LibreAwoo: heavily take inspiration and practically fork it?

conf/librewolf.overrides.cfg

@@ -1,8 +1,12 @@
-// ~/.{librewolf,var/app/io.gitlab.librewolf-community/.librewolf}/librewolf.overrides.cfg
 
-// LibreWolf override configuration, begins with samples from
+// ~/.{librewolf,var/app/io.gitlab.librewolf-community/.librewolf}/librewolf.overrides.cfg
+// The first line of this file is supposed to be empty.
+
+// This was originally a LibreWolf overrides config beginning with samples from
 // https://librewolf.net/docs/settings/
-// Also incorporates some of https://aminda.eu/browser-extensions#firefox-aboutconfig
+// later eating https://aminda.eu/browser-extensions#firefox-aboutconfig
+// and finally becoming Firefox autoconfig file copied from
+// https://codeberg.org/librewolf/settings/src/branch/master/librewolf.cfg
 
 // -----
 // I often need to refer to these options which aren't yet remembered by heart
@@ -10,8 +14,8 @@
 // Note to self on disabling protection of Mozilla pages. This may be a
 // LibreWolf default so thus commented:
 // via https://www.ghacks.net/2017/10/27/how-to-enable-firefox-webextensions-on-mozilla-websites/
-//pref("extensions.webextensions.restrictedDomains", "");
-//pref("privacy.resistFingerprinting.block_mozAddonManage", true);
+pref("extensions.webextensions.restrictedDomains", "");
+pref("privacy.resistFingerprinting.block_mozAddonManage", true);
 
 // Block cookie banners. Warning: may result to auto-accepting cookies.
 // https://www.ghacks.net/2022/12/24/configure-firefox-to-reject-cookie-banners-automatically/
@@ -43,8 +47,8 @@ defaultPref(
 // Enable letterboxing
 pref("privacy.resistFingerprinting.letterboxing", true);
 
-// Timezone spoofing
-defaultPref("privacy.resistFingerprinting.spoofTimezone", true);
+// Timezone spoofing. Annoying at times, and thinking of other users.
+defaultPref("privacy.resistFingerprinting.spoofTimezone", false);
 
 // Enable Firefox accounts
 defaultPref("identity.fxaccounts.enabled", true);
@@ -62,7 +66,7 @@ pref("privacy.clearOnShutdown.siteSettings", false);
 // Don't resume from crash (SSD)
 pref("browser.sessionstore.resume_from_crash", false);
 
-// Stricter autoplay
+// Click to play. https://wiki.mozilla.org/Media/block-autoplay
 pref("media.autoplay.blocking_policy", 2);
 
 // No corporate CA MITM
@@ -107,4 +111,285 @@ defaultPref("browser.startup.page", 1);
 // Simplified DDG experience without prompts for extension and all
 defaultPref("browser.startup.homepage", "https://start.duckduckgo.com");
 
