qutebrowser_configs/configs/chromium-flags.py

# -*- mode: python; python-indent-offset: 4; tab-width: 0; encoding: utf-8-unix -*-
# This should be execed in config.py

# Test by visiting https://coveryourtracks.eff.org/
# https://niek.github.io/chrome-features/
# https://peter.sh/experiments/chromium-command-line-switches/


# this may interfere wuth some logins
c.content.canvas_reading = False
# just passes --disable-reading-from-canvas

# Which Chromium process model to use.
# Alternative process models use less resources, but decrease security and robustness.
# - https://www.chromium.org/developers/design-documents/process-models
# - https://doc.qt.io/qt-6/qtwebengine-features.html#process-models
c.qt.chromium.process_model = 'process-per-site'
# passes --process-per-site

# qutebrowser adds --disable-accelerated-2d-canvas

# qutebrowser starts with these: 
# ['--webEngineArgs', '--enable-features=WebRTCPipeWireCapturer', '--disable-reading-from-canvas', '--touch-events=disabled', '--force-webrtc-ip-handling-policy=disable_non_proxied_udp', '--process-per-site', '--disable-accelerated-2d-canvas']
enable = ['WebRTCPipeWireCapturer']
disable = []

# I was thinking of tightening up privacy and security by adding some
# well-known flags to qt.args. I broke them up into 4 categories
# and harvested a list of suggestions from the net.

# Many may be chromium flags not used by QtWebEngine.

# https://github.com/qutebrowser/qutebrowser/issues/5378
# https://github.com/qt/qtwebengine/blob/v5.14.2/src/core/web_engine_context.cpp#L478-L690

cacheM = 100
#? are disabled for now
misc = ['log-level=3'
        f"disk-cache-size={cacheM}M",
        f"media-cache-size={cacheM}M"
        ]

# GPU tuning - YMMV
misc += [
        # https://github.com/qutebrowser/qutebrowser/discussions/7917
        'use-gl=desktop',  # or use-gl=egl on wayland
        'enable-accelerated-video-decode', # may make thing slower
        #? enable-features=VaapiVideoDecoder
        #? enable-features=VaapiVideoDecodeLinuxGL
        #? cast-streaming-force-disable-hardware-h264
        #? cast-streaming-force-disable-hardware-vp8
        #? cast-streaming-force-enable-hardware-h264
        #? cast-streaming-force-enable-hardware-vp8
        ]
#? c.qt.workarounds.disable_accelerated_2d_canvas = 'never'

## chromium security
## https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
# # 'auth-server-whitelist=*.example.com',
security = [ 'ssl-version-min=tls1.3',
             'ssl-version-fallback-min=tls1.2',
             ]
disable += ['EnableServiceWorkersForChromeUntrusted']

## chromium privacy

# https://www.reddit.com/r/privacytoolsIO/comments/kgqmnm/how_to_tweak_chrome_flags_for_privacy_and/
# --disable-plugins-discovery
# --disable-preconnect
# --dns-prefetch-disable
# --no-pings
# --enable-strict-powerful-feature-restrictions
privacy = [
  #? 'use-dns-https-svcb-alpn=disabled',
  #? 'show-autofill-type-predictions=disabled',
  #?       'back-forward-cache=disabled',
  'disable-plugins-discovery',
  'disable-preconnect',
  'dns-prefetch-disable',
  'no-pings',
  #? 'disable-webgl',
  #? 'media-route-dial-provider',
  #? 'allow-silent-push=disabled',
  'disable-notificatons',
  'webview-force-disable-3pcs',
   ]

# https://www.reddit.com/r/privacytoolsIO/comments/kgqmnm/how_to_tweak_chrome_flags_for_privacy_and/
privacy += [
            'strict-origin-isolation',
            'reduced-referrer-granularity'
    ]
# Overall, these two should be enough. You can also consider these flags but imo these doesn't add much benefits
#disallow-doc-written-script-loads
#cookies-without-same-site-must-be-secure
#force-empty-CORB-and-CORS-allowlist
#cors-for-content-scripts
#enable-noscript-previews

disable += ['DnsOverHttps', 'DnsOverHttpsUpgrade']

