firefox: comment browser.tabs.inTitlebar

conf/firefox-forbidden-policies.js

@@ -22,27 +22,27 @@ lockPref("cookiebanners.service.mode.privateBrowsing", 2);
 // but obviously this is forbidden in policies.json!
 lockPref(
 	"font.name-list.monospace.x-cyrillic",
-	"ui-monospace, Roboto Mono, Liberation Mono, Noto Sans Mono, monospace",
+	"Comic Shanns Mono, Roboto Mono, Liberation Mono, Noto Sans Mono, monospace",
 );
 lockPref(
 	"font.name-list.monospace.x-western",
-	"ui-monospace, Roboto Mono, Liberation Mono, Noto Sans Mono, monospace",
+	"Comic Shanns Mono, Roboto Mono, Liberation Mono, Noto Sans Mono, monospace",
 );
 lockPref(
 	"font.name-list.sans-serif.x-cyrillic",
-	"ui-sans-serif, system-ui, Inclusive Sans, Roboto, Liberation Sans, Noto Sans, sans-serif",
+	"Inclusive Sans, Roboto, Liberation Sans, Noto Sans, sans-serif",
 );
 lockPref(
 	"font.name-list.sans-serif.x-western",
-	"ui-sans-serif, system-ui, Inclusive Sans, Liberation Sans, Comic Neue, Roboto, Noto Sans, sans-serif",
+	"Inclusive Sans, Liberation Sans, Comic Neue, Roboto, Noto Sans, sans-serif",
 );
 lockPref(
 	"font.name-list.serif.x-cyrillic",
-	"ui-serif, Liberation Serif, Roboto Serif, Noto Serif, serif",
+	"Inclusive Sans, Liberation Serif, Roboto Serif, Noto Serif, serif",
 );
 lockPref(
 	"font.name-list.serif.x-western",
-	"ui-serif, Liberation Serif, Roboto Serif, Noto Serif, serif",
+	"Inclusive Sans, Liberation Serif, Roboto Serif, Noto Serif, serif",
 );
 // clearPref("font.name-list.monospace.x-cyrillic");
 // clearPref("font.name-list.monospace.x-western");
@@ -50,50 +50,25 @@ lockPref(
 // clearPref("font.name-list.sans-serif.x-western");
 // clearPref("font.name-list.serif.x-cyrillic");
 // clearPref("font.name-list.serif.x-western");
-//
-// Allow these fonts regardless of the fingerprinting resistance
-// lockPref(
-// 	"font.system.whitelist",
-// 	"Arimo, Comic Neue, Comic Neue Angular, Comic Neue Angular Light, Comic Neue Angular Light Italic, Comic Neue Light, Cousine, Inclusive Sans, Liberation Mono, Liberation Sans, Liberation Serif, Noto Color Emoji, Noto Emoji, Noto Math, Noto Mono, Noto Sans, Noto Sans CJK JP, Noto Music, Roboto, Roboto Flex, Roboto Mono, Roboto Serif, Tinos, Twemoji Mozilla",
-// );
-clearPref("font.system.whitelist");
 
-// Play animated images only once, accessibility. TODO: Which is the correct one? Update policies.json too!
+// Play animated images only once, accessibility.
-lockPref("image.animation.mode", "once");
 lockPref("image.animation_mode", "once");
 
 // Spoof en-US as language to scripts
 lockPref("javascript.use_us_english_locale", true);
 