+// https://codeberg.org/librewolf/settings/src/branch/master/librewolf.cfg begins
+
+pref("browser.contentblocking.category", "strict");
+pref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
+pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false);
+
+/** prevent media cache from being written to disk in pb, but increase max cache size to avoid playback issues */
+defaultPref("browser.privatebrowsing.forceMediaMemoryCache", true);
+defaultPref("media.memory_cache_max_size", 65536);
+defaultPref("browser.shell.shortcutFavicons", false); // disable favicons in profile folder
+defaultPref("browser.helperApps.deleteTempFileOnExit", true); // delete temporary files opened with external apps
+
+/** [SECTION] LOGGING
+ * these prefs are off by default in the official Mozilla builds,
+ * so it only makes sense that we also disable them.
+ * See https://gitlab.com/librewolf-community/settings/-/issues/240
+ */
+pref("browser.dom.window.dump.enabled", false);
+pref("devtools.console.stdout.chrome", false);
+
+pref("dom.security.https_only_mode", true); // only allow https in all windows, including private browsing
+pref("network.auth.subresource-http-auth-allow", 1); // block HTTP authentication credential dialogs
+
+/** [SECTION] REFERERS
+ * to enhance privacy but keep a certain level of usability we trim cross-origin
+ * referers to only send scheme, host and port, instead of completely avoid sending them.
+ * as a general rule, the behavior of referes which are not cross-origin should not
+ * be changed.
+ */
+defaultPref("network.http.referer.XOriginTrimmingPolicy", 2);
+
+/** [SECTION] WEBRTC
+ * there is no point in disabling webrtc as mDNS protects the private IP on linux, osx and win10+.
+ * the private IP address is only used in trusted environments, eg. allowed camera and mic access.
+ */
+defaultPref("media.peerconnection.ice.default_address_only", true); // use a single interface for ICE candidates, the vpn one when a vpn is used
+
+/** [SECTION] PROXY */
+defaultPref("network.gio.supported-protocols", ""); // disable gio as it could bypass proxy
+defaultPref("network.file.disable_unc_paths", true); // hidden, disable using uniform naming convention to prevent proxy bypass
+defaultPref("network.proxy.socks_remote_dns", true); // forces dns query through the proxy when using one
+defaultPref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // force webrtc inside proxy when one is used
+
+/** [SECTION] DNS */
+defaultPref("network.dns.disablePrefetch", true); // disable dns prefetching
+pref("network.dns.skipTRR-when-parental-control-enabled", false);  // Arkenfox user.js v117
+
+/** [SECTION] PREFETCHING AND SPECULATIVE CONNECTIONS
+ * disable prefecthing for different things such as links, bookmarks and predictions.
+ */
+pref("network.predictor.enabled", false);
+pref("network.prefetch-next", false);
+pref("network.http.speculative-parallel-limit", 0);
+defaultPref("browser.places.speculativeConnect.enabled", false);
+// disable speculative connections and domain guessing from the urlbar
+defaultPref("browser.urlbar.speculativeConnect.enabled", false);
+
+// RFP + DarkReader? -Aminda
+defaultPref("browser.display.use_system_colors", false); // default, except Win
+// RFP I configured by myself before and window size won't affect me due to Sway
+// and I manually enabled letterboxing above. -Aminda
+
+// I am trusting PrivacyBadger and NoScript. -Aminda
+pref("webgl.disabled", false);
+
+/** [SECTION] CERTIFICATES */
+defaultPref("security.cert_pinning.enforcement_level", 2); // enable strict public key pinning, might cause issues with AVs
+/**
+ * enable safe negotiation and show warning when it is not supported. might cause breakage
+ * if the the server does not support RFC 5746, in tha case SSL_ERROR_UNSAFE_NEGOTIATION
+ * will be shown.
+ */
+pref("security.ssl.require_safe_negotiation", true);
+pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
+/**
+ * our strategy with revocation is to perform all possible checks with CRL, but when a cert
+ * cannot be checked with it we use OCSP stapled with hard-fail, to still keep privacy and
+ * increase security.
+ * crlite is in mode 3 by default, which allows us to detect false positive with OCSP.
+ * in v103, when crlite is fully mature, it will switch to mode 2 and no longer double-check.
+ */
+defaultPref("security.remote_settings.crlite_filters.enabled", true);
+pref("security.OCSP.require", true); // set to hard-fail, might cause SEC_ERROR_OCSP_SERVER_ERROR
+
+/** [SECTION] TLS/SSL */
+pref("security.tls.enable_0rtt_data", false); // disable 0 RTT to improve tls 1.3 security
+pref("security.tls.version.enable-deprecated", false); // make TLS downgrades session only by enforcing it with pref(), default
