nixos-config/config/programs/firefox.nix


# Home Manager module for Firefox: installs a fixed set of add-ons and defines
# two profiles.  `default` (id 0) carries a hardened, user.js-style prefs set
# plus a userChrome tweak; `unhardened` (id 1) is a plain profile for whatever
# the hardening breaks.  Most prefs come from pyllyukko/user.js (linked at the
# top of `settings`).  Trailing comments describe the author's intent; lines
# marked NOTE(review) are reviewer observations to confirm, not changes.
{ pkgs, ... }: {
  programs.firefox = {
    package = pkgs.firefox;
    enable = true;
    # Add-ons are taken from the NUR (rycee's firefox-addons), i.e. a community
    # repository outside nixpkgs.  NOTE(review): this makes the NUR input part
    # of the browser's supply chain -- pin it (flake input / fetched rev) and
    # review its updates like any other dependency; how `pkgs.nur` is pinned
    # is not visible from this file.
    extensions = with pkgs.nur.repos.rycee.firefox-addons; [
      canvasblocker
      clearurls
      consent-o-matic
      darkreader
      decentraleyes
      don-t-fuck-with-paste
      # NOTE(review): overlaps with consent-o-matic above, and to my knowledge
      # this add-on changed owner in 2022; worth re-checking whether both are
      # still wanted.
      i-dont-care-about-cookies
      keepassxc-browser
      privacy-badger
      privacy-possum
      sponsorblock
      stylus
      tree-style-tab
      ublock-origin
      # NOTE(review): uMatrix is, as far as I know, no longer maintained by its
      # author; an unmaintained add-on with all-sites permissions is a standing
      # risk -- consider whether ublock-origin (also listed) covers the need.
      umatrix
      unpaywall
    ];
    profiles = {
      # Fallback profile without the hardened prefs; nothing beyond its id is
      # configured here.
      unhardened = {
        id = 1;
      };
      default = {
        # NOTE(review): the @-moz-document rule targets browser.xul, but recent
        # Firefox versions load browser.xhtml, so this block likely no longer
        # matches and the tab bar stays visible -- confirm against the Firefox
        # in `pkgs.firefox` and adjust the url() (or drop the wrapper).
        # The CSS lines are kept at one indentation level so Nix's '' string
        # stripping yields the same file content as before.
        userChrome = ''
          /* Hide tab bar in FF Quantum */
          @-moz-document url("chrome://browser/content/browser.xul") {
          #TabsToolbar {
          visibility: collapse !important;
          margin-bottom: 21px !important;
          }
          #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
          visibility: collapse !important;
          }
          }
        '';
