start-os
[fix] better privacy settings for Firefox kiosk mode or switch to LibreWolf
+1 for LW
+2 for LibreWolf - all its settings out of the box are actually sane, they rip out Pocket and turn off the sending of every URL you visit to a 3rd party, and they release very quickly after Firefox does. Only downside is they are not in Debian (yet?), you have to add their own repo (so trusting yet another 3rd party, and their Amazon Web Services hosting provider for that repo).
Are there any known interoperability issues with LibreWolf and eOS? I vaguely recall something.
Not that I'm aware of. I've been using it alone for months.
I had one minor LW issue, but I can't say that it was eOS-related. I think with some testing we'd be good to go with it.
Gonna drop this in here, we can make a custom profile for firefox-esr rather than letting Mozilla take a huge dump all over user privacy with their default settings: https://github.com/mozilla/policy-templates/
Settings that seem like we should probably enable or disable away from the defaults: DisableFirefoxAccounts, DisableFirefoxStudies, DisablePocket, DisableTelemetry, NetworkPrediction, NoDefaultBookmarks, SearchSuggestEnabled
about:config options - don't send every URL we visit to Google Safe Browsing:
browser.safebrowsing.blockedURIs.enabled = false
browser.safebrowsing.downloads.remote.block_potentially_unwanted = false
browser.safebrowsing.downloads.remote.enabled = false
browser.safebrowsing.downloads.remote.block_uncommon = false
Turn off data reporting to Mozilla:
datareporting.healthreport.uploadEnabled = false
datareporting.policy.dataSubmissionEnabled = false
^ these settings should be able to eliminate the browser talking to 3rd parties (for the most part).
===========
Another note on the security of Kiosk mode: Running firefox-esr as the start9 user (which has unfettered sudo access) is not a good practice. We should create a user called 'kiosk' whose role is to just run the kiosk script and who has no shell or home dir or sudo access.
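An added example, not part of the thread or the StartOS code base: a Python sketch that builds a `policies.json` from the policy names and Safe Browsing prefs listed in the comment above, and audits an existing file for drift. The true/false value chosen for each policy, the use of the `Preferences` policy with `"Status": "locked"`, and the function names are assumptions of this example; the two `datareporting.*` prefs are left to `DisableTelemetry`.

```python
import json

# Policy names come from the comment above; the values are this example's
# assumption of the privacy-preserving choice for each.
POLICIES = {
    "DisableFirefoxAccounts": True,
    "DisableFirefoxStudies": True,
    "DisablePocket": True,
    "DisableTelemetry": True,   # assumed to cover the two datareporting.* prefs
    "NetworkPrediction": False,
    "NoDefaultBookmarks": True,
    "SearchSuggestEnabled": False,
}
# about:config prefs from the comment, pinned via the "Preferences" policy.
SAFEBROWSING_PREFS = [
    "browser.safebrowsing.blockedURIs.enabled",
    "browser.safebrowsing.downloads.remote.block_potentially_unwanted",
    "browser.safebrowsing.downloads.remote.enabled",
    "browser.safebrowsing.downloads.remote.block_uncommon",
]

def build_policies():
    """Return the policies.json document as a dict."""
    prefs = {p: {"Value": False, "Status": "locked"} for p in SAFEBROWSING_PREFS}
    return {"policies": {**POLICIES, "Preferences": prefs}}

def audit(doc):
    """List every setting from the thread that is absent, changed or unlocked."""
    found = doc.get("policies", {})
    problems = [f"{k}: want {v!r}, got {found.get(k)!r}"
                for k, v in POLICIES.items() if found.get(k) is not v]
    prefs = found.get("Preferences", {})
    for p in SAFEBROWSING_PREFS:
        entry = prefs.get(p, {})
        if entry.get("Value") is not False or entry.get("Status") != "locked":
            problems.append(f"{p}: not locked to false")
    return problems

if __name__ == "__main__":
    print(json.dumps(build_policies(), indent=2))
    # Constructed drift case: Pocket re-enabled, one pref left user-changeable.
    drifted = build_policies()
    drifted["policies"]["DisablePocket"] = False
    drifted["policies"]["Preferences"][SAFEBROWSING_PREFS[2]]["Status"] = "default"
    for line in audit(drifted):
        print("DRIFT", line)
```

Where the generated file has to be installed depends on how firefox-esr is packaged on the image; `audit()` can be run against the deployed file with `json.load` to catch settings that were dropped or reverted.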
For simplicity - it seems LibreWolf uses these about:config settings by default. Agree on setting up the kiosk user.
One thing to be aware of on the UX front: LibreWolf forces light theme to resist fingerprinting.