feat(firefox): add further hardening
parent
f395b6a287
commit
c930eeecdd
1 changed files with 28 additions and 11 deletions
|
@ -1,6 +1,7 @@
|
|||
# References:
|
||||
# https://discourse.nixos.org/t/declare-firefox-extensions-and-settings/36265
|
||||
# https://github.com/gvolpe/nix-config/blob/6feb7e4f47e74a8e3befd2efb423d9232f522ccd/home/programs/browsers/firefox.nix
|
||||
# https://brainfucksec.github.io/firefox-hardening-guide
|
||||
{
|
||||
pkgs,
|
||||
lib,
|
||||
|
@ -16,7 +17,11 @@ lib.mkIf config.programs.firefox.enable {
|
|||
"browser.toolbars.bookmarks.visibility" = "never";
|
||||
"browser.urlbar.quicksuggest.enabled" = false;
|
||||
"browser.urlbar.sponsoredTopSites" = false;
|
||||
"browser.urlbar.suggest.recentsearches" = false;
|
||||
"browser.urlbar.suggest.addons" = false;
|
||||
"browser.urlbar.suggest.trending" = false;
|
||||
"browser.urlbar.suggest.weather" = false;
|
||||
"browser.urlbar.suggest.yelp" = false;
|
||||
"browser.urlbar.suggest.bookmark" = false;
|
||||
"browser.urlbar.suggest.engines" = false;
|
||||
"browser.urlbar.suggest.history" = false;
|
||||
|
@ -32,16 +37,35 @@ lib.mkIf config.programs.firefox.enable {
|
|||
"browser.newtabpage.activity-stream.showSearch" = false;
|
||||
"browser.newtabpage.activity-stream.feeds.topsites" = false;
|
||||
"browser.newtabpage.activity-stream.feeds.section.highlights" = false;
|
||||
# Add-ons
|
||||
"extensions.pocket.enabled" = false;
|
||||
"dom.security.https_only_mode" = true;
|
||||
"extensions.postDownloadThirdPartyPrompt" = false; # Prompt for install before download
|
||||
"extensions.htmlaboutaddons.recommendations.enabled" = false;
|
||||
"extensions.getAddons.showPane" = false; # Hides the recommendations tab at about:addons
|
||||
|
||||
"dom.security.https_only_mode" = true;
|
||||
"cookiebanners.service.mode" = 2;
|
||||
"cookiebanners.service.mode.privateBrowsing" = 2;
|
||||
# Hides the recommendations tab at about:addons
|
||||
"extensions.getAddons.showPane" = false;
|
||||
|
||||
"browser.shell.checkDefaultBrowser" = false;
|
||||
"privacy.clearOnShutdown.offlineApps" = true;
|
||||
#"privacy.clearOnShutdown.offlineApps" = true;
|
||||
"layout.spellcheckDefault" = true;
|
||||
"browser.startup.page" = 3; # Restore session
|
||||
"browser.search.suggest.enabled" = false;
|
||||
"browser.discovery.enabled" = false;
|
||||
"browser.ping-centre.telemetry" = false;
|
||||
# Disable Studies
|
||||
"app.shield.optoutstudies.enabled" = false;
|
||||
"app.normandy.enabled" = false;
|
||||
"app.normandy.api_url" = "";
|
||||
# Headers
|
||||
"network.http.referer.XOriginPolicy" = 2; # If host matches
|
||||
"network.http.referer.XOriginTrimmingPolicy" = 2; # only send scheme+host+port
|
||||
# Downloads
|
||||
"browser.download.manager.addToRecentDocs" = false; # don't add downloaded files to "recent"
|
||||
"browser.download.useDownloadDir" = false; # always ask where to download
|
||||
# Fingerprinting
|
||||
"privacy.resistFingerprinting.block_mozAddonManager" = true;
|
||||
};
|
||||
policies = {
|
||||
PasswordManagerEnabled = false;
|
||||
|
@ -64,7 +88,6 @@ lib.mkIf config.programs.firefox.enable {
|
|||
(extension "firefox-translations" "firefox-translations-addon@mozilla.org")
|
||||
(extension "private-relay" "private-relay@firefox.com")
|
||||
(extension "decentraleyes" "jid1-BoFifL9Vbdl2zQ@jetpack")
|
||||
(extension "duckduckgo-for-firefox" "ddg@search.mozilla.org")
|
||||
];
|
||||
FirefoxHome = {
|
||||
Search = true;
|
||||
|
@ -84,12 +107,6 @@ lib.mkIf config.programs.firefox.enable {
|
|||
Locked = true;
|
||||
};
|
||||
StartDownloadsInTempDirectory = true;
|
||||
SanitizeOnShutdown = {
|
||||
Cookies = true;
|
||||
Cache = true;
|
||||
FormData = true;
|
||||
Locked = true;
|
||||
};
|
||||
SearchBar = "unified";
|
||||
ShowHomeButton = false;
|
||||
Permissions = {
|
||||
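Review bot: Two changes here appear to weaken shutdown sanitisation in a commit titled as hardening: the locked `SanitizeOnShutdown` block (Cookies, Cache, FormData) in the last hunk looks removed, since the `-84,12 +107,6` header leaves six lines fewer on the new side, and `"privacy.clearOnShutdown.offlineApps"` is left behind as a commented-out line in the settings hunk. The +/- markers are lost in this rendering, so which lines were dropped is inferred from the hunk counts and should be checked against the real diff. If the removal is deliberate so that `"browser.startup.page" = 3` can restore sessions, replace the commented-out setting with an explanation such as `# Shutdown clearing is disabled on purpose: session restore needs cookies and site data to persist`. Cache and form history are probably not required for session restore, so consider keeping a reduced locked policy, `SanitizeOnShutdown = { Cache = true; FormData = true; Locked = true; };`, so that users cannot turn off what is still cleared.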
|
|