-// DNT although PrivacyBadger from policy handles this
+// More tunable privacy.resistfingerprinting.
-lockPref("privacy.donottrackheader.enabled", true);
+// Refer to https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc
-lockPref("privacy.donottrackheader.value", 1);
-
-// More tunable privacy.resistfingerprinting. I have lost the privacy game
-// many times before this point, so this is nothing.  For the options,
-// refer to https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc
 lockPref("privacy.fingerprintingProtection", true);
-// Somehow I cannot clearPref this, so...
-//clearPref("privacy.fingerprintingProtection");
-//lockPref("privacy.fingerprintingProtection", false);
-pref(
-	"privacy.fingerprintingProtection.overrides",
-	"+AllTargets,-KeyboardEvents,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-JSDateTimeUTC",
-);
-//clearPref("privacy.fingerprintingProtection.overrides");
 lockPref("privacy.fingerprintingProtection.pbmode", true);
-//clearPref("privacy.fingerprintingProtection.pbmode");
+lockPref(
-// (Incompatible with the above)
+	"privacy.fingerprintingProtection.overrides",
-lockPref("privacy.resistFingerprinting", false);
+	"+AllTargets,-KeyboardEvents,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-JSDateTimeUTC,-FontVisibilityBaseSystem,-FontVisibilityRestrictGenerics",
-//clearPref("privacy.resistFingerprinting");
+);
-// Breaks installing extensions when true at least on Android
+lockPref("browser.display.use_document_fonts", 0);
-//lockPref("privacy.resistFingerprinting.block_mozAddonManager", false);
+
-clearPref("privacy.resistFingerprinting.block_mozAddonManage");
 // Letterboxing from Tor Browser, I like it in general.
 lockPref("privacy.resistFingerprinting.letterboxing", true);
-// Still Incompatible with the above
-//lockPref("privacy.resistFingerprinting.pbmode", false);
-clearPref("privacy.resistFingerprinting.pbmode");
 
 // Enables reading mode for all pages (at least in theory)
 lockPref("reader.parse-on-load.force-enabled", true);
@@ -111,8 +86,5 @@ lockPref("sidebar.revamp", true);
 lockPref("sidebar.verticalTabs", true);
 lockPref("sidebar.visibility", "always-show");
 
-// Tab groups. TODO: Are these allowed? I am on ESR, so it does nothing yet.
-lockPref("browser.tabs.groups.enabled", true);
-
 // No making configuration on the last line of the file!
 //

