From 773f83712ef5843c337375c12679a1711b1a5ddb Mon Sep 17 00:00:00 2001
From: Aminda Suomalainen
Date: Sat, 8 Mar 2025 09:33:22 +0200
Subject: [PATCH] firefox: cleanup
---
conf/firefox-forbidden-policies.js | 36 +++--------------
etc/firefox/policies/policies.json | 64 ++----------------------------
2 files changed, 13 insertions(+), 87 deletions(-)
diff --git a/conf/firefox-forbidden-policies.js b/conf/firefox-forbidden-policies.js
index 5ad4fe80..bbe5426e 100644
--- a/conf/firefox-forbidden-policies.js
+++ b/conf/firefox-forbidden-policies.js
@@ -50,51 +50,25 @@ lockPref( // clearPref("font.name-list.sans-serif.x-western"); // clearPref("font.name-list.serif.x-cyrillic"); // clearPref("font.name-list.serif.x-western"); -// -// Allow these fonts regardless of the fingerprinting resistance -// lockPref( -// "font.system.whitelist", -// "Arimo, Comic Neue, Comic Neue Angular, Comic Neue Angular Light, Comic Neue Angular Light Italic, Comic Neue Light, Cousine, Inclusive Sans, Liberation Mono, Liberation Sans, Liberation Serif, Noto Color Emoji, Noto Emoji, Noto Math, Noto Mono, Noto Sans, Noto Sans CJK JP, Noto Music, Roboto, Roboto Flex, Roboto Mono, Roboto Serif, Tinos, Twemoji Mozilla", -// ); -clearPref("font.system.whitelist"); -// Play animated images only once, accessibility. TODO: Which is the correct one? Update policies.json too! -lockPref("image.animation.mode", "once"); +// Play animated images only once, accessibility. lockPref("image.animation_mode", "once"); // Spoof en-US as language to scripts lockPref("javascript.use_us_english_locale", true); -// DNT although PrivacyBadger from policy handles this -lockPref("privacy.donottrackheader.enabled", true); -lockPref("privacy.donottrackheader.value", 1); - -// More tunable privacy.resistfingerprinting. I have lost the privacy game -// many times before this point, so this is nothing. For the options, -// refer to https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc +// More tunable privacy.resistfingerprinting. +// Refer to https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc lockPref("privacy.fingerprintingProtection", true); -// Somehow I cannot clearPref this, so... 
-//clearPref("privacy.fingerprintingProtection"); -//lockPref("privacy.fingerprintingProtection", false); +lockPref("privacy.fingerprintingProtection.pbmode", true); lockPref( "privacy.fingerprintingProtection.overrides", "+AllTargets,-KeyboardEvents,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-JSDateTimeUTC,-FontVisibilityBaseSystem,-FontVisibilityRestrictGenerics", ); lockPref("browser.display.use_document_fonts", 0); -//clearPref("privacy.fingerprintingProtection.overrides"); -lockPref("privacy.fingerprintingProtection.pbmode", true); -//clearPref("privacy.fingerprintingProtection.pbmode"); -// (Incompatible with the above) -lockPref("privacy.resistFingerprinting", false); -//clearPref("privacy.resistFingerprinting"); -// Breaks installing extensions when true at least on Android -//lockPref("privacy.resistFingerprinting.block_mozAddonManager", false); -clearPref("privacy.resistFingerprinting.block_mozAddonManage"); + // Letterboxing from Tor Browser, I like it in general. lockPref("privacy.resistFingerprinting.letterboxing", true); -// Still Incompatible with the above -//lockPref("privacy.resistFingerprinting.pbmode", false); -clearPref("privacy.resistFingerprinting.pbmode"); // Enables reading mode for all pages (at least in theory) lockPref("reader.parse-on-load.force-enabled", true); diff --git a/etc/firefox/policies/policies.json b/etc/firefox/policies/policies.json index 402c38e5..9de151b8 100644 --- a/etc/firefox/policies/policies.json +++ b/etc/firefox/policies/policies.json 
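Review bot: Removing `lockPref("privacy.resistFingerprinting", false);` and `clearPref("privacy.resistFingerprinting.pbmode");` leaves both prefs unmanaged, although the deleted comments called them incompatible with the `privacy.fingerprintingProtection.overrides` list that stays locked. A profile that already holds a user value of true for either pref would presumably no longer be reset, and the tuned exclusions such as `-KeyboardEvents` may then not behave as intended. The matching policies.json entries removed in the last hunk were, by their own comments, not accepted by the policy engine, so this file looks like the only place the value was pinned. If unlocking is intended, record it with a comment such as `// privacy.resistFingerprinting is deliberately left unmanaged; it conflicts with the FPP overrides above if enabled`; otherwise keep the `lockPref(..., false)` line.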
@@ -162,6 +162,7 @@ "DNSOverHTTPS": { "Comment": "Cloudflare is nowadays the authority on most used domains at radar.cloudflare.com and this also affects everything using most visited domains and I am hoping to boost Finnish domains so PrivacyBadger training will recognise us existing and learn Finnish trackers by default for everyone. Maybe if there are enough Finnish Cloudflare users, this will work.", "Comment2": "On second thought, let's not use DoH. It bypasses encrypted system DNS and DNSSEC validation which the browser won't perform and the other end of DoH cannot be fully trusted. See for example https://notes.valdikss.org.ru/jabber.ru-mitm/", + "Comment3": "Yet another concern is lack of private ECS meaning I won't benefit from edge nodes within my ISP resulting in longer paths for data to take and thus higher energy consumption (aminda.eu/n/dns).", "Enabled": false, "ExcludedDomains": [ "http.badssl.com", @@ -186,14 +187,11 @@ "DisplayBookmarksToolbar": "never", "DontCheckDefaultBrowser": true, "EnableTrackingProtection": { - "Comment": "Managing tracking protection is left for the user unless there is a heavy reason to do otherwise.", - "Cryptomining": true, - "EmailTracking": true, + "Comment": "Strict mode enforced later in the policy.", "Exceptions": [ "https://www.ecosia.org", "https://pp-attester-turnstile.research.cloudflare.com" ], - "Fingerprinting": true, "Locked": false, "Value": true }, @@ -470,8 +468,8 @@ "Value": false }, "browser.ml.chat.provider": { - "Comment": "While not officially supported, defaulting to Ecosia will at least remind me that AI is a severe concern regarding fighting against climate change.", - "Status": "user", + "Comment": "Ask every time which AI to use, if enabled.", + "Status": "clear", "Type": "string", "Value": "https://www.ecosia.org/chat" }, 
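Review bot: In the `EnableTrackingProtection` hunk, dropping `"Cryptomining": true`, `"EmailTracking": true` and `"Fingerprinting": true` makes those categories depend on the strict-mode setting that the new comment says is enforced later, and that setting is not visible in this patch. With `"Locked": false` unchanged, confirm that the later setting is locked and covers all three categories; otherwise they fall back to whatever the profile holds. The comment could name the controlling key so the dependency is traceable, for example `"Comment": "Categories come from <strict-mode key> below; keep in sync."` with the real key filled in.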
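Review bot: `browser.ml.chat.provider` now has `"Status": "clear"` but still carries `"Value": "https://www.ecosia.org/chat"`, which reads as if Ecosia were still being set. As far as I know the Preferences policy does not use `Value` for a cleared preference, so the leftover is misleading rather than harmful. Dropping the `Value` line would match the new comment. The same applies to `browser.tabs.inTitlebar` in the `@@ -516,13 +499,12 @@` hunk, which was also switched to `"clear"` with `"Value": 0` left behind.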
@@ -485,21 +483,6 @@ "Type": "boolean", "Value": false }, - "browser.safebrowsing.blockedURIs.enabled": { - "Status": "locked", - "Type": "boolean", - "Value": true - }, - "browser.safebrowsing.malware.enabled": { - "Status": "locked", - "Type": "boolean", - "Value": true - }, - "browser.safebrowsing.phishing.enabled": { - "Status": "locked", - "Type": "boolean", - "Value": true - }, "browser.sessionstore.warnOnQuit": { "Status": "locked", "Type": "boolean", @@ -516,13 +499,12 @@ "Value": false }, "browser.tabs.groups.enabled": { - "Comment": "TODO: Is this allowed when it lands?", "Status": "default", "Type": "boolean", "Value": true }, "browser.tabs.inTitlebar": { - "Status": "default", + "Status": "clear", "Type": "number", "Value": 0 }, @@ -616,7 +598,7 @@ "Value": true }, "extensions.htmlaboutaddons.recommendations.enabled": { - "Comment": "This means the same, but without personalization.", + "Comment": "No personalized add-on recommendations.", "Status": "locked", "Type": "boolean", "Value": false @@ -725,7 +707,7 @@ "Value": false }, "network.IDN_show_punycode": { - "Comment": "Protection against identically looking unicode domain names", + "Comment": "Use punycode when displaying international domain names.", "Status": "locked", "Type": "boolean", "Value": true @@ -763,7 +745,7 @@ "network.trr.disable-ECS": { "Status": "locked", "Type": "boolean", - "Value": false + "Value": true }, "network.trr.display_fallback_warning": { "Status": "locked", @@ -812,18 +794,6 @@ "Type": "string", "Value": "#ffb700" }, - "privacy.donottrackheader.enabled": { - "Comment": "Preference not allowed for stability reasons. :(", - "Status": "locked", - "Type": "boolean", - "Value": true - }, - "privacy.donottrackheader.value": { - "Comment": "Preference not allowed for stability reasons. :(", - "Status": "locked", - "Type": "number", - "Value": 1 - }, "privacy.fingerprintingProtection": { "Comment": "Preference not allowed for stability reasons. :(", "Status": "locked", 
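Review bot: The `@@ -485,21 +483,6 @@` hunk removes the locked `browser.safebrowsing.blockedURIs.enabled`, `browser.safebrowsing.malware.enabled` and `browser.safebrowsing.phishing.enabled` entries, so phishing and malware blocking is no longer enforced by policy and can be switched off in the profile. For a commit titled cleanup this is a change in enforcement, not only tidying. If the browser defaults are considered sufficient, say so in the commit message; otherwise keep the three entries with `"Status": "locked"`. Profiles in which these prefs were changed before the lock existed should be checked, since removing the lock presumably lets the stored user value take effect again.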
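Review bot: In the `network.IDN_show_punycode` hunk the new comment says what the setting does but drops why it is locked; the old text tied it to look-alike Unicode domain names. Keeping the reason helps the next reader judge whether the lock can be relaxed, for example `"Comment": "Display IDNs as punycode so look-alike (homograph) domain names are visible."`.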
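Review bot: `network.trr.disable-ECS` flips from `false` to `true` without a comment, while the `Comment3` added to `DNSOverHTTPS` in this same commit lists the lack of ECS as a drawback. With DoH set to `"Enabled": false` the pref presumably has no effect today. A one-line `"Comment"` saying that ECS stays off for privacy if TRR is ever re-enabled would stop the two entries from looking contradictory.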
@@ -847,36 +817,18 @@ "Type": "boolean", "Value": true }, - "privacy.resistFingerprinting": { - "Comment": "Preference not allowed for stability reasons. :(", - "Status": "locked", - "Type": "boolean", - "Value": false - }, "privacy.resistFingerprinting.letterboxing": { "Comment": "Preference not allowed for stability reasons. :(", "Status": "locked", "Type": "boolean", "Value": true }, - "privacy.resistFingerprinting.pbmode": { - "Comment": "Preference not allowed for stability reasons. :(", - "Status": "clear", - "Type": "boolean", - "Value": false - }, "privacy.userContext.enabled": { "Comment": "Tab containers", "Status": "locked", "Type": "boolean", "Value": true }, - "privacy.userContext.extension": { - "Comment": "Displays in settings which extension requires container tabs. None. it's this policy. Preference not allowed for stability reasons.", - "Status": "locked", - "Type": "string", - "Value": "" - }, "privacy.userContext.ui.enabled": { "Comment": "Tab containers UI without extensions", "Status": "locked",