# a matter of taste
# https://nira.com/chrome-flags/
taste = [
    #? 'proactive-tab-freeze-and-discard=enabled',
    #? 'enable-lazy-image-loading=enabled',
    #? 'omnibox-ui-hide-steady-state-url-scheme=enabled',
    #? 'omnibox-ui-hide-steady-state-url-trivial-subdomains=enabled',
    #? 'memory-saver-memory-usage-in-hovercards=enabled',
    #? 'block-insecure-private-network-requests=disabled',
    #no 'disable-remote-fonts',
    'disable-remote-playback-api',
  ]

if True:
    c.qt.args =  security + privacy + misc + taste + \
      ['enable-features=' +','.join(enable), 
       'disable-features=' +','.join(disable)]

del security, privacy, misc, taste, enable, disable

# how to disable these?
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)  WEAK	128
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)  WEAK	256
# TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)  WEAK	128
# TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)  WEAK	256
# TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)  WEAK	128
# TLS_RSA_WITH_AES_256_CBC_SHA (0x35)  WEAK

# See also the env variables
#QT_LOGGING_RULES=qt.webenginecontext.debug=true
#QT_QUICK_BACKEND or QMLSCENE_DEVICE # string
#QT_OPENGL # ; set or not
#QTWEBENGINE_CHROMIUM_FLAGS # space sep. string
#QTWEBENGINE_DISABLE_SANDBOX  # ; set or not
#QTWEBENGINE_DISABLE_GPU_THREAD # ; set or not

# import os
# export QTWEBENGINE_DICTIONARIES_PATH /usr/share/myspell
first 2024-04-30 14:51:36 +00:00			`# -- mode: python; python-indent-offset: 4; tab-width: 0; encoding: utf-8-unix --`
			`# This should be execed in config.py`

			`# Test by visiting https://coveryourtracks.eff.org/`
			`# https://niek.github.io/chrome-features/`
			`# https://peter.sh/experiments/chromium-command-line-switches/`


			`# this may interfere wuth some logins`
			`c.content.canvas_reading = False`
			`# just passes --disable-reading-from-canvas`

			`# Which Chromium process model to use.`
			`# Alternative process models use less resources, but decrease security and robustness.`
			`# - https://www.chromium.org/developers/design-documents/process-models`
			`# - https://doc.qt.io/qt-6/qtwebengine-features.html#process-models`
			`c.qt.chromium.process_model = 'process-per-site'`
			`# passes --process-per-site`

			`# qutebrowser adds --disable-accelerated-2d-canvas`

			`# qutebrowser starts with these:`
			`# ['--webEngineArgs', '--enable-features=WebRTCPipeWireCapturer', '--disable-reading-from-canvas', '--touch-events=disabled', '--force-webrtc-ip-handling-policy=disable_non_proxied_udp', '--process-per-site', '--disable-accelerated-2d-canvas']`
			`enable = ['WebRTCPipeWireCapturer']`
			`disable = []`

			`# I was thinking of tightening up privacy and security by adding some`
			`# well-known flags to qt.args. I broke them up into 4 categories`
			`# and harvested a list of suggestions from the net.`

			`# Many may be chromium flags not used by QtWebEngine.`

			`# https://github.com/qutebrowser/qutebrowser/issues/5378`
			`# https://github.com/qt/qtwebengine/blob/v5.14.2/src/core/web_engine_context.cpp#L478-L690`

			`cacheM = 100`
			`#? are disabled for now`
			`misc = ['log-level=3'`
			`f"disk-cache-size={cacheM}M",`
			`f"media-cache-size={cacheM}M"`
			`]`

