diff --git a/conf/.gitignore b/conf/.gitignore index a7436356..78dd72de 100644 --- a/conf/.gitignore +++ b/conf/.gitignore @@ -1,3 +1,4 @@ +librewolf.overrides.cfg librewolf.overrides.cfg.js wireplumber autostart diff --git a/conf/librewolf.overrides.cfg b/conf/librewolf.overrides.cfg deleted file mode 100644 index 087966aa..00000000 --- a/conf/librewolf.overrides.cfg +++ /dev/null @@ -1,441 +0,0 @@ -/** @format */ - -// ~/.{librewolf,var/app/io.gitlab.librewolf-community/.librewolf}/librewolf.overrides.cfg -// The first line of this file is supposed to be empty. - -// This was originally a LibreWolf overrides config beginning with samples from -// https://librewolf.net/docs/settings/ -// later eating https://aminda.eu/browser-extensions#firefox-aboutconfig -// and finally becoming Firefox autoconfig file copied from -// https://codeberg.org/librewolf/settings/src/branch/cxefa/librewolf.cfg - -// NOTE! A lot is commented either for being a note, wrong, TODO, whatever, or most likely in my /etc/firefox/policies/policies.json - -// Firefox autoconfig -pref( - "autoadmin.global_config_url", - "https://codeberg.org/Aminda/shell-things/raw/branch/cxefa/conf/librewolf.overrides.cfg", -); -//pref("general.config.obscure_value", 0); -pref("autoadmin.refresh_interval", 120); -pref("autoadmin.offline_failover", true); -pref("autoadmin.failover_to_cached", true); - -// Interface language -//pref("intl.locale.requested", "eo"); -//pref("intl.regional_prefs.use_os_locales", false); - -// via https://www.ghacks.net/2017/10/27/how-to-enable-firefox-webextensions-on-mozilla-websites/ -//pref("extensions.webextensions.restrictedDomains", ""); -//pref("privacy.resistFingerprinting.block_mozAddonManage", true); -// Block cookie banners. Warning: may result to auto-accepting cookies. -// https://www.ghacks.net/2022/12/24/configure-firefox-to-reject-cookie-banners-automatically/ -pref("cookiebanners.service.mode", 2); -pref("cookiebanners.service.mode.privateBrowsing", 2); -pref("cookiebanners.bannerClicking.enabled", true); - -// https://globalprivacycontrol.org/ the successor of DNT -//pref("privacy.globalprivacycontrol.enabled", true); -pref("privacy.globalprivacycontrol.functionality.enabled", true); -pref("privacy.donottrackheader.enabled", true); -pref("privacy.donottrackheader.value", 1); - -// Conflicts with fingerprintingProtection -pref("privacy.resistFingerprinting", false); -pref("privacy.resistFingerprinting.pbmode", false); -// Enable letterboxing -pref("privacy.resistFingerprinting.letterboxing", true); -// Timezone spoofing. I cannot handle it with many pages. -//pref("privacy.resistFingerprinting.spoofTimezone", false); - -// Fingerprinting protection and what to not protect. Via https://superuser.com/questions/1610744/how-do-i-get-around-resistfingerprinting-setting-my-preferred-firefox-theme-to-l/1815927#1815927 -pref("privacy.fingerprintingProtection", true); -pref("privacy.fingerprintingProtection.pbmode", true); -// Use all protections, except make compromises for accessibility, -// usability and reveal the real platform (voting for Linux -// existing in statistics). https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc -// It's not like I have any uniqueness with `intl.accept_languages` below... -pref( - "privacy.fingerprintingProtection.overrides", - "+AllTargets,-KeyboardEvents,-SpeechSynthesis,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-NavigatorPlatform,-NavigatorUserAgent,-JSDateTimeUTC,-HttpUserAgent,-FontVisibilityRestrictGenerics,-FontVisibilityBaseSystem,-FontVisibilityLangPack", -); - -// :( but fingerprintability -pref("javascript.use_us_english_locale", true); -// This is the privacy.resistfingerprinting value and probably most common -//pref("intl.accept_languages", "en-US, en"); -// Then again I already lost the fingerprintability game. The default on -// Firefox Android for me is `fi-FI,en-FI` which looks like even more losing -// the fingerprinting game. Then again as sending empty accept-language is -// valid ("just give me any"), what if I request only Finnish considering the -// RFC discourages sending rejection