Firefox configuration in DispVM

It’s well known that applications should not be launched in templates - but when configuring a disposable vm template, it can get complicated to configure preferences and settings in certain programs without running them in the template (ex. Firefox).

How do you approach this?

I did the following and it seems to work well. Any thoughts?

  1. Create appVM based on a standard template (ex. Debian 11) named disp-browse-dvm

  2. Set the netVM to “none” in the settings of disp-browse-dvm

  3. In a network-connected VM running Firefox, go to Tools → addons and search for desired addons. Right click each download button for each addon and save the .xpi file.

  4. Open disp-browse-dvm

  5. In the networked appVM, right click → Copy to VM each of the .xpi files and move them to disp-browse-dvm

  6. In disp-browse-dvm, drag the .xpi files one at a time into an empty browser window to install the addons.

  7. Configure preferences as you want them.

  8. Configure about:config the way you want it. See https://chrisx.xyz/blog/yet-another-firefox-hardening-guide/ for suggestions if you are using firefox-esr. Otherwise check out Browser Recommendations | Privacy Guides for suggestions.

  9. Create desired bookmarks manually or go to bookmarks → Show All Bookmarks and ‘restore’ using a backup file from another browser.

  10. Once the browser is set up exactly how you want it to launch, shut down the VM.

  11. Open dom0 and type:

qvm-prefs disp-browse-dvm template_for_dispvm True

then type:

qvm-features disp-browse-dvm appmenus-dispvm 1

Finally, if you want to make this disposable template the Qubes default template, type:

qubes-prefs default_dispvm disp-browse-dvm

  12. Launch Qubes Manager and open the settings for disp-browse-dvm and set the desired netVM.

  13. Using the Application Launcher, launch the Firefox app for disp-browse-dvm

While I did choose to run Firefox-esr in the disposable template, the template was never connected to a network while Firefox-esr was running. Firefox-esr was also pre-installed in the original Debian template, further reducing threat exposure. Do you consider this a more secure option than simply connecting the template to a network and installing the addons the usual way? It would have been nice to have checksums for the .xpi files but… c’est la vie.

Any thoughts on a more secure method for configuring Firefox in disposable templates? Perhaps a configuration/addon install script that is configured to run every time an instance of the disposable is launched? Does such a thing exist? Would it be complicated to write?

Thanks for reading.

2 Likes

Fine for me! Only way to do it that way.
But some input from the cracks could be needed also… Curious!

1 Like

I use global Firefox policies and AutoConfig to configure the browser in a template or disposable template without starting it. AutoConfig can integrate arkenfox hardened settings.

This will give you a new profile each time you start the disposable, while preserving settings.

Regarding addons, I only use uBlock Origin, which can be installed directly from Fedora or Debian repository.

3 Likes

@varkya can you please give more details about how this can be accomplished?

As a step-by-step guide?

@varkya Thank you! I will look into those options.

  1. I removed the network VM from my disp-template,
  2. I started the template itself (in the Qubes Manager),
  3. started the browser I wanted to configure (e.g. Firefox, and set the default search engine to DuckDuckGo, some privacy…),
  4. shut down the template VM,
  5. reconnected the network in the settings.

From now on every disp-vm that is spawned will have my settings in it.

@ymy

That sounds about right.

@dallas87
Firefox policies is a simple JSON file /etc/firefox/policies/policies.json (take a look at the GitHub repo for all values).

Quite useful is 3rdparty, which can set predefined settings for uBlock Origin.
So you install this addon in the template via repository package - mozilla-ublock-origin for Fedora, webext-ublock-origin for Debian. Then preconfigure it via 3rdparty in the template as well for later usage in a disposable. For example I configured mine to block JavaScript, iFrames, etc. as default.

AutoConfig more or less is a file in the root partition, which contains settings akin to user_pref. You can take all config values from the arkenfox user.js and put them in this file. Just note it’s needed to switch from user_pref to pref, as we are in system - not user - scope.

1 Like

@varkya I have to admit, I found the policies overview a bit daunting. They keep referring to templates but they seem more like template “fragments”. Do you know of any examples of policies.json files in a more complete form? In other words, a more comprehensive template that I can edit?

Actually, now that I am writing this, I suppose the best place to look is my own existing policies.json file… and possibly just drop that into a new template install of Firefox?

When this is all set up, how are the addons installed? Every time I launch an instance of the disposable VM?

Why don’t you just use a profile for that? You could modify the default /home directory to include the arkenfox user.js, it would still not save anything because the /home-template won’t actually be written to but no additional config is needed once you’ve set up everything. Profiles are in the /home/user/.mozilla/firefox directory.

1 Like

Interesting approach.

Anyway I think the profile customisation inside the dispVM template also mentioned elsewhere in this thread should be OK for 95% of users. Those who fear a privacy compromise via an unclean profile should look into your approach or use multiple templates, those who fear a compromise via executing firefox might want to execute it in a disposable VM and copy the profile directory over afterwards.

Actually I wrote a script to update firefox & addons without executing it a few years back, but I now consider it pointless.

The arkenfox user.js is also interesting to start with, but at the end of the day some settings need to be customised to one’s own behaviour and Qubes OS, i.e. one needs to fork.

1 Like

@necker If you have an existing policy, try it out - no harm :-). If active, you will get a notification in Firefox settings about applied policy. The structure of /etc/firefox/policies/policies.json is (other settings from the repo go next to AppAutoUpdate):

{
  "policies": {
    "AppAutoUpdate": false
  }
}

With default settings, Firefox will automatically find addons like uBlock Origin installed via package manager and apply them.
Though arkenfox forbids addons from system per default, so you would need to adjust values.

@S9qPsAMNuW4ax5EF5 @tripleh Yep, for sure this is a good alternative.
I just wanted to have a more portable solution, which can be applied automatically on multiple VMs via shell-scripting and no file config overhead.

There were also reports about profile fingerprinting for Firefox and other browsers, which can be mitigated via new profiles for every disposable. But not sure, if this is really a privacy-relevant thing.

1 Like
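
The policies.json structure and the user_pref-to-pref switch for AutoConfig described in the posts above, as an added example that is not code from any poster in this thread. It stages the files under a scratch directory so nothing touches the template until they are reviewed and copied in as root; the install directory /usr/lib/firefox-esr, the two policies other than AppAutoUpdate, and the sample user.js lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: stage Firefox policy and AutoConfig files without starting Firefox.

# Constructed sample in the style of a user.js (not the real arkenfox file).
sample_user_js() {
cat <<'EOF'
/* constructed sample */
user_pref("browser.shell.checkDefaultBrowser", false);
// user_pref("media.peerconnection.enabled", false);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
   user_pref("browser.startup.page", 0); // blank start page
EOF
}

# Turn active user_pref() lines into system-scope pref() lines.
# Lines commented out with // are dropped; /* */ blocks spanning several
# lines are not parsed (assumption: inactive prefs use // as in the sample).
userjs_to_cfg() {
  # AutoConfig skips the first line of the .cfg file, so it must be a comment.
  echo '// firefox.cfg generated from user.js'
  sed -n 's/^[[:space:]]*user_pref(/pref(/p'
}

# $1 = staging root, $2 = Firefox install dir (assumption, distro-specific).
# Reads user.js on stdin and writes the three files under the staging root.
stage_firefox_config() {
  root=$1 appdir=$2
  mkdir -p "$root/etc/firefox/policies" "$root$appdir/defaults/pref"
  cat > "$root/etc/firefox/policies/policies.json" <<'EOF'
{
  "policies": {
    "AppAutoUpdate": false,
    "DisableTelemetry": true,
    "DontCheckDefaultBrowser": true
  }
}
EOF
  # Tells Firefox which AutoConfig file to load from the install dir.
  cat > "$root$appdir/defaults/pref/autoconfig.js" <<'EOF'
pref("general.config.filename", "firefox.cfg");
pref("general.config.obscure_value", 0);
EOF
  userjs_to_cfg > "$root$appdir/firefox.cfg"
}

demo_root=$(mktemp -d)
sample_user_js | stage_firefox_config "$demo_root" /usr/lib/firefox-esr
find "$demo_root" -type f | sort
```
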

I guess there is something like this, at least some of the options I’ve seen while changing up some stuff in the about:config does indicate a lot of tracking & telemetry. Though I have disabled pretty much 99% of what I could find and completely disabling things like webRTC is pretty annoying if you want to have video conferences with anyone (though you can disable via addon and then just disable the addon if you want - on non-conference qubes you should completely disable this anti-feature). But having everything set up and a lot of addons that make my fingerprint really (!) unique (and changing it by the minute so that every unique fingerprint is different from the last), sanitizing history and cookies on shutdown even on non-disposables and only leaving that stuff there if it can’t be avoided kinda makes my setup annoying for tracking companies (at least I hope so).

1 Like

@varkya The most recent versions of firefox-esr don’t use policies.json any more. There is /etc/firefox-esr with no policies directory. It seems that most of the information is stored in ~/.mozilla/firefox

@S9qPsAMNuW4ax5EF5 Have you looked at the most recent versions of firefox-esr? Perhaps copying the entire firefox folder is the best approach. Though it’s not clear if the .xpi files are stored elsewhere or if there are signed files that associate the settings with a particular installation to prevent ‘drop in’ folder swaps (for security). I’ll give it a try.

Thanks to the both of you for the assistance…

Just create the folder manually, if not existent:

mkdir -p /etc/firefox/policies

~/.mozilla/firefox is for user space, policies are system-wide.

You might as well combine both approaches. I use policies + AutoConfig for all values I normally put in about:config or would adjust manually.
When custom addons not in the distribution repository are needed, copy the profile to disposable template.

Thanks… I’ll give that a try.