User.js: ToDo: diffs FF58-FF59

hmm .. where did intl.locale.requested in 0205 go? - https://github.com/ghacksuserjs/ghacks-user.js/commit/14c1620994f10e4a4d34f515a6ba22b5b725e058 - zilla link in comments on commit

it's a hidden pref

network.http.referer.defaultPolicy.pbmode -> 587523 pb mode non-secure referers -> moz blog

We made this change only after first ensuring that this would have minimal to no effect on web usability

Awesome. So can this be enforced in normal mode as well? (I haven't read thru the ticket or patches, so if @fmarier can give a quick answer, or someone wants to check it out for me, then that would cool, otherwise I'll come back to it). Note there are two other new referer prefs and one removed, so we should look at them all together

[1] https://blog.mozilla.org/data/2018/01/26/improving-privacy-without-breaking-the-web/ <- breakage report/study

The network.http.referer.defaultPolicy.* prefs are just setting the default referrers. You can ignore those and just set network.http.referer.XOriginTrimmingPolicy or network.http.referer.XOriginPolicy directly. The latter are not overridable and take precedence over defaultPolicy*.

^^ Don't answer, I'll get to it another day .. but if "the latter are not overridable and take precedence over defaultPolicy*" then why bother having a defaultPolicy .. makes no sense in that context, needs MAOR info :)

OffT: Gee whizz some regression is killing keyboard keys: ne1 else having this? works fine in the urlbar/searchbar and other apps (not a hardware problem) - typing and editing is becoming an absolute nightmare [edit doesn't seem to be RFP]

• delete - eg if I type cake and then left arrow back into the word, say before the a in cake and hit delete, nothing happens (if I select what I want to delete though, it works)
• back key - doesn't work at all by the looks of it

^^ Update: its caused by permissions.default.shortcuts from the FF58 release diffs

Back OnT:

In Firefox Regular and Private Browsing Mode, if a site specifically sets a more restrictive or more liberal Referrer Policy than the browser default, the browser will honor the websites request since the site author is intentionally changing the value.

Users can also change their default referrer options in Firefox. These will override the browser’s default Referrer Policy and override the site author’s Referrer Policy, putting the users choice first

^^ This is contradictory. If a site sets a "more restrictive or more liberal" - why not just say "if the policy differs". So if a site sets a policy, and it differs from default, then it gets used, else it uses the user's settings - correct?. HOW does FF determine if settings are default or not? By the user_set/modified status? Or by the value in allprejs.js or whatever it's called?**

why not just say "if the policy differs".

I think it's nice that they explicitly mention that a "more liberal" policy also overrides the browser default, because I was already wondering if it did that.

So if a site sets a policy, and it differs from default, then it gets used, else it uses the user's settings - correct?

yes and no but mostly no. If a site sets a policy it always overwrites the default browser policy BUT the user settings always take precedence. But depending on the set policy and the user prefs it's possible that the user-prefs don't need to do anything, for example if a site sets a policy to never send referrers.

HOW does FF determine if settings are default or not?

if you mean "how does FF determine if the browser policy should apply", it simply needs to look at the response headers and if the Referrer-Policy header is not set by the site, FF sets its own.
But the actual referer headers are sent with request headers and that's where the "real" user-pref settings are applied if necessary. "real" = 1601-1605 (+1607 if Tor is used)

I really don't like the claim "referers are best controlled by an extension." nor the recommendation to "Use an extension to block all referers, and then whitelist sites ...", for several reasons:

1. it causes a lot of breakage
2. it makes you stand out a lot
3. it's a shitload of unnecessary work to whitelist all the problematic sites
4. whitelisting is very easy to screw up unless you know exactly what you do

Our #1 recommendation should be to use the settings as we have set them.
#2 can be "hardening" by setting 1603 to 2 (+ optionally 1604 to 1 or 2 for the rare cases where 1603=2 could still leak something, namely when the scheme or port changes)
#3 is better than no protection but it can still cause breakage and we shouldn't recommend to set it that way. Something like "if Option 1 causes problems on certain sites, temporarily reset network.http.referer.XOriginPolicy in about:config, do your thing and then set it back to 1" would be better IMO.
#4 could be the current #3 but with a clear indication that it is a shitty option

If you look at 3 from Pants eyes (who said he whitelisted a few sites where he logs into) the unnecessary work doesn't exist.

