$Id: chromium,v 1.5 2021/11/23 02:53:38 nanons Exp $

De-googling Chromium
====================

Chromium is a popular modern web browser among OpenBSD developers and
users.  Unlike alternatives like Firefox, Chromium features strong
privilege separation and consequently has a relatively strict pledge(2).

By default, Chromium phones home to Google often, revealing heaps of
personal information.  The Iridium browser, also available on OpenBSD,
alleviates these issues but it is consistently months behind upstream
Chromium security updates.  This guide aims to eliminate the need to
use Iridium by replicating most of its privacy settings in Chromium.

Caution: You must be using OpenBSD -current snapshots to receive the
latest Chromium security fixes.  Few updates are backported to -stable
since Chromium doesn't separate security fixes from feature updates.

To install Chromium:

	# pkg_add chromium

Background connections
======================

These settings will disable most unrequested background connections.
Captive portal checks to gstatic.com are allowed when the network
connection appears to be failing; to block these as well, add a
~NOTFOUND mapping to --host-resolver-rules below.
To verify there are no leaks, see pf/README for logging network packets.

* Disable your Internet connection before starting Chromium, otherwise
it will contact many Google servers until these settings are applied.

* Start Chromium and type chrome://settings in the address bar to change
the following settings:
Disable: You and Google -> Sync and Google services -> Autocomplete
    searches and URLs
Disable: Autofill -> Passwords -> Auto Sign-In
Disable: Autofill -> Payment methods -> Save and fill payment methods
Disable: Autofill -> Addresses and more -> Save and fill addresses
Disable: Privacy and security -> Cookies and other site data -> Preload
    pages for faster browsing and searching
Select: Privacy and security -> Security -> No protection
    (Safe Browsing may send visited sites to Google)
Change: Search engine -> Search engine used in the address bar
Disable: Advanced -> Languages -> Language -> Offer to translate pages
    that aren't in a language you read
Disable: Advanced -> Languages -> Spell check
Disable: Advanced -> System -> Continue running background apps when
    Chromium is closed

* Write a script to enable custom command-line options.

	# install -o root -g bin -m 0755 /dev/null /usr/local/bin/chromium

Write to /usr/local/bin/chromium:

	#!/bin/sh
	exec chrome \
	--disable-background-networking \
	--disable-component-update \
	--host-resolver-rules="MAP accounts.google.com ~NOTFOUND" "$@"

Add the script to the .desktop file (in case any programs use xdg-open):

	$ mkdir -p ~/.local/share/applications
	$ cp /usr/local/share/applications/chromium-browser.desktop \
	    ~/.local/share/applications/
	$ sed -i s/Exec=chrome/Exec=chromium/ \
	    ~/.local/share/applications/chromium-browser.desktop

Always start Chromium with the "chromium" command rather than "chrome".

* Configure policies for other settings unavailable in the GUI.

	# mkdir -p /etc/chromium/policies/managed

Write to /etc/chromium/policies/managed/config.json:

	{
		"BrowserSignin": 0,
		"EnableMediaRouter": false,
		"NewTabPageLocation": "about:blank",
		"DefaultSearchProviderEnabled": false
	}
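
The following script is an added example, not part of the original guide: it audits the wrapper script, the .desktop entry and the policy file written in the steps above. The function names and the "run" argument are this example's own; the default paths are the ones used in this guide.

```sh
#!/bin/sh
# Added example: audit the files this guide writes.  Each check takes the
# file path as its argument so it can also be run against a copy.

# Succeeds only if the wrapper is executable and passes all three options.
check_wrapper() {
	[ -x "$1" ] || { echo "$1: not executable"; return 1; }
	for flag in --disable-background-networking --disable-component-update \
	    'MAP accounts.google.com ~NOTFOUND'; do
		grep -qF -- "$flag" "$1" || { echo "$1: missing $flag"; return 1; }
	done
}

# Succeeds only if every Exec= line starts the wrapper, not chrome directly.
check_desktop() {
	if grep -E '^Exec=' "$1" | grep -qvE '^Exec=chromium( |$)'; then
		echo "$1: an Exec= line bypasses the wrapper"; return 1
	fi
	grep -qE '^Exec=chromium( |$)' "$1" || { echo "$1: no Exec= line"; return 1; }
}

# Succeeds only if each policy from the guide is present with its value.
check_policy() {
	for kv in '"BrowserSignin":[[:space:]]*0' \
	    '"EnableMediaRouter":[[:space:]]*false' \
	    '"NewTabPageLocation":[[:space:]]*"about:blank"' \
	    '"DefaultSearchProviderEnabled":[[:space:]]*false'; do
		grep -qE "$kv" "$1" || { echo "$1: no match for $kv"; return 1; }
	done
}

# Run all three checks; arguments override the guide's default paths.
audit() {
	check_wrapper "${1:-/usr/local/bin/chromium}" &&
	check_desktop "${2:-$HOME/.local/share/applications/chromium-browser.desktop}" &&
	check_policy "${3:-/etc/chromium/policies/managed/config.json}"
}

# "sh thisfile run" audits the installed files; sourcing only defines the checks.
if [ "${1:-}" = run ]; then audit; fi
```

A non-zero exit status means one of the files no longer matches the guide, for example after a package update replaced the .desktop file.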

Extensions
==========

If ad blocking is needed, install the popular uBlock Origin extension.
Note that uBlock automatically updates its filter lists from many
different websites.  This can be disabled from the extension settings,
and without much harm since the filter lists enabled by default are
also updated when uBlock is updated.

Extensions installed from the Chrome Web Store will automatically
update from Google servers.  uBlock's Web Store download link is:
https://chrome.google.com/webstore/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm

Extensions installed manually do not automatically update and will need
to be manually updated (from GitHub, in uBlock's case).  Consider
whether changing the update server from Google to Microsoft GitHub is
advantageous at all.

To install or update uBlock manually:
* Download the latest ublock.chromium.zip file from the releases page,
https://github.com/gorhill/uBlock/releases/latest

* Extract the archive into the ~/Downloads directory.

	# pkg_add unzip--
	$ unzip -d ~/Downloads /path/to/ublock.chromium.zip

* Start Chromium and navigate to chrome://extensions.
* Enable "Developer mode" from the upper right switch.
* Select "Load unpacked", choose Downloads from the left sidebar and
select the extracted uBlock directory.
* If updating, manually delete the old version of the extension and
re-apply any custom extension settings.

Extensions are disabled in incognito mode by default.  To enable them,
navigate to chrome://extensions, select the extension's "Details", then
"Allow in Incognito".

Other tips
==========

To view, upload or otherwise select local files, move them to the
~/Downloads directory where Chromium's unveil(2) policy allows access.

Do not edit the pledge(2) or unveil(2) files in /etc/chromium.  They are
not supposed to be edited by users, and modification prevents them from
being updated by pkg_add(1) with potential security updates.

Check this guide again after any major Chromium updates.  New settings
that need to be disabled may be added in the future.
