chromium/managed: merge enable-ech-ocsp.json into https-everywhere.json

This will not appear on my blog post. ECH is enough offtopic and OCSP would only bring argument on whether it's useful and is that usefulness more important than privacy leakage to non-ocsp-stapling websites.
firefox & chromium: accidentally silence DuckDuckGo post-install
2025-08-19 04:47:19 +02:00 · 2024-05-17 16:15:34 +03:00 · 2024-05-17 14:28:33 +03:00 · 2024-05-17 11:05:31 +03:00 · 2024-05-17 08:31:13 +03:00
7 changed files with 53 additions and 18 deletions
--- a/etc/firefox/policies/README.md
+++ b/etc/firefox/policies/README.md
@ -15,6 +15,7 @@ per whatever I am doing.
 - [WARNING TO LIBREWOLF USERS](#warning-to-librewolf-users)
 - [General warning](#general-warning)
 - [Extensions](#extensions)
+  - [DuckDuckGo](#duckduckgo)
  - [Privacy Badger](#privacy-badger)
    - [Duplicate](#duplicate)
 - [Search engines](#search-engines)
@ -44,6 +45,13 @@ errors in `about:config` depending on the release channel or even all of them.

 They are mostly self-explanatory.

+### DuckDuckGo
+
+- `jid1-ZAdIEUB7XOzOJw@jetpack`
+
+Although it's not installed, I accidentally learned to manage it to tell it to
+shut up on install, because I know what is DuckDuckGo.
+
 ### Privacy Badger

 - `jid1-MnnxcxisBPnSXQ-eff@jetpack` - Downloaded directly from EFF.
--- a/etc/firefox/policies/policies.json
+++ b/etc/firefox/policies/policies.json
@ -64,6 +64,9 @@
          "showCounter": true,
          "showIntroPage": false,
          "socialWidgetReplacementEnabled": true
+        },
+        "jid1-ZAdIEUB7XOzOJw@jetpack": {
+          "hasSeenPostInstall": true
        }
      }
    },
@ -198,6 +201,10 @@
      "{a6c4a591-f1b2-4f03-b3ff-767e5bedf4e7}": {
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/user-agent-string-switcher/latest.xpi",
        "installation_mode": "normal_installed"
+      },
+      "{b5501fd1-7084-45c5-9aa6-567c2fcf5dc6}": {
+        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ruffle_rs/latest.xpi",
+        "installation_mode": "normal_installed"
      }
    },
    "FirefoxHome": {
--- a/etc/init-browser-policies.bash
+++ b/etc/init-browser-policies.bash
@ -29,9 +29,8 @@ printf "WARNING! LibreWolf default profile may be masked!\nhttps://codeberg.org/
 ln -fnsv /etc/firefox /etc/firefox-esr

 # Chromium
-mkdir -vp /etc/opt/chromium/policies/managed
+mkdir -vp /etc/opt/chromium/policies/{managed,recommended}
 chmod -v a+rx /etc/opt/chromium/policies/
-mkdir -vp /etc/opt/chromium/policies/recommended
 chmod -v a+rx /etc/opt/chromium/policies/{managed,recommended}/

 # Brave
--- a/etc/opt/chromium/policies/managed/README.md
+++ b/etc/opt/chromium/policies/managed/README.md
@ -10,9 +10,11 @@

 - [`amber-theme-colour.json.sample`](#amber-theme-colourjsonsample)
 - [`aminda-extensions.json`](#aminda-extensionsjson)
+  - [3rdparty](#3rdparty)
  - [Silk - Privacy Pass Client for the browser](#silk---privacy-pass-client-for-the-browser)
  - [Plasma Integration](#plasma-integration)
  - [uBlock Origin](#ublock-origin)
+  - [Ruffle](#ruffle)
  - [HTTP Indicator](#http-indicator)
  - [Fedora User Agent](#fedora-user-agent)
  - [IPvFooBar](#ipvfoobar)
@ -40,7 +42,6 @@
 - [`edge-newtabapps.json`](#edge-newtabappsjson)
 - [`edge-screenshots.json`](#edge-screenshotsjson)
 - [`enable-chromecast.json`](#enable-chromecastjson)
- [`enable-ech-ocsp.json`](#enable-ech-ocspjson)
 - [`enable-labs.json`](#enable-labsjson)
 - [`enable-passwordleakdetection.json`](#enable-passwordleakdetectionjson)
 - [`enable-tab-suspend.json`](#enable-tab-suspendjson)
@ -74,6 +75,13 @@ even overlapping extensions, but there is an important side goal of _teaching
 users to disable extraneous extensions they don't need_ (unless I decide they
 do need something and thus it's `force_installed`.