@ earthlng - draft something up then. And take into account all the new prefs in 59 if you can. Create a new topic or PR if you want, I don't want to pollute the diffs too much, as I think it might get a lot of chat (i need shit explained to me a lot) - the last time when we looked at 1600, it went on and on and on and on .. 3000 posts if I remember rightly.

I actually agree on the extension part: for now I am just using uM's spoof and our settings. When I used to use the legacy RefControl (I think that was it) for per domain control, it WAS a lot of work to set it up - too much hassle - [edit: it wasn't so much the setting up for my main websites that was the problem - it was all the one off sites I visit = too much breakage and pissing around = often flicked open a secondary browser = defeats the purpose of using my FF setup - end edit]. Meanwhile there are no decent extensions for WebExt - there's this one which looks OK for doing the job, but it's a smelly dirty phone home spying bastard, not that I bothered to dig deeper than the reviews :) Those who want to go the route of per domain will just get some extension.

so :+1: for your ideas
"Except for DNT (Do Not Track), referers are best controlled by an extension" - just remove it

FYI (FF60+): https://www.fxsitecompat.com/en-CA/docs/2018/support-for-application-cache-on-insecure-sites-has-been-deprecated/

it's a hidden pref

But we have picked up on hidden prefs before, IIRC. Hence why I asked. I just now checked the files you do and in what order. So I guess my "picking up on hidden prefs before" must be wrong. Wonder how we can nail those

draft something up then. And take into account all the new prefs in 59 if you can.

https://github.com/ghacksuserjs/ghacks-user.js/pull/356 - .sendOriginHeader is most likely not gonna land in FF59 release and isn't included in the PR

IF we add the two reduced timer prefs (original bugzilla 1424341): FYI

• https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Date/getTime#Reduced_time_precision
• doc is a work in progress: see https://bugzilla.mozilla.org/show_bug.cgi?id=1217238#c111

2511 will be covered by RFP in FF59+. I've added the section to the first post. We also need to keep an eye on geolocation blocking - its going to be removed as part of RFP 1441295 because it 1. TBB can already disable it (geo.enabled) 2. it's behind a prompt

^^ We should probably just do a commit now and move the 4609 & 4612 back to 0201 and 02xx
^^ thumbs up for this

https://github.com/ghacksuserjs/ghacks-user.js/commit/2de13258ff968b72708cdbc08dddc0fb02ff8ae5

Its actually worth thinking about setting geo.enabled to inactive and enforcing permissions.default.geo to 2

This would mean all sites will auto deny geolocation requests, but users can then set site specific overrides (for RFP users this won't work until the RFP bit is removed). This makes the user.js more user friendly IMO and I don't see any downsides or issues (unless I'm missing something)

Edit: Except this is no good for ESR52.x users since permissions.default.geo doesn't exist

OT: https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/

• catches overflow integers
• The new parser is slightly stricter and rejects some malformed input that the old parser accepted
• invalid escapes
• null chars
• error messages (no warnings) give line numbers (cool!)
• 17 yrs old bug resolved: holy MF ... 107264 - error trapping

also (haven't read the bug yet) allow .js preference files to set locked prefs - this is awesome!! So can we lock prefs now from user.js?

Note that the addition of the ‘locked’ attribute fixed a 10 year old bug 440908

So does this mean the syntax error parrot might not always be true?

Error recovery minimizes the risk of data loss caused by the increased strictness because malformed pref lines in prefs.js will be removed but well-formed pref lines afterwards are preserved

Not sure if any of this is of interest to earthlng & co

Ships in FF60: 1423840

changed the grammar used by default preference files (but _not_ user preference files) ... The attributes supported so far are ‘sticky’ and ‘locked’.

But yes, the parrot prefs will probably become useless when this lands. When ESR52 reaches EOL we can probably remove them.

