From 885a16dce7a93ecb359594caf62a9c88b789d7a0 Mon Sep 17 00:00:00 2001
From: tilpner
Date: Sun, 14 Jun 2020 20:40:32 +0200
Subject: replaceAllUrls: init
---
profiles/replaceAllUrls.nix | 192 ++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 192 insertions(+)
create mode 100644 profiles/replaceAllUrls.nix
diff --git a/profiles/replaceAllUrls.nix b/profiles/replaceAllUrls.nix
new file mode 100644
index 0000000..8b71033
--- /dev/null
+++ b/profiles/replaceAllUrls.nix
@@ -0,0 +1,192 @@
+{ ... }:
+
+let
+ # Requirements:
+ # - is valid connection target (from FF perspective)
+ # - doesn't have any negative effects on the user privacy or security
+ h = "127.0.0.1";
+ u = "http://${h}";
+in {
+ meta.description = ''
+ Firefox communicates with external services in many different ways. Not all of them
+ happen on startup, and they can be triggered on different intervals.
+
+ This is a desperate effort to prevent as much of that communication as possible, by depriving FF of all configurable
+ URLs. It will break things, put the users security/privacy at risk, and probably shouldn't be enabled.
+
+ Even so, this list may be insufficient. It was created manually from an about:config listing
+ for the searchterms "url", "uri", "endpoint", and "server", so it will miss hidden (but defaulted) and hardcoded URLs.
+
+ Further consideration for the placeholder value is required.
+
+ Known issues:
+ - This list will get outdated rather quickly
+ - Typos and renaming of keys are not caught in any way
+ '';
+
+ preferences = {
+ app = {
+ feedback.baseURL = u;
+ releaseNotesURL = u;
+ support.baseURL = u;
+ update = {
+ url.details = u;
+ url.manual = u;
+ };
+ };
+
+ browser = {
+ uitour.url = u;
+
+ contentblocking = {
+ report = {
+ cookie.url = u;
+ cryptominer.url = u;
+ fingerprinter.url = u;
+
+ lockwise = {
+ how_it_works.url = u;
+ };
+
+ monitor = {
+ enabled = false;
+ url = u;
+ how_it_works.url = u;
+ sign_in_url = u;
+ };
+ };
+ };
+
+ newtabpage.activity-stream = {
+ discoverystream = {
+ config = "{}";
+ endpoints = u;
+ endpointSpocsClear = u;
+ };
+
+ default.sites = "";
+ feeds = {
+ snippets = false;
+ section.topstories.options = "{}";
+ };
+ asrouter.providers.snippets = false;
+
+ fxaccounts.endpoint = u;
+
+ telemetry.structuredIngestion.endpoint = u;
+ };
+
+ safebrowsing = {
+ downloads.remote.url = u;
+ provider =
+ let mock = {
+ advisoryURL = u;
+ dataSharingURL = u;
+ gethashURL = u;
+ reportMalwareMistakeURL = u;
+ reportPhishMistakeURL = u;
+ reportURL = u;
+ updateURL = u;
+ };
+ in {
+ google = mock;
+ google4 = mock;
+ mozilla = mock;
+ };
+ };
+
+ search.searchEnginesURL = u;
+ };
+
+ captivedetect.canonicalURL = u;
+ datareporting = {
+ healthreport.infoURL = u;
+ firstRunURL = u;
+ policy.firstRunURL = u;
+ };
+
+ dom.push.serverURL = "wss://${h}";
+
+ extensions = {
+ abuseReport = {
+ amoDetailsURL = u;
+ url = u;
+ };
+
+ blocklist = {
+ detailsURL = u;
+ itemURL = u;
+ };
+
+ getAddons = {
+ discovery.api_url = u;
+ get.url = u;
+ langpacks.url = u;
+ link.url = u;
+ search.browseURL = u;
+ };
+
+ recommendations = {
+ privacyPolicyUrl = u;
+ themeRecommendationUrl = u;
+ };
+
+ systemAddon.update.url = u;
+ update.background.url = u;
+ update.url = u;
+ webservice.discoverURL = u;
+ };
+
+ media.gmp-manager.url = u;
+
+ identity = {
+ fxaccounts = {
+ remote.root = u;
+ auth.uri = u;
+ remote = {
+ oauth.uri = u;
+ pairing.uri = u;
+ profile.uri = u;
+ };
+
+ service = {
+ monitorLoginUrl = u;
+ sendLoginUrl = u;
+ };
+ };
+ sync.tokenserver.uri = u;
+ sendtabpromo.url = u;
+ };
+
+ services.settings.server = u;
+
+ network.trr.uri = u;
+
+ toolkit = {
+ telemetry.server = u;
+ coverage.endpoint.base = u;
+ };
+
+ security = {
+ # TODO: investigate exploit potential (I told you not to enable it!)
+ certerrors.mitm.priming.endpoint = u;
+
+ ssl.errorReporting.url = u;
+
+ remote_settings = {
+ intermediates.enabled = false;
+ intermediates.signer = "";
+ crlite_filters.enabled = false;
+ crlite_filters.signer = "";
+ };
+ };
+
+ signon.management.page = {
+ breachAlertUrl = u;
+ mobileAndroidURL = u;
+ mobileAppleURL = u;
+ };
+
+ webextensions.storage.sync.serverURL = u;
+ };
+}
-- cgit v1.2.3
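Review bot: The placeholder `u = "http://${h}"` with `h = "127.0.0.1"` stops meeting the second requirement in the comment above it as soon as any local process listens on loopback port 80 (or 443 for the `wss://${h}` push URL). That process would receive, and could answer, every request Firefox sends for these prefs, including `identity.fxaccounts.remote.root`, the update URLs and `services.settings.server`. I would record this next to the binding, e.g. `# NOTE: a listener on 127.0.0.1:80 (or :443 for wss) receives all of these requests; only enable where those ports are unbound`. Separately, the `safebrowsing.provider` mock, `services.settings.server` and the `security.remote_settings` block switch off protections rather than telemetry (Safe Browsing list updates and, as far as I know, the blocklist and revocation data delivered through remote settings). A one-line comment on each naming what is lost would make the warning in `meta.description` concrete.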