From e2fcf4856e1fabce48f0038d79c110b19ac5c86a Mon Sep 17 00:00:00 2001
From: Wilson Mar
Date: Tue, 4 Jun 2024 08:34:58 -0600
Subject: [PATCH] add firefox-user
---
firefox-user.js | 91 +++++++++++++++++++++++++++++++++++++++++++++++++
mac-setup.env | 6 ++--
mac-setup.zsh | 37 ++++++++++++++++----
3 files changed, 124 insertions(+), 10 deletions(-)
create mode 100644 firefox-user.js
diff --git a/firefox-user.js b/firefox-user.js
new file mode 100644
index 0000000..00d52a7
--- /dev/null
+++ b/firefox-user.js
@@ -0,0 +1,91 @@
+// Firefox hardening using preferences (automated)
+user_pref("app.normandy.first_run", false);
+user_pref("app.shield.optoutstudies.enabled", false);
+user_pref("app.update.auto", false);
+user_pref("browser.contentblocking.category", "custom");
+user_pref("browser.download.useDownloadDir", false);
+user_pref("browser.formfill.enable", false);
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
+user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
+user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
+user_pref("browser.newtabpage.activity-stream.feeds.topsites", false);
+user_pref("browser.search.suggest.enabled", false);
+user_pref("browser.urlbar.placeholderName", "DuckDuckGo");
+user_pref("datareporting.healthreport.uploadEnabled", false);
+user_pref("doh-rollout.disable-heuristics", true);
+user_pref("dom.forms.autocomplete.formautofill", true);
+user_pref("dom.security.https_only_mode_ever_enabled", true);
+user_pref("dom.security.https_only_mode", true);
+user_pref("extensions.formautofill.addresses.enabled", false);
+user_pref("extensions.formautofill.creditCards.enabled", false);
+user_pref("extensions.pocket.enabled", false);
+user_pref("identity.fxaccounts.enabled", false);
+user_pref("layout.spellcheckDefault", 1); // Used to disable spellchecker… set to `0` for increased privacy
+user_pref("media.peerconnection.enabled", false); // Used to disable WebRTC (mitigating WebRTC leaks)… set to `true` to enable WebRTC
+user_pref("network.cookie.cookieBehavior", 1);
+user_pref("network.cookie.lifetimePolicy", 2); // Used to delete cookies when Firefox is closed… set to `0` to enable default cookie persistence
+user_pref("network.proxy.socks_remote_dns", true);
+user_pref("network.trr.custom_uri", "https://doh.mullvad.net/dns-query");
+user_pref("network.trr.mode", 3); // Used to enable Mullvad DNS over HTTPS… set to `5` to disable Mullvad DNS over HTTPS
+user_pref("network.trr.uri", "https://doh.mullvad.net/dns-query");
+user_pref("places.history.enabled", false);
+user_pref("privacy.donottrackheader.enabled", true);
+user_pref("privacy.history.custom", true);
+user_pref("privacy.sanitize.sanitizeOnShutdown", true); // Used to delete cookies and site data when Firefox is closed… set to `false` to enable cookie and site data persistence
+user_pref("privacy.trackingprotection.enabled", true);
+user_pref("privacy.trackingprotection.socialtracking.enabled", true);
+user_pref("signon.management.page.breach-alerts.enabled", false);
+user_pref("signon.rememberSignons", false);
+// Firefox hardening using about:config (arkenfox/user.js recommendations, automated)
+user_pref("accessibility.force_disabled", 1);
+user_pref("app.normandy.api_url", "");
+user_pref("app.normandy.enabled", false);
+user_pref("app.shield.optoutstudies.enabled", false);
+user_pref("beacon.enabled", false);
+user_pref("browser.pagethumbnails.capturing_disabled", true);
+user_pref("browser.ping-centre.telemetry", false);
+user_pref("browser.places.speculativeConnect.enabled", false);
+user_pref("browser.sessionstore.privacy_level", 2);
+user_pref("browser.ssl_override_behavior", 1);
+user_pref("browser.tabs.crashReporting.sendReport", false);
+user_pref("browser.uitour.enabled", false);
+user_pref("browser.uitour.url", "");
+user_pref("browser.urlbar.speculativeConnect.enabled", false);
+user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false);
+user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
+user_pref("browser.urlbar.trimURLs", false);
+user_pref("browser.xul.error_pages.expert_bad_cert", true);
+user_pref("captivedetect.canonicalURL", "");
+user_pref("datareporting.policy.dataSubmissionEnabled", false);
+user_pref("dom.security.https_only_mode_send_http_background_request", false);
+user_pref("extensions.getAddons.showPane", false);
+user_pref("extensions.htmlaboutaddons.recommendations.enabled", false);
+user_pref("geo.provider.use_corelocation", false);
+user_pref("network.auth.subresource-http-auth-allow", 1);
+user_pref("network.captive-portal-service.enabled", false);
+user_pref("network.connectivity-service.enabled", false);
+user_pref("network.dns.disableIPv6", true);
+user_pref("network.dns.disablePrefetch", true);
+user_pref("network.http.speculative-parallel-limit", 0);
+user_pref("network.predictor.enabled", false);
+user_pref("network.prefetch-next", false);
+user_pref("pdfjs.enableScripting", false);
+user_pref("privacy.userContext.enabled", true);
+user_pref("privacy.userContext.ui.enabled", true);
+user_pref("security.cert_pinning.enforcement_level", 2);
+user_pref("security.mixed_content.block_display_content", true);
+user_pref("security.OCSP.require", true);
+user_pref("security.pki.crlite_mode", 2);
+user_pref("security.pki.sha1_enforcement_level", 1);
+user_pref("security.remote_settings.crlite_filters.enabled", true);
+user_pref("security.ssl.require_safe_negotiation", true);
+user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
+user_pref("security.tls.enable_0rtt_data", false);
+user_pref("toolkit.coverage.endpoint.base", "");
+user_pref("toolkit.coverage.opt-out", true);
+user_pref("toolkit.telemetry.coverage.opt-out", true);
+// Firefox fingerprinting hardening using about:config (automated)
+user_pref("privacy.resistFingerprinting", false); // Used to help resist fingerprinting but breaks dark mode and screenshots (among other features)… set to `true` for increased privacy
+user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
+user_pref("privacy.resistFingerprinting.letterboxing", true); // Used to help resist fingerprinting… set to `false` to disable letterboxing
+user_pref("webgl.disabled", true);
diff --git a/mac-setup.env b/mac-setup.env
index 25a7d64..3c9ffe9 100755
--- a/mac-setup.env
+++ b/mac-setup.env
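Review bot: `user_pref("app.update.auto", false);` near the top of firefox-user.js turns off automatic browser updates, and nothing visible in this patch puts another update path in its place, so a profile meant to be hardened can fall behind on security fixes. I would drop that line or add a comment naming the update mechanism relied on instead, e.g. `// updates are applied by <update mechanism>, not by Firefox itself`. In the fingerprinting section `privacy.resistFingerprinting` is `false` while `privacy.resistFingerprinting.letterboxing` is `true`; letterboxing has, as far as I know, depended on the parent pref, so the second line probably has no effect and its comment should say so. `app.shield.optoutstudies.enabled` is set twice with the same value, once in each of the first two sections, and one copy can go.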
@@ -71,9 +71,9 @@ export ROOT_APPS_TO_INSTALL="Keybase DiffMerge NordVPN PowerShell Slack Wha export HOME_APPS_TO_INSTALL="Docker Firefox google-cloud-sdk Hyper KeepassXC LibreOffice Macvim OBS Warp" # Also: 1Password, warp CLI https://www.youtube.com/watch?v=d4bTkiftBOk # For OBS video recorder, see https://obsproject.com/kb/quick-start-guide -export CLI_PGMS_TO_INSTALL="curl docker-compose entr fzf git jq mc node pwgen ripgrep safety wget zoxide" - # Also: ncdu, github hadolint lazygit graphviz htop hub - # tree doesn't so exa (folder colors), +export BREWS_TO_INSTALL="curl docker-compose git jq yq node safety wget" + # tree doesn't so exa (folder colors), entr fzf fuse to restore from borgbase + # Also: borg, ncdu, github hadolint lazygit graphviz htop hub mc pwgen ripgrep zoxide # https://www.youtube.com/watch?v=2OHrTQVlRMg bat, ripgrep (rg cmd), # entr (run on change), fzf (fuzzy find), zoxide (z instead of cd), mc (midnight commander) # lazygit: https://www.youtube.com/watch?v=CPLdltN7wgE diff --git a/mac-setup.zsh b/mac-setup.zsh index 08aa2c2..0fa4812 100755 --- a/mac-setup.zsh +++ b/mac-setup.zsh @@ -1198,9 +1198,11 @@ if [ "${USE_MOUNT_DRIVE}" = true ]; then # -mount #fi fi - # TODO: Backup other folders/files into a compressed and encrypted drive. - - # TODO: Firefox config https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig + # TODO: Backup other folders/files into a compressed and encrypted drive using Veracrypt? + # TODO: Cloud $2mo Borgbase.com backup using deduplication encrypted compressed https://www.borgbackup.org + # and https://vorta.borgbase.com GUI Fail safe vs fail secure. + # TODO: Rsync.net ZFS RAID-6 mirrored volume https://www.youtube.com/watch?v=1cz_ViFB6eE + # https://www.youtube.com/watch?v=asZX2YbTaNE&t=108s note " At ${USB_FOLDER_PATH} ..." if [ "${SHOW_DEBUG}" = true ]; then # -vv = Show all mounts: 
@@ -1781,18 +1783,19 @@ if [ "${RUN_UTILS}" = true ]; then # -utils # Docs.app, Gmail.app, Google Drive.app, Sheets.app, Slides,app, YouTube.app h2 "-I install brew CLI utilities ..." - # TODO: CLI_PGMS_TO_INSTALL=$( brew list ) # instead of brew upgrade # which does them all + # TODO: BREWS_TO_INSTALL=$( brew list ) # instead of brew upgrade # which does them all # Defined in ~/mac-setup.env : - # CLI_PGMS_TO_INSTALL="curl wget jp jq yq htop tree git hub ncdu docker-compose hadolint 1password-cli keepassc" + # BREWS_TO_INSTALL="curl wget jp jq yq htop tree git hub ncdu docker-compose hadolint 1password-cli keepassc" # * jq manipulates JSON # * yq manipulates YAML - ARRAY=(`echo ${CLI_PGMS_TO_INSTALL}`); # from ~/mac-setup.env + # Backups: Rsync vs Borg vs Restic.net vs Kopia.io (grigio.org - youtube.com/watch?v=abqvgU_SSWU) + ARRAY=(`echo ${BREWS_TO_INSTALL}`); # from ~/mac-setup.env for brewname in "${ARRAY[@]}"; do brew install $brewname # NOTE: Brew updates if already installed. done - # Exceptions: + # Exceptions (to avoid issues, install on its own): brew install jmespath/jmespath/jp # https://github.com/jmespath/jp 
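Review bot: The loop now reads only `BREWS_TO_INSTALL`, so a `~/mac-setup.env` written before this rename (the comment says the list is defined there) leaves the array empty and the `brew install` loop silently installs nothing. A fallback placed before the `ARRAY=` line keeps older env files working: `: "${BREWS_TO_INSTALL:=${CLI_PGMS_TO_INSTALL:-}}"`. The mac-setup.env hunk makes the same rename and drops the old name without a comment pointing to the new one. The enclosing `if [ "${RUN_UTILS}" = true ]` block starts and ends outside this hunk.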
@@ -1808,6 +1811,26 @@ if [ "${RUN_UTILS}" = true ]; then # -utils # Replacement for ls - see https://the.exa.website/#installation # brew install exa + # Configure Firefox: + if [ ! -f "firefox-user.js" ]; then # NOT found + warnng "firefox-user.js not found. Skipping Firefox config..." + else # file found: + # Copy existing user.js in Firefox - see https://www.youtube.com/watch?v=s-vwthG28ks + # TODO: Backup to USB chip! + + # TODO: Install using CLI + # separate cookies in different accounts, + # at https://addons.mozilla.org/en-US/firefox/addon/multi-account-containers/ + # Add Privacy Badget by EFF to block invisible trackers + # at https://addons.mozilla.org/en-US/firefox/addon/privacy-badger17/ + + # Find ???.default-release folder in "$HOME/Library/Application Support/Firefox/Profiles/" + ls "$HOME/Library/Application Support/Firefox/Profiles/" + + note "Overwriting firefox-user.js in mac-setup from github into Firefox user.js ..." + # See https://github.com/arkenfox/user.js/ + # See https://github.com/sunknudsen/privacy-guides/blob/master/how-to-configure-firefox-for-privacy-and-security/user.js + fi ### 18c. Define file extensions to edit using VSCode # https://superuser.com/questions/273756/how-to-change-default-app-for-all-files-of-particular-file-type-through-terminal
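Review bot: The `else` branch announces "Overwriting firefox-user.js ... into Firefox user.js" but the hunk contains no copy command, only an `ls` of the Profiles directory, so the run log reports hardening that was never applied. Until the copy exists the message should say so, e.g. `note "firefox-user.js found; copy into the Firefox profile is not implemented yet ..."`, and when it is added the existing user.js should be backed up first, as the TODO above it already hints. `warnng` in the not-found branch looks like a typo for the script's warning helper (its definition is outside this hunk); if no function of that name exists the branch fails with command-not-found instead of printing the message. The test `[ ! -f "firefox-user.js" ]` is relative to the current directory, so the result depends on where the script is launched from. The enclosing `RUN_UTILS` block starts before the hunk.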