        settings = {
          # From https://github.com/pyllyukko/user.js/blob/master/user.js
          # NOTE(review): several prefs below are legacy names from that list
          # (e.g. dom.telephony, dom.flyweb, plugin.state.flash, loop.*); Firefox
          # silently ignores unknown prefs, so they are harmless but not
          # necessarily doing anything on a current release.
          "dom.serviceWorkers.enabled" = false; # Disable service workers
          "dom.webnotifications.enabled" = false; # Disable notifications
          "dom.enable_performance" = false; # Disable DOM timing API
          "dom.enable_resource_timing" = false; # Disable resource timing API
          "dom.enable_user_timing" = false; # Disable user timing API
          "geo.enabled" = false; # Disable Geolocation
          # Geolocation is disabled above; this only pins which provider would be
          # used if it were re-enabled.
          "geo.wifi.uri" = "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"; # Use Mozilla geolocation service
          "geo.wifi.logging.enabled" = false; # Disable logging for wifi geolocation
          "dom.mozTCPSocket.enabled" = false; # Disable raw TCP sockets
          "dom.netinfo.enabled" = false; # Disable network information API
          "dom.network.enabled" = false; # Disable network API
          "media.peerconnection.ice.no_host" = true; # Dont leak internal IP addresses via WebRTC ICE host candidates
          "dom.battery.enabled" = false; # Disable battery API
          "dom.telephony.enabled" = false; # Disable telephony API
          "beacon.enabled" = false; # Disable analytics bs
          "dom.event.clipboardevents.enabled" = false; # Disable clipboard events
          "dom.allow_cut_copy" = false; # Disable cut/copy javascript
          "media.webspeech.recognition.enable" = false; # Disable speech recognition
          "media.webspeech.synth.enabled" = false; # Disable speech synthesis
          "device.sensors.enabled" = false; # Disable device sensors
          "browser.send_pings" = false; # Disable analytics bs
          "browser.send_pings.require_same_host" = true; # If enabled, only allow same host
          "dom.gamepad.enabled" = false; # Prevent USB device enumeration
          "dom.vr.enabled" = false; # Disable VR
          "dom.vibrator.enabled" = false; # Disable vibrator
          "dom.archivereader.enabled" = false; # Disable archive reader
          "webgl.disabled" = true; # Disable WebGL
          "webgl.min_capability_mode" = true; # If webgl is enabled, use the minimum capability mode
          "webgl.disable-extensions" = true; # If webgl is enabled, disable extensions
          "webgl.disable-fail-if-major-performance-caveat" = true; # If webgl is enabled, disable the fail-if-major-performance-caveat mode
          "webgl.enable-debug-renderer-info" = false; # If webgl is enabled, disable the debug renderer info
          # NOTE(review): privacy.resistFingerprinting (set further down) already
          # spoofs hardware concurrency and the build ID; this and the buildID
          # overrides below are presumably redundant with it -- harmless either way.
          "dom.maxHardwareConcurrency" = 2; # Spoof dual-core CPU
          "camera.control.face_detection.enabled" = false; # Disable face detection
          "browser.search.countryCode" = "US"; # Set default search country
          "browser.search.region" = "US"; # Set default search region
          "browser.search.geoip.url" = ""; # No geoip lookup for search defaults
          "intl.accept_languages" = "en-US,en"; # Set default language
          "intl.locale.matchOS" = false; # Disable OS language matching
          "browser.search.geoSpecificDefaults" = false; # Disable geolocation-based search defaults
          "clipboard.autocopy" = false; # Disable autocopy
          "javascript.use_us_english_locale" = true; # Force US English locale
          "browser.urlbar.trimURLs" = false; # Disable URL trimming (always show the scheme)
          "browser.fixup.alternate.enabled" = false; # Dont try to guess domain names
          "browser.fixup.hide_user_pass" = true; # Hide passwords in URLs
          "network.proxy.socks_remote_dns" = true; # Resolve DNS through the SOCKS proxy when one is configured (avoids DNS leaks)
