chromium: doh-private-ecs.json was supposed to be automatic

Revert "chromium/recommended/{duckduckgo,ecosia}.json: trick Brave & Edge into complying by NewTabPageLocation"
This reverts commit 7bab72fb3cf3e4dc4f6c5385e234c35b6ee60acd.
2025-08-19 04:47:19 +02:00 · 2024-05-18 16:55:38 +03:00 · 2024-05-18 16:36:46 +03:00 · 2024-05-18 16:14:57 +03:00 · 2024-05-18 16:12:58 +03:00 · 2024-05-18 16:08:17 +03:00
17 changed files with 204 additions and 17 deletions
--- a/conf/librewolf.overrides.cfg
+++ b/conf/librewolf.overrides.cfg
@ -12,7 +12,7 @@

 // Firefox autoconfig
 pref("autoadmin.global_config_url", "https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg");
-pref("general.config.obscure_value", 0);
+//pref("general.config.obscure_value", 0);
 pref("autoadmin.refresh_interval", 120);
 pref("autoadmin.offline_failover", true);
 pref("autoadmin.failover_to_cached", true);
@ -31,7 +31,7 @@ pref("cookiebanners.service.mode.privateBrowsing", 2);
 pref("cookiebanners.bannerClicking.enabled", true);

 // https://globalprivacycontrol.org/ the successor of DNT
-pref("privacy.globalprivacycontrol.enabled", true);
+//pref("privacy.globalprivacycontrol.enabled", true);
 pref("privacy.globalprivacycontrol.functionality.enabled", true);
 pref("privacy.donottrackheader.enabled", true);
 pref("privacy.donottrackheader.value", 1);
@ -62,7 +62,7 @@ pref("javascript.use_us_english_locale", true);
 // the fingerprinting game. Then again as sending empty accept-language is
 // valid ("just give me any"), what if I request only Finnish considering the
 // RFC discourages sending rejection if no language matches.
-defaultPref("intl.accept_languages", "fi, en");
+//defaultPref("intl.accept_languages", "fi, en");
 // Apparently even not sending accept-language is more common than Finnish,
 // so let's do that. Any language is fine, at least I am not promoting English
 // to every web site I visit.
@ -75,7 +75,7 @@ defaultPref("intl.accept_languages", "fi, en");

 // Dark mode
 //pref("ui.systemUsesDarkTheme", 1);
-pref("prefers-color-scheme", "dark");
+//pref("prefers-color-scheme", "dark");
 //pref("pdfjs.viewerCssTheme", 2);

 // Enable Firefox accounts
@ -125,7 +125,7 @@ pref("reader.parse-on-load.force-enabled", true);
 //pref("network.trr.excluded-domains", "http.badssl.com,norwegianwifi.com,mywifiext.net,tplinkrepeater.net,router.asus.com");

 // Default UI scale
-defaultPref("layout.css.devPixelsPerPx", "1.5");
+//defaultPref("layout.css.devPixelsPerPx", "1.5");

 // Keep cache on both disk & memory. This is required for
 // https://github.com/JimmXinu/FanFicFare/wiki/BrowserCacheFeature
@ -143,8 +143,8 @@ pref("browser.cache.memory.enable", true);
 /** [SECTION] CONTAINERS
 * enable containers and show the settings to control them in the stock ui
 */
-pref("privacy.userContext.enabled", true);
-pref("privacy.userContext.ui.enabled", true);
+//pref("privacy.userContext.enabled", true);
+//pref("privacy.userContext.ui.enabled", true);