if no language matches. -//defaultPref("intl.accept_languages", "fi, en"); -// Apparently even not sending accept-language is more common than Finnish, -// so let's do that. Any language is fine, at least I am not promoting English -// to every web site I visit. -//pref("intl.accept_languages", ""); -// Mi ne plu pensas ĉi tion estas serioza. -//pref("intl.accept_languages", "eo, fi"); - -// No JavaScript allowed in internal pdf viewer -//pref("pdfjs.enableScripting", false); - -// Dark mode -//pref("ui.systemUsesDarkTheme", 1); -//pref("prefers-color-scheme", "dark"); -//pref("pdfjs.viewerCssTheme", 2); - -// Enable Firefox accounts -pref("identity.fxaccounts.enabled", true); - -// Settings on what to clear on quit -// - Goal: let Element Web & co stay logged in -pref("privacy.clearOnShutdown.cache", false); -pref("privacy.clearOnShutdown.cookies", false); -pref("privacy.clearOnShutdown.history", false); -pref("privacy.clearOnShutdown.offlineApps", false); -pref("privacy.clearOnShutdown.openWindows", false); -pref("privacy.clearOnShutdown.sessions", false); -pref("privacy.clearOnShutdown.siteSettings", false); - -// Don't resume from crash (SSD) -defaultPref("browser.sessionstore.resume_from_crash", false); - -// Click to play. https://wiki.mozilla.org/Media/block-autoplay -//pref("media.autoplay.blocking_policy", 2); - -// No corporate CA MITM -//defaultPref("security.certerrors.mitm.auto_enable_enterprise_roots", false); - -// Decrease animations -pref("image.animation_mode", "once"); - -// Punycode -//pref("network.IDN_show_punycode", true); - -// Enforce reader mode enabling? -pref("reader.parse-on-load.force-enabled", true); - -// TRR & ECH -// Mode 2 allows fallback to system resolver, 3 is TTR-only. -//pref("network.trr.mode", 2); -//defaultPref("network.trr.mode", 3); -//pref("network.trr.early-AAAA", true); -//defaultPref("network.trr.uri", "https://dns0.eu/"); -//defaultPref("network.trr.uri", "https://dns11.quad9.net/dns-query"); -//defaultPref("network.trr.uri", "https://dns.adguard-dns.com/dns-query"); -// NOTE: ECH requires TRR, so mode 2 may not use it. -//defaultPref("network.trr.disable-ECS", false); -//pref("network.dns.echconfig.enabled", true); -//pref("network.dns.use_https_rr_as_altsvc", true); -//pref("network.trr.exclude-etc-hosts", false); -//pref("network.trr.excluded-domains", "http.badssl.com,norwegianwifi.com,mywifiext.net,tplinkrepeater.net,router.asus.com"); - -// Default UI scale -//defaultPref("layout.css.devPixelsPerPx", "1.5"); - -// Keep cache on both disk & memory. This is required for -// https://github.com/JimmXinu/FanFicFare/wiki/BrowserCacheFeature -pref("browser.cache.disk.enable", true); -pref("browser.cache.memory.enable", true); - -// Start from homepage, don't restore the previous session (excluding pinned tabs)' -//pref("browser.startup.page", 1); -// Simplified DDG experience without prompts for extension and all -//pref("browser.startup.homepage", "https://start.duckduckgo.com"); -//defaultPref("browser.startup.homepage", "about:mozilla"); - -// https://codeberg.org/librewolf/settings/src/branch/cxefa/librewolf.cfg begins - -/** [SECTION] CONTAINERS - * enable containers and show the settings to control them in the stock ui - */ -//pref("privacy.userContext.enabled", true); -//pref("privacy.userContext.ui.enabled", true); - -//pref("browser.contentblocking.category", "strict"); -pref( - "privacy.partition.always_partition_third_party_non_cookie_storage", - true, -); -pref( - "privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", - false, -); - -/** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */ -pref("browser.privatebrowsing.forceMediaMemoryCache", true); -pref("media.memory_cache_max_size", 65536); -pref("browser.shell.shortcutFavicons", false); // disable favicons in profile folder -pref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps - -/** [SECTION] LOGGING - * these prefs are off by default in the official Mozilla builds, - * so it only makes sense that we also disable them. - * See https://gitlab.com/librewolf-community/settings/-/issues/240 - */ -pref("browser.dom.window.dump.enabled", false); -pref("devtools.console.stdout.chrome", false); - -pref("dom.security.https_only_mode", true); // only allow https in all windows, including private browsing -pref("network.auth.subresource-http-auth-allow", 1); // block HTTP authentication credential dialogs - -/** [SECTION] REFERERS - * to enhance privacy but keep a certain level of usability we trim cross-origin - * referers to only send scheme, host and port, instead of completely avoid sending them. - * as a general rule, the behavior of referes which are not cross-origin should not - * be changed. - */ -//pref("network.http.referer.XOriginTrimmingPolicy", 2); - -/** [SECTION] WEBRTC - * there is no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+. - * the private IP address is only used in trusted environments, eg. allowed camera and mic access. - */ -pref("media.peerconnection.ice.default_address_only", true); // use a single interface for ICE candidates, the vpn one when a vpn is used - -/** [SECTION] PROXY */ -pref("network.gio.supported-protocols", ""); // disable gio as it could bypass proxy -pref("network.file.disable_unc_paths", true); // hidden, disable using uniform naming convention to prevent proxy bypass -pref("network.proxy.socks_remote_dns", true); // forces dns query through the proxy when using one -pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy when one is used - -/** [SECTION] DNS */ -//pref("network.dns.disablePrefetch", true); // disable dns prefetching -pref("network.dns.skipTRR-when-parental-control-enabled", false); // Arkenfox user.js v117 - -/** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS - * disable prefecthing for different things such as links, bookmarks and predictions. - */ -//pref("network.predictor.enabled", false); -//pref("network.prefetch-next", false); -//pref("network.http.speculative-parallel-limit", 0); -//pref("browser.places.speculativeConnect.enabled", false); -// disable speculative connections and domain guessing from the urlbar -pref("browser.urlbar.speculativeConnect.enabled", false); - -// RFP + DarkReader? -Aminda -pref("browser.display.use_system_colors", false); // default, except Win -// RFP I configured by myself before and window size won't affect me due to Sway -// and I manually enabled letterboxing above. -Aminda - -// I am trusting PrivacyBadger and NoScript. -Aminda -pref("webgl.disabled", false); - -/** [SECTION] CERTIFICATES */ -pref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, might cause issues with AVs -/** - * enable safe negotiation and show warning when it is not supported. might cause breakage - * if the the server does not support RFC 5746, in tha case SSL_ERROR_UNSAFE_NEGOTIATION - * will be shown. - */ -pref("security.ssl.require_safe_negotiation", true); -pref("security.ssl.treat_unsafe_negotiation_as_broken", true); -/** - * our strategy with revocation is to perform all possible checks with CRL, but when a cert - * cannot be checked with it we use OCSP stapled with hard-fail, to still keep privacy and - * increase security. - * crlite is in mode 3 by default, which allows us to detect false positive with OCSP. - * in v103, when crlite is fully mature, it will switch to mode 2 and no longer double-check. - */ -pref("security.remote_settings.crlite_filters.enabled", true); -//pref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR - -/** [SECTION] TLS/SSL */ -pref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security -pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref(), default -pref("browser.xul.error_pages.expert_bad_cert", true); // show relevant and advanced issues on warnings and error screens - -/** [SECTION] PERMISSIONS */ -pref("permissions.delegation.enabled", false); // force permission request to show real origin -pref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains - -// Aminda stripped safebrowsing here as even in LibreWolf filtering DNS is used + the extensions. - -// Default (2024-03-29) -//pref("geo.provider.network.url", "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%"); -// Sunset https://github.com/mozilla/ichnaea/issues/2065 -//pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); -// Although I doubt they will improve accuracy, why not? -pref("geo.provider.use_gpsd", true); // [LINUX] -pref("geo.provider.use_geoclue", true); // [LINUX] - -// disable region specific updates from mozilla -pref("browser.region.network.url", ""); -pref("browser.region.update.enabled", false); - -/** [SECTION] SEARCH AND URLBAR - * disable search suggestion and do not update opensearch engines. - */ - -//pref("browser.urlbar.suggest.searches", false); -//pref("browser.search.suggest.enabled", false); -//pref("browser.search.update", false); -//pref("browser.search.separatePrivateDefault", true); // [FF70+] // Arkenfox user.js v119 -pref("browser.search.separatePrivateDefault.ui.enabled", true); // [FF71+] // Arkenfox user.js v119 -pref("browser.urlbar.suggest.mdn", true); - -pref("browser.urlbar.addons.featureGate", false); -pref("browser.urlbar.mdn.featureGate", false); -pref("browser.urlbar.pocket.featureGate", false); -pref("browser.urlbar.trending.featureGate", false); -pref("browser.urlbar.weather.featureGate", false); - -// these are from Arkenfox, I decided to put them here. -pref("browser.download.start_downloads_in_tmp_dir", true); // Arkenfox user.js v118 - -/** - * the pref disables the whole feature and hide it from the ui - * (as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1755057). - * this also includes the best match feature, as it is part of firefox suggest. - */ -pref("browser.urlbar.quicksuggest.enabled", false); -pref("browser.urlbar.suggest.weather", false); // disable weather suggestions in urlbar once they are no longer behind feature gate - -/** [SECTION] DOWNLOADS - * user interaction should always be required for downloads, as a way to enhance security by asking - * the user to specific a certain save location. - */ -pref("browser.download.useDownloadDir", false); -pref("browser.download.autohideButton", false); // do not hide download button automatically -pref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents -pref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu for every download, we already have enough interaction - -/** [SECTION] AUTOPLAY - * block autoplay unless element is right-clicked. this means background videos, videos in a different tab, - * or media opened while other media is played will not start automatically. - * thumbnails will not autoplay unless hovered. exceptions can be set from the UI. - */ -//pref("media.autoplay.default", 5); - -/** [SECTION] POP-UPS AND WINDOWS - * prevent scripts from resizing existing windows and opening new ones, by forcing them into - * new tabs that can't be resized as well. - */ -pref("dom.disable_window_move_resize", true); -pref("browser.link.open_newwindow", 3); -pref("browser.link.open_newwindow.restriction", 0); - -/** [SECTION] MOUSE */ -pref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mouse middle click on new tab button to trigger searches or page loads - -/** [CATEGORY] EXTENSIONS */ - -/** [SECTION] USER INSTALLED - * extensions are allowed to operate on restricted domains, while their scope - * is set to profile+applications (https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/). - * an installation prompt should always be displayed. - */ -//pref("extensions.webextensions.restrictedDomains", ""); -pref("extensions.enabledScopes", 5); // hidden -pref("extensions.postDownloadThirdPartyPrompt", false); -/** - * the pref disables quarantined domains. - * this is a security feature, we should remove it with v116 as there will be a UI to control this per-extension. - * unless we patch remote settings we rely on static dumps. this means even if we did not flip this pref it would - * not make a difference at the moment. - */ -pref("extensions.quarantinedDomains.enabled", false); - -/** [SECTION] SYSTEM - * built-in extension are not allowed to auto-update. additionally the reporter extension - * of webcompat is disabled. urls are stripped for defense in depth. - */ -// Aminda questions the security of not automatically updating built-in