          "network.manage-offline-status" = false; # Disable offline status management
          "security.mixed_content.block_active_content" = true; # Block mixed content
          "security.mixed_content.block_display_content" = true; # Block mixed content
          "network.jar.open-unsafe-types" = false; # Disable opening of unsafe types
          "security.xpconnect.plugin.unrestricted" = false; # Legacy NPAPI-plugin pref, kept from the upstream list
          "security.fileuri.strict_origin_policy" = true; # Strict origin policy for file URIs
          "browser.urlbar.filter.javascript" = true; # Disable displaying javascript in history urls
          "media.video_stats.enabled" = false; # Disable video stats
          "general.buildID.override" = "20100101"; # Force Firefox build ID
          "browser.startup.homepage_override.buildID" = "20100101"; # Force Firefox build ID
          "browser.display.use_document_fonts" = 0; # Disable document fonts
          "security.dialog_enable_delay" = 1000; # Add addon install delay (ms before the install dialog accepts input)
          "extensions.getAddons.cache.enabled" = false; # No add-on metadata updates
          "lightweightThemes.update.enabled" = false; # Disable lightweight themes
          "plugin.state.flash" = 0; # Disable Flash
          "plugin.state.java" = 0; # Disable Java
          "dom.ipc.plugins.subprocess.crashreporter.enabled" = false; # Disable Flash crash reporting
          "dom.ipc.plugins.reportCrashURL" = false; # Disable Flash crash reporting
          "browser.safebrowsing.blockedURIs.enabled" = true; # download and use the mozilla blocklist
          "plugins.click_to_play" = true; # Enable click-to-play for plugins
          "extensions.update.enabled" = true; # Enable extension updates
          "extensions.blocklist.enabled" = true; # Enable extension blocklisting
          "services.blocklist.update_enabled" = true; # Enable blocklisting updates
          "extensions.blocklist.url" = "https://addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/"; # Set blocklist URL
          "browser.newtabpage.activity-stream.asrouter.userprefs.cfr" = false; # Disable Extension recommendations
          "devtools.webide.enabled" = false; # Disable WebIDE
          "devtools.webide.autoinstallADBHelper" = false; # Disable WebIDE ADB helper
          "devtools.webide.autoinstallFxdtAdapters" = false; # Disable WebIDE ADB helper
          "devtools.debugger.remote-enabled" = false; # Disable remote debugging
          "devtools.chrome.enabled" = false; # Disable browser-chrome (privileged) debugging
          "devtools.debugger.force-local" = true; # Only accept debugger connections from localhost if remote debugging is ever enabled
          "toolkit.telemetry.enabled" = false; # Disable Telemetry
          "toolkit.telemetry.unified" = false; # Disable Telemetry
          "toolkit.telemetry.archive.enabled" = false; # Disable Telemetry
          "experiments.supported" = false; # Disable experiments
          "experiments.enabled" = false; # Disable experiments
          "experiments.manifest.uri" = ""; # Disable experiments
          "breakpad.reportURL" = ""; # Disable breakpad
          "browser.tabs.crashReporting.sendReport" = false; # Disable crash reporting
          "browser.crashReports.unsubmittedCheck.enabled" = false; # Disable crash reporting
          "dom.flyweb.enabled" = false; # Disable FlyWeb
          "browser.uitour.enabled" = false; # Disable uitour
          "privacy.trackingprotection.enabled" = true; # Enable tracking protection
          "privacy.trackingprotection.pbmode.enabled" = true; # Enable tracking protection
          "privacy.userContext.enabled" = true; # Enable user context (containers)
          "privacy.resistFingerprinting" = true; # Enable fingerprinting resistance
          "privacy.resistFingerprinting.block_mozAddonManager" = true; # Keep addons.mozilla.org from querying the add-on manager
          # NOTE(review): an empty list lets extensions run on Mozilla's normally
          # protected domains (AMO, accounts, support).  Intentional for ad
          # blocking, but it also removes the guard that keeps a compromised or
          # malicious extension out of those pages -- a conscious trade-off.
          "extensions.webextensions.restrictedDomains" = "";
