146 lines
5.1 KiB
Python
146 lines
5.1 KiB
Python
# -*- mode: python; python-indent-offset: 4; tab-width: 0; encoding: utf-8-unix -*-
|
|
# This should be execed in config.py
|
|
|
|
"""Our attempt at listing the chrome flags for security and privacy,
|
|
and some of the chrome features. Consult:
|
|
* https://niek.github.io/chrome-features/
|
|
* https://peter.sh/experiments/chromium-command-line-switches/
|
|
|
|
Test by visiting https://coveryourtracks.eff.org/
|
|
|
|
YMMV!
|
|
"""
|
|
|
|
|
|
# this may interfere wuth some logins
|
|
c.content.canvas_reading = False
|
|
# just passes --disable-reading-from-canvas
|
|
|
|
# Which Chromium process model to use.
|
|
# Alternative process models use less resources, but decrease security and robustness.
|
|
# - https://www.chromium.org/developers/design-documents/process-models
|
|
# - https://doc.qt.io/qt-6/qtwebengine-features.html#process-models
|
|
c.qt.chromium.process_model = 'process-per-site'
|
|
# passes --process-per-site
|
|
|
|
# qutebrowser adds --disable-accelerated-2d-canvas
|
|
|
|
# qutebrowser starts with these:
|
|
# ['--webEngineArgs', '--enable-features=WebRTCPipeWireCapturer', '--disable-reading-from-canvas', '--touch-events=disabled', '--force-webrtc-ip-handling-policy=disable_non_proxied_udp', '--process-per-site', '--disable-accelerated-2d-canvas']
|
|
enable = ['WebRTCPipeWireCapturer']
|
|
disable = []
|
|
|
|
# I was thinking of tightening up privacy and security by adding some
|
|
# well-known flags to qt.args. I broke them up into 4 categories
|
|
# and harvested a list of suggestions from the net.
|
|
|
|
# Many may be chromium flags not used by QtWebEngine.
|
|
|
|
# https://github.com/qutebrowser/qutebrowser/issues/5378
|
|
# https://github.com/qt/qtwebengine/blob/v5.14.2/src/core/web_engine_context.cpp#L478-L690
|
|
|
|
cacheM = 100
|
|
#? are disabled for now
|
|
misc = ['log-level=3'
|
|
f"disk-cache-size={cacheM}M",
|
|
f"media-cache-size={cacheM}M"
|
|
]
|
|
|
|
# GPU tuning - YMMV
|
|
misc += [
|
|
# https://github.com/qutebrowser/qutebrowser/discussions/7917
|
|
'use-gl=desktop', # or use-gl=egl on wayland
|
|
'enable-accelerated-video-decode', # may make thing slower
|
|
#? enable-features=VaapiVideoDecoder
|
|
#? enable-features=VaapiVideoDecodeLinuxGL
|
|
#? cast-streaming-force-disable-hardware-h264
|
|
#? cast-streaming-force-disable-hardware-vp8
|
|
#? cast-streaming-force-enable-hardware-h264
|
|
#? cast-streaming-force-enable-hardware-vp8
|
|
]
|
|
#? c.qt.workarounds.disable_accelerated_2d_canvas = 'never'
|
|
|
|
## chromium security
|
|
## https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html
|
|
# # 'auth-server-whitelist=*.example.com',
|
|
security = [ 'ssl-version-min=tls1.3',
|
|
'ssl-version-fallback-min=tls1.2',
|
|
]
|
|
disable += ['EnableServiceWorkersForChromeUntrusted']
|
|
|
|
## chromium privacy
|
|
|
|
# https://www.reddit.com/r/privacytoolsIO/comments/kgqmnm/how_to_tweak_chrome_flags_for_privacy_and/
|
|
# --disable-plugins-discovery
|
|
# --disable-preconnect
|
|
# --dns-prefetch-disable
|
|
# --no-pings
|
|
# --enable-strict-powerful-feature-restrictions
|
|
privacy = [
|
|
#? 'use-dns-https-svcb-alpn=disabled',
|
|
#? 'show-autofill-type-predictions=disabled',
|
|
#? 'back-forward-cache=disabled',
|
|
'disable-plugins-discovery',
|
|
'disable-preconnect',
|
|
'dns-prefetch-disable',
|
|
'no-pings',
|
|
#? 'disable-webgl',
|
|
#? 'media-route-dial-provider',
|
|
#? 'allow-silent-push=disabled',
|
|
'disable-notificatons',
|
|
'webview-force-disable-3pcs',
|
|
]
|
|
|
|
# https://www.reddit.com/r/privacytoolsIO/comments/kgqmnm/how_to_tweak_chrome_flags_for_privacy_and/
|
|
privacy += [
|
|
'strict-origin-isolation',
|
|
'reduced-referrer-granularity'
|
|
]
|
|
# Overall, these two should be enough. You can also consider these flags but imo these doesn't add much benefits
|
|
#disallow-doc-written-script-loads
|
|
#cookies-without-same-site-must-be-secure
|
|
#force-empty-CORB-and-CORS-allowlist
|
|
#cors-for-content-scripts
|
|
#enable-noscript-previews
|
|
|
|
disable += ['DnsOverHttps', 'DnsOverHttpsUpgrade']
|
|
|
|
# a matter of taste
|
|
# https://nira.com/chrome-flags/
|
|
taste = [
|
|
#? 'proactive-tab-freeze-and-discard=enabled',
|
|
#? 'enable-lazy-image-loading=enabled',
|
|
#? 'omnibox-ui-hide-steady-state-url-scheme=enabled',
|
|
#? 'omnibox-ui-hide-steady-state-url-trivial-subdomains=enabled',
|
|
#? 'memory-saver-memory-usage-in-hovercards=enabled',
|
|
#? 'block-insecure-private-network-requests=disabled',
|
|
#no 'disable-remote-fonts',
|
|
'disable-remote-playback-api',
|
|
]
|
|
|
|
if True:
|
|
c.qt.args = security + privacy + misc + taste + \
|
|
['enable-features=' +','.join(enable),
|
|
'disable-features=' +','.join(disable)]
|
|
|
|
del security, privacy, misc, taste, enable, disable
|
|
|
|
# how to disable these?
|
|
# TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) WEAK 128
|
|
# TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) WEAK 256
|
|
# TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
|
|
# TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
|
|
# TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
|
|
# TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK
|
|
|
|
# See also the env variables
|
|
#QT_LOGGING_RULES=qt.webenginecontext.debug=true
|
|
#QT_QUICK_BACKEND or QMLSCENE_DEVICE # string
|
|
#QT_OPENGL # ; set or not
|
|
#QTWEBENGINE_CHROMIUM_FLAGS # space sep. string
|
|
#QTWEBENGINE_DISABLE_SANDBOX # ; set or not
|
|
#QTWEBENGINE_DISABLE_GPU_THREAD # ; set or not
|
|
|
|
# import os
|
|
# export QTWEBENGINE_DICTIONARIES_PATH /usr/share/myspell
|