extensions. -pref("extensions.systemAddon.update.enabled", true); -//pref("extensions.systemAddon.update.url", ""); -pref("extensions.webcompat-reporter.enabled", false); -pref("extensions.webcompat-reporter.newIssueEndpoint", ""); - -/** [SECTION] LOCKWISE - * disable the default password manager built into the browser, including its autofill - * capabilities and formless login capture. - */ -//pref("signon.rememberSignons", false); -pref("signon.autofillForms", false); -pref("extensions.formautofill.addresses.enabled", false); -pref("extensions.formautofill.creditCards.enabled", false); -pref("signon.formlessCapture.enabled", false); - -/** [SECTION] DEVTOOLS - * disable remote debugging. - */ -pref("devtools.debugger.remote-enabled", false); // default, but subject to branding so keep it -pref("devtools.selfxss.count", 0); // required for devtools console to work - -// Aminda has no idea what is that. -/** [SECTION] SHOPPING - * disable the fakespot shopping sidebar - */ -pref("browser.shopping.experience2023.enabled", false); -pref("browser.shopping.experience2023.optedIn", 2); -pref("browser.shopping.experience2023.active", false); - -/** [SECTION] OTHERS */ -pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist -pref("services.settings.server", "https://%.invalid"); // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code) - -/** [SECTION] NEW TAB PAGE - * we want NTP to display nothing but the search bar without anything distracting. - * the three prefs below are just for minimalism and they should be easy to revert for users. - */ -pref( - "browser.newtabpage.activity-stream.section.highlights.includeDownloads", - false, -); -pref( - "browser.newtabpage.activity-stream.section.highlights.includeVisited", - false, -); -pref("browser.newtabpage.activity-stream.feeds.topsites", false); -// hide stories and sponsored content from Firefox Home -pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); -pref("browser.newtabpage.activity-stream.showSponsored", false); -pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); -// disable telemetry in Firefox Home -pref("browser.newtabpage.activity-stream.feeds.telemetry", false); -pref("browser.newtabpage.activity-stream.telemetry", false); -// hide stories UI in about:preferences#home, empty highlights list -pref( - "browser.newtabpage.activity-stream.feeds.section.topstories.options", - '{"hidden":true}', -); -pref("browser.newtabpage.activity-stream.default.sites", ""); - -/** [SECTION] ABOUT - * remove annoying ui elements from the about pages, including about:protections - */ -//pref("browser.contentblocking.report.lockwise.enabled", false); -//pref("browser.contentblocking.report.hide_vpn_banner", true); -//pref("browser.contentblocking.report.vpn.enabled", false); -//pref("browser.contentblocking.report.show_mobile_app", false); -//pref("browser.vpn_promo.enabled", false); -pref("browser.promo.focus.enabled", false); -// ...about:addons recommendations sections and more -pref("extensions.htmlaboutaddons.recommendations.enabled", false); -pref("extensions.getAddons.showPane", false); -pref("lightweightThemes.getMoreURL", ""); // disable button to get more themes -// ...about:preferences#home -pref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button -// ...and about:config -//pref("browser.aboutConfig.showWarning", false); -// hide about:preferences#moreFromMozilla -pref("browser.preferences.moreFromMozilla", false); - -/** [SECTION] RECOMMENDED - * disable all "recommend as you browse" activity. - */ -pref( - "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", - false, -); -pref( - "browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", - false, -); - -// Maybe Windows specific, but looks useful. -pref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store -pref("security.family_safety.mode", 2); // Remove pre-Win10-specific codepath - -// vim: filetype=javascript diff --git a/conf/librewolf.overrides.cfg b/conf/librewolf.overrides.cfg new file mode 120000 index 00000000..1fa3f275 --- /dev/null +++ b/conf/librewolf.overrides.cfg @@ -0,0 +1 @@ +firefox-forbidden-policies.js \ No newline at end of file