authortilpner2020-04-05 20:48:13 +0200
committertilpner2020-04-05 20:51:20 +0200
commit58a4f76dcad054cac6d5624b6f95e23145c16ae1 (patch)
treec8411c894bb93e58674cf344385e4c383adf6318
parent5014c0ed2160393fb787b585127bce8f27fda722 (diff)
ocsp, safebrowsing: refactor to finer choices per topic
-rw-r--r--default.nix6
-rw-r--r--nix/lib.nix6
-rw-r--r--profiles/noOCSP.nix5
-rw-r--r--profiles/noSafebrowsing.nix10
-rw-r--r--profiles/ocsp.nix25
-rw-r--r--profiles/safebrowsing.nix32
6 files changed, 64 insertions, 20 deletions
diff --git a/default.nix b/default.nix
index e2b0656..8fdf3e1 100644
--- a/default.nix
+++ b/default.nix
@@ -27,7 +27,7 @@ in rec {
addons.disableExtensionSignatureChecking
addons.privacybadger addons.noscript
- addons.borderify
+ # addons.borderify
minimalConnections
minimalHome
@@ -40,10 +40,12 @@ in rec {
noPocket
noTunnels
noLocation
- noSafebrowsing
+ safebrowsing.disableAll
restrict
# distrustUser
+ ocsp.disabled
+
forgetActivity
{ policies.RequestedLocales = [ "de-DE" "en-US" ]; }
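Review bot: `ocsp.disabled` is added to the default selection without recording why, while profiles/ocsp.nix introduced in this same commit says OCSP "should not be disabled for security-sensitive situations". Since the bundled profile also pulls in `safebrowsing.disableAll`, a reader is left to guess whether the motivation is avoiding third-party contact (consistent with `minimalConnections`) or something else. A one-line comment would make the trade-off explicit, e.g. `# privacy over revocation: no CA contact, so revoked certificates are not rejected (see profiles/ocsp.nix)`. The list this hunk edits starts before and ends after the hunk.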
diff --git a/nix/lib.nix b/nix/lib.nix
index 12940b1..1095ab4 100644
--- a/nix/lib.nix
+++ b/nix/lib.nix
@@ -19,7 +19,7 @@ rec {
else abort "unsupported value type: ${builtins.typeOf v}";
mkPrefs = settings: pkgs.writeText "prefs.js"
- ("// dummy line\n" +
+ ("// dummy line\n" +
(lib.concatStringsSep "\n"
(lib.mapAttrsToList (k: v: "pref(\"${k}\", ${mkValueString v}, locked);")
(flattenAttrs settings))));
@@ -39,7 +39,7 @@ rec {
inherit policies;
});
- mergeProfiles = profiles:
+ mergeProfiles = profiles:
let
sanitise = args: {
policies = args.policies or {};
@@ -55,7 +55,7 @@ rec {
policies' = mkPolicies policies;
preferences' = mkPrefs preferences;
patched = pkgs.runCommand "firefox-bundle" {
- nativeBuildInputs = [ pkgs.nix ];
+ nativeBuildInputs = [ pkgs.nix ];
disallowedReferences = [ firefox ];
} ''
cp -r ${firefox} $out
diff --git a/profiles/noOCSP.nix b/profiles/noOCSP.nix
deleted file mode 100644
index a61b9ed..0000000
--- a/profiles/noOCSP.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{ }: {
- preferences = {
- security.OCSP.enabled = false;
- };
-}
diff --git a/profiles/noSafebrowsing.nix b/profiles/noSafebrowsing.nix
deleted file mode 100644
index bd53006..0000000
--- a/profiles/noSafebrowsing.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ ffLib }: {
- preferences = {
- browser.safebrowsing = {
- phishing.enabled = false;
- malware.enabled = false;
- downloads.enabled = false;
- downloads.remote.enabled = false;
- };
- };
-}
diff --git a/profiles/ocsp.nix b/profiles/ocsp.nix
new file mode 100644
index 0000000..d56d8df
--- /dev/null
+++ b/profiles/ocsp.nix
@@ -0,0 +1,25 @@
+{ }: {
+ meta.description = ''
+ The Online Certificate Status Protocol is used to distrust revoked certificates.
+ When a new TLS connection is established, and OCSP stapling is not used, the browser checks with the
+ responsible certificate authority whether the received certificate is still valid.
+ It should not be disabled for security-sensitive situations, but it may be disabled for privacy reasons.
+ '';
+
+ enabled.preferences = {
+ security.OCSP = {
+ enabled = 1;
+ # OCSP is useless, if the response is not mandatory
+ require = true;
+ };
+
+ security.ssl = {
+ enable_ocsp_stapling = true;
+ enable_ocsp_must_staple = true;
+ };
+ };
+
+ disabled.preferences = {
+ security.OCSP.enabled = 0;
+ };
+}
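Review bot: `require = true` turns OCSP into hard-fail, so the `enabled` profile will refuse every TLS connection for which no OCSP response can be obtained — responder outage, a captive portal or firewall that blocks the responder, or a server that neither staples nor is reachable for the check — and the comment above it states only the security rationale, not this availability cost. I would extend it to `# hard-fail: without a response the connection is refused; responder outages or blocked responders break sites` so whoever selects `enabled` is not surprised. The description could also name the privacy concern it alludes to: when no stapled response is present, the CA's responder learns which hosts the user connects to. Whether `enable_ocsp_must_staple = true` differs from Firefox's default is not visible here; if it does not, a note that it is stated for explicitness would help.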
diff --git a/profiles/safebrowsing.nix b/profiles/safebrowsing.nix
new file mode 100644
index 0000000..79f3c82
--- /dev/null
+++ b/profiles/safebrowsing.nix
@@ -0,0 +1,32 @@
+{ ffLib }: rec {
+ meta.description = ''
+ Safebrowsing is a feature meant to protect the user from malicious websites and downloads.
+
+ See:
+ - https://wiki.mozilla.org/Security/Safe_Browsing
+ - https://wiki.mozilla.org/Security/Application_Reputation
+ '';
+
+ disableDownloads.preferences = {
+ browser.safebrowsing = {
+ downloads = {
+ # TODO: does this do offline checks?
+ enabled = false;
+ remote = {
+ enabled = false;
+ url = "";
+ };
+ };
+ };
+ };
+
+ disablePhishing.preferences = {
+ browser.safebrowsing.phishing.enabled = false;
+ };
+
+ disableMalware.preferences = {
+ browser.safebrowsing.malware.enabled = false;
+ };
+
+ disableAll = ffLib.mergeProfiles [ disableDownloads disablePhishing disableMalware ];
+}
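Review bot: The `# TODO: does this do offline checks?` above `downloads.enabled = false` ships an open question inside a profile whose name promises that download checks are off, and `disableAll` inherits it. What the file does show is that the remote application-reputation lookup is switched off twice (`remote.enabled = false` and `remote.url = ""`), which is reasonable belt-and-braces; I would replace the TODO with a comment stating what is known, e.g. `# turns off the download-reputation check; remote.url is blanked as a second guard`, and keep the open question as `# unverified: whether any local/offline check remains`. Note also that `disablePhishing` and `disableMalware` only flip the lookup switches; whether list updates from the Safe Browsing provider still occur with all three off is not settled by this file and would be worth confirming against the provider URL prefs if the goal is no provider contact.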