+### 3rdparty
+
+- `bkdgflcldnnnapblkhphbgpggdiikppg` - DuckDuckGo
+- `caoacbimdbbljakfhgikoodekdnlcgpk` - DuckDuckGo
+- `mlojlfildnehdpnlmpkeiiglhhkofhpb` - AdNauseam
+- `pkehgijcmpdhfbdbbnkijodmdjhbjlgp` - PrivacyBadger
+
 ### [Silk - Privacy Pass Client for the browser](https://chrome.google.com/webstore/detail/ajhmfdgkijocedmfjonnpjfojldioehi)

 - `ajhmfdgkijocedmfjonnpjfojldioehi`
@ -100,6 +108,12 @@ downloads indicator/control, KDE Connect, alt-f2, etc.

 Blocked for Ad Nauseam

+### [Ruffle](https://chrome.google.com/webstore/detail/donbcfbmhbcapadipfkeojnmajbakjdc)
+
+Actively developed open source extension to revive Flash content on the web.
+It can also be embedded to webpages, but I would prefer my family to use a
+newer version than hope everyone keeps their websites up-to-date.
+
 ### [HTTP Indicator](https://chromewebstore.google.com/detail/http-indicator/hgcomhbcacfkpffiphlmnlhpppcjgmbl)

 - `hgcomhbcacfkpffiphlmnlhpppcjgmbl`
@ -250,16 +264,6 @@ Explicitly enables screenshotting-

 Explicitly enables Chromecast support.

-## `enable-ech-ocsp.json`
-
-Enables encrypted client hello (ECH) and Online Certificate Status Protocol
-(OCSP)/Certificate Revocation List (CRL) checks.
-
-However ECH requires `"DnsOverHttpsMode": "secure"` which will break things
-(and thus my files don't enable it),
-or it will occassionally get disabled (I hope they implement it with system
-resolver soon).
-
 ## `enable-labs.json`

 Enables the beaker button "Experiments" for easier management than `about:flags`.
@ -289,7 +293,14 @@ back to Google about them.

 ## `https-everywhere.json`

-Enforces https and attempts to upgrade http to https.
+This file evolved to merge another one, so now it:
+
+- Online Certificate Status Protocol (OCSP), and Certivicate Revokation List
+  (CRL) checks.
+- Enables Encrypted Client-Hello (ECH), which however requires DNS-Over-HTTPS
+  to be used.
+- Forces HTTPS-only mode to be enabled.
+- Attempts to upgrade `http://` queries to `https://`

 ## `README.md`

--- a/etc/opt/chromium/policies/managed/aminda-extensions.json
+++ b/etc/opt/chromium/policies/managed/aminda-extensions.json
@ -1,6 +1,12 @@
 {
  "3rdparty": {
    "extensions": {
+      "bkdgflcldnnnapblkhphbgpggdiikppg": {
+        "hasSeenPostInstall": true
+      },
+      "caoacbimdbbljakfhgikoodekdnlcgpk": {
+        "hasSeenPostInstall": true
+      },
      "mlojlfildnehdpnlmpkeiiglhhkofhpb": {
        "toAdd": {
          "trustedSiteDirectives": [
@ -83,6 +89,12 @@
      "blocked_install_message": "uBlock Origin on integroitu AdNauseamiin, joka on forkki siitä.",
      "installation_mode": "blocked"
    },
+    "donbcfbmhbcapadipfkeojnmajbakjdc": {
+      "installation_mode": "normal_installed",
+      "override_update_url": true,
+      "toolbar_pin": "default_unpinned",
+      "update_url": "https://clients2.google.com/service/update2/crx"
+    },
    "hgcomhbcacfkpffiphlmnlhpppcjgmbl": {
      "installation_mode": "normal_installed",
      "override_update_url": true,
--- a/etc/opt/chromium/policies/managed/enable-ech-ocsp.json
+++ b/etc/opt/chromium/policies/managed/enable-ech-ocsp.json
@ -1,4 +0,0 @@
-{
-  "EnableOnlineRevocationChecks": true,
-  "EncryptedClientHelloEnabled": true
-}
--- a/etc/opt/chromium/policies/managed/https-everywhere.json
+++ b/etc/opt/chromium/policies/managed/https-everywhere.json
@ -1,4 +1,6 @@
 {
+  "EnableOnlineRevocationChecks": true,
+  "EncryptedClientHelloEnabled": true,
  "HttpsOnlyMode": "force_enabled",
  "HttpsUpgradesEnabled": true
 }
Author	SHA1	Message	Date
Aminda Suomalainen	38c331494c	chromium/managed: merge enable-ech-ocsp.json into https-everywhere.json This will not appear on my blog post. ECH is enough offtopic and OCSP would only bring argument on whether it's useful and is that usefulness more important than privacy leakage to non-ocsp-stapling websites.	2024-05-17 16:15:34 +03:00
Aminda Suomalainen	fb57ae0ea5	firefox & chromium: accidentally silence DuckDuckGo post-install	2024-05-17 14:28:33 +03:00
Aminda Suomalainen	c92ded3ad3	firefox & chromium: add Ruffle.rs	2024-05-17 11:05:31 +03:00
Aminda Suomalainen	9f8eaab73d	init-browser-policies.bash: why am I creating managed & recommended separately? Let's not	2024-05-17 08:31:13 +03:00