feat(firefox): add further hardening

modules/programs/firefox.nix

@@ -1,6 +1,7 @@
 # References:
 # https://discourse.nixos.org/t/declare-firefox-extensions-and-settings/36265
 # https://github.com/gvolpe/nix-config/blob/6feb7e4f47e74a8e3befd2efb423d9232f522ccd/home/programs/browsers/firefox.nix
+# https://brainfucksec.github.io/firefox-hardening-guide
 {
   pkgs,
   lib,
@@ -16,7 +17,11 @@ lib.mkIf config.programs.firefox.enable {
       "browser.toolbars.bookmarks.visibility" = "never";
       "browser.urlbar.quicksuggest.enabled" = false;
       "browser.urlbar.sponsoredTopSites" = false;
+      "browser.urlbar.suggest.recentsearches" = false;
       "browser.urlbar.suggest.addons" = false;
+      "browser.urlbar.suggest.trending" = false;
+      "browser.urlbar.suggest.weather" = false;
+      "browser.urlbar.suggest.yelp" = false;
       "browser.urlbar.suggest.bookmark" = false;
       "browser.urlbar.suggest.engines" = false;
       "browser.urlbar.suggest.history" = false;
@@ -32,16 +37,35 @@ lib.mkIf config.programs.firefox.enable {
       "browser.newtabpage.activity-stream.showSearch" = false;
       "browser.newtabpage.activity-stream.feeds.topsites" = false;
       "browser.newtabpage.activity-stream.feeds.section.highlights" = false;
+      # Add-ons
       "extensions.pocket.enabled" = false;
-      "dom.security.https_only_mode" = true;
+      "extensions.postDownloadThirdPartyPrompt" = false; # Prompt for install before download
       "extensions.htmlaboutaddons.recommendations.enabled" = false;
+      "extensions.getAddons.showPane" = false; # Hides the recommendations tab at about:addons
+
+      "dom.security.https_only_mode" = true;
       "cookiebanners.service.mode" = 2;
       "cookiebanners.service.mode.privateBrowsing" = 2;
-      # Hides the recommendations tab at about:addons
+
-      "extensions.getAddons.showPane" = false;
       "browser.shell.checkDefaultBrowser" = false;
-      "privacy.clearOnShutdown.offlineApps" = true;
+      #"privacy.clearOnShutdown.offlineApps" = true;
       "layout.spellcheckDefault" = true;
+      "browser.startup.page" = 3; # Restore session
+      "browser.search.suggest.enabled" = false;
+      "browser.discovery.enabled" = false;
+      "browser.ping-centre.telemetry" = false;
+      # Disable Studies
+      "app.shield.optoutstudies.enabled" = false;
+      "app.normandy.enabled" = false;
+      "app.normandy.api_url" = "";
+      # Headers
+      "network.http.referer.XOriginPolicy" = 2; # If host matches
+      "network.http.referer.XOriginTrimmingPolicy" = 2; # only send scheme+host+port
+      # Downloads
+      "browser.download.manager.addToRecentDocs" = false; # don't add downloaded files to "recent"
+      "browser.download.useDownloadDir" = false; # always ask where to download
+      # Fingerprinting
+      "privacy.resistFingerprinting.block_mozAddonManager" = true;
     };
     policies = {
       PasswordManagerEnabled = false;
@@ -64,7 +88,6 @@ lib.mkIf config.programs.firefox.enable {
           (extension "firefox-translations" "firefox-translations-addon@mozilla.org")
           (extension "private-relay" "private-relay@firefox.com")
           (extension "decentraleyes" "jid1-BoFifL9Vbdl2zQ@jetpack")
-          (extension "duckduckgo-for-firefox" "ddg@search.mozilla.org")
         ];
       FirefoxHome = {
         Search = true;
@@ -84,12 +107,6 @@ lib.mkIf config.programs.firefox.enable {
         Locked = true;
       };
       StartDownloadsInTempDirectory = true;
-      SanitizeOnShutdown = {
-        Cookies = true;
-        Cache = true;
-        FormData = true;
-        Locked = true;
-      };
       SearchBar = "unified";
       ShowHomeButton = false;
       Permissions = {