[Guide] Automatically install extensions and configure new (dispvm) hardened Firefox profiles with arkenfox user.js and policies

There’s your answer mate, the policy you’re looking for is "ExtensionSettings", and specifically the following bit:

        "ExtensionSettings": {
            "*": {
                "installation_mode": "blocked"
            }
        }

Remove or change "installation_mode" to a more relaxed setting (like "allowed") to enable about:debugging.

1 Like
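An added example (not part of the post above or of the guide's own files): a Python check that reads a policies.json and reports the default `ExtensionSettings` installation mode plus every per-extension override, which is useful after relaxing the `"*"` entry in a template. The sample policy, the second extension ID and the function name are constructed for illustration.

```python
import json

# Constructed sample in the shape Firefox expects for policies.json.
SAMPLE_POLICY = """
{
  "policies": {
    "ExtensionSettings": {
      "*": {"installation_mode": "blocked"},
      "uBlock0@raymondhill.net": {
        "installation_mode": "force_installed",
        "install_url": "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
      },
      "sideloaded@example.invalid": {
        "installation_mode": "normal_installed",
        "install_url": "http://example.invalid/addon.xpi"
      }
    }
  }
}
"""

VALID_MODES = {"allowed", "blocked", "force_installed", "normal_installed"}

def audit_extension_settings(policy_text):
    """Return (default_mode, per_extension_modes, findings) for a policies.json."""
    settings = json.loads(policy_text).get("policies", {}).get("ExtensionSettings", {})
    # Without a "*" entry Firefox falls back to "allowed" for unlisted extensions.
    default_mode = settings.get("*", {}).get("installation_mode", "allowed")
    modes, findings = {}, []
    if default_mode != "blocked":
        findings.append(f"default installation_mode is '{default_mode}', not 'blocked'")
    for ext_id, entry in settings.items():
        if ext_id == "*":
            continue
        mode = entry.get("installation_mode", default_mode)
        modes[ext_id] = mode
        if mode not in VALID_MODES:
            findings.append(f"{ext_id}: unknown installation_mode '{mode}'")
        url = entry.get("install_url", "")
        # Installed-by-policy extensions should come from https:// or a local file.
        if mode.endswith("_installed") and not url.startswith(("https://", "file://")):
            findings.append(f"{ext_id}: install_url is not https:// or file://")
    return default_mode, modes, findings

if __name__ == "__main__":
    print(audit_extension_settings(SAMPLE_POLICY))
```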

I have a problem when trying to get this to work with an appvm. Whenever I do it, Firefox forgets all my preferences and reverts back.

So I can’t untick “clear history when Firefox closes” or select “open previous windows and tabs” because it just clears on next boot.

Anyone have any ideas?

Now that I finally have a stable Firefox-DispVM 🙂 with some bookmarks, it would be fine to have some login credentials for more convenience, e.g. with KeepassXC installed with some parameters in a similar way as ublock and noscript. I do not know if this is what arkenoi refers to in his “password management how to”, and if so, this would be far beyond my technical (and English) understanding.
Finally, an overall question arises for me: if I have bookmarks, ublock, noscript and maybe Keepass in my DispVM, would that be a fingerprinting issue regarding advanced algorithms? Or would each and every dispxxx still be unique and could not be profiled?

I can’t help without more specific information.

It’s something in the user.js, I’ve got it so that it remembers my history at least. My problem now is:

Firefox settings > privacy & security > cookies and site data > “delete cookies and site data when Firefox is closed” remains ticked

Also I can’t change: privacy & security > history > “Firefox will use custom settings for history”

This is not possible due to the nature of the disposable. You should look into this if you’re interested: GitHub - rustybird/qubes-app-split-browser: Tor Browser (or Firefox) in a Qubes OS disposable, with persistent bookmarks and login credentials

Otherwise you’ll need to handle credentials differently. Check out my other guide: Split-everything: collection of how-to guides for split configurations

Thanks a lot for great assistance, I will have a look into your guides.

Fingerprinting is somewhat irrelevant to dispXXXX VMs. I mean, a lot of advanced fingerprinting algorithms will use stuff like IP address, screen resolution, timezone, language, OpenGL version, and other things that are beyond the scope of a disposable VM.

If your threat model demands fingerprinting resistance you should use Tor Browser.
Arkenfox (without any overrides) user.js (GitHub - arkenfox/user.js: Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening) helps with resisting fingerprinting, but won’t be as efficient as Tor Browser.
Brave can randomize some fingerprinting.

You should ideally be testing your setup with https://coveryourtracks.eff.org/ and adjust according to your threat model.

In my honest opinion, browser dispVMs are not for anonymity (i.e. fingerprinting issues) but for security issues. You can click/visit those nasty sites that you would never do on a personal computer in a dispVM. As long as you don’t put any personal data and you shut down the dispVM, any malware that would infect the computer is long gone along with the dispVM. This is how I use my browser dispVM. If I want fingerprinting resistance/anonymity I’ll use a Whonix dispVM with Tor Browser.

2 Likes

As I recall, though, using the Arkenfox style of preconfiguring Firefox with firefox.cfg basically stomps on the keyboard shortcuts that Rustybird’s split browser needs. I know in order to get split browser to work I had to start with a plain firefox install, and not install the Arkenfox policies and firefox.cfg. So, is it a case of “never the twain shall meet?”

(I’m calling it “Arkenfox” but I realize that strictly speaking it’s Arkenfox as extended by you (BEBF738VD) in the original post of this thread. A bit of verbal shorthand that I use at the price of possibly being perceived to minimize your contribution, so let me acknowledge it here.)

I’m actually going to try to work on this now–I’ve finally got a bookmark menu (C++/Gtk) that allows for nested lists of bookmarks to integrate with RustyBird’s schema. (I even have code to import an HTML bookmark export file.) But I want the split browser windows to be Arkenfox-style hardened/configured, too. Yes I want it all–bookmarks separated from a window with no “fingerprint” and a bunch of ad-preventions built in. (I think I can see where to plug in the contents of the firefox.cfg file generated in Part 1 into the split-browser setup…will try some evening soon.)

1 Like

No, we like to harden it ourselves better. Because if we can’t fingerprint our own homemade hardening, no one will.

Bold assumption. “I can’t break this lock, so no one else will”.

@bayesian is absolutely right, for extensive fingerprinting resistance, and thus anonymity, use Tor Browser. It was made for that with more resources and experience than this guide. And this guide does not pretend to be better than tb.

1 Like

The dedicated discussion: Can websites track me across different qubes?.

I mean theoretically you can harden and resist any fingerprinting algorithm. It’s just that I don’t have the time and effort to dedicate for that and probably the target audience of my advice doesn’t either.

It all depends on your threat model and how far you are comfortable spending resources/time on that…

I was able, last night, to get an Arkenfox-originated set of user prefs plugged into split-browser. This was a file I had generated with a “medium” set of things enabled–including his fingerprint resisting section (4500? 5000? I can’t recall the number). It also has about twelve additional prefs in it that I use to configure the UI, so who knows how much fingerprinting that entails.

I was still able to call up the bookmarks list with Alt-B so what I did, did not break split browser. In essence, split browser has a user.js file (I believe it’s in /usr/share/split-browser but I’m not on my qubes machine so I can’t check that); just append what you get from Step One in the first post, to that.

The split-browser directory structure is different from standard Firefox, so I still haven’t figured out where the profiles file (from step 2) should go. Since that’s the one that causes extensions to be loaded, and which can actually set the default search engine, I really want to solve that problem. (It’s a bit tedious having to reinstall ublock every time I fire up a browser!) My first guess yesterday did not work. If I can solve that, I’ll just start a new topic.

1 Like

I’ll look into that. Another, less ideal, solution could be to install ublock in the template with apt, however the version is likely not up to date.

Actually @SteveC in the guide I mention /usr/lib but could you check if /usr/share/firefox-esr exists? One should be a link of the other but still worth checking.

1 Like

I missed something guaranteed, but doesn’t something like

$ sudo dnf install mozilla-ublock-origin mozilla-https-everywhere

in a browser’s template work?

On my “arkenfox” VM, /usr/lib/firefox-esr is a directory, it’s not a link. But inside it is a link distribution->../../share/firefox-esr/distribution, which is to say /usr/lib/firefox-esr/distribution/ links to /usr/share/firefox-esr/distribution/. The only other link in that directory is firefox-bin->firefox-esr.

The same is true on the split-browser VM.

Differences between split and arkenfox
arkenfox

OK, so your guide mentions, basically, four files. The first is (1) user.js, Arkenfox’s file with my relatively minor changes to it, which is full of “user_pref()” calls. This for me lives on dom0. It gets converted into (2) firefox.cfg, which is basically the same content except the calls are pref() calls (the conversion also strips away comments).

Firefox.cfg gets installed to /usr/lib/firefox-esr/firefox.cfg. There is no such file on split browser.

(3) autoconfig.js of course references (2) firefox.cfg; it goes to /usr/share/firefox-esr/browser/defaults/preferences/autoconfig.js. There is no such file on split browser but it contains other files like firefox.js, vendor.js, firefox-branding.js, and debugger.js.

Finally (4) policies.json goes to /usr/lib/firefox-esr/distribution…which, remember, is also a link to /usr/share/firefox-esr/distribution. (Distribution, with policies.json in it, is a sibling to browser, buried in which is autoconfig.js). There is no such file on split browser; the only thing in that directory there is a subdirectory named searchplugins.

split browser
/usr/share/split-browser-disp/firefox contains sb.js and sb-load.js. sb-load.js looks a lot like your autoconfig.json file with a reference to general.config.filename (sb.js), and obscure-value. It also sets sandbox_enabled to false. sb.js contains, among other things, his keyboard mappings (so that alt-B opens his bookmark list on his bookmark vm). To this I appended my (2)firefox.cfg file. I didn’t realize until just now that I should have appended the .js file, not the firefox.cfg file. However, it seemed to work anyway even though the calls are to pref rather than user_pref!

/usr/lib/tmpfiles.d contains something called split-browser-disp.conf which looks like it contains a command to run /run/split-browser-disp. I’m not sure exactly what that’s about, honestly, I’m just guessing here.

/etc/split-browser-disp contains a couple of bash files to set environment variables (one for tor and one for firefox).

/etc/qubes-rpc contains split-browser-disp which I assume is the service handler for calls from the bookmark machine.

I tried putting the arkenfox policies.json in /usr/share/split-browser-disp/firefox/distribution. That didn’t work. I’m now thinking I should have tried /usr/lib/firefox-esr/distribution (i.e. the identical location to that on the arkenfox system). EDIT TO ADD: No, that didn’t work either.

If I can just figure out where split-browser looks for its policies.json file; I can probably create the Grand Unified Browser; split-arkenfox if you will.

EDIT YET AGAIN. I found out I put that file on the arkenfox template, not the split browser template.

Once placed on the split browser template, in /usr/lib/firefox-esr/distribution…it DOES seem to work! HALLELUJAH!!!

1 Like
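An added example (not the guide's own conversion script, and not code from the post above): the user.js to firefox.cfg conversion described in that post, written in Python. It strips comments without touching `//` or `/*` inside quoted pref values, rewrites `user_pref(` to `pref(`, and keeps a comment on the first line because AutoConfig ignores the first line of the .cfg file. The sample input and the function name are constructed.

```python
import re

# Constructed sample: a few lines in the style of a user.js file.
SAMPLE_USER_JS = '''/* constructed block comment
 * spanning two lines */
user_pref("browser.startup.page", 0);
// user_pref("browser.newtabpage.enabled", true);
user_pref("browser.startup.homepage", "about:blank"); // inline note
user_pref("app.support.baseURL", "https://example.invalid//help/*x*/");
'''

# One alternation: string literals are tried first, so comment markers
# inside a quoted value (such as "//" in a URL) are never treated as comments.
TOKEN = re.compile(
    r'''("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')|/\*.*?\*/|//[^\n]*''', re.S
)

def user_js_to_cfg(text):
    """Convert user.js content to AutoConfig (.cfg) content."""
    # Keep strings (group 1), drop block and line comments.
    no_comments = TOKEN.sub(lambda m: m.group(1) or "", text)
    lines = []
    for line in no_comments.splitlines():
        line = line.strip()
        if line:  # skip lines left empty by comment removal
            lines.append(re.sub(r'^user_pref\s*\(', 'pref(', line))
    # AutoConfig skips line 1 of the .cfg file, so it must not hold a pref.
    header = "// first line is ignored by AutoConfig"
    return header + "\n" + "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(user_js_to_cfg(SAMPLE_USER_JS), end="")
```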

9 posts were split to a new topic: Split-browser issues on fedora-36

Thanks for your contribution. It made it somewhat clearer for me, what I’m aiming for. I naively tried to get security and anonymity in one solution. But wouldn’t that be somewhat like a disposable whonix-ws VM in a split browser configuration?

If I use Qubes the way I do, who will pay for it? The premise about something HAS to be paid is wrong in so many ways…