nixos/home-manager/firefox/firefox-profile.nix

{
  settings = {
    # data privacy
    "browser.discovery.enabled" = false;
    "dom.security.https_only_mode" = true;
    # no autofill
    "extensions.formautofill.addresses.enabled" = false;
    "extensions.formautofill.creditCards.enabled" = false;
    # stop fonts
    "browser.display.use_document_fonts" = 0;
    # dont show about:config warning
    "browser.aboutConfig.showWarning" = false;
    # dont offer to save passwords
    "signon.rememberSignons" = false;
    # home page
    "browser.startup.homepage" = "about:blank";
    # blank new tab
    "browser.newtabpage.enabled" = false;
    # compact density
    "browser.uidensity" = 1;
    # dont draw tabs in titlebar
    "browser.tabs.drawInTitlebar" = false;
    # autoscroll middleclick
    "general.autoScroll" = true;
    # dont paste on middlemouse
    "middlemouse.paste" = false;
    # userChrome
    "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
    # menu bar
    "ui.key.menuAccessKeyFocuses" = false;
    # use desktop file picker
    "widget.use-xdg-desktop-portal.file-picker" = 1;
    # sidebar at right
    "sidebar.position_start" = false;
    # disable pocket
    "extensions.pocket.enabled" = false;
    # browser links should be new tab
    "browser.link.open_newwindow.restriction" = 0;
    # allow custom search enginers
    "browser.urlbar.update2.engineAliasRefresh" = true;
    # force enable hardware accel
    "media.hardware-video-decoding.force-enabled" = true;
    # vaapi
    "media.ffmpeg.vaapi.enabled" = true;
    # downloads ask to save or open
    "browser.download.always_ask_before_handling_new_types" = true;
    # downloads always ask download location
    "browser.download.useDownloadDir" = false;
    # download to tmp dir, NOT Downloads (seriously Mozilla?)
    "browser.download.start_downloads_in_tmp_dir" = true;
    # widevine
    "browser.eme.ui.enabled" = false;
    "media.eme.enabled" = false;
    # media control keys
    "media.hardwaremediakeys.enabled" = false;
    # restore tabs on startup
    "browser.startup.page" = 3;
    # do not trim http
    "browser.urlbar.trimURLs" = false;

    /* Arkenfox Begin */

    /* 0320: disable recommendation pane in about:addons (uses Google Analytics) ***/
    "extensions.getAddons.showPane" = false;

    /* 0321: disable recommendations in about:addons' Extensions and Themes panes [FF68+] ***/
    "extensions.htmlaboutaddons.recommendations.enabled" = false;

    /* 0330: disable new data submission [FF41+]
     * If disabled, no policy is shown or upload takes place, ever
     * [1] https://bugzilla.mozilla.org/1195552 ***/
    "datareporting.policy.dataSubmissionEnabled" = false;

    /* 0340: disable Studies
     * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/
    "app.shield.optoutstudies.enabled" = false;

    /* 0341: disable Normandy/Shield [FF60+]
     * Shield is a telemetry system that can push and test "recipes"
     * [1] https://mozilla.github.io/normandy/ ***/
    "app.normandy.enabled" = false;
    "app.normandy.api_url" = "";

    /* 0350: disable Crash Reports ***/
    "breakpad.reportURL" = "";
    "browser.tabs.crashReporting.sendReport" = false;

    /* 0351: enforce no submission of backlogged Crash Reports [FF58+]
     * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to send backlogged crash reports  ***/
    "browser.crashReports.unsubmittedCheck.autoSubmit2" = false;

    /* 0403: disable SB checks for downloads (remote)
     * To verify the safety of certain executable files, Firefox may submit some information about the
     * file, including the name, origin, size and a cryptographic hash of the contents, to the Google
     * Safe Browsing service which helps Firefox determine whether or not the file should be blocked
     * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override this ***/
    "browser.safebrowsing.downloads.remote.enabled" = false;
    "browser.safebrowsing.downloads.remote.url" = "";

    /* 1201: require safe negotiation
     * Blocks connections to servers that don't support RFC 5746 [2] as they're potentially vulnerable to a
     * MiTM attack [3]. A server without RFC 5746 can be safe from the attack if it disables renegotiations
     * but the problem is that the browser can't know that. Setting this pref to true is the only way for the
     * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
     * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site?
     * [STATS] SSL Labs (May 2024) reports over 99.7% of top sites have secure renegotiation [4]
     * [1] https://wiki.mozilla.org/Security:Renegotiation
     * [2] https://datatracker.ietf.org/doc/html/rfc5746
     * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
     * [4] https://www.ssllabs.com/ssl-pulse/ ***/
    "security.ssl.require_safe_negotiation" = true;
    /* 1206: disable TLS1.3 0-RTT (round-trip time) [FF51+]
     * This data is not forward secret, as it is encrypted solely under keys derived using
     * the offered PSK. There are no guarantees of non-replay between connections
     * [1] https://github.com/tlswg/tls13-spec/issues/1001
     * [2] https://www.rfc-editor.org/rfc/rfc9001.html#name-replay-attacks-with-0-rtt
     * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
    "security.tls.enable_0rtt_data" = false;

    /* 2002: force WebRTC inside the proxy [FF70+] ***/
    "media.peerconnection.ice.proxy_only_if_behind_proxy" = true;
    /* 2003: force a single network interface for ICE candidates generation [FF42+]
     * When using a system-wide proxy, it uses the proxy interface
     * [1] https://developer.mozilla.org/docs/Web/API/RTCIceCandidate
     * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
    "media.peerconnection.ice.default_address_only" = true;

    /* 2701: enable ETP Strict Mode [FF86+]
     * ETP Strict Mode enables Total Cookie Protection (TCP)
     * [NOTE] Adding site exceptions disables all ETP protections for that site and increases the risk of
     * cross-site state tracking e.g. exceptions for SiteA and SiteB means PartyC on both sites is shared
     * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
     * [SETTING] to add site exceptions: Urlbar>ETP Shield
     * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
    "browser.contentblocking.category" = "strict";
  };
  userChrome = ''
    /* Hide tab bar in FF Quantum */
    @-moz-document url(chrome://browser/content/browser.xul), url(chrome://browser/content/browser.xhtml) {
      #TabsToolbar {
        visibility: collapse !important;
        margin-bottom: 21px !important;
      }

      #sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
        visibility: collapse !important;
      }
    }
  '';
}