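# -*- mode: python; python-indent-offset: 4; tab-width: 0; encoding: utf-8-unix -*-
# Meant to be sourced from qutebrowser's config.py: it relies on the `c`
# config object being in scope and does not run stand-alone.
"""Our attempt at listing the Chromium flags for security and privacy, and
some of the Chromium features, as qutebrowser ``qt.args``.

Consult:
* https://niek.github.io/chrome-features/
* https://peter.sh/experiments/chromium-command-line-switches/

Test by visiting https://coveryourtracks.eff.org/ (fingerprinting) and
https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html (TLS).

Caveats -- YMMV:
* ``qt.args`` entries are written without the leading ``--``; qutebrowser adds it.
* Many of these are Chrome-layer switches that QtWebEngine may silently ignore.
  An unknown or misspelled switch produces no error, so check the effective
  command line (``:version``, or ``QT_LOGGING_RULES=qt.webenginecontext.debug=true``)
  after editing this file instead of assuming a flag took effect.
"""

# Canvas read-back is a classic fingerprinting vector.
# Blocking it may interfere with some logins / CAPTCHAs.
c.content.canvas_reading = False  # just passes --disable-reading-from-canvas

# Which Chromium process model to use.
# Alternative process models use less resources, but decrease security and robustness.
# - https://www.chromium.org/developers/design-documents/process-models
# - https://doc.qt.io/qt-6/qtwebengine-features.html#process-models
# NOTE(review): this is a deliberate resources-vs-isolation tradeoff; re-read the
# linked docs before copying it into a higher-threat profile.
c.qt.chromium.process_model = 'process-per-site'  # passes --process-per-site

# qutebrowser adds --disable-accelerated-2d-canvas
# qutebrowser starts with these:
# ['--webEngineArgs', '--enable-features=WebRTCPipeWireCapturer', '--disable-reading-from-canvas', '--touch-events=disabled', '--force-webrtc-ip-handling-policy=disable_non_proxied_udp', '--process-per-site', '--disable-accelerated-2d-canvas']
#
# WebRTCPipeWireCapturer is repeated in our own list: if only one
# --enable-features value survives, ours would otherwise replace the one
# qutebrowser passes itself -- TODO confirm against the effective command line.
enable = ['WebRTCPipeWireCapturer']
disable = []

# I was thinking of tightening up privacy and security by adding some
# well-known flags to qt.args. I broke them up into 4 categories
# and harvested a list of suggestions from the net.
# Many may be chromium flags not used by QtWebEngine.
# https://github.com/qutebrowser/qutebrowser/issues/5378
# https://github.com/qt/qtwebengine/blob/v5.14.2/src/core/web_engine_context.cpp#L478-L690

# Cache sizes, in megabytes, for the disk-cache-size / media-cache-size switches.
cacheM = 100  #? are disabled for now

misc = [
    # A missing comma between adjacent string literals silently concatenates
    # them into one bogus switch, so every entry here ends with a comma.
    'log-level=3',
    f"disk-cache-size={cacheM}M",
    f"media-cache-size={cacheM}M",
]

# GPU tuning - YMMV
# https://github.com/qutebrowser/qutebrowser/discussions/7917
# Hardware video decoding hands untrusted media to driver code; if you value
# isolation over power use, leave it off.
misc += [
    'use-gl=desktop',  # or use-gl=egl on wayland
    'enable-accelerated-video-decode',  # may make things slower
    #? enable-features=VaapiVideoDecoder
    #? enable-features=VaapiVideoDecodeLinuxGL
    #? cast-streaming-force-disable-hardware-h264
    #? cast-streaming-force-disable-hardware-vp8
    #? cast-streaming-force-enable-hardware-h264
    #? cast-streaming-force-enable-hardware-vp8
]
#? c.qt.workarounds.disable_accelerated_2d_canvas = 'never'

## chromium security
## https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
#
# Hosts that may receive integrated (Negotiate/NTLM) auth; keep it narrow if used.
# 'auth-server-whitelist=*.example.com',
security = [
    # NOTE(review): if this switch is honoured at all, a TLS 1.3 floor breaks every
    # site that only offers TLS 1.2 -- verify on the ssllabs client test above.
    # No visible breakage most likely means the switch is being ignored.
    'ssl-version-min=tls1.3',
    # TLS version fallback was removed from Chromium long ago; this is very
    # probably a no-op. Harmless to keep, but do not rely on it.
    'ssl-version-fallback-min=tls1.2',
]
disable += ['EnableServiceWorkersForChromeUntrusted']

## chromium privacy
# https://www.reddit.com/r/privacytoolsIO/comments/kgqmnm/how_to_tweak_chrome_flags_for_privacy_and/
# --disable-plugins-discovery
# --disable-preconnect
# --dns-prefetch-disable
# --no-pings
# --enable-strict-powerful-feature-restrictions
privacy = [
    #? 'use-dns-https-svcb-alpn=disabled',
    #? 'show-autofill-type-predictions=disabled',
    #? 'back-forward-cache=disabled',
    'disable-plugins-discovery',
    'disable-preconnect',
    'dns-prefetch-disable',
    'no-pings',
    #? 'disable-webgl',
    #? 'media-route-dial-provider',
    #? 'allow-silent-push=disabled',
    # Previously misspelled 'disable-notificatons', which silently did nothing.
    'disable-notifications',
    # Named for Android WebView; may be ignored on desktop -- TODO confirm.
    'webview-force-disable-3pcs',
]

# https://www.reddit.com/r/privacytoolsIO/comments/kgqmnm/how_to_tweak_chrome_flags_for_privacy_and/
# NOTE(review): these two are chrome://flags entry names, not documented
# command-line switches; the command-line equivalent is presumably the
# corresponding feature name via enable-features -- TODO confirm.
privacy += [
    'strict-origin-isolation',
    'reduced-referrer-granularity',
]
# Overall, these two should be enough. You can also consider these flags but imo they don't add much benefit:
#disallow-doc-written-script-loads
#cookies-without-same-site-must-be-secure
#force-empty-CORB-and-CORS-allowlist
#cors-for-content-scripts
#enable-noscript-previews

# Disabling DoH sends lookups to the OS resolver in the clear. Only do this
# when the system resolver is itself trusted (e.g. a local DoT/DoH forwarder);
# otherwise it is a privacy downgrade, not an upgrade.
disable += ['DnsOverHttps', 'DnsOverHttpsUpgrade']

# a matter of taste
# https://nira.com/chrome-flags/
taste = [
    #? 'proactive-tab-freeze-and-discard=enabled',
    #? 'enable-lazy-image-loading=enabled',
    #? 'omnibox-ui-hide-steady-state-url-scheme=enabled',
    #? 'omnibox-ui-hide-steady-state-url-trivial-subdomains=enabled',
    #? 'memory-saver-memory-usage-in-hovercards=enabled',
    # Kept off on purpose ("#no"): disabling this would let public pages reach
    # localhost / LAN services through the browser.
    #? 'block-insecure-private-network-requests=disabled', #no
    'disable-remote-fonts',
    'disable-remote-playback-api',
]

# Assemble everything into qt.args. Order of the lists does not matter to
# Chromium; the feature lists are joined into a single switch each.
c.qt.args = (
    security + privacy + misc + taste
    + ['enable-features=' + ','.join(enable),
       'disable-features=' + ','.join(disable)]
)
del security, privacy, misc, taste, enable, disable

# how to disable these?
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256
# TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
# TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
# TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
# TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK
# NOTE(review): Chromium's cipher-suite denylist switch lives in the Chrome
# layer, so QtWebEngine may not honour it -- TODO confirm. These suites only
# matter when the server actually selects one of them; a TLS 1.3 connection
# never uses them.

# See also the env variables
#QT_LOGGING_RULES=qt.webenginecontext.debug=true
#QT_QUICK_BACKEND or QMLSCENE_DEVICE # string
#QT_OPENGL # ; set or not
#QTWEBENGINE_CHROMIUM_FLAGS # space sep. string
#QTWEBENGINE_DISABLE_SANDBOX # ; set or not -- never set this; it turns off renderer sandboxing
#QTWEBENGINE_DISABLE_GPU_THREAD # ; set or not
# import os
# export QTWEBENGINE_DICTIONARIES_PATH /usr/share/myspell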