From c930eeecddba21f07a57d92c6006e27ae2f34677 Mon Sep 17 00:00:00 2001
From: Nydragon
Date: Sat, 24 Aug 2024 20:42:56 +0200
Subject: [PATCH] feat(firefox): add further hardening

---
 modules/programs/firefox.nix | 39 ++++++++++++++++++++++++++----------
 1 file changed, 28 insertions(+), 11 deletions(-)

diff --git a/modules/programs/firefox.nix b/modules/programs/firefox.nix
index d13c0cc..e4b96a3 100644
--- a/modules/programs/firefox.nix
+++ b/modules/programs/firefox.nix
@@ -1,6 +1,7 @@
 # References:
 # https://discourse.nixos.org/t/declare-firefox-extensions-and-settings/36265
 # https://github.com/gvolpe/nix-config/blob/6feb7e4f47e74a8e3befd2efb423d9232f522ccd/home/programs/browsers/firefox.nix
+# https://brainfucksec.github.io/firefox-hardening-guide
 {
 pkgs,
 lib,
@@ -16,7 +17,11 @@ lib.mkIf config.programs.firefox.enable {
 "browser.toolbars.bookmarks.visibility" = "never";
 "browser.urlbar.quicksuggest.enabled" = false;
 "browser.urlbar.sponsoredTopSites" = false;
+ "browser.urlbar.suggest.recentsearches" = false;
 "browser.urlbar.suggest.addons" = false;
+ "browser.urlbar.suggest.trending" = false;
+ "browser.urlbar.suggest.weather" = false;
+ "browser.urlbar.suggest.yelp" = false;
 "browser.urlbar.suggest.bookmark" = false;
 "browser.urlbar.suggest.engines" = false;
 "browser.urlbar.suggest.history" = false;
@@ -32,16 +37,35 @@ lib.mkIf config.programs.firefox.enable {
 "browser.newtabpage.activity-stream.showSearch" = false;
 "browser.newtabpage.activity-stream.feeds.topsites" = false;
 "browser.newtabpage.activity-stream.feeds.section.highlights" = false;
+ # Add-ons
 "extensions.pocket.enabled" = false;
- "dom.security.https_only_mode" = true;
+ "extensions.postDownloadThirdPartyPrompt" = false; # Prompt for install before download
 "extensions.htmlaboutaddons.recommendations.enabled" = false;
+ "extensions.getAddons.showPane" = false; # Hides the recommendations tab at about:addons
+
+ "dom.security.https_only_mode" = true;
 "cookiebanners.service.mode" = 2;
 "cookiebanners.service.mode.privateBrowsing" = 2;
- # Hides the recommendations tab at about:addons
- "extensions.getAddons.showPane" = false;
+ "browser.shell.checkDefaultBrowser" = false;
- "privacy.clearOnShutdown.offlineApps" = true;
+ #"privacy.clearOnShutdown.offlineApps" = true;
 "layout.spellcheckDefault" = true;
+ "browser.startup.page" = 3; # Restore session
+ "browser.search.suggest.enabled" = false;
+ "browser.discovery.enabled" = false;
+ "browser.ping-centre.telemetry" = false;
+ # Disable Studies
+ "app.shield.optoutstudies.enabled" = false;
+ "app.normandy.enabled" = false;
+ "app.normandy.api_url" = "";
+ # Headers
+ "network.http.referer.XOriginPolicy" = 2; # If host matches
+ "network.http.referer.XOriginTrimmingPolicy" = 2; # only send scheme+host+port
+ # Downloads
+ "browser.download.manager.addToRecentDocs" = false; # don't add downloaded files to "recent"
+ "browser.download.useDownloadDir" = false; # always ask where to download
+ # Fingerprinting
+ "privacy.resistFingerprinting.block_mozAddonManager" = true;
 };
 policies = {
 PasswordManagerEnabled = false;
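Review bot: The line `#"privacy.clearOnShutdown.offlineApps" = true;` is commented out with no explanation, and in the same commit the `SanitizeOnShutdown` policy (Cookies, Cache, FormData, Locked) is deleted in the last hunk, so a commit titled "add further hardening" quietly weakens the clear-on-shutdown posture. Presumably this is because the newly added `"browser.startup.page" = 3; # Restore session` cannot restore a session whose cookies and cache are wiped at shutdown, but that trade-off should be recorded rather than left as dead config. I would either delete the commented-out line or replace it with a comment such as `# Clear-on-shutdown (incl. policies.SanitizeOnShutdown) intentionally disabled: it conflicts with session restore (browser.startup.page = 3)`. The `# If host matches` comment on `network.http.referer.XOriginPolicy` could also warn that this strict setting is a known source of breakage on sites that validate the Referer for cross-host requests, so the reader knows what to relax first when a login flow fails. The enclosing `settings` attribute set starts before this hunk.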
@@ -64,7 +88,6 @@ lib.mkIf config.programs.firefox.enable {
 (extension "firefox-translations" "firefox-translations-addon@mozilla.org")
 (extension "private-relay" "private-relay@firefox.com")
 (extension "decentraleyes" "jid1-BoFifL9Vbdl2zQ@jetpack")
- (extension "duckduckgo-for-firefox" "ddg@search.mozilla.org")
 ];
 FirefoxHome = {
 Search = true;
@@ -84,12 +107,6 @@ lib.mkIf config.programs.firefox.enable {
 Locked = true;
 };
 StartDownloadsInTempDirectory = true;
- SanitizeOnShutdown = {
- Cookies = true;
- Cache = true;
- FormData = true;
- Locked = true;
- };
 SearchBar = "unified";
 ShowHomeButton = false;
 Permissions = {