+defaultPref("browser.xul.error_pages.expert_bad_cert", true); // show relevant and advanced issues on warnings and error screens
+
+/** [SECTION] PERMISSIONS */
+pref("permissions.delegation.enabled", false); // force permission request to show real origin
+pref("permissions.manager.defaultsUrl", ""); // revoke special permissions for some mozilla domains
+
+// Aminda stripped safebrowsing here as even in LibreWolf filtering DNS is used + the extensions.
+
+pref("pdfjs.enableScripting", false); // disable js scripting in the built-in pdf reader
+
+pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
+// Although I doubt they will improve accuracy, why not?
+pref("geo.provider.use_gpsd", true); // [LINUX]
+pref("geo.provider.use_geoclue", true); // [LINUX]
+
+// Aminda: :(
+/** [SECTION] LANGUAGE
+ * show language as en-US for all users, regardless of their OS language and browser language.
+ * both prefs must use pref() and not defaultPref to work.
+ */
+pref("javascript.use_us_english_locale", true);
+pref("intl.accept_languages", "en-US, en");
+// disable region specific updates from mozilla
+pref("browser.region.network.url", "");
+pref("browser.region.update.enabled", false);
+
+/** [SECTION] SEARCH AND URLBAR
+ * disable search suggestion and do not update opensearch engines.
+ */
+
+defaultPref("browser.urlbar.suggest.searches", false);
+defaultPref("browser.search.suggest.enabled", false);
+defaultPref("browser.search.update", false);
+defaultPref("browser.search.separatePrivateDefault", true); // [FF70+] // Arkenfox user.js v119
+defaultPref("browser.search.separatePrivateDefault.ui.enabled", true); // [FF71+]  // Arkenfox user.js v119
+defaultPref("browser.urlbar.suggest.mdn", true);
+
+defaultPref("browser.urlbar.addons.featureGate", false);
+defaultPref("browser.urlbar.mdn.featureGate", false);
+defaultPref("browser.urlbar.pocket.featureGate", false);
+defaultPref("browser.urlbar.trending.featureGate", false);
+defaultPref("browser.urlbar.weather.featureGate", false);
+
+// these are from Arkenfox, I decided to put them here.
+defaultPref("browser.download.start_downloads_in_tmp_dir", true); // Arkenfox user.js v118
+
+
+/**
+ * the pref disables the whole feature and hide it from the ui
+ * (as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1755057).
+ * this also includes the best match feature, as it is part of firefox suggest.
+ */
+pref("browser.urlbar.quicksuggest.enabled", false);
+defaultPref("browser.urlbar.suggest.weather", false); // disable weather suggestions in urlbar once they are no longer behind feature gate
+
+/** [SECTION] DOWNLOADS
+ * user interaction should always be required for downloads, as a way to enhance security by asking
+ * the user to specific a certain save location.
+ */
+defaultPref("browser.download.useDownloadDir", false);
+defaultPref("browser.download.autohideButton", false); // do not hide download button automatically
+defaultPref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents
+defaultPref("browser.download.alwaysOpenPanel", false); // do not expand toolbar menu for every download, we already have enough interaction
+
+/** [SECTION] AUTOPLAY
+ * block autoplay unless element is right-clicked. this means background videos, videos in a different tab,
+ * or media opened while other media is played will not start automatically.
+ * thumbnails will not autoplay unless hovered. exceptions can be set from the UI.
+ */
+defaultPref("media.autoplay.default", 5);
+
+/** [SECTION] POP-UPS AND WINDOWS
+ * prevent scripts from resizing existing windows and opening new ones, by forcing them into
+ * new tabs that can't be resized as well.
+ */
+defaultPref("dom.disable_window_move_resize", true);
+defaultPref("browser.link.open_newwindow", 3);
+defaultPref("browser.link.open_newwindow.restriction", 0);
+
+/** [SECTION] MOUSE */
+defaultPref("browser.tabs.searchclipboardfor.middleclick", false); // prevent mouse middle click on new tab button to trigger searches or page loads
+
+
+
+/** [CATEGORY] EXTENSIONS */
+
+/** [SECTION] USER INSTALLED
+ * extensions are allowed to operate on restricted domains, while their scope
+ * is set to profile+applications (https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/).
+ * an installation prompt should always be displayed.
+ */
+//defaultPref("extensions.webextensions.restrictedDomains", "");
+defaultPref("extensions.enabledScopes", 5); // hidden
+defaultPref("extensions.postDownloadThirdPartyPrompt", false);
+/**
+ * the pref disables quarantined domains.
+ * this is a security feature, we should remove it with v116 as there will be a UI to control this per-extension.
