User.js: ToDo: diffs FF59-FF60

totally forgot about this from diffs 58->59

layout.css.moz-document.content.enabled=false might be worth considering.
https://bugzilla.mozilla.org/show_bug.cgi?id=1035091
https://www.fxsitecompat.com/en-CA/docs/2015/moz-document-support-will-be-dropped/

Questions: the extension CSS Exfil Protection handles this stuff

• Does this setting make the extension obsolete?
• Does this pref and/or the extension become obsolete in FF61 (or thereabouts? see compat article)

^^I have asked/pointed the CSS Exfill author to your question.

Cheers

Hi all, I'm the author of CSS Exfil Protection. To answer Thorin's question, no I don't believe this removal would make the plugin obsolete as the plugin guards against several other methods that could be used to exfil data (background-image, list-style, cursor, & content).

Actually, the plugin as it stands today does not block anything related to the -moz-document selector. Today is the first I've heard of this selector, although it sounds like it's getting phased out so it's likely I won't need to add protection.

(PS - I would love for a day when my plugin becomes completely obsolete. Although it's fun hacking away at it, I'd rather see the protection offered by default in major browsers.)

Bug 1446470: Make the moz-document-in-content pref false by default.

See here.

The @document at-rule has been limited to use only in user and UA sheets (bug 1035091)

See here.

While @mlgualtieri plugin works by pre-processing the CSS which is loaded onto a web page.

Inspection and sanitization of each CSSRule is done through the browser's native CSSStyleSheet JavaScript API. If a CSSRule.selectorText is detected that: 1) Parses the value attribute of an element, and 2) If the corresponding CSSRule.cssText includes a call to a remote URL, a new rule is created to override the call to the remote URL.

See Defense for Web Users.

https://trac.torproject.org/projects/tor/ticket/25559

network.ftp.enabled
security.mixed_content.upgrade_display_content
dom.registerProtocolHandler.insecure.enabled
browser.cache.offline.insecure.enable
dom.registerContentHandler.enabled

https://www.bleepingcomputer.com/news/software/firefox-gets-privacy-boost-by-disabling-proximity-and-ambient-light-sensor-apis/ - 4 new prefs

// 4604: [2512] disable device sensor API
   // [WARNING] [SETUP] Optional protection depending on your device
   // [1] https://trac.torproject.org/projects/tor/ticket/15758
   // [2] https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
   // [3] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
   // user_pref("device.sensors.enabled", false);

--new bit--
   // user_pref("pref("device.sensors.ambientLight.enabled", false); // (FF60+)
   // user_pref("pref("device.sensors.motion.enabled", false); // (FF60+) default: true
   // user_pref("pref("device.sensors.orientation.enabled", false); // (FF60+) default: true
   // user_pref("pref("device.sensors.proximity.enabled", false); // (FF60+)

^^ is this worth it when we have the master switch?

@earthlng do you use the // default: true comments in your scripts? because if you search for // default there are 5 that don't fit the pattern with the colon missing etc

0420 - 2 lines
1402 - 3 lines (we could remove these because they are western defaults, not universal ones)

note: we already have 4604 device.sensors.enabled which is inactive with a setup tag. Just add them as false inactive to the 4604

certain syntax errors stop the parsing and the debug pref is still useful in those cases. We just need to change the last one to something less definite.

Ahh, OK. We'd still have to fixup the wiki. Edited the checklilst item

60b9 changes since 60b5

new

pref("browser.cache.offline.insecure.enable", true); // 60b5: false
pref("browser.policies.enabled", true);
pref("device.sensors.ambientLight.enabled", true); // 60b5: false
pref("device.sensors.proximity.enabled", true); // 60b5: false
pref("services.sync.engine.bookmarks.validation.enabled", true);
pref("services.sync.engine.passwords.validation.enabled", true);

removed, renamed or hidden

pref("geo.provider.ms-windows-location", false);

changed

pref("dom.registerContentHandler.enabled", false); // prev: true
pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // prev: "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%"
pref("layout.css.moz-document.content.enabled", false); // prev: true
pref("network.tcp.tcp_fastopen_enable", true); // prev: false
pref("security.mixed_content.block_object_subrequest", true); // prev: false

EDIT: updated 1st post

WTF! where did all our sticky issues go??

Pants is gone too???!!!! https://github.com/Thorin-Oakenpants

It seems all of Pants' issues are gone, not just the sticky ones. They must have been banned, or hacked, or this is their way of saying "fuck it".

Can anyone contact them?