 //pref("browser.contentblocking.category", "strict");
 pref("privacy.partition.always_partition_third_party_non_cookie_storage", true);
--- a/etc/firefox/policies/policies.json
+++ b/etc/firefox/policies/policies.json
@ -37,7 +37,10 @@
              "eff-dnt-whitelist",
              "ublock-quick-fixes",
              "FIN-0",
-              "https://big.oisd.nl"
+              "https://big.oisd.nl",
+              "ublock-annoyances",
+              "adguard-mobile-app-banners",
+              "curben-phishing"
            ]
          }
        },
@ -236,6 +239,30 @@
      "Enabled": true
    },
    "Preferences": {
+      "autoadmin.failover_to_cached": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "autoadmin.global_config_url": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "string",
+        "Value": "https://gitea.blesmrt.net/mikaela/shell-things/raw/branch/master/conf/librewolf.overrides.cfg"
+      },
+      "autoadmin.offline_failover": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "autoadmin.refresh_interval": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "number",
+        "Value": 120
+      },
      "browser.aboutConfig.showWarning": {
        "Status": "locked",
        "Type": "boolean",
@ -266,6 +293,24 @@
        "Type": "boolean",
        "Value": false
      },
+      "cookiebanners.bannerClicking.enabled": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "cookiebanners.service.mode": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "number",
+        "Value": 2
+      },
+      "cookiebanners.service.mode.privateBrowsing": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "number",
+        "Value": 2
+      },
      "dom.block_download_insecure": {
        "Status": "locked",
        "Type": "boolean",
@ -281,7 +326,17 @@
        "Type": "string",
        "Value": ""
      },
+      "general.config.obscure_value": {
+        "Status": "locked",
+        "Type": "number",
+        "Value": 0
+      },
+      "geo.provider.network.url": {
+        "Comment": "This might point to discontinued Mozilla Location Services, so better to restore it to default.",
+        "Status": "clear"
+      },
      "image.animation.mode": {
+        "Comment": "Preference not allowed for stability reasons. :(",
        "Status": "default",
        "Type": "string",
        "Value": "once"
@ -291,11 +346,22 @@
        "Type": "string",
        "Value": "fi, en"
      },
+      "javascript.use_us_english_locale": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "default",
+        "Type": "boolean",
+        "Value": true
+      },
      "layout.css.devPixelsPerPx": {
        "Status": "default",
        "Type": "string",
        "Value": "1.5"
      },
+      "layout.css.prefers-color-scheme.content-override": {
+        "Status": "default",
+        "Type": "number",
+        "Value": 0
+      },
      "media.autoplay.default": {
        "Status": "default",
        "Type": "number",
@ -311,6 +377,11 @@
        "Type": "boolean",
        "Value": true
      },
+      "network.dns.http3_echconfig.enabled": {
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
      "network.dns.native_https_query": {
        "Status": "locked",
        "Type": "boolean",
@ -322,9 +393,8 @@
        "Value": true
      },
      "network.dns.native_https_query_win10": {
-        "Status": "locked",
-        "Type": "boolean",
-        "Value": true
+        "Comment": "This is here just as a reminder that it exists. I don't have a Windows 10 and it will likely switch to true when it exists.",
+        "Status": "clear"
      },
      "network.dns.preferIPv6": {
        "Status": "locked",
@ -402,25 +472,64 @@
        "Value": "#ffb700"
      },
      "privacy.donottrackheader.enabled": {
+        "Comment": "Preference not allowed for stability reasons. :(",
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      },
      "privacy.donottrackheader.value": {
+        "Comment": "Preference not allowed for stability reasons. :(",
        "Status": "locked",
        "Type": "number",
        "Value": 1
      },
+      "privacy.fingerprintingProtection": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "privacy.fingerprintingProtection.overrides": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "string",
+        "Value": "+AllTargets,-KeyboardEvents,-SpeechSynthesis,-CSSPrefersColorScheme,-CSSPrefersReducedMotion,-NavigatorPlatform,-NavigatorUserAgent,-JSDateTimeUTC,-HttpUserAgent,-FontVisibilityRestrictGenerics,-FontVisibilityBaseSystem,-FontVisibilityLangPack"
+      },
+      "privacy.fingerprintingProtection.pbmode": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
      "privacy.globalprivacycontrol.enabled": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      },
-      "privacy.globalprivacycontrol.functionality.enabled": {
+      "privacy.resistFingerprinting": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": false
+      },
+      "privacy.resistFingerprinting.block_mozAddonManage": {
+        "Comment": "Preference not allowed for stability reasons. :(",
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      },
+      "privacy.resistFingerprinting.letterboxing": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
+      "privacy.resistFingerprinting.pbmode": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": false
+      },
      "privacy.userContext.enabled": {
        "Status": "locked",
        "Type": "boolean",
@ -431,6 +540,12 @@
        "Type": "boolean",
        "Value": true
      },
+      "reader.parse-on-load.force-enabled": {
+        "Comment": "Preference not allowed for stability reasons. :(",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
      "security.OCSP.require": {
        "Status": "locked",
        "Type": "boolean",
@ -447,6 +562,7 @@
        "Value": true
      },
      "security.ssl.enable_ocsp_must_staple": {
+        "Comment": "Preference not allowed for security reasons. :(",
        "Status": "locked",
        "Type": "boolean",
        "Value": true
@ -456,6 +572,12 @@
        "Type": "boolean",
        "Value": true
      },
+      "security.tls.ech.grease_http3": {
+        "Comment": "Seems to be required for http3. This defaults to true on Nightly 128 and false on 115.11.0esr. However again not allowed to be deployed here for security :()",
+        "Status": "locked",
+        "Type": "boolean",
+        "Value": true
+      },
      "ui.systemUsesDarkTheme": {
        "Status": "default",
        "Type": "number",
--- a/etc/opt/chromium/policies/managed/.gitignore
+++ b/etc/opt/chromium/policies/managed/.gitignore
@ -1 +1,2 @@
 doh-cloudflare-secure.json
+doh-adguard-dns0.json
--- a/etc/opt/chromium/policies/managed/README.md
+++ b/etc/opt/chromium/policies/managed/README.md
@ -149,7 +149,9 @@ yes, it's the second time ,one is edge, one is chrome