+ * unless we patch remote settings we rely on static dumps. this means even if we did not flip this pref it would
+ * not make a difference at the moment.
+ */
+defaultPref("extensions.quarantinedDomains.enabled", false);
+
+/** [SECTION] SYSTEM
+ * built-in extension are not allowed to auto-update. additionally the reporter extension
+ * of webcompat is disabled. urls are stripped for defense in depth.
+ */
+// Aminda questions the security of not automatically updating built-in extensions.
+pref("extensions.systemAddon.update.enabled", true);
+//defaultPref("extensions.systemAddon.update.url", "");
+lockPref("extensions.webcompat-reporter.enabled", false);
+lockPref("extensions.webcompat-reporter.newIssueEndpoint", "");
+
+/** [SECTION] LOCKWISE
+ * disable the default password manager built into the browser, including its autofill
+ * capabilities and formless login capture.
+ */
+defaultPref("signon.rememberSignons", false);
+defaultPref("signon.autofillForms", false);
+defaultPref("extensions.formautofill.addresses.enabled", false);
+defaultPref("extensions.formautofill.creditCards.enabled", false);
+defaultPref("signon.formlessCapture.enabled", false);
+
+/** [SECTION] CONTAINERS
+ * enable containers and show the settings to control them in the stock ui
+ */
+defaultPref("privacy.userContext.enabled", true);
+defaultPref("privacy.userContext.ui.enabled", true);
+
+/** [SECTION] DEVTOOLS
+ * disable remote debugging.
+ */
+pref("devtools.debugger.remote-enabled", false); // default, but subject to branding so keep it
+defaultPref("devtools.selfxss.count", 0); // required for devtools console to work
+
+// Aminda has no idea what is that.
+/** [SECTION] SHOPPING
+ * disable the fakespot shopping sidebar
+ */
+defaultPref("browser.shopping.experience2023.enabled", false);
+defaultPref("browser.shopping.experience2023.optedIn", 2);
+defaultPref("browser.shopping.experience2023.active", false);
+
+/** [SECTION] OTHERS */
+pref("webchannel.allowObject.urlWhitelist", ""); // remove web channel whitelist
+defaultPref("services.settings.server", "https://%.invalid") // set the remote settings URL (REMOTE_SETTINGS_SERVER_URL in the code)
+
+/** [SECTION] NEW TAB PAGE
+ * we want NTP to display nothing but the search bar without anything distracting.
+ * the three prefs below are just for minimalism and they should be easy to revert for users.
+ */
+defaultPref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
+defaultPref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);
+defaultPref("browser.newtabpage.activity-stream.feeds.topsites", false);
+// hide stories and sponsored content from Firefox Home
+lockPref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
+lockPref("browser.newtabpage.activity-stream.showSponsored", false);
+lockPref("browser.newtabpage.activity-stream.showSponsoredTopSites", false);
+// disable telemetry in Firefox Home
+lockPref("browser.newtabpage.activity-stream.feeds.telemetry", false);
+lockPref("browser.newtabpage.activity-stream.telemetry", false);
+// hide stories UI in about:preferences#home, empty highlights list
+lockPref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"hidden\":true}");
+lockPref("browser.newtabpage.activity-stream.default.sites", "");
+
+/** [SECTION] ABOUT
+ * remove annoying ui elements from the about pages, including about:protections
+ */
+defaultPref("browser.contentblocking.report.lockwise.enabled", false);
+lockPref("browser.contentblocking.report.hide_vpn_banner", true);
+lockPref("browser.contentblocking.report.vpn.enabled", false);
+lockPref("browser.contentblocking.report.show_mobile_app", false);
+lockPref("browser.vpn_promo.enabled", false);
+lockPref("browser.promo.focus.enabled", false);
+// ...about:addons recommendations sections and more
+defaultPref("extensions.htmlaboutaddons.recommendations.enabled", false);
+defaultPref("extensions.getAddons.showPane", false);
+defaultPref("lightweightThemes.getMoreURL", ""); // disable button to get more themes
+// ...about:preferences#home
+defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button
+// ...and about:config
+defaultPref("browser.aboutConfig.showWarning", false);
+// hide about:preferences#moreFromMozilla
+defaultPref("browser.preferences.moreFromMozilla", false);
+
+/** [SECTION] RECOMMENDED
+ * disable all "recommend as you browse" activity.
+ */
+lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
+lockPref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
+
+// Maybe Windows specific, but looks useful.
+defaultPref("network.protocol-handler.external.ms-windows-store", false); // prevent links from launching windows store
+lockPref("security.family_safety.mode", 2); // Remove pre-Win10-specific codepath
+
 // vim: filetype=javascript