Thorin - Someone has vindictively flagged my account (100 points if you can guess who). Shame on you for thinking I was hacked. Edit: WTF are you referring to me in plural?

Indeed, all his issues are gone.

from https://help.github.com/articles/deleting-your-user-account/ :

Deleting your user account removes all repositories, forks of private repositories, wikis, issues, pull requests, and pages owned by your account. Issues and pull requests you've created and comments you've made in repositories owned by other users will not be deleted

but the wiki is still here, no idea how that is possible. and

If you’re the only owner of an organization, you must transfer ownership to another person or delete the organization before you can delete your user account.

Pants is/was the only owner of the organization and the repo but he apparently was able to delete his account without transferring ownership to me or someone else. Maybe his account was banned? IDK

really shitty way to say fuck it if that's the case. He could've just abandoned his account or at least say something first so that I could have copied the stickies, etc. All the infos he's collected over months in the stickies is now just totally gone.

I've written him an email asking what's going on.

Thorin - woah! I would never do anything like that. This is a community based project, and I would never do anything as shitty as that, besides, I'm an adult, not some vindictive baby (and I'm big/wise/old enough to know that any differences over minor aspects are just that, minor). Anyway, I have zero issues with anyone here. I suspect that CK laid a complaint, and my account has been flagged - that guy needs help. I haven't given him a second thought for months, but to him, it eats away at his brain. I have contacted GitHub support to get to the bottom of it. Everything is still here, just hidden.

Whoa! Did I miss something over the weekend like an argument or something or is this from out of nowhere?

really shitty way to say fuck it if that's the case.

Why would he? Was there talk of this before? I typically don't ready through every single Issue or Commit so again I'm not sure if I've missed something.

They must have been banned, or hacked, or this is their way of saying "fuck it".

Can anyone contact them?

How many Pants' are there?

I've written him an email asking what's going on.

Nice. Let's hope for the best... whatever the fuck that would be.

How many Pants' are there?

Billions.

If you expected a more serious answer, then read this. If it was just a rethorical question, well... sorry.

Billions.

If you expected a more serious answer, then read this. If it was just a rethorical question, well... sorry.

Ha, totally kidding. Thought about putting a smiley or something but figured it wasn't needed, glad you knew and good to see the Pants' are reaching such high population numbers.

When I saw most of issues were gone, I didn't understand.
Thanks earthlng for giving some information.

@Pants I wish this will be sorted out fast and without a pain.
About CK... if he is behind or not, I still cannot express my opinion about him and in the same time not to go in the ocean of bad words.

I hope @Thorin-Oakenpants finds his way back soon!

WELCOME BACK MY FRIEND! you had me worried for a moment there! I'm glad everything got sorted out and is now back to normal, all your stickies and issues un-hidden, etc.

so the CHEF-KOCH got you banned, huh?! HOLY SHIT! WHAT A FUCKING CUNT!!

I'd love to know more about the conversations you had with github support to get your account un-banned.

Just to confirm, it was CHEF-KOCH... he must have spent ages pouring over the T&C finding something - it was a comment of mine that pointed readers to his "Say Thanks" asking you to say "Thanks" to him. Removed the comment, and now I am not flagged. Now you know who is a petty, vindictive, twisted individual who would rather the world burns than be constructive

@earthlng Not a ban, a flag . I was still able to login and do things on my account, including bypassing hidden posts, by editing yours !!!

I'd love to know more about the conversations you had with github support to get your account un-banned.

I will forward them to you. Took one email.

PS: Just shows u how much of the content here is driven by moi :kiss: Maybe all u gals need to up your game :trollface:

Welcome back. :)

Sheeshus .. don't you start .. if you get flagged I'll lose the diff issues.

Speaking of issues, there is one I think I will keep top and center, just keep adding to it, so it's always alive, recently updated.. you know, as a reminder .. I might call this the Streissand Effect

Welcome back Thorin !

Ha, totally kidding. Thought about putting a smiley or something but figured it wasn't needed, glad you knew and good to see the Pants' are reaching such high population numbers.

Oh. But I _didn't_ really know. I just bundled three different answers.

Shame on you for thinking I was hacked.

Shame? I just presented some of the less-complex possibilities I could think of. Besides, it just means I consider you sufficiently high-profile to be worth a hack, which should be kind of flattering! I could be exchanging words with terrorists and all sorts of lunatics here, for all I know. Or maybe your crazy asshole computer-genius nephew got ahold of your computer for a few minutes.

