Afaq Browser is a privacy-focused desktop browser built on the Firefox source tree. It is designed for users who want strong anti-tracking defaults, practical fingerprinting resistance, controlled site-data cleanup, and a clean daily browsing experience without claiming Tor-style anonymity.
The project goal is to compete with serious privacy browsers such as Mullvad Browser and Tor Browser in the areas that matter most for everyday use: predictable defaults, a shared browser fingerprint, auditable hardening, minimal telemetry, and clear compatibility tradeoffs.
This repository is an active browser fork. The current source tree includes custom branding, a hardened start page, privacy-oriented search defaults, security-level controls, site-cleanup rules, and bundled privacy tooling.
The project is not yet a finished release channel. Before public distribution, the browser should complete the roadmap in Development Roadmap, especially release signing, update infrastructure, reproducible builds, privacy regression testing, and legal review of branding.
- Privacy should be the default, not a hidden expert mode.
- Fingerprinting protection should prefer consistency over endless custom toggles.
- Security controls should explain their compatibility cost.
- Remote services should be disabled unless they provide clear user value.
- The browser should never imply VPN, Tor, or network anonymity when it does not provide them.
- Every privacy claim should be testable from the source tree or release artifacts.
- Custom Afaq Browser branding under
browser/branding/afaq. - Hardened local start page at
chrome://browser/content/afaq-home/index.html. - Startpage and PrivAU search configuration with DuckDuckGo available from the start page.
- Default dark appearance through
AfaqAppearanceService. - Security levels through
AfaqSecurityLevelService:standardfor broad compatibility with the privacy baseline enabled.hardenedas the recommended daily profile.maximumfor stronger restrictions with higher breakage risk.
- WebRTC policy control:
protectedkeeps WebRTC available while reducing local address exposure.disabledremoves the WebRTC surface for users who do not need calls or conferencing.
- Compatibility profile control:
balancedpreserves the selected security level.troubleshootrelaxes the most common breakage points without turning off the full privacy model.
- Exit-cleanup controls through
AfaqCleanupService. - Per-site cleanup exceptions for preserving or forcing site-data deletion.
- Local cleanup audit log stored in the browser profile.
- uBlock Origin bundled as a built-in browser extension.
- Telemetry, sponsored content, Mozilla experiments, and promotional surfaces disabled by default.
- DNS-over-HTTPS defaults configured for Mullvad DNS.
- Fingerprinting, query stripping, partitioning, prefetch, speculative connection, WebRTC, WebGL, PDF scripting, clipboard event, and permission defaults managed by browser-level security profiles.
Afaq Browser reduces tracking by combining several layers:
- Reduced network prefetching and speculative connections.
- Restricted third-party storage behavior.
- Global Privacy Control enabled.
- Query stripping enabled.
- Fingerprinting protection and Resist Fingerprinting enabled.
- Letterboxing available in hardened profiles.
- WebRTC disabled by default in hardened and maximum profiles.
- WebGL disabled in maximum mode.
- Remote safety checks disabled by default to avoid reputation-service lookups.
- Default search experience designed around privacy-focused engines.
This model improves browser privacy, but it does not hide your IP address, replace a VPN, route traffic through Tor, defeat all correlation attacks, or guarantee anonymity.
Mullvad Browser is a useful benchmark because it brings Tor Browser privacy concepts to non-Tor browsing. Afaq Browser should aim for the same seriousness while adding a more transparent security-control layer, stronger local diagnostics, better cleanup auditing, and a documented release pipeline.
Target differentiators:
- Clear security levels with visible diagnostics.
- Auditable preference bundles for each privacy level.
- Local-only cleanup audit history.
- Built-in site-data exception rules.
- Privacy-preserving search choices without sponsored surfaces.
- Release artifacts that can be reproduced and independently verified.
- A test suite that checks privacy-sensitive defaults before every release.
| Area | Path |
|---|---|
| Branding | browser/branding/afaq |
| Start page | browser/base/content/afaq-home |
| Appearance service | browser/modules/AfaqAppearanceService.sys.mjs |
| Security levels | browser/modules/AfaqSecurityLevelService.sys.mjs |
| Cleanup service | browser/modules/AfaqCleanupService.sys.mjs |
| Startup integration | browser/components/BrowserGlue.sys.mjs |
| Privacy preferences UI | browser/components/preferences/privacy.js |
| Search configuration | services/settings/dumps/main/search-config-v2.json |
| Built-in uBlock Origin | browser/extensions/ublockorigin |
| Privacy baseline | docs/PRIVACY_BASELINE.md |
| Roadmap | docs/DEVELOPMENT_ROADMAP.md |
Firefox-based source trees require a full platform toolchain. Use Mozilla's bootstrap flow first, then build the browser target.
./mach bootstrap
./mach build
./mach runFor interface and branding work, use the artifact profile in Build Optimization.
tools/afaq-dev configure
tools/afaq-dev build
tools/afaq-dev runFor a faster development loop after the first build:
tools/afaq-dev faster
tools/afaq-dev runIf this source tree was unpacked without Git or Mercurial metadata, artifact mode cannot resolve Mozilla build artifacts. Use the full development profile instead:
tools/afaq-dev configure-full
tools/afaq-dev build-fullRun the focused Afaq Browser tests after privacy, cleanup, startup, or preferences changes.
./mach xpcshell-test browser/modules/test/unit/test_AfaqSecurityLevelService.js
./mach xpcshell-test browser/modules/test/unit/test_AfaqCleanupService.js
./mach test browser/components/preferences/tests/browser_afaqSecurityLevels.js
./mach test browser/components/preferences/tests/browser_afaqCleanupPreferences.jsRecommended broader checks before a release candidate:
tools/afaq-dev audit
./mach lint browser/modules browser/components/preferences
./mach test browser/modules/test/unit
./mach test browser/components/preferences/tests- Keep upstream Firefox changes isolated from Afaq Browser product changes.
- Treat privacy defaults as product-critical behavior.
- Add or update tests for every security-level, cleanup, search, or startup change.
- Keep user-facing text clear, factual, and free of anonymity claims.
- Record compatibility tradeoffs in the roadmap or release notes.
- Avoid new remote dependencies unless they are documented and user-controlled.
- Review every bundled extension and remote endpoint before release.
A public release should not be considered ready until these items are complete:
- Product naming is consistent across desktop files, installers, package metadata, preferences, and UI.
- Update endpoints are owned, signed, and documented.
- Release builds are reproducible or accompanied by a clear verification process.
- Privacy-sensitive preferences have automated regression tests.
- Bundled extensions have source, version, license, and update policy documented.
- Installer and application metadata no longer contain upstream placeholder text.
- Security reporting instructions are specific to Afaq Browser.
Report security issues privately before public disclosure. Until a dedicated process is published, use the maintainers' preferred private channel and include:
- Affected platform and build.
- Exact browser version or commit identifier.
- Reproduction steps.
- Expected and actual behavior.
- Logs, crash IDs, or proof-of-concept files when safe to share.
- Mullvad Browser FAQ by the Tor Project
- Tor Browser Manual: privacy and fingerprinting overview
- Firefox Source Documentation
This source tree inherits Mozilla Firefox licensing structure. Most Mozilla-originated code is covered by the Mozilla Public License 2.0. Third-party components retain their own licenses in the relevant source directories.