			`# GPU tuning - YMMV`
			`misc += [`
			`# https://github.com/qutebrowser/qutebrowser/discussions/7917`
			`'use-gl=desktop', # or use-gl=egl on wayland`
			`'enable-accelerated-video-decode', # may make thing slower`
			`#? enable-features=VaapiVideoDecoder`
			`#? enable-features=VaapiVideoDecodeLinuxGL`
			`#? cast-streaming-force-disable-hardware-h264`
			`#? cast-streaming-force-disable-hardware-vp8`
			`#? cast-streaming-force-enable-hardware-h264`
			`#? cast-streaming-force-enable-hardware-vp8`
			`]`
			`#? c.qt.workarounds.disable_accelerated_2d_canvas = 'never'`

			`## chromium security`
			`## https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html`
			`# # 'auth-server-whitelist=*.example.com',`
			`security = [ 'ssl-version-min=tls1.3',`
			`'ssl-version-fallback-min=tls1.2',`
			`]`
			`disable += ['EnableServiceWorkersForChromeUntrusted']`

			`## chromium privacy`

			`# https://www.reddit.com/r/privacytoolsIO/comments/kgqmnm/how_to_tweak_chrome_flags_for_privacy_and/`
			`# --disable-plugins-discovery`
			`# --disable-preconnect`
			`# --dns-prefetch-disable`
			`# --no-pings`
			`# --enable-strict-powerful-feature-restrictions`
			`privacy = [`
			`#? 'use-dns-https-svcb-alpn=disabled',`
			`#? 'show-autofill-type-predictions=disabled',`
			`#? 'back-forward-cache=disabled',`
			`'disable-plugins-discovery',`
			`'disable-preconnect',`
			`'dns-prefetch-disable',`
			`'no-pings',`
			`#? 'disable-webgl',`
			`#? 'media-route-dial-provider',`
			`#? 'allow-silent-push=disabled',`
			`'disable-notificatons',`
			`'webview-force-disable-3pcs',`
			`]`

			`# https://www.reddit.com/r/privacytoolsIO/comments/kgqmnm/how_to_tweak_chrome_flags_for_privacy_and/`
			`privacy += [`
			`'strict-origin-isolation',`
			`'reduced-referrer-granularity'`
			`]`
			`# Overall, these two should be enough. You can also consider these flags but imo these doesn't add much benefits`
			`#disallow-doc-written-script-loads`
			`#cookies-without-same-site-must-be-secure`
			`#force-empty-CORB-and-CORS-allowlist`
			`#cors-for-content-scripts`
			`#enable-noscript-previews`

			`disable += ['DnsOverHttps', 'DnsOverHttpsUpgrade']`

			`# a matter of taste`
			`# https://nira.com/chrome-flags/`
			`taste = [`
			`#? 'proactive-tab-freeze-and-discard=enabled',`
			`#? 'enable-lazy-image-loading=enabled',`
			`#? 'omnibox-ui-hide-steady-state-url-scheme=enabled',`
			`#? 'omnibox-ui-hide-steady-state-url-trivial-subdomains=enabled',`
			`#? 'memory-saver-memory-usage-in-hovercards=enabled',`
			`#? 'block-insecure-private-network-requests=disabled',`
			`#no 'disable-remote-fonts',`
			`'disable-remote-playback-api',`
			`]`

			`if True:`
			`c.qt.args = security + privacy + misc + taste + \`
			`['enable-features=' +','.join(enable),`
			`'disable-features=' +','.join(disable)]`

			`del security, privacy, misc, taste, enable, disable`

			`# how to disable these?`
			`# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128`
			`# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256`
			`# TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128`
			`# TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256`
			`# TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128`
			`# TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK`

			`# See also the env variables`
			`#QT_LOGGING_RULES=qt.webenginecontext.debug=true`
			`#QT_QUICK_BACKEND or QMLSCENE_DEVICE # string`
			`#QT_OPENGL # ; set or not`
			`#QTWEBENGINE_CHROMIUM_FLAGS # space sep. string`
			`#QTWEBENGINE_DISABLE_SANDBOX # ; set or not`
			`#QTWEBENGINE_DISABLE_GPU_THREAD # ; set or not`

			`# import os`
			`# export QTWEBENGINE_DICTIONARIES_PATH /usr/share/myspell`