nix-config/home/browsers/firefox/arkenfox/0700.nix

54 lines
3.4 KiB
Nix

{
/*** [SECTION 0700]: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
/* 0701: disable IPv6
* IPv6 can be abused, especially with MAC addresses, and can leak with VPNs. That's even
* assuming your ISP and/or router and/or website can handle it. Sites will fall back to IPv4
* [STATS] Firefox telemetry (July 2021) shows ~10% of all connections are IPv6
* [NOTE] This is just an application level fallback. Disabling IPv6 is best done at an
* OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
* then this won't make much difference. If you are masking your IP, then it can only help.
* [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
* [TEST] https://ipleak.org/
* [1] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
"network.dns.disableIPv6" = true;
/* 0702: disable HTTP2
* HTTP2 raises concerns with "multiplexing" and "server push", does nothing to
* enhance privacy, and opens up a number of server-side fingerprinting opportunities.
* [WARNING] Don't disable HTTP2. Don't be that one person using HTTP1.1 on HTTP2 sites
* [STATS] ~46% of sites (July 2021) [5]
* [1] https://http2.github.io/faq/
* [2] https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
* [3] https://http2.github.io/http2-spec/#rfc.section.10.8
* [4] https://queue.acm.org/detail.cfm?id=2716278
* [5] https://w3techs.com/technologies/details/ce-http2/all/all ***/
# // user_pref("network.http.spdy.enabled", false);
# // user_pref("network.http.spdy.enabled.deps", false);
# // user_pref("network.http.spdy.enabled.http2", false);
# // user_pref("network.http.spdy.websockets", false); // [FF65+]
/* 0703: disable HTTP Alternative Services [FF37+]
* [SETUP-PERF] Relax this if you have FPI enabled (see 4000) *AND* you understand the
* consequences. FPI isolates these, but it was designed with the Tor protocol in mind,
* and the Tor Browser has extra protection, including enhanced sanitizing per Identity.
* [1] https://tools.ietf.org/html/rfc7838#section-9
* [2] https://www.mnot.net/blog/2016/03/09/alt-svc ***/
"network.http.altsvc.enabled" = false;
"network.http.altsvc.oe" = false;
/* 0704: set the proxy server to do any DNS lookups when using SOCKS
* e.g. in Tor, this stops your local DNS server from knowing your Tor destination
* as a remote Tor node will handle the DNS request
* [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
"network.proxy.socks_remote_dns" = true;
/* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]
* [SETUP-CHROME] Can break extensions for profiles on network shares
* [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
"network.file.disable_unc_paths" = true; # [HIDDEN PREF]
/* 0710: disable GIO as a potential proxy bypass vector
* Gvfs/GIO has a set of supported protocols like obex, network, archive, computer, dav, cdda,
* gphoto2, trash, etc. By default only smb and sftp protocols are accepted so far (as of FF64)
* [1] https://bugzilla.mozilla.org/1433507
* [2] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23044
* [3] https://en.wikipedia.org/wiki/GVfs
* [4] https://en.wikipedia.org/wiki/GIO_(software) ***/
"network.gio.supported-protocols" = ""; # [HIDDEN PREF]
}