 - `nngceckbapebfimnlniiiahkandclblb`

-The password manager of my choice.
+The password manager of my choice. For the managed settings
+[see here](https://bitwarden.com/help/deploy-clients/), although that only
+applies to self-hosters.

 ### [Privacy Badger](https://chrome.google.com/webstore/detail/pkehgijcmpdhfbdbbnkijodmdjhbjlgp)

--- a/etc/opt/chromium/policies/managed/aminda-extensions.json
+++ b/etc/opt/chromium/policies/managed/aminda-extensions.json
@ -42,7 +42,10 @@
            "eff-dnt-whitelist",
            "ublock-quick-fixes",
            "FIN-0",
-            "https://big.oisd.nl"
+            "https://big.oisd.nl",
+            "ublock-annoyances",
+            "adguard-mobile-app-banners",
+            "curben-phishing"
          ]
        }
      },
--- a/etc/opt/chromium/policies/managed/doh-adguard-dns0.json
+++ b/etc/opt/chromium/policies/managed/doh-adguard-dns0.json
@ -0,0 +1 @@
+doh-private-ecs.json
--- a/etc/opt/chromium/policies/managed/doh-google.json
+++ b/etc/opt/chromium/policies/managed/doh-google.json
@ -1,4 +1,4 @@
 {
  "DnsOverHttpsMode": "automatic",
-  "DnsOverHttpsTemplates": "https://dns.google/dns-query"
+  "DnsOverHttpsTemplates": "https://dns.google/dns-query?dns"
 }
--- a/etc/opt/chromium/policies/managed/doh-google64.json
+++ b/etc/opt/chromium/policies/managed/doh-google64.json
@ -0,0 +1,4 @@
+{
+  "DnsOverHttpsMode": "automatic",
+  "DnsOverHttpsTemplates": "https://dns64.dns.google/dns-query?dns"
+}
--- a/etc/opt/chromium/policies/managed/doh-private-ecs.json
+++ b/etc/opt/chromium/policies/managed/doh-private-ecs.json
@ -0,0 +1,4 @@
+{
+  "DnsOverHttpsMode": "automatic",
+  "DnsOverHttpsTemplates": "https://unfiltered.adguard-dns.com/dns-query https://open.dns0.eu/"
+}
--- a/etc/opt/chromium/policies/recommended/duckduckgo.json
+++ b/etc/opt/chromium/policies/recommended/duckduckgo.json
@ -6,6 +6,5 @@
  "DefaultSearchProviderNewTabURL": "https://start.duckduckgo.com/chrome_newtab?addon=newext",
  "DefaultSearchProviderSearchURL": "https://start.duckduckgo.com/?q={searchTerms}&addon=newext",
  "DefaultSearchProviderSuggestURL": "https://start.duckduckgo.com/ac/?q={searchTerms}&type=list",
-  "HomepageIsNewTabPage": true,
  "NewTabPageLocation": "https://start.duckduckgo.com/chrome_newtab?addon=newext"
 }
--- a/etc/opt/chromium/policies/recommended/ecosia.json
+++ b/etc/opt/chromium/policies/recommended/ecosia.json
@ -6,6 +6,5 @@
  "DefaultSearchProviderNewTabURL": "https://www.ecosia.org/newtab/?addon=chromegpo",
  "DefaultSearchProviderSearchURL": "https://www.ecosia.org/search?q={searchTerms}&addon=chromegpo",
  "DefaultSearchProviderSuggestURL": "https://ac.ecosia.org/autocomplete?q={searchTerms}",
-  "HomepageIsNewTabPage": true,
  "NewTabPageLocation": "https://www.ecosia.org/newtab/?addon=chromegpo"
 }
--- a/etc/systemd/resolved.conf.d/10-dot-adguard.conf
+++ b/etc/systemd/resolved.conf.d/10-dot-adguard.conf
@ -1,5 +1,6 @@
 [Resolve]
 DNS=94.140.14.14#dns.adguard.com 94.140.15.15#dns.adguard.com 2a10:50c0::ad1:ff#dns.adguard.com 2a10:50c0::ad2:ff#dns.adguard.com
+#DNS=94.140.14.140#unfiltered.adguard-dns.com 94.140.14.141#unfiltered.adguard-dns.com DNS=2a10:50c0::1:ff#unfiltered.adguard-dns.com 2a10:50c0::2:ff#unfiltered.adguard-dns.com
 #DNSOverTLS=true

