browser-extensions: note ECS & /etc/hosts

Resolves: #286

pages/browser-extensions.markdown

@@ -142,7 +142,7 @@ TODO: Sort this list.
 
 -->
 
-## Chromium flags
+# Chromium flags
 
 These can generally be found from `about:flags` on Chromium based browsers, for Vivaldi explicit `vivaldi://flags` is required and it also has `chrome://settings` for the usual Chromium settings.
 
@@ -151,7 +151,7 @@ These can generally be found from `about:flags` on Chromium based browsers, for
 * `#force-color-profile` - sRGB
 * `#trust-tokens` - enabled
 
-### Vendor-prefixed
+## Vendor-prefixed
 
 These likely also exist, but just without the `vendor-` part when searhcing.
 
@@ -161,17 +161,15 @@ These likely also exist, but just without the `vendor-` part when searhcing.
 * `#edge-tab-groups-auto-create` - enabled
 * `#edge-tab-groups-collapse-freezing` - enabled
 
-## Firefox about:config
+# Firefox about:config
 
 * `privacy.firstparty.isolate` to `true` for preventing domains from
   accessing each other's data.
-* `browser.newtabpage.activity-stream.showSponsored` & `browser.newtabpage.activity-stream.showSponsored` to `false` to stop sponsored links.
 * `dom.security.https_only_mode` to `true` to force HTTPS and not need HTTPS Everywhere
-  * [Breaks IPFS companion subdomain gateway redirect](https://github.com/ipfs-shipyard/ipfs-companion/issues/855), see also [Firefox bug 1220810 Consider hardcoding localhost names to the loopback address](https://bugzilla.mozilla.org/show_bug.cgi?id=1220810#c23)
 * `security.certerrors.mitm.auto_enable_enterprise_roots` to `false` in order to not trust system CA store in case of enterprise MITM
 * `security.OCSP.require` to `true` in order to not allow [OCSP](https://en.wikipedia.org/wiki/OCSP_stapling) soft fail. This may be a bit paranoid, but *only the paranoid survive.*
-* (`privacy.resistFingerprinting.letterboxing` = `true` so letterboxing is
-  used to hide real browser size. [Tor Browser support](https://support.torproject.org/tbb/maximized-torbrowser-window/))
+* `privacy.resistFingerprinting.letterboxing` = `true` so letterboxing is
+  used to hide real browser size. [Tor Browser support](https://support.torproject.org/tbb/maximized-torbrowser-window/)
 * (On Linux `widget.content.gtk-theme-override` (a string that has to be created by
   user) to `Adwaita:light` so text boxes in dark themes become readable,
   thank you [Dovydas Venckus](https://www.dovydasvenckus.com/linux/2018/08/20/fix-firefox-dark-input-fields-on-gnome/)
@@ -181,40 +179,37 @@ These likely also exist, but just without the `vendor-` part when searhcing.
  * `geo.provider.network.url` to `https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%` in order to send nearby WiFi networks to Mozilla instead of Google. See also [MLS Software](https://wiki.mozilla.org/CloudServices/Location/Software).
 * `network.IDN_show_punycode` to `true` in order to see punycode instead of UTF-8 in case of spoofing attempt. However makes reading non-ASCII domains painful. E.g. Cyrillic alphabet
 * `reader.parse-on-load.force-enabled` to `true` in order to allow reader use to be used on ~all websites and devices (regardless of low RAM?)
-*  (`toolkit.telemetry.server` to empty in order to not send telemetry (which may be blocked by filtering DNS providers such as AdGuard or NextDNS resulting high amount of failing queries))
 
 Future note: [`network.dns.blockDotOnion;false`](https://bugzilla.mozilla.org/show_bug.cgi?id=1497263) ?
 
