nix-config/home/browsers/firefox/arkenfox/2600.nix

131 lines
8.2 KiB
Nix

{
/*** [SECTION 2600]: MISCELLANEOUS ***/
/* 2601: prevent accessibility services from accessing your browser [RESTART]
* [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
* [1] https://support.mozilla.org/kb/accessibility-services ***/
"accessibility.force_disabled" = 1;
/* 2602: disable sending additional analytics to web servers
* [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
"beacon.enabled" = false;
/* 2603: remove temp files opened with an external application
* [1] https://bugzilla.mozilla.org/302433 ***/
"browser.helperApps.deleteTempFileOnExit" = true;
/* 2604: disable page thumbnail collection ***/
"browser.pagethumbnails.capturing_disabled" = true; # [HIDDEN PREF]
/* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
"browser.uitour.enabled" = false;
"browser.uitour.url" = "";
/* 2607: disable various developer tools in browser context
* [SETTING] Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
* [1] https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676 ***/
"devtools.chrome.enabled" = false;
/* 2608: reset remote debugging to disabled
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
"devtools.debugger.remote-enabled" = false; # [DEFAULT: false]
/* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
* [TEST] https://arkenfox.github.io/TZP/tzp.html#misc
* [1] https://bugzilla.mozilla.org/1173199 ***/
# // user_pref("mathml.disabled", true);
/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
* [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
* [1] https://bugzilla.mozilla.org/1216893 ***/
# // user_pref("svg.disabled", true);
/* 2611: disable middle mouse click opening links from clipboard
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/
"middlemouse.contentLoadURL" = false;
/* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]
* 0 (default) or 1=allow, 2=block
* [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/
# // user_pref("permissions.default.shortcuts", 2);
/* 2616: remove special permissions for certain mozilla domains [FF35+]
* [1] resource://app/defaults/permissions ***/
"permissions.manager.defaultsUrl" = "";
/* 2617: remove webchannel whitelist ***/
"webchannel.allowObject.urlWhitelist" = "";
/* 2619: use Punycode in Internationalized Domain Names to eliminate possible spoofing
* Firefox has *some* protections, but it is better to be safe than sorry
* [SETUP-WEB] Might be undesirable for non-latin alphabet users since legitimate IDN's are also punycoded
* [TEST] https://www.xn--80ak6aa92e.com/ (www.apple.com)
* [1] https://wiki.mozilla.org/IDN_Display_Algorithm
* [2] https://en.wikipedia.org/wiki/IDN_homograph_attack
* [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
* [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
"network.IDN_show_punycode" = true;
/* 2620: enforce PDFJS, disable PDFJS scripting [SETUP-CHROME]
* This setting controls if the option "Display in Firefox" is available in the setting below
* and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
* PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
* Exploits are rare (one serious case in seven years), treated seriously and patched quickly.
* It doesn't break "state separation" of browser content (by not sharing with OS, independent apps).
* It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk.
* CONS: You may prefer a different pdf reader for security reasons
* CAVEAT: JS can still force a pdf to open in-browser by bundling its own code (rare)
* [SETTING] General>Applications>Portable Document Format (PDF) ***/
"pdfjs.disabled" = false; # [DEFAULT: false]
"pdfjs.enableScripting" = false; # [FF86+]
/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
"network.protocol-handler.external.ms-windows-store" = false;
/* 2622: enforce no system colors; they can be fingerprinted
* [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
"browser.display.use_system_colors" = false; # [DEFAULT: false]
/* 2623: disable permissions delegation [FF73+]
* Currently applies to cross-origin geolocation, camera, mic and screen-sharing
* permissions, and fullscreen requests. Disabling delegation means any prompts
* for these will show/use their correct 3rd party origin
* [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/
"permissions.delegation.enabled" = false;
/* 2624: enable "window.name" protection [FF82+]
* If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
* string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
* [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/
"privacy.window.name.update.enabled" = true; # [DEFAULT: true FF86+]
/* 2625: disable bypassing 3rd party extension install prompts [FF82+]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
"extensions.postDownloadThirdPartyPrompt" = false;
/* 2626: enforce non-native widget theme
* Security: removes/reduces system API calls, e.g. win32k API [1]
* Fingerprinting: provides a uniform look and feel across platforms [2]
* [1] https://bugzilla.mozilla.org/1381938
* [2] https://bugzilla.mozilla.org/1411425 ***/
"widget.non-native-theme.enabled" = true; # [DEFAULT: true FF89+]
/** DOWNLOADS ***/
/* 2650: discourage downloading to desktop
* 0=desktop, 1=downloads (default), 2=last used
* [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
# // user_pref("browser.download.folderList", 2);
/* 2651: enable user interaction for security by always asking where to download
* [SETUP-CHROME] On Android this blocks longtapping and saving images
* [SETTING] General>Downloads>Always ask you where to save files ***/
"browser.download.useDownloadDir" = false;
/* 2652: disable adding downloads to the system's "recent documents" list ***/
"browser.download.manager.addToRecentDocs" = false;
/* 2654: disable "open with" in download dialog [FF50+] [SETUP-HARDEN]
* This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
* in such a way that it is forbidden to run external applications.
* [WARNING] This may interfere with some users' workflow or methods
* [1] https://bugzilla.mozilla.org/1281959 ***/
# // user_pref("browser.download.forbid_open_with", true);
/** EXTENSIONS ***/
/* 2660: lock down allowed extension directories
* [SETUP-CHROME] This will break extensions, language packs, themes and any other
* XPI files which are installed outside of profile and application directories
* [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
* [1] archived: https://archive.is/DYjAM ***/
"extensions.enabledScopes" = 5; # [HIDDEN PREF]
"extensions.autoDisableScopes" = 15; # [DEFAULT: 15]
/* 2662: disable webextension restrictions on certain mozilla domains (you also need 4503) [FF60+]
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
# // user_pref("extensions.webextensions.restrictedDomains", "");
/** SECURITY ***/
/* 2680: enforce CSP (Content Security Policy)
* [NOTE] CSP is a very important and widespread security feature. Don't disable it!
* [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
"security.csp.enable" = true; # [DEFAULT: true]
/* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
* [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
"security.dialog_enable_delay" = 1000; # [DEFAULT: 1000]
}