`/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]`
			`* [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.`
			`* [1] https://bugzilla.mozilla.org/1216893 ***/`
			`# // user_pref("svg.disabled", true);`
			`/* 2611: disable middle mouse click opening links from clipboard`
			`* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/`
			`"middlemouse.contentLoadURL" = false;`
			`/* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]`
			`* 0 (default) or 1=allow, 2=block`
			`* [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/`
			`# // user_pref("permissions.default.shortcuts", 2);`
			`/* 2616: remove special permissions for certain mozilla domains [FF35+]`
			`* [1] resource://app/defaults/permissions ***/`
			`"permissions.manager.defaultsUrl" = "";`
			`/* 2617: remove webchannel whitelist ***/`
			`"webchannel.allowObject.urlWhitelist" = "";`
			`/* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing`
			`* Firefox has some protections, but it is better to be safe than sorry`
			`* [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded`
			`* [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)`
			`* [1] https://wiki.mozilla.org/IDN_Display_Algorithm`
			`* [2] https://en.wikipedia.org/wiki/IDN_homograph_attack`
			`* [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/`
			`* [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/`
			`"network.IDN_show_punycode" = true;`
			`/* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME]`
			`* This setting controls if the option "Display in Firefox" is available in the setting below`
			`* and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")`
			`* PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)`
			`* Exploits are rare (one serious case in seven years), treated seriously and patched quickly.`
			`* It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).`
			`* It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.`
			`* CONS: You may prefer a different pdf reader for security reasons`
			`* CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)`
			`* [SETTING] General>Applications>Portable Document Format (PDF) ***/`
			`"pdfjs.disabled" = false; # [DEFAULT: false]`
			`"pdfjs.enableScripting" = false; # [FF86+]`
			`/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/`
			`"network.protocol-handler.external.ms-windows-store" = false;`
			`/* 2622: enforce no system colors; they can be fingerprinted`
			`* [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/`
			`"browser.display.use_system_colors" = false; # [DEFAULT: false]`
			`/* 2623: disable permissions delegation [FF73+]`
			`* Currently applies to cross-origin geolocation, camera, mic and screen-sharing`
			`* permissions, and fullscreen requests. Disabling delegation means any prompts`
			`* for these will show/use their correct 3rd party origin`
			`* [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/`
			`"permissions.delegation.enabled" = false;`
			`/* 2624: enable "window.name" protection [FF82+]`
			`* If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original`
			`* string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks`
			`* [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/`
			`"privacy.window.name.update.enabled" = true; # [DEFAULT: true FF86+]`
			`/* 2625: disable bypassing 3rd party extension install prompts [FF82+]`
			`* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/`
			`"extensions.postDownloadThirdPartyPrompt" = false;`
			`/* 2626: enforce non-native widget theme`
			`* Security: removes/reduces system API calls, e.g. win32k API [1]`
			`* Fingerprinting: provides a uniform look and feel across platforms [2]`
			`* [1] https://bugzilla.mozilla.org/1381938`
			`* [2] https://bugzilla.mozilla.org/1411425 ***/`
			`"widget.non-native-theme.enabled" = true; # [DEFAULT: true FF89+]`

			`/ DOWNLOADS */`
			`/* 2650: discourage downloading to desktop`
			`* 0=desktop, 1=downloads (default), 2=last used`
			`* [SETTING] To set your default "downloads": General>Downloads>Save files to ***/`
			`# // user_pref("browser.download.folderList", 2);`
			`/* 2651: enable user interaction for security by always asking where to download`
			`* [SETUP-CHROME] On Android this blocks longtapping and saving images`
			`* [SETTING] General>Downloads>Always ask you where to save files ***/`
			`"browser.download.useDownloadDir" = false;`
			`/* 2652: disable adding downloads to the system's "recent documents" list ***/`
			`"browser.download.manager.addToRecentDocs" = false;`
			`/* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN]`
			`* This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)`
			`* in such a way that it is forbidden to run external applications.`
			`* [WARNING] This may interfere with some users' workflow or methods`
			`* [1] https://bugzilla.mozilla.org/1281959 ***/`
			`# // user_pref("browser.download.forbid_open_with", true);`

			`/ EXTENSIONS */`
			`/* 2660: lock down allowed extension directories`
			`* [SETUP-CHROME] This will break extensions, language packs, themes and any other`
			`* XPI files which are installed outside of profile and application directories`
			`* [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/`
			`* [1] archived: https://archive.is/DYjAM ***/`
			`"extensions.enabledScopes" = 5; # [HIDDEN PREF]`
			`"extensions.autoDisableScopes" = 15; # [DEFAULT: 15]`
			`/* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]`
			`* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/`
			`# // user_pref("extensions.webextensions.restrictedDomains", "");`

			`/ SECURITY */`
			`/* 2680: enforce CSP (Content Security Policy)`
			`* [NOTE] CSP is a very important and widespread security feature. Don't disable it!`
			`* [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/`
			`"security.csp.enable" = true; # [DEFAULT: true]`
			`/* 2684: enforce a security delay on some confirmation dialogs such as install, open/save`
			`* [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/`
			`"security.dialog_enable_delay" = 1000; # [DEFAULT: 1000]`
			`}`