etc/firefox/policies/policies.json

@@ -162,6 +162,7 @@
 		"DNSOverHTTPS": {
 			"Comment": "Cloudflare is nowadays the authority on most used domains at radar.cloudflare.com and this also affects everything using most visited domains and I am hoping to boost Finnish domains so PrivacyBadger training will recognise us existing and learn Finnish trackers by default for everyone. Maybe if there are enough Finnish Cloudflare users, this will work.",
 			"Comment2": "On second thought, let's not use DoH. It bypasses encrypted system DNS and DNSSEC validation which the browser won't perform and the other end of DoH cannot be fully trusted. See for example https://notes.valdikss.org.ru/jabber.ru-mitm/",
+			"Comment3": "Yet another concern is lack of private ECS meaning I won't benefit from edge nodes within my ISP resulting in longer paths for data to take and thus higher energy consumption (aminda.eu/n/dns).",
 			"Enabled": false,
 			"ExcludedDomains": [
 				"http.badssl.com",
@@ -186,14 +187,11 @@
 		"DisplayBookmarksToolbar": "never",
 		"DontCheckDefaultBrowser": true,
 		"EnableTrackingProtection": {
-			"Comment": "Managing tracking protection is left for the user unless there is a heavy reason to do otherwise.",
+			"Comment": "Strict mode enforced later in the policy.",
-			"Cryptomining": true,
-			"EmailTracking": true,
 			"Exceptions": [
 				"https://www.ecosia.org",
 				"https://pp-attester-turnstile.research.cloudflare.com"
 			],
-			"Fingerprinting": true,
 			"Locked": false,
 			"Value": true
 		},
@@ -214,6 +212,14 @@
 				"installation_mode": "normal_installed",
 				"private_browsing": false
 			},
+			"CanvasBlocker@kkapsner.de": {
+				"comment": "Requested by LibreAwoo for those who don't have RFP/FPP, neither of which I can specify through this policy. Additionally its own description says compatible with the Firefox integrated one.",
+				"default_area": "menupanel",
+				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/canvasblocker/latest.xpi",
+				"installation_mode": "force_installed",
+				"private_browsing": true,
+				"restricted_domains": []
+			},
 			"addon@darkreader.org": {
 				"default_area": "navbar",
 				"install_url": "https://addons.mozilla.org/firefox/downloads/latest/darkreader/latest.xpi",
@@ -450,8 +456,8 @@
 				"Value": false
 			},
 			"browser.display.use_document_fonts": {
-				"Comment": "Are webpages allowed to set their own fonts by default? 0 forbids them. See also browser.display.use_document_fonts.icon_font_allowlist for what webpages are allowed to set.",
+				"Comment": "Are webpages allowed to set their own fonts by default? 0 forbids them. See also browser.display.use_document_fonts.icon_font_allowlist for what webpages are allowed to set. If changing this, see also fingerprinting overrides",
-				"Status": "user",
+				"Status": "locked",
 				"Type": "number",
 				"Value": 0
 			},
@@ -462,8 +468,8 @@
 				"Value": false
 			},
 			"browser.ml.chat.provider": {
-				"Comment": "While not officially supported, defaulting to Ecosia will at least remind me that AI is a severe concern regarding fighting against climate change.",
+				"Comment": "Ask every time which AI to use, if enabled.",
-				"Status": "user",
+				"Status": "clear",
 				"Type": "string",
 				"Value": "https://www.ecosia.org/chat"
 			},
@@ -478,19 +484,52 @@
 				"Value": false
 			},
 			"browser.safebrowsing.blockedURIs.enabled": {
+				"Comment": "Disable Google Safe Browsing via LibreAwoo. Handled by system DNS or uBlock Origin.",
 				"Status": "locked",
 				"Type": "boolean",
-				"Value": true
+				"Value": false
+			},
+			"browser.safebrowsing.downloads.enabled": {
+				"Comment": "Disable Google Safe Browsing via LibreAwoo. Handled by system DNS or uBlock Origin.",
+				"Status": "locked",
+				"Type": "boolean",
+				"Value": false
 			},
 			"browser.safebrowsing.malware.enabled": {
+				"Comment": "Disable Google Safe Browsing via LibreAwoo. Handled by system DNS or uBlock Origin.",
 				"Status": "locked",
 				"Type": "boolean",
-				"Value": true
+				"Value": false
 			},
 			"browser.safebrowsing.phishing.enabled": {
+				"Comment": "Disable Google Safe Browsing via LibreAwoo. Handled by system DNS or uBlock Origin.",
 				"Status": "locked",
 				"Type": "boolean",
-				"Value": true
+				"Value": false
+			},
+			"browser.safebrowsing.provider.google.gethashURL": {
+				"Comment": "Disable Google Safe Browsing via LibreAwoo. Handled by system DNS or uBlock Origin.",
+				"Status": "locked",
+				"Type": "string",
+				"Value": ""
+			},
+			"browser.safebrowsing.provider.google.updateURL": {