Sorry if it offends you. If you live in like a top security bunker and physically store your data in a Faraday cage, I have no fucking way to know, right?

Edit: WTF are you referring to me in plural?

Singular. They. Same argument as before: you could be an alien or some paranoid AI for all I know. You should be thankful I didn't use "it", instead.

What the hell, man. Isn't that shit supposed to be kinda common in english? It's a genuine question, this is not my native language.

On second thought, if you were an alien it probably wouldn't be your native language either. Unless you were a Hollywood alien, of course.

Anyway, I'm just glad you're back.

BTW you could actually be several people for all I know... :zipper_mouth_face:

BTW you could actually be several people for all I know...

No, we are not several people. I'm not schizophrenic, and neither am I, BTW.

extensions.webextensions.restrictedDomains - @earthlng check yur email

edit: interesting idea about adding domains to that list eg protonmail

IDK about that. If you don't trust your installed webextensions it might be a good idea. But if f.e a hacker manages to inject external JS into one of those domains, you'd normally see + block that with uMatrix.
If uMatrix etc are locked out with that pref you won't notice anything.

network.dns.native-is-localhost - For testing purposes! -> moved to ignore

^^ I'm digging. See more emails. I do not think this is anything more than them locking down Mozilla domains to be proactive against 3rd parties (eg block lists, scripts, extensions) whether they are malicious or not. You have to have trust in the platform/store and bad press (even if its not caused by Mozilla) is a no no. I'm pushing to see if there is anything else to it.

So for 99.9% of users this is all good. But the trade off is that we have no control over said domains. I'm not worried about a stupid cookie or two (you can simply deny cookies on AMO via site permissions).

Anyway, see email

browser.chrome.errorReporter.* - only enabled in Nightly.

https://wiki.mozilla.org/Firefox/BrowserErrorCollection
https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html

extensions.getAddons.get.url - never used thanks to 0306 - moved to ignore

https://bugzilla.mozilla.org/show_bug.cgi?id=1453988

edit (from an email) about privacy.resistFingerprinting.block_mozAddonManager (4503)

It was added so that users of Tor Browser who visit AMO could not be fingerprinted by _Mozilla_. In Firefox, we accept that Mozilla will learn more information about you than other third parties, so we don't try to protect one against fingerprinting by Mozilla. In Tor Browser, that should not b the case.

As a _side effect_ it happened to also allow extensions to work on AMO. That was locked down with other domains in 1415644 (currently access denied, will probably be opened up after 60 lands)

So in FF60+ the 4503 pref is meaningless - I trust Mozilla. Pref is inactive anyway, and the new pref mitigates any security concerns raised in 1406795 which I brought up in another issue here. This is a bit weird, because that was resolved as WONTFIX and AFAICT that is exactly what 1415644 is doing. I guess they just moved it to access denied, and it was definitely worth fixing.

From my perspective: I can control MY environment (extensions I install, manipulating local data/web content), but I cannot control external factors such as MiTM attacks. Arthur from Tor wasn't even aware of this - hence new ticket. He didn't see my email from over a month ago. He's definitely onto it now. I guess we can wait and see what happens. But ME, I'm definitely editing out AMO from that pref. For the user.js, I'm not sure what to do

/* xxxx: disable Browser Error Reporter (FF60+)
 * [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
 * [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html ***/
user_pref("browser.chrome.errorReporter.enabled", false);
user_pref("browser.chrome.errorReporter.submitUrl", "");

maybe 0380? or move the remaining 2 prefs in 0360 somewhere else because those 2 alone don't really "quiet fox" the new Activity-stream page anymore.

So in FF60+ the 4503 pref is meaningless

not setting that pref gives them access to a special mozAddonManager API. Unnecessary API IMO.

But ME, I'm definitely editing out AMO from that pref

that won't work because the code to restrict webextension access checks both the new pref and 4503

that won't work because the code to restrict webextension access checks both the new pref and 4503

I have 4503 in my overrides

not setting that pref gives them access to a special mozAddonManager API.

Yeah, I meant in context of my "I trust mozilla"

Edit: It also means we can flip the pref to active since it no longer (on its own) allows extensions to inject into AMO

yeah let's NOT do that. You've seen the countless reddit posts asking why AMO detects their FFs as an older version. I assume, based on the mozAddonManager pref being an RFP sub-pref, the whole point of the mozAddonManager was to be able to detect the FF version despite RFP.

