I used to be sad since the EFF discontinued HTTPS Everywhere extension since the setting often didn’t sync and it only applied to me as opposed to everyone using a shared computer. However since I have dived into browser policies, this is no longer an issue for me.

I will be referring to my shell-things repository a lot, particularly etc/, in case the link rots in the future, chances are my git forges still have that available. I also have a script etc/init-browser-profiles.bash that creates the directories, symlinks for Chromium-based browsers and sets the permissions properly (if something won’t work for you, check the permissions!), so I only need to manage Chromium to also manage Brave, Google Chrome, Microsoft Edge, Vivaldi etc.

Please note that I don’t have a Windows or macOS at paw and my only advice for those is the official documentation (bottom of the page).

Automaattinen sisällysluettelo / Automatically generated Table of Contents

Chromium

I love Chromium policies as I can just throw them in the directories /etc/opt/chromium/policies/{managed,recommended}/ in different .json files and then just copy what I need instead of… Now I am going ahead of myself with Firefox. Managed means that the setting will be locked for the user and that is what I am using here, recommended will change the default and show an indicator for the user about it being recommended while still allowing it to be changed by the way.

The case of HTTPS Everywhere is simple. I will copy a bit of my script:

sudo mkdir -vp /etc/opt/chromium/policies/{managed,recommended}
sudo chmod -v a+rx /etc/opt/chromium/policies/
sudo mkdir -vp /etc/opt/chromium/policies/recommended
sudo chmod -v a+rx /etc/opt/chromium/policies/{managed,recommended}/

If you don’t speak *nix, mkdir -vp creates the directories verbosely including their parent directories if those don’t exist already and chmod -v a+rx verbosely allows everyone to read and execute, which is required for listing directory contents.

# An example, without the -p there would be error about the parent directory
# not existing
% mkdir -vp /tmp/meow/meow
mkdir: created directory '/tmp/meow'
mkdir: created directory '/tmp/meow/meow'
% chmod -v a+rx /tmp/meow
mode of '/tmp/meow' retained as 0755 (rwxr-xr-x)

Anyway, HTTPS Everywhere for Chromium. Once the directory exists, it’s just a matter of creating a json file there, e.g. /etc/opt/chromium/policies/managed/https-everywhere.json:

{
  "EncryptedClientHelloEnabled": true,
  "HttpsOnlyMode": "force_enabled",
  "HttpsUpgradesEnabled": true
}

Now visit about:policy and see the policy appear (or if Chromium was already running, click Update policies) and you are done. Try visiting http.badssl.com to see it in action.

Of course the user can still navigate there, but HTTPS Everywhere the extension had that behaviour too and there is likely a separate policy for that.

EncryptedClientHello was added here some hours after publishing the article alongside with Firefox DNS-over-HTTPS. See the bottom of page for changelog link.

To put EncryptedClientHello simply, it will hide which domain you are requesting from https capable web server, which may be serving multiple domains when DNS-Over-HTTPS is used (Chromium restriction), while generally the query for example.net would go in plaintext alongside Server Name Indication.

It’s good for your privacy, bad for enterprise network admin or those willing to perform censorship.

DNS-over-HTTPS

You might have noticed that Chromium no longer allows you to use DNS over HTTPS since the browser is now “managed by an organization”. This will require another policy that either unlocks it or forces everyone to use it.

/etc/opt/chromium/policies/managed/doh-unlocked-unset.json:

{
  "DnsOverHttpsMode": "automatic"
}

and the user is once again free to use their preferred DoH provider.

/etc/opt/chromium/policies/managed/doh-quad9.json:

{
  "DnsOverHttpsMode": "automatic",
  "DnsOverHttpsTemplates": "https://dns.quad9.net/dns-query https://dns.quad9.net:5053/dns-query"
}

And the user is using DNS-over-HTTPS from Quad9 with fallback to system resolver allowed (which for me is encrypted anyway). The automatic could be replaced with secure to not allow downgrade, but I had issues with Chromium losing connectivity entirely.

You may notice that multiple DoH providers are allowed, however I don’t know what logic is used for choosing between them. Oh and the weird https port 5053? It comes from docs.quad9.net/services.

Firefox

Firefox is a bit more complicated in the sense that everything belongs to one policies.json file, so there is no separating different policies to different files and there is no direct policy for HTTPS-only mode.

WARNING for LibreAwoo users! This will mask LibreAwoo’s policy (/usr/share/librewolf/distribution/policies.json, codeberg), so make sure to copy the parts you wish to use before applying this (although I think it might have this out of the box).

Hoping you read the Chromium section above, you may know the drill with the commands and flags:

sudo mkdir -vp /etc/firefox/policies
sudo chmod -v a+rx /etc/firefox/
sudo chmod -v a+rx /etc/firefox/policies/
# A new command! Updates modification/creation dates to now or if it doesn't
# exist, creates the file
sudo touch /etc/firefox/policies/policies.json
sudo chmod -v a+r /etc/firefox/policies/policies.json
# Firefox ESR reads a different directory that I don't want to manage
# separately. -n prevents creating /etc/firefox/firefox if the symlink
# already exists.
sudo ln -nsv /etc/firefox /etc/firefox-esr

Now edit the /etc/firefox/policies/policies.json with your favourite text editor and have contents similar to:

{
  "policies": {
    "DisableEncryptedClientHello": false,
    "Preferences": {
      "dom.block_download_insecure": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      },
      "dom.security.https_only_mode": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      }
    }
  }
}

After saving and restarting Firefox, about:policies should display the change, about:config should display the two preferences as grayed out and within settings HTTPS-Only mode is used in all windows and grayed out.

An easy test is again http.badssl.com.

DNS-over-HTTPS

This section was edited in afterwards some hours after the publishing. Refer to the log link on the bottom for more information.

Like Chromium, Firefox also supports DoH, although here it must be in the same /etc/firefox/policies/policies.json file as before. It’s simply appended (or prepended) a bit:

{
  "policies": {
    "DNSOverHTTPS": {
      "Enabled": true,
      "Fallback": false,
      "Locked": true,
      "ProviderURL": "https://dns.quad9.net/dns-query"
    },
    "DisableEncryptedClientHello": false,
    "Preferences": {
      "dom.block_download_insecure": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      },
      "dom.security.https_only_mode": {
        "Status": "locked",
        "Type": "boolean",
        "Value": true
      }
    }
  }
}

The new sections are also quite self-explanatory with boolean true or false values.

  • Is DoH enabled by default?
  • Is it OK to automatically use system resolver if the DoH server doesn’t work? (There is a similar warning as with HTTPS only mode even if this was false like in the example.)
  • Is the user allowed to change these options (including which DoH server (if any) they want to use) or are they grayed out? I like locking it so I don’t have to worry where else I may have configured it.
  • Which URL is used for queries? I am under impression that unlike with Chromium, multiple addresses aren’t allowed here.

Have you seen a note about temptation to write about IPv6 here? Perhaps you are looking for network.dns.preferIPv6 and network.trr.early-AAAA?

Updated note on Firefox ECH: DNS-Over-HTTPS is no longer required for ECH, since network.dns.native_https_query exists (if you aren’t using ESR branch on version 115). You should already know how to enable it if you have read this far 😼

SEQUEL ANNOUNCEMENT! Part Ⅱ: Browser policies Ⅱ: Deploying PrivacyBadger and uBlock Origin is now online!

Documentation and other policies

In case you have talked with me recently, chances are you have heard me complaining about all the nice settings being hidden in browser policy.

GitHub commits for this page.