-#### DNS over HTTPS
+## Advertising
 
-* `network.trr.bootstrapAddress` DNS server to use for resolving the DoH
-  name, e.g. `149.112.112.112` (Resolver 2 of [Quad9](https://quad9.net))
-* `network.trr.mode` depends, 2 to prefer DoH, but fallback to system resolver (or 3 to enforce DoH without fallback). ***If there is system encrypted DNS, just take 5 to at least benefit from the system DNS cache.***
+Firefox seems to contain a lot of advertising or sponsoring nowadays, whether to other Mozilla products or whoever pays them. See also [Bug 1773860: Provide global long-term "disable all promos" flag](https://bugzilla.mozilla.org/show_bug.cgi?id=1773860).
+
+* `browser.newtabpage.activity-stream.showSponsored` & `browser.newtabpage.activity-stream.showSponsored` to `false` to stop sponsored links.
+* `browser.vpn_promo.enabled` to `false` to hopefully stop Mozilla VPN advertisements
+* `browser.promo.focus.enabled` to `false` to stop Firefox Focus advertisements?
+* `browser.preferences.moreFromMozilla` to `false` to not hear from other Mozilla products?
+
+## DNS over HTTPS
+
+* `network.trr.mode` depends, `2` to prefer DoH, but fallback to system resolver, `3` to enforce DoH without fallback) or `5` to explicitly disable.
     * [DoH is required by Firefox ESNI support](https://bugzilla.mozilla.org/show_bug.cgi?id=1500289) which encrypts SNI which would still leak which
       sites you visit. [Another bug about ESNI + Android DoT](https://bugzilla.mozilla.org/show_bug.cgi?id=1542754#c3)
-    * I have ended up to recommending 2 as otherwise the DoH server going
-      down stops DNS from working on your Firefox entirely, which may be
-      more of a problem than unencrypted SNI as not everyone supports it.
-        * since then I have decided that 5 is the best option, because otherwise it goes past ***my*** Unbound setup. I hope Mozilla/Firefox will fix the two bugs linked above, so I don't have to choose between DNS under my control vs encrypted SNI.
-    * Are you using a VPN? Do they provide a DoH server? If yes, maybe the answer is 5 for eSNI?
+    * Are you using a VPN? Do they provide a DoH server? If yes, maybe the answer is 3 for eSNI?
 * `network.trr.early-AAAA` `true` to hopefully prefer IPv6
 * `network.trr.uri` for the actual resolver address, e.g.
-  `https://dns.quad9.net/dns-query` or `https://149.112.112.112/dns-query` (removes the need for `network.trr.bootstrapAddress` and allows `network.trr.mode` `3`?) or
-  [Privacy Guides list of Encrypted DNS Resolvers](https://privacyguides.org/providers/dns/)
+  `https://doh.mullvad.net/dns-query`
+* `network.trr.disable-ECS` to `false` if preferring speed over privacy or using NextDNS private ECS.
+  * [Wikipedia: EDNS Client Subnet](https://en.wikipedia.org/wiki/EDNS_Client_Subnet)
 
 Some notes:
+* There is also `network.trr.exclude-etc-hosts` for those using `/etc/hosts` for blocking.
 * You can confirm TRR working by visiting `about:networking#dns` where
 you should be seeing DNS cache of Firefox and a lot of `TRR: true`.
-* Quad9 became my preferred resolver through anxiety about other options
-  being small (and possibly more likely to go down) or commercial while
-  Quad9 is non-profit organization and 2019-03-20 apparently the default
-  fallback resolver of dnscrypt-proxy (at least in Debian).
-* Quad9 while having filtering of malicious domains should be easy to figure
-  out as the problem if something doesn't work on my computers as due to the
-  previously mentioned bug I am mainly using it on Firefox.
-* [While investingating how Android 9 Private DNS works, I also wrote a DNS provider comparsion here]({% post_url blog/2019-07-11-android-private-dns-in-practice %})
+* [While investingating how Android 9 Private DNS works, I also wrote a DNS provider comparsion here on 2019-07-11]({% post_url blog/2019-07-11-android-private-dns-in-practice %})
 
-#### SSDs
+## SSDs
 
 This information is from [Arch Wiki on Firefox tweaks](https://wiki.archlinux.org/index.php/Firefox/Tweaks)