Who knows what they will do with AMO - it has not been decided, and the new AMO has since rolled out since they first logged the bugzilla (even though someone brought it up 6 months earlier and was ignored!). I followed a few github issues on it, and it's not trivial to build that into the website. So the jury is still out. Also, once ESR60 lands (i.e the spoof is 60), then due to bye-bye-legacy, there will be way less issues.

I actually think what they will do is "hardcode" AMO as a UA spoof exception. Its a much simpler and cheaper solution. I say hardcode, but they may throw it behind a pref (why? I wouldn't), or even use this new restrictedDomains one.

Well, I'm leaning on adding the new restrictedDomains pref as 4504 (inactive though) even though its not RFP, because the two prefs together work. I guess it would be better for both to be inactive. Got three or more weeks to think about it

I'd put it under 2600, something like this:

/* 26xx: disable webextension restrictions on certain mozilla domains (FF60+) ***/
   // user_pref("extensions.webextensions.restrictedDomains", "");

add notes and/or warnings as you see fit, f.e. that several mozilla domains use google analytics and noscript etc won't be able to block that.

OT: https://bugzilla.mozilla.org/show_bug.cgi?id=1410106 Interesting bug. I thought PB mode didn't allow IDB, seems workers could bypass that at some stage - hell, it even has a CVE

For 3rd party scripts only, starting from FF 43 until today:

The Web Storage API now respects the browser’s third-party cookies preference, so it will no longer work when the script is in a third-party context and the user has disabled third-party cookies. The IndexedDB API and the new Service Worker Cache API will also obey the same constraint.

...see link here.

Atavic, I don't see the relevance - the whole point of PB mode was no persistent data. IDB was explicitly left out for a reason - there was no sanitizing mechanism. It's the oversight that I'm pointing out, not how persistent data is controlled.

If the 1st party uses web workers, then it is able to use IndexedDB.
I don't see it as an oversight, cliqz is partner with Mozilla.

I know web workers can use IDB, what I am talking about is that in PB MODE they made a decision to not allow IDB due to a lack of ability to sanitize it on close, and completely forgot about workers using it. Maybe I read the bug wrong

I totally agree! But it cannot be an oversight.

It definitely IS an oversight. They decided the rule was ZERO persistent web data. That meant web site breakage was a secondary consideration, i.e no IDB (and they did that, see, even extensions got caught up in it), but then they didn't check everything did they. That's the very definition of an oversight.

PS: Unless I'm mistaken, the bug was only just opened to the public

^^ https://medium.com/@konarkmodi/breaking-bad-to-make-good-firefox-cve-2017-7843-219034357496

60b16 changes since 60b9

new

pref("app.normandy.first_run", true);
pref("image.animated.decode-on-demand.threshold-kb", 4194303); // 60b9: 20480
pref("network.cookie.same-site.enabled", true);

changed

pref("layout.display-list.retain", true); // prev: false
pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 1000); // prev: 2000

EDIT: updated 1st post

same site cookies

• pref("network.cookie.same-site.enabled", true);
• https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
• insert bugzilla here

OT: 1400805 web ext can now control browser.display.use_document_fonts

Here's the meta bug for same-site cookies: https://bugzilla.mozilla.org/show_bug.cgi?id=samesite-cookies

Probably no point in listing this pref in user.js since it's enabled by default and it restricts cookies further. The pref is only there in case we need to turn the feature off quickly due to unforeseen bugs/breakage.

Is this the same as uMatrix rule...

* * cookie block
* 1st-party cookie allow

...which reads as allow outbound 1st-party cookies and deny outbound 3rd-party cookies?

SameSite=strict goes further than disabling third-party cookies. It also strips the first-party cookie if you follow a link from a different site. See http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ for a good explanation.

@fmarier thx
If I understand correctly this behavior is server side controlled over header and not client side by preferences?

I agree with @fmarier in that we don't need the pref in the user.js per se but I think it's a nice new feature and worth adding for the links alone. something like this:

/* 27xx: enable support for same-site cookies (FF60+)
 * [NOTE] support for same-site cookies is enabled by default but we don't enforce it
 * in case mozilla needs to turn it off quickly due to unforeseen bugs/breakage.
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=samesite-cookies
 * [2] https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
 * [3] https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ ***/
   // user_pref("network.cookie.same-site.enabled", true); // default: true

This browser setting lets the end-user disable all third-party cookies. The same-site cookie attribute, on the contrary, gives web sites fine-grained control over how to handle their cookies.