          "browser.startup.blankWindow" = true; # Start up to about:blank
          "datareporting.healthreport.uploadEnabled" = false; # Disable health reports
          "datareporting.healthreport.service.enabled" = false; # Disable health reports
          "datareporting.policy.dataSubmissionEnabled" = false; # Disable health reports
          "browser.discovery.enabled" = false; # Disable discovery
          "app.normandy.enabled" = false; # Disable Normandy
          "app.normandy.api_url" = ""; # Disable Normandy
          "extensions.shield-recipe-client.enabled" = false; # Disable Shield
          "app.shield.optoutstudies.enabled" = false; # Disable Shield
          "loop.logDomains" = false; # Disable Firefox Hello metrics collection
          "browser.safebrowsing.phishing.enabled" = true; # Enable phishing detection
          "browser.safebrowsing.malware.enabled" = true; # Enable malware detection
          # NOTE(review): this turns off the remote reputation check for
          # downloaded executables (privacy win, less malware protection); the
          # local safebrowsing lists above still apply.
          "browser.safebrowsing.downloads.remote.enabled" = false; # Disable application reputation
          "browser.pocket.enabled" = false; # Disable Pocket
          "extensions.pocket.enabled" = false; # Disable Pocket
          "browser.newtabpage.activity-stream.feeds.sections.topstories" = false; # Disable Pocket
          "network.prefetch-next" = false; # Disable prefetching
          "network.dns.disablePrefetch" = true; # Disable prefetching
          "network.dns.disablePrefetchFromHTTPS" = true; # Disable prefetching
          "network.predictor.enabled" = false; # Disable predictive actions
          "network.dns.blockDotOnion" = true; # Disable dns lookups for dot onion domains
          "browser.search.suggest.enabled" = false; # Disable search suggestions
          "browser.urlbar.suggest.searches" = false; # Disable search suggestions
          "browser.urlbar.suggest.history" = false; # Disable history suggestions
          "browser.urlbar.groupLabels.enabled" = false; # Disable firefox suggest
          "browser.casting.enabled" = false; # Disable casting
          "media.gmp-gmpopenh264.enabled" = false; # Disable H264 codec
          "media.gmp-manager.url" = ""; # Disable H264 codec
          "network.http.speculative-parallel-limit" = 0; # Disable speculative parallel requests
          "browser.aboutHomeSnippets.updateUrl" = ""; # Disable snippets
          "browser.search.update" = false; # Disable search updates
          "network.captive-portal-service.enabled" = false; # Disable captive portal
          "network-negotiate-auth.allow-insecure-ntlm-v1" = false; # Disable NTLM
          "security.csp.experimentalEnabled" = true; # Enable CSP 1.1 script-nonce directive support
          "security.csp.enable" = true; # Enable CSP 1.1
          "security.sri.enable" = true; # Enable SRI
          "network.http.referer.spoofSource" = true; # Send the target URL as referer instead of the real one
          "network.http.referer.XOriginPolicy" = 2; # Send referer only to the same host (0 always, 1 same base domain, 2 same host)
          # NOTE(review): 1 blocks all third-party cookies and is combined with
          # first-party isolation below.  Recent Firefox defaults to 5 (dynamic
          # first-party isolation / Total Cookie Protection), which is the
          # supported successor to FPI -- worth re-evaluating, as FPI is known to
          # break some logins.
          "network.cookie.cookieBehavior" = 1; # Only allow 1st-party cookies
          "privacy.firstparty.isolate" = true; # Enable 1st-party isolation
          "network.cookie.thirdparty.sessionOnly" = true; # Never persist 3rd-party cookies
          "privacy.sanitize.sanitizeOnShutdown" = true; # Clear cookies on shutdown
          "privacy.clearOnShutdown.cache" = true; # Clear cache on shutdown
          "privacy.clearOnShutdown.cookies" = true; # Clear cookies on shutdown
          "privacy.clearOnShutdown.downloads" = true; # Clear downloads on shutdown
          "privacy.clearOnShutdown.formdata" = true; # Clear form data on shutdown
          "privacy.clearOnShutdown.history" = true; # Clear history on shutdown
          "privacy.clearOnShutdown.offlineApps" = true; # Clear offline apps on shutdown
          "privacy.clearOnShutdown.sessions" = true; # Clear sessions on shutdown
          "privacy.clearOnShutdown.openWindows" = true; # Clear open windows on shutdown
          "privacy.sanitize.timeSpan" = 0; # Clear everything when clearing history
          "privacy.cpd.offlineApps" = true; # Clear offline apps when clearing recent history
          "privacy.cpd.cache" = true; # Clear cache when clearing recent history
          "privacy.cpd.cookies" = true; # Clear cookies when clearing recent history
          "privacy.cpd.downloads" = true; # Clear downloads when clearing recent history
          "privacy.cpd.formdata" = true; # Clear form data when clearing recent history
          "privacy.cpd.history" = true; # Clear history when clearing recent history
          "privacy.cpd.sessions" = true; # Clear sessions when clearing recent history
          "places.history.enabled" = false; # Disable history
          "browser.download.manager.retention" = 0; # Disable download manager
          "signon.rememberSignons" = false; # Disable password manager (keepassxc-browser is used instead)