 # vim: filetype=systemd
--- a/etc/unbound/unbound.conf.d/.gitignore
+++ b/etc/unbound/unbound.conf.d/.gitignore
@ -1,3 +1,4 @@
 dot-nextdns.conf
 dot-trex.conf
 cache.conf
+dot-adguard-dns0.conf
--- a/etc/unbound/unbound.conf.d/dns-over-tls.conf
+++ b/etc/unbound/unbound.conf.d/dns-over-tls.conf
@ -12,6 +12,8 @@ server:
 # This list is for my travel laptop to have at least one DoT443 server
 # which seems to be applied-privacy.net. They advice having multiple DoT servers
 # for redundancy and as they don't filter, it's best I use other non-filtering ones.
+# Since then this expanded to include <https://www.privacyguides.org/en/dns/>.
+# just look at git blame...

 forward-zone:
 	name: "."
@ -49,4 +51,16 @@ forward-zone:
 	forward-addr: 9.9.9.10@853#dns10.quad9.net
 	forward-addr: 9.9.9.10@8853#dns10.quad9.net

+	# https://www.dns0.eu/open https://www.dns0.eu/network - French based. Private ECS
+	forward-addr: 193.110.81.254@853#open.dns0.eu
+	forward-addr: 185.253.5.254@853#open.dns0.eu
+	forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
+	forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
+
+	# Adguard DNS Unfiltered Anycast. Malta based. Private ECS.
+	forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
+	forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
+	forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
+	forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
+
 # vim: filetype=unbound.conf
--- a/etc/unbound/unbound.conf.d/dot-adguard-dns0.conf
+++ b/etc/unbound/unbound.conf.d/dot-adguard-dns0.conf
@ -0,0 +1 @@
+dot-private-ecs.conf
--- a/etc/unbound/unbound.conf.d/dot-adguard.conf
+++ b/etc/unbound/unbound.conf.d/dot-adguard.conf
@ -15,10 +15,16 @@ server:
 forward-zone:
 	name: "."
 	forward-tls-upstream: yes
+	# AdGuard with AdBlocking
 	forward-addr: 2a10:50c0::ad1:ff@853#dns.adguard.com
 	forward-addr: 94.140.14.14@853#dns.adguard.com
 	forward-addr: 2a10:50c0::ad2:ff@853#dns.adguard.com
 	forward-addr: 94.140.15.15@853#dns.adguard.com
+	# AdGuard Public DNS without filtering
+	#forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
+	#forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
+	#forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
+	#forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com