We already block all 3rd party cookies (in fact we I already block all cookies). Also, bend me over and call me Susan, but wouldn't FPI also mitigate this (if you allowed 3rd party cookies .. but then again the only reason I would do so is for login purposes eg secure.bank.com on bank.com). That .nl link is pretty nice :+1:

2706 is the next slot. Wouldn't mind nudging them down and stealing 2703

@crssi correct: server sets the SameSite=strict, FF can now honor that. It's not a client side pref to enforce all cookies to do it, just one to turn the feature on

AFAIK FPI only works on domain anyway ie secure.bank.com has access to cookies etc from bank.com and vice-versa.

same-site cookies makes it so that when you click a link to yourbank.com and you happen to be logged in to yourbank.com in another tab (or didn't logout) the cookie will not be sent and therefore preventing potential CSRF. FPI has nothing to do with that. EDIT: not just links but some other things as well, like certain forms and whatnot, see the .nl link for details.

maybe secure.bank.com and bank.com was a bad example (not sure how those tlds work). Take a look at the article again - I'll use facebook.com cookies as 3rd party (i.e the FB widget/like buttons etc)

FPI means that the FB cookies used on siteA cannot be used on siteB - that's what First Party Isolation means. They even want to enable 3rd party cookies in TBB (quote Arthur if I can find where he said it was in the pipeline)

moved from new to ignore. These are just visual indicators (camera light, urlbar indicator for microphone)

• 1436352 2x media.getusermedia.camera.off_*
• 1299515 2x media.getusermedia.microphone.off_*

MDN doc, also see Dev 60 Notes Media & WebRTC section

the URL bar displays a pulsing red icon to indicate that recording is underway. The icon is gray if the permission is in place but recording is not currently underway. The device's physical light is used to indicate whether or not recording is currently active

my 2 cents:

pref("app.normandy.first_run", true); - probably unnecessary but we can add it to the other normandy stuff, up to you
pref("browser.startup.blankWindow", false); - nothing to do with privacy/security and IMO not worth adding to 5000 either
pref("browser.urlbar.openintab", false); - sounds pretty annoying. I'd ignore it
pref("devtools.policy.disabled", false); - devtools are awesome. Why would anyone want to disable that? IMO move to ignore
pref("dom.push.alwaysConnect", false); - default is false which is what we want and thus it's safe to ignore but I don't mind adding it with the other push stuff just in case
pref("network.ftp.enabled", true); - maybe add as inactive for those who want to disable it. I think FF61 will disable ftp for sub-resources which is probably the better option
pref("media.cubeb.sandbox", false); - something to do with audio on linux (and maybe Mac, IDK). It's true on linux and false on Windows. I'd say move to ignore

changed:

IMO move to ignore:
pref("browser.schedulePressure.timeoutMs", 300); // prev: 1000
pref("devtools.debugger.features.root", true); // prev: false - no idea what this is but most people probably don't use the debugger anyway
pref("gfx.webrender.blob-images", 1); // prev: 2
pref("gfx.webrender.hit-test", true); // prev: false
pref("layout.css.servo.chrome.enabled", true); // prev: false - seemingly removed in FF61
pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 1000); // prev: 2000

:jeans: you forgot to move 0512 to deprecated/removed

I am going to make 4503 privacy.resistFingerprinting.block_mozAddonManager active (as true). It reduces extra data collection (by Mozilla) and now with extensions.webextensions.restrictedDomains in FF60+ at default, there is no risk of scripts injecting etc. While Mozilla is probably a special case at times, to me, all domains are to be treated equal (personally I'm also blanking restrictedDomains - I'm a big boy and can take care of myself - no to GA and yes to allowing extensions to work on those domains)

ESR52.x users who will hang out until the bitter end instead of moving to ESR60 branch .. not affected since 4503 is a FF57+ pref

you forgot to move 0512 to deprecated/removed

Did a commit, and added to the deprecated sticky. BUT, I gotta ask @earthlng ), how did these two prefs not get listed in the diffs above - I rely on the diffs to generate the sticky issue and drive changes here. Just asking, not throwing stones or anything. Is is something to do with being a system addon, and the prefs are hidden until created by the addon?

Is is something to do with being a system addon, and the prefs are hidden until created by the addon?

yes exactly. I already planned to change the way I retrieve the default prefs for the next diff because of some changes mozilla made in 61 but I'll update this diff as well as soon as FF60 portable is available.