          "browser.formfill.enable" = false; # Disable form autofill
          # NOTE(review): network.cookie.lifetimePolicy was removed in recent
          # Firefox releases; the clearOnShutdown prefs above give the same
          # effect, so this is presumably a no-op now -- confirm.
          "network.cookie.lifetimePolicy" = 2; # Make all cookies temporary
          "signon.autofillForms" = false; # Disable autofill
          "signon.formlessCapture.enabled" = false; # Disable formless login capture
          "signon.autofillForms.http" = false; # Disable autofill
          "security.insecure_field_warning.contextual.enabled" = true; # Enable contextual insecure warnings
          "browser.formfill.expire_days" = 0; # Disable form autofill
          "browser.sessionstore.privacy_level" = 2; # Disable session data
          "browser.sessionstore.resume_from_crash" = false; # Disable session data
          "browser.helperApps.deleteTempFileOnExit" = true; # Delete temporary files on exit
          "browser.pagethumbnails.capturing_disabled" = true; # Disable thumbnails
          "browser.shell.shortcutFavicons" = false; # Disable favicons
          "browser.bookmarks.max_backups" = 0; # Disable bookmarks backups
          "browser.chrome.site_icons" = false; # Disable site icons
          "security.insecure_password.ui.enabled" = true; # Enable insecure password warnings
          "browser.newtabpage.enabled" = false; # Disable new tab page
          "browser.newtab.url" = "about:blank"; # Disable new tab page
          "browser.newtabpage.activity-stream.enabled" = false; # Disable new tab page
          "browser.newtabpage.enhanced" = false; # Disable new tab page
          "browser.newtab.preload" = false; # Disable new tab page
          "browser.newtabpage.directory.ping" = ""; # Disable new tab page
          "browser.newtabpage.directory.source" = "data:text/plain,{}"; # Disable new tab page
          "plugins.update.notifyUser" = true; # Enable plugin notifications
          "network.IDN_show_punycode" = true; # Show IDNs as punycode (makes homograph look-alike domains visible)
          "browser.urlbar.autoFill" = false; # Disable urlbar autocomplete
          "browser.urlbar.autoFill.typed" = false; # Disable urlbar autocomplete
          "layout.css.visited_links_enabled" = false; # Disable visited links
          "browser.urlbar.autocomplete.enabled" = false; # Disable urlbar autocomplete
          "browser.shell.checkDefaultBrowser" = false; # Disable default browser check
          "browser.offline-apps.notify" = false; # Disable offline app notifications
          "dom.security.https_only_mode" = true; # Enable https-only mode
          "network.stricttransportsecurity.preloadlist" = true; # Enable HSTS preload list
          # Certificate revocation: query OCSP for every certificate and hard-fail
          # when no response can be obtained.  NOTE(review): hard-fail is the
          # secure choice but turns an unreachable OCSP responder into a page
          # load failure; that is the intended trade-off.
          "security.OCSP.enabled" = 1; # 1 = check OCSP for all certificates
          "security.ssl.enable_ocsp_stapling" = true; # Accept stapled OCSP responses
          "security.ssl.enable_ocsp_must_staple" = true; # Enforce the Must-Staple certificate extension
          "security.OCSP.require" = true; # Fail the connection if revocation status cannot be obtained
          "security.ssl.disable_session_identifiers" = true; # No TLS session resumption identifiers (less linkability, full handshake each time)
          # TLS version window: 3 = TLS 1.2, 4 = TLS 1.3; fallback-limit = 4
          # means no downgrade below 1.3 is attempted on a failed handshake.
          "security.tls.version.min" = 3;
          "security.tls.version.max" = 4;
          "security.tls.version.fallback-limit" = 4;
          "security.cert_pinning.enforcement_level" = 2; # Strict key pinning: user-added roots cannot override pins (by design breaks TLS-inspecting proxies on pinned hosts)
          "security.pki.sha1_enforcement_level" = 1; # Reject SHA-1 signatures on certificates
          "security.ssl.treat_unsafe_negotiation_as_broken" = true; # Flag servers without RFC 5746 secure renegotiation as broken
          "security.ssl.errorReporting.automatic" = false; # Do not auto-submit TLS error reports
          "browser.ssl_override_behavior" = 1; # Pre-fill less of the certificate-exception dialog than the default (2); confirm exact semantics
          # NOTE(review): ESNI was superseded by ECH in Firefox; this pref is
          # likely a no-op on the current pkgs.firefox (see
          # network.dns.echconfig.enabled) -- confirm.
          "network.security.esni.enabled" = true;
