How hardened can you make Nyxt?

I am considering switching to a lightweight Vim-Like browser and don’t necessarily want to switch to qutebrowser before I haven’t looked at other options (yes I know Vimium exists for stuff like Brave and Firefox-forked LibreWolf).
However, I am pretty paranoid when it comes to tracking and fingerprinting on the web. I already saw you can disable JavaScript, but how hardened is the browser beyond that? Like I assume you can set your custom user agent, but how are other aspects of the browser in terms of tracking, fingerprinting and everything that comes with it. Are there config tweaks I can make to truly harden up the browser against the most intrusive tracking and if so, which ones? And is there a way to selectively block certain parts of web pages similar to UBlock Origin?

If you wish to have a truly hardened browser, I can only suggest something like tails. Nyxt can be hardened to some extent, but it will never be as good as a complete setup.

You can disable javascript.
Add tracking obfuscation.
Block certain elements via our DOM library.

As per config tweaks, the sky is the limit. Unlike traditional browsers, there are no limits imposed upon you by Nyxt. You could literally make it do anything.

I’d say quite a lot, if you tinker with WebKit settings. Not the level of detail Firefox provides, for example, but still quite good.

Things that are possible through Nyxt interfaces:

  • Disabling JS and WebGL (with no-script-mode and no-webgl-mode respectively).
  • Reducing the fingerprint with reduce-tracking-mode (quite primitive and only changes user-agent, locale, timezone, and strips off URLs some basic tracking parameters; definitely can be improved).
  • Configuring cookies.
  • Blocking ads and trackers by host (with blocker-mode). A more fine-grained blocking can be achieved with the help of nx-router and, hopefully, with the improvements in blocker-mode that I’m planning (no promises).
  • Using as much contexts (analogous to Firefox Containers), as you want, with all the WebKit data separated.
  • Injecting JS scripts to clean up the identifying data before the page has access to those, using user scripts.

Things that are possible via WebKit settings (I have this snippet in my config, for example, reliant on the WebKitSettings):

  • Disabling JS access to page markup, clipboard, and opening new windows.
  • Disabling access to file:// and data: URLs.
  • Disabling auto-load media.
  • Disabling navigation touch gestures (fingerprinting).
  • Toggling some HTML storage things, like local storage and HTML5 databases.
  • Disabling Java.
  • Disabling WebAudio and WebRTC.

Things that neither WebKit nor Nyxt can do:

  • Reliably changing JS APIs so that those are not even accessible to pages (user scripts can only do so much).
  • Intercepting all the requests and creating isolated contexts for all of those (like Brave’s unlinkable bouncing).

All in all, Nyxt is not the most hardened browser by default, and the engine is quite restrictive in what we can do, but it’s still relatively good in what you can configure with these parts :wink:

3 Likes

A bit late of me but huge thanks for the very detailed answer!