I'll have to install a certain version to get a diff for it and thus I won't be able to create OS-diffs anymore because I don't have a Mac.

moved from new to ignore

• pref("browser.urlbar.openintab", false);
  
  
  
  • agreed it sounds silly. searchbar I get, but the urlbar? why would anyone type over a current tab and then open in a new one? Does the old urlbar URL come back? IDK, don't care.
  
  
• pref("dom.keyboardevent.keypress.dispatch_non_printable_keys_only_system_group_in_content", false);
  
  
  
  • sounds complicated and over my head, I don't even have any idea what this is really, but it ain't privacy related
  
  
  • pref("dom.push.alwaysConnect", false);
  
  
  • 1440467 - ignore it, we can add it IF they ever flip it
  
  
• pref("network.ftp.enabled", true);
  
  
  
  • Agreed. Ignore it. We can look at FTP subresources in 61 as you said
  
  

--
should we add this one?

• pref("dom.registerProtocolHandler.insecure.enabled", true);
  
  
  
  • 1429732
  
  
  • fxsitecompat
  
  
  • if I read this right, then we want it to be false, which will happen in FF62 anyway, but it would benefit ESR60 users
  
  
  • edit: benefit esr60: actually, they would probably flip it for both channels since no more code would be needed?
  
  

• keyboardevent stuff:
  https://www.fxsitecompat.com/en-CA/docs/2018/non-printable-keys-will-soon-stop-firing-keypress-event/
  FF60 doesn't have the whitelist yet and enabling it already might just break too many sites. Waiting at least for FF61 seems like a good idea. Perhaps even wait until they enable it by default because I don't know what the pros and cons of this are, either.
• ftp - I wouldn't mind adding it inactive tbh. Martin wrote an article about it and we could link to that.
  https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/
• registerProtocolHandler - yes false is what we want. "low usage rate of the functionality" so breakage-wise it shouldn't be a problem to set this already. 1 more bit for fingerprinting but it's very unlikely that anyone is using that. Nightly has it disabled too. a similar pref was added in 59: dom.registerContentHandler.enabled
• dom.registerContentHandler.enabled
  https://bugzilla.mozilla.org/show_bug.cgi?id=1398169
  https://www.fxsitecompat.com/en-CA/docs/2018/navigator-registercontenthandler-has-been-removed/
  https://developer.mozilla.org/en-US/Firefox/Experimental_features#DOM
  we can disable that too IMO. Also already disabled in Nightly 61
• security.mixed_content.upgrade_display_content - not even enabled in Nightly. We should wait IMO
• security.pki.distrust_ca_policy - if they land it as 1, which they most likely will, we don't need to enforce it.
• dom.ipc.useNativeEventProcessing.content - fixes some kind of bugs. No idea what the pros and cons of flipping this back would be. Best not to mess with it
• dom.moduleScripts.enabled - ignore. some links are here: https://bugzilla.mozilla.org/show_bug.cgi?id=1438139#c5
• security.webauth.webauthn - probably best to ignore this, nobody is forced to use it.
  https://www.w3.org/TR/webauthn/
  https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
  https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/

updated the 1st post.

• pref("app.shield.optoutstudies.enabled", true); was added to the default pref files in FF60 but apparently existed before that as a pref set by a system addon. I kept it under NEW regardless.
• following are the prefs set by system addons or not included in the default prefs files and therefore missing in the diffs. some of them are NEW in FF60 and are now included in the updated 1st post.