+				"Comment": "Disable Google Safe Browsing via LibreAwoo. Handled by system DNS or uBlock Origin.",
+				"Status": "locked",
+				"Type": "string",
+				"Value": ""
+			},
+			"browser.safebrowsing.provider.google4.gethashURL": {
+				"Comment": "Disable Google Safe Browsing via LibreAwoo. Handled by system DNS or uBlock Origin.",
+				"Status": "locked",
+				"Type": "string",
+				"Value": ""
+			},
+			"browser.safebrowsing.provider.google4.updateURL": {
+				"Comment": "Disable Google Safe Browsing via LibreAwoo. Handled by system DNS or uBlock Origin.",
+				"Status": "locked",
+				"Type": "string",
+				"Value": ""
 			},
 			"browser.sessionstore.warnOnQuit": {
 				"Status": "locked",
@@ -508,12 +547,12 @@
 				"Value": false
 			},
 			"browser.tabs.groups.enabled": {
-				"Comment": "TODO: Is this allowed when it lands?",
 				"Status": "default",
 				"Type": "boolean",
 				"Value": true
 			},
-			"browser.tabs.inTitlebar": {
+			"browser.tabs.inTitlebar_commented": {
+				"Comment": "without _commented 0 enables system title bar and 2 is default.",
 				"Status": "default",
 				"Type": "number",
 				"Value": 0
@@ -608,7 +647,7 @@
 				"Value": true
 			},
 			"extensions.htmlaboutaddons.recommendations.enabled": {
-				"Comment": "This means the same, but without personalization.",
+				"Comment": "No personalized add-on recommendations.",
 				"Status": "locked",
 				"Type": "boolean",
 				"Value": false
@@ -717,7 +756,7 @@
 				"Value": false
 			},
 			"network.IDN_show_punycode": {
-				"Comment": "Protection against identically looking unicode domain names",
+				"Comment": "Use punycode when displaying international domain names.",
 				"Status": "locked",
 				"Type": "boolean",
 				"Value": true
@@ -755,7 +794,7 @@
 			"network.trr.disable-ECS": {
 				"Status": "locked",
 				"Type": "boolean",
-				"Value": false
+				"Value": true
 			},
 			"network.trr.display_fallback_warning": {
 				"Status": "locked",
@@ -804,18 +843,6 @@
 				"Type": "string",
 				"Value": "#ffb700"
 			},
-			"privacy.donottrackheader.enabled": {
-				"Comment": "Preference not allowed for stability reasons. :(",
-				"Status": "locked",
-				"Type": "boolean",
-				"Value": true
-			},
-			"privacy.donottrackheader.value": {
-				"Comment": "Preference not allowed for stability reasons. :(",
-				"Status": "locked",
-				"Type": "number",
-				"Value": 1
-			},
 			"privacy.fingerprintingProtection": {
 				"Comment": "Preference not allowed for stability reasons. :(",
 				"Status": "locked",
@@ -823,10 +850,10 @@
 				"Value": true
 			},
 			"privacy.fingerprintingProtection.overrides": {
-				"Comment": "Preference not allowed for stability reasons. :( https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc",
+				"Comment": "Preference not allowed for stability reasons. :( https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc - If you adjust this, see also use_document_fonts to not increase fingerprinting surface excessively",
 				"Status": "locked",
 				"Type": "string",
-				"Value": "+AllTargets,-KeyboardEvents,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-JSDateTimeUTC"
+				"Value": "+AllTargets,-KeyboardEvents,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-JSDateTimeUTC,-FontVisibilityBaseSystem,-FontVisibilityRestrictGenerics"
 			},
 			"privacy.fingerprintingProtection.pbmode": {
 				"Comment": "Preference not allowed for stability reasons. :(",
@@ -839,36 +866,18 @@
 				"Type": "boolean",
 				"Value": true
 			},
-			"privacy.resistFingerprinting": {
-				"Comment": "Preference not allowed for stability reasons. :(",
-				"Status": "locked",
-				"Type": "boolean",
-				"Value": false
-			},
 			"privacy.resistFingerprinting.letterboxing": {
 				"Comment": "Preference not allowed for stability reasons. :(",
 				"Status": "locked",
 				"Type": "boolean",
 				"Value": true
 			},
-			"privacy.resistFingerprinting.pbmode": {
-				"Comment": "Preference not allowed for stability reasons. :(",
-				"Status": "clear",
-				"Type": "boolean",
-				"Value": false
-			},
 			"privacy.userContext.enabled": {
 				"Comment": "Tab containers",
 				"Status": "locked",
 				"Type": "boolean",
 				"Value": true
 			},
-			"privacy.userContext.extension": {
-				"Comment": "Displays in settings which extension requires container tabs. None. it's this policy. Preference not allowed for stability reasons.",
-				"Status": "locked",
-				"Type": "string",
-				"Value": ""
-			},
 			"privacy.userContext.ui.enabled": {
 				"Comment": "Tab containers UI without extensions",
 				"Status": "locked",