• network.http.sendOriginHeader - wait until they change it to 1 or 2
• privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts - may want to add this, idk
• security.csp.enable_violation_events - they'll eventually enable this but we should never allow it - add to MISC with the other security.csp.* prefs
• security.mixed_content.block_object_subrequest - stupid flash stuff. ignore
• toolkit.telemetry.hybridContent.enabled - add to 0330

ignore everything else I guess

Agreed: am looking at the items still in the ``` sections

new

• alerts.useSystemBackend seems fine, its just a pref for using XUL notifications
• dom.clients.openwindow_favors_same_process sounded excited but did my head in :headspin:
• dom.registerContentHandler.enabled we could set to false - they put it behind a pref so they could test it for a few releases before actually stripping out all the code. I think we can ignore this
• extensions.formautofill.section.enabled i don't think we care about a multiple sections pref as we have a master switch, right?
• the rest all look harmless: eme, peerconnection both already covered & not touching spectre prefs

changed

• dom.w3c_pointer_events.enabled - will look for a bugzilla
• rest seem fine

done

security.mixed_content.block_object_subrequest - stupid flash stuff. ignore

https://bugzilla.mozilla.org/show_bug.cgi?id=1417473#c66 ... https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/ -> 404 not found

Why isn't all this telemetry covered under a master switch. Maybe it is, or under a couple of switches. But man, its getting so convoluted and new prefs every release (pings etc) that its just becoming easier to add the prefs and not investigate

layout.css.moz-document.content.enabled=false might be worth considering.
https://bugzilla.mozilla.org/show_bug.cgi?id=1035091
https://www.fxsitecompat.com/en-CA/docs/2015/moz-document-support-will-be-dropped/

So down to 3 or 5 prefs .. will keep look at the css one later - I need a break (food, a movie, etc)

Can you dig up the w3c pointer and canvas RFP tickets?

edit: canvas - https://bugzilla.mozilla.org/show_bug.cgi?id=1376865 .. never picked up they added a new pref

https://bugzilla.mozilla.org/show_bug.cgi?id=1411467

Sorry if I'm posting where I shouldn't, I just wanted to say what phenomenal work you do, release after release.
Mozillas myriad of changes and anti-features keep piling up, I would find it hard to stomach using Firefox without your work. Hopefully a serious fork will happen one day, with the likes of you involved in it. Until such time, everyone who's capable should be using your config.
Thank you for all your time and efforts in doing this, really. I look forward to the next changelog!

https://reviewboard.mozilla.org/r/221164/diff/3#index_header

Just in case this breaks something irrepairably, we have a cutoff pref. We don't intend to keep this pref forever

privacy.resistFingerprinting.autoDeclineNoUserInputCanvasPrompts - I do not think we need to add this to the user.js. I will leave it in the top section for visibility, and mention in the RFP sticky

OT: @earthlng may be of interest to you https://github.com/gorhill/uMatrix/issues/967 -> https://bugzilla.mozilla.org/show_bug.cgi?id=1377689

Why isn't all this telemetry covered under a master switch

I was looking at the GPO stuff ( https://github.com/mozilla/policy-templates ) that Mike Kaply has going on. I know he's expressed interest in the container prefs section (Tom was showing off on ghacks!), so maybe he's interested in some other items - @mkaply, feel free to peruse the user.js for ideas

Now I'm not 100% sure exactly how this works, but I think any policy is tied to a pref (or prefs: see 1429186), and we can just use those prefs in the user.js (one example already is the fxaccounts we added)

Here is a bugzilla for a policy to handle telemetry - 1429153 - so no idea if they will create a master pref

PS: I'm quite keen to create a group policy sticky and itemize each policy item along with its bugzillas and prefs used

• network.http.sendOriginHeader - wait until they change it to 1 or 2

446344 default is 0 in 59.

// Include an origin header on non-GET and non-HEAD requests regardless of CORS
// 0=never send, 1=send when same-origin only, 2=always send

Why wait until Mozilla flip the pref? I'm assuming you're thinking along the lines of enforcing to 0 based on the waiting game? My understanding is that this would be better as 1? @fmarier what are your succinct thoughts on this - when would it be likely to be flipped, and to what?