          # TLS 1.2 cipher suite selection.  NOTE(review): these security.ssl3.*
          # prefs only govern TLS 1.2 (TLS 1.3 suites are fixed), and many of the
          # names below (NULL, RC4, RC2, DES, SEED, static ECDH, DHE-DSS) refer to
          # suites that no longer exist in Firefox, so they are inert.  The effect
          # on a current build is: disable the CBC suites, keep the two AES-128-GCM
          # suites; AES-256-GCM and ChaCha20 are not listed and therefore stay at
          # their defaults.
          "security.ssl3.rsa_null_sha" = false;
          "security.ssl3.rsa_null_md5" = false;
          "security.ssl3.ecdhe_rsa_null_sha" = false;
          "security.ssl3.ecdhe_ecdsa_null_sha" = false;
          "security.ssl3.ecdh_rsa_null_sha" = false;
          "security.ssl3.ecdh_ecdsa_null_sha" = false;
          "security.ssl3.rsa_seed_sha" = false;
          "security.ssl3.rsa_rc4_40_md5" = false;
          "security.ssl3.rsa_rc2_40_md5" = false;
          "security.ssl3.rsa_1024_rc4_56_sha" = false;
          "security.ssl3.rsa_camellia_128_sha" = false;
          "security.ssl3.ecdhe_rsa_aes_128_sha" = false;
          "security.ssl3.ecdhe_ecdsa_aes_128_sha" = false;
          "security.ssl3.ecdh_rsa_aes_128_sha" = false;
          "security.ssl3.ecdh_ecdsa_aes_128_sha" = false;
          "security.ssl3.dhe_rsa_camellia_128_sha" = false;
          "security.ssl3.dhe_rsa_aes_128_sha" = false;
          "security.ssl3.ecdh_ecdsa_rc4_128_sha" = false;
          "security.ssl3.ecdh_rsa_rc4_128_sha" = false;
          "security.ssl3.ecdhe_ecdsa_rc4_128_sha" = false;
          "security.ssl3.ecdhe_rsa_rc4_128_sha" = false;
          "security.ssl3.rsa_rc4_128_md5" = false;
          "security.ssl3.rsa_rc4_128_sha" = false;
          "security.tls.unrestricted_rc4_fallback" = false;
          "security.ssl3.dhe_dss_des_ede3_sha" = false;
          "security.ssl3.dhe_rsa_des_ede3_sha" = false;
          "security.ssl3.ecdh_ecdsa_des_ede3_sha" = false;
          "security.ssl3.ecdh_rsa_des_ede3_sha" = false;
          "security.ssl3.ecdhe_ecdsa_des_ede3_sha" = false;
          "security.ssl3.ecdhe_rsa_des_ede3_sha" = false;
          "security.ssl3.rsa_des_ede3_sha" = false;
          "security.ssl3.rsa_fips_des_ede3_sha" = false;
          "security.ssl3.ecdh_rsa_aes_256_sha" = false;
          "security.ssl3.ecdh_ecdsa_aes_256_sha" = false;
          "security.ssl3.rsa_camellia_256_sha" = false;
          "security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256" = true; # Keep AEAD suite
          "security.ssl3.ecdhe_rsa_aes_128_gcm_sha256" = true; # Keep AEAD suite
          "security.ssl3.dhe_rsa_camellia_256_sha" = false;
          "security.ssl3.dhe_rsa_aes_256_sha" = false;
          "security.ssl3.dhe_dss_aes_128_sha" = false;
          "security.ssl3.dhe_dss_aes_256_sha" = false;
          "security.ssl3.dhe_dss_camellia_128_sha" = false;
          "security.ssl3.dhe_dss_camellia_256_sha" = false;
          "security.ssl3.rsa_aes_256_sha" = false;
          "security.ssl3.rsa_aes_128_sha" = false;
          "security.ssl3.ecdhe_rsa_aes_256_sha" = false;
          "security.ssl3.ecdhe_ecdsa_aes_256_sha" = false;
          # NOTE(review): this lowers the content-process sandbox below the Linux
          # default (4), i.e. it weakens renderer isolation.  It is tied to a
          # tracked workaround (#167785, see comment); re-check whether that fix
          # has landed and drop the line so the default applies again.
          "security.sandbox.content.level" = 3; # Workaround for glibc regression, remove when #167785 hits
        };
        # id 0 makes this the profile Firefox launches by default.
        id = 0;
      };
    };
  };
}