pref("browser.newtabpage.activity-stream.collapseTopSites", false);
pref("browser.newtabpage.activity-stream.default.sites", "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/");
pref("browser.newtabpage.activity-stream.disableSnippets", false);
pref("browser.newtabpage.activity-stream.enableWideLayout", true);
pref("browser.newtabpage.activity-stream.feeds.favicon", true);
pref("browser.newtabpage.activity-stream.feeds.migration", true);
pref("browser.newtabpage.activity-stream.feeds.newtabinit", true);
pref("browser.newtabpage.activity-stream.feeds.places", true);
pref("browser.newtabpage.activity-stream.feeds.prefs", true);
pref("browser.newtabpage.activity-stream.feeds.section.highlights", true);
pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_description\":\"pocket_description\",\"provider_icon\":\"pocket\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off\",\"stories_referrer\":\"https://getpocket.com/recommendations\",\"privacy_notice_link\":\"https://www.mozilla.org/privacy/firefox/#suggest-relevant-content\",\"disclaimer_link\":\"https://getpocket.com/firefox/new_tab_learn_more\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false,\"personalized\":true}");
pref("browser.newtabpage.activity-stream.feeds.sections", true);
pref("browser.newtabpage.activity-stream.feeds.snippets", true);
pref("browser.newtabpage.activity-stream.feeds.systemtick", true);
pref("browser.newtabpage.activity-stream.feeds.telemetry", true);
pref("browser.newtabpage.activity-stream.feeds.topsites", true);
pref("browser.newtabpage.activity-stream.filterAdult", true);
pref("browser.newtabpage.activity-stream.migrationExpired", false);
pref("browser.newtabpage.activity-stream.migrationLastShownDate", 0);
pref("browser.newtabpage.activity-stream.migrationRemainingDays", 4);
pref("browser.newtabpage.activity-stream.section.highlights.collapsed", false);
pref("browser.newtabpage.activity-stream.section.highlights.includePocket", true);
pref("browser.newtabpage.activity-stream.section.topstories.collapsed", false);
pref("browser.newtabpage.activity-stream.section.topstories.showDisclaimer", true);
pref("browser.newtabpage.activity-stream.sectionOrder", "topsites,topstories,highlights");
pref("browser.newtabpage.activity-stream.showSearch", true);
pref("browser.newtabpage.activity-stream.showSponsored", true);
pref("browser.newtabpage.activity-stream.showTopSites", true);
pref("browser.newtabpage.activity-stream.telemetry", true);
pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "https://tiles.services.mozilla.com/v4/links/activity-stream");
pref("browser.newtabpage.activity-stream.telemetry.ut.events", false);
pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "https://activity-stream-icons.services.mozilla.com/v1/icons.json.br");
pref("browser.newtabpage.activity-stream.topSitesRows", 1);
pref("extensions.pocket.api", "api.getpocket.com");
pref("extensions.pocket.oAuthConsumerKey", "40249-e88c401e1b1f2242d9e441c4");
pref("extensions.pocket.site", "getpocket.com");
pref("extensions.webcompat.perform_ua_overrides", true);
pref("pdfjs.cursorToolOnLoad", 0);
pref("pdfjs.defaultZoomValue", "");
pref("pdfjs.disableAutoFetch", false);
pref("pdfjs.disableFontFace", false);
pref("pdfjs.disablePageLabels", false);
pref("pdfjs.disablePageMode", false);
pref("pdfjs.disableRange", false);
pref("pdfjs.disableStream", false);
pref("pdfjs.enablePrintAutoRotate", false);
pref("pdfjs.enableWebGL", false);
pref("pdfjs.externalLinkTarget", 0);
pref("pdfjs.pdfBugEnabled", false);
pref("pdfjs.renderer", "canvas");
pref("pdfjs.renderInteractiveForms", false);
pref("pdfjs.showPreviousViewOnLoad", true);
pref("pdfjs.sidebarViewOnLoad", 0);
pref("pdfjs.textLayerMode", 1);
pref("pdfjs.useOnlyCssZoom", false);

FYI: FF60 security advisories CVE-2018-5152 - This is the extensions.webextensions.restrictedDomains pref. It links to 1415644 which we already listed, but also to 1427289 (no idea what's in there - as both are still access denied). Anyway the description is

WebExtensions with the appropriate permissions can attach content scripts to Mozilla sites such as accounts.firefox.com and listen to network traffic to the site through the webRequest API. For example, this allows for the interception of username and an encrypted password during login to Firefox Accounts. .. [etc]

pdfjs is ... secure/vetted as any pdf reader out there
Exploits are rare

really? https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158

Anything related to pdf and office files isn't secure. They are widely used, sent by mail and exploited.

really? https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158

So the second one in 4 or 5 years. What's your point. Shit happens. It's been patched. Would you like me to dig up and find the thousands of other patches and exploits for all the other pdf applications out there

Also, way to take shit out of context. Here is the full sentence

• and as secure/vetted as any pdf reader out there (more than most)

wanna finish this?

what to do with the parrot? change the header of the first pref? what's the relevance of link 2?

wanna finish this?

probably

what to do with the parrot etc

We're using a bird (in this case a parrot, cuz Monty Python) just like a canary in a coal mine - a missing or dead canary indicates something went wrong. I know it's not for "warrants" but the concept is identical

• If you want we can remove the two existing links
• Remove line about redundancy, replace with line about "not all errors are now caught (see [3])" and add a [3] article link
• ^^ add same info to wiki page on how a user.js works - DONE

/* START: internal custom pref to test for syntax errors (thanks earthling)
 * [NOTE] In FF60+, not all syntax errors cause parsing to abort, see [3]
 * [1] https://en.wikipedia.org/wiki/Dead_parrot
 * [2] https://en.wikipedia.org/wiki/Warrant_canary
 * [3] https://blog.mozilla.org/nnethercote/2018/03/09/a-new-preferences-parser-for-firefox/ ***/

Do we want to change the wording for the last instance?