 # Updated for https://adguard.com/en/blog/adguard-dns-new-addresses.html

--- a/etc/unbound/unbound.conf.d/dot-private-ecs.conf
+++ b/etc/unbound/unbound.conf.d/dot-private-ecs.conf
@ -0,0 +1,29 @@
+server:
+	# Debian ca-certificates location
+	#tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
+	# Fedora
+	#tls-cert-bundle: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+	# Use system certificates no matter where they are
+	tls-system-cert: yes
+	# Quad9 says pointless performance impact on forwarders.
+	# https://docs.quad9.net/Quad9_For_Organizations/DNS_Forwarder_Best_Practices/#disable-qname-minimization
+	qname-minimisation: no
+	# Private ECS is more accurate with IPv4 than IPv6.
+	prefer-ip4: yes
+	prefer-ip6: no
+# AdGuard Public DNS without filtering.
+forward-zone:
+	name: "."
+	forward-tls-upstream: yes
+	# AdGuard Public DNS without filtering
+	forward-addr: 2a10:50c0::1:ff@853#unfiltered.adguard-dns.com
+	forward-addr: 2a10:50c0::2:ff@853#unfiltered.adguard-dns.com
+	forward-addr: 94.140.14.140@853#unfiltered.adguard-dns.com
+	forward-addr: 94.140.14.141@853#unfiltered.adguard-dns.com
+	# DNS0.eu without filtering
+	forward-addr: 193.110.81.254@853#open.dns0.eu
+	forward-addr: 185.253.5.254@853#open.dns0.eu
+	forward-addr: 2a0f:fc80::ffff@853#open.dns0.eu
+	forward-addr: 2a0f:fc81::ffff@853#open.dns0.eu
+
+# vim: filetype=unbound.conf
Author	SHA1	Message	Date
Aminda Suomalainen	95671fb32d	chromium: doh-private-ecs.json was supposed to be automatic	2024-05-18 16:55:38 +03:00
Aminda Suomalainen	0a4179df0c	Revert "chromium/recommended/{duckduckgo,ecosia}.json: trick Brave & Edge into complying by NewTabPageLocation" This reverts commit 7bab72fb3cf3e4dc4f6c5385e234c35b6ee60acd.	2024-05-18 16:36:46 +03:00
Aminda Suomalainen	c2e0917c3a	unbound/dns-over-tls.conf: remove Quad9 ECS comments	2024-05-18 16:14:57 +03:00
Aminda Suomalainen	bec86d1344	{systemd-resolved,unbound}: add commented unfiltered adguard to appropiate file	2024-05-18 16:12:58 +03:00
Aminda Suomalainen	a7ef548dab	{chromium,unbound}: experimental dot-private-ecs.conf	2024-05-18 16:08:17 +03:00
Aminda Suomalainen	e6696d22f6	Revert "unbound/dns-over-tls.conf: remove ECS and private ECS" This reverts commit 78fa2b7b9ca4cbb09eb386fcf3693e0e354dc717.	2024-05-18 15:51:13 +03:00
Aminda Suomalainen	5b4f78f5f4	chromium/doh-google{,64}.json: use get requests more as a note that it can be done	2024-05-18 15:35:36 +03:00
Aminda Suomalainen	2ff416d880	{firefox,chromium}: also enable curben-phishing	2024-05-18 14:04:43 +03:00
Aminda Suomalainen	20679e705d	{firefox,chromium}: enable AdNauseam ublock-annoyances & adguard-mobile-app-banners	2024-05-18 13:55:18 +03:00
Aminda Suomalainen	aac0a04564	LibreAwoo: comment the 7 options that policy accepted	2024-05-18 11:04:59 +03:00
Aminda Suomalainen	c68e3f66ab	firefox: attempt to enable http for esr	2024-05-18 10:21:44 +03:00
Aminda Suomalainen	5a88836d59	firefox: Comment/clear network.dns.native_https_query_win10	2024-05-18 09:44:25 +03:00
Aminda Suomalainen	5995ef8f32	firefox/policies.json: attempt to autoconfig, but again not allowed	2024-05-18 09:24:25 +03:00
Aminda Suomalainen	1290db73f5	firefox/policies.json: import more disallowed things from autoconfig, comment disallowed ones, clear location provider	2024-05-18 09:15:10 +03:00
Aminda Suomalainen	c05eedbb78	chromium README: note Bitwarden management options for self-hosters	2024-05-18 08:03:29 +03:00