/* 2600s: disable CSP security violation events
 * [earthlng will explain why because I have no idea] ***/  << needs a little more cowbell
user_pref("security.csp.enable_violation_events", false);

and last one: dom.w3c_pointer_events.enabled flipped to true in 59 - https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent . Do we really want this? Seems like a lot of data can be gathered here - from hardware (mouse, touch, pen/stylus) and things like width, height, pressure, tangential pressure, tilt(s), twist - there's a lot of entropy in here. I wonder what TBB will do or if they have a ticket open on it. Note the pref has been around since 41.

using 2516 - most of the 2500s are in the 4600's

/* 2516: disable PointerEvents
 * [1] https://developer.mozilla.org/en-US/docs/Web/API/PointerEvent ***/
user_pref("dom.w3c_pointer_events.enabled", false);

If there is anything in here that is useful at an enterprisey level, I might be interested, but changing this many prefs is way out of our scope. And honestly I'm not convinced that changing a lot of these is even useful.

@hubiqs Thanks for your kind words! There's never a wrong place for comments like that :)

re: GPO - here you can see which policies are purely pref-based ie setAndLockPref()

re: sendOriginHeader - it's not ready yet: https://bugzilla.mozilla.org/show_bug.cgi?id=1424076
Once they set it to 2 (which I presume they will) we can set it to 1, maybe with a note for people who want to completely disable it. Origin leaks are already happening right now and there's no pref to disable that. (fe. remote fonts, maybe everything else loaded with CSS as well, IDK, haven't tested it yet)

re: csp violation events - addons like uBO etc cause lots of CSP violation reports, as you can see for example in the uMatrix issue you linked above. uBO and uMatrix can already block these reports which would normally be sent to the server but these new violation events allow a site to receive the reports with JS. Ergo we also want to block those. A site doesn't need to know that we block fonts and whatnot.
https://developer.mozilla.org/en-US/docs/Web/API/SecurityPolicyViolationEvent

re: w3c_pointer_events - I'm not sure. Was disabled until now so it shouldn't cause too many problems if we keep it that way.

Enterprise policies [meta] ticket

Why wait until Mozilla flip the pref? I'm assuming you're thinking along the lines of enforcing to 0 based on the waiting game? My understanding is that this would be better as 1? @fmarier what are your succinct thoughts on this - when would it be likely to be flipped, and to what?

It's a good thing to enable because many sites use it to protect against CSRF attacks. It only gets set on non-GET and non-HEAD requests (i.e. it's pretty much just when you submit a form) so it wouldn't really be an effective way to track users.

We've got a few things to fix before we can flip the default value to 2, but you're welcome to enable it now, there shouldn't be any downsides.

@mkaply

If there is anything in here that is useful at an enterprisey level, I might be interested

That's what I meant. Since it contains some 450+ relevant prefs for ESR60+, which all retain to security, tracking, privacy etc - that this might be a good list for you to peruse for ideas, that was all. This is where Tom got those container prefs you were interested in

but changing this many prefs is way out of our scope

Yup, not what was I was after :)

• PointerEvents - added, and I emailed Arthur on what he plans to do with it
• sendOriginHeader - OK, we'll forget about it until Mozilla flip it (left in at top for visibility)
• CSP violation events - will enforce as false. thanks for the plain English explanation :)

note: I use uBO's no-csp-reports: * true .. can't find the uBO issue where it was argued for and against and gorhill's explanation made me immediately check this option to block CSP reporting

uBO and uMatrix can already block these reports

Umm, where in uM is this?

@earthlng https://github.com/ghacksuserjs/ghacks-user.js/commit/ffced9b4c00082d329f0d39d53e5d116ea968563 - if you want to add an explanation, go ahead. Close this issue when happy and I will do a version/date change and release an alpha

Ooooh .. haven't looked in there for ages .. its currently

 disableCSPReportInjection false

So I can change that to true, right? - https://github.com/gorhill/uMatrix/wiki/Raw-settings .. something about webworkers

nvm, I was wrong. Keep that setting false and block csp reports with uBlock.

@fmarier here you said:

It only gets set on non-GET and non-HEAD requests (i.e. it's pretty much just when you submit a form) so it wouldn't really be an effective way to track users.

but the origin header is already set on a bunch of GET requests even without this new pref. On github fe. in css, js and websocket requests and those are all GET requests. The issue isn't so much tracking but leaking information. IMO it's particularly bad for remote fonts fe. from google. Are you guys aware of that? Are there any plans to change that behavior? If not, why? Why do fe. fonts need to send an origin header? There are no CSRF risks when requesting fonts

The Origin header in that case comes from CORS, not the CSRF protection feature. It's a little confusing because the same header name is used for two different features.