I also want to add the following (except not as blah blah). Or should we ignore them and let FF take their course. I do not know if they flip these for ESR at the same time

/* xxxx: blah blah
user_pref("dom.registerContentHandler.enabled", false); // (FF59+)
user_pref("dom.registerProtocolHandler.enabled", false); // (FF60+)

should we enforce layout.css.moz-document.content.enabled=false or ignore it since it will be covered by default in 61+ (also, remembering ESR users)

scratchpad scripts. Suggest we delete them all and just create two up to ESR60 - deprecated and removed

If you want we can remove the two existing links

:+1:

IDK if we need the 3rd link either. Better to just explain what it means for users. maybe something like

In FF60+, not all syntax errors cause parsing to abort ie reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.

I do not know if they flip these for ESR at the same time

probably not. Maybe if someone asks them to. The prefs are already there and it would be a simple change.

or ... ignore them and let FF take their course

:+1:

re: moz-document - FF61 will also have an exception to avoid most breakage. It's unlikely that this will be backported to ESR. "ignore it since it will be covered by default in 61+" :+1:

Suggest we delete them all and just create two up to ESR60 - deprecated and removed

and maybe one for RFP-ALTS?

cleanup scripts: I kinda liked the [changes-only] because users can reset everything with a single script. Otherwise they need to run 3 or 4 and commented-out won't be covered.

and maybe one for RFP-ALTS?

:+1: so three scripts then

I kinda liked the [changes-only]

We only have one of those. Kinda forgot about it. It looks lonely. We should put it out of it's misery. I was thinking more about the two the rest ones. Waste of time now - that's what the prefs cleaner is for and is not based on our master's state of active/inactive.

I need a list of removed items since last release

And I'm confused: If we have a deprecated up and including to ESR60, then running it on ESR60 = always up to date for ESR60 branch .. It's the next version (61) we add a line gap in deprecated and start a new ESR one char switch .. OK, I had to type that out to get my it straight .. not confused anymore

I need a list of removed items since last release

everything we removed since last release only enforced the default values and doesn't need to be reset because they weren't stored in prefs.js anyway.

That may be so, but I still want the list to be in the scratchpad so its complete. Just waiting on that (I guess I could go thru the commits if you can't rustle up a quick diff) and then I will run the three scripts, and then upload

I think this was all of them anyway

    /* 60-beta - these were all at default anyway */
    'device.storage.enabled',
    'general.useragent.compatMode.firefox',
    'network.dns.blockDotOnion',
    'network.stricttransportsecurity.preloadlist',
    'security.block_script_with_wrong_mime',
    'security.fileuri.strict_origin_policy',
    'security.sri.enable',

on my setup, there were no errors, but one pref failed to reset (probably because I am on 59 still) - it was browser.newtabpage.enhanced. I have three files I'll upload in a sec

• ghacks-clear-FF60inclusive-[deprecated].js
• ghacks-clear-FF60inclusive-[removed].js
• ghacks-clear-FF60inclusive-[RFP-alternatives].js

They all reference up to and including ghacks user.js 60-beta. The removed one includes 14 prefs commented out - they were all from the e10s section, and playing with that caused issues in the past - only two of them were ever active anyway (shims and browser.tabs.remote.separateFileUriProcess I think), so no big deal.

There were other items removed, I'm sure of it, but it's so hard to follow the 2600 changes with it all being reordered. As per the wiki section on Scratchpad Scripts

The REMOVED script is the ONLY single point of reference for everything we once tinkered with, but is now gone. ...

^^ I'd like the list to be complete. Also, users may have tinkered and changed the value from default and then removed it. So adding them does no harm.

Can you pretty please do a quick diff from 59-alpha vs now for removed prefs :kiss:

you have all of them in the list above

Hah, wasn't sure when you'd be back, ran my own - came up with the same as you :) Thanks

All done. Scripts uploaded. Will set to beta and create a release if you're ready - just thumbs up if thunderbirds are go

edit: or you can do it, I'm off for some sleep - make sure to use -beta

https://github.com/ghacksuserjs/ghacks-user.js/releases/tag/v60.0-beta

If you want to add anything to the description re changing from alpha to beta naming, that's cool - go for it