User.js: ToDo: diffs FF60-FF61

It looks like the 4th pref in 0501 experiments.activeExperiment was also removed with 1420908

I was going to check on that, because it would seem to be a leftover they missed. I haven't looked at the tickets (except a few others I looked up in the pile of new items I moved) - but I assume experiments (all of 0501) is now replaced by FF60's app.shield.optoutstudies.enabled (0512)

Edit: bump: I think we should just remove browser.storageManager.enabled rather than deprecate it. I'm guessing it was only ever added to handle rolling it out and/or testing. If ESR60 users disable Storage API, it could be handy, other than that it's really a non-event pref

^^ Edit: bump: I think we should just remove browser.storageManager.enabled

Pants wanna remove pref. Pants is smart, be like Pants.

we can also remove services.blocklist.signing.enforced rather than deprecate it, because it's default true since FF50

NEW: security.block_ftp_subresources - Article: https://blog.mozilla.org/security/2018/05/07/blocking-ftp-subresource-loads-within-non-ftp-documents-in-firefox-61/ Not sure if we need to add this, default true is what we want. I'd be more interested in making 0708 active

Edit: moved to ignore (from new)

• pref("gfx.downloadable_fonts.validate_variation_tables", true);
• pref("network.cookie.move.interval_sec", 10); (this is about cookies being moved from one memory location to another)
• pref("media.clearkey.persistent-license.enabled", false);
• pref("media.webspeech.recognition.force_enable", false);
• pref("media.webspeech.test.enable", false);

• dom.indexedDB.storageOption.enabled - safe to ignore, enabled=false is what we want. see https://www.fxsitecompat.com/en-CA/docs/2018/storage-option-for-indexeddb-open-has-been-removed/
• extensions.webcompat.perform_injections ( + extensions.webcompat.perform_ua_overrides )
  if they are user-set they get reset when the system addon starts up. The webcompat SA allows mozilla to inject scripts or css into a site and/or change the User-agent string, presumably to unbreak certain sites. (see https://wiki.mozilla.org/Compatibility/Go_Faster_Addon/Override_Policies_and_Workflows) ATM (in nightly) there are no real live settings just a test config (injections, ua-overrides). To disable it we can't use user_pref but pref() should probably work. IDK if we need/want to do that though, up to you.

dom.indexedDB.storageOption.enabled - I've read this has been breaking extensions, or I may be confused over the removal of a deprecated or non-standard "persistent" IDB feature. I'll have to dig a little more - yup, that compat link is what I was thinking, I doubt any extensions we use break. Agreed, ignore.

Webcompat - agreed, ignore them. Would be interesting to see if webcompat can override RFP.

OT: I have no idea what this means - is it meant to be scary?

^^ sounds like an Ad for VulnDB and the blame is put on Mitre, not mozilla.

In this case, CVE delivered information on 318 vulnerabilities up to seven years late. Compare that to VulnDB, which had information on all of these issues available immediately after disclosure

sounds like an Ad

I know. I just thought I'd draw attention to CVE - I've had loads of problems trying to find things in there.. in other words, I think it's a bit sh^t. No idea why that article focused on FF

61b14 changes since 61b6

new

pref("browser.newtabpage.activity-stream.asrouter.snippetsUrl", "");
pref("layout.css.moz-document.url-prefix-hack.enabled", true); // 61b6: false
pref("services.sync.engine.bookmarks.validation.enabled", true);
pref("services.sync.engine.passwords.validation.enabled", true);
pref("shield.savant.enabled", false);
pref("shield.savant.loglevel", "warn");

removed, renamed or hidden

pref("geo.provider.ms-windows-location", false);

changed

pref("browser.cache.offline.insecure.enable", false); // prev: true
pref("browser.newtabpage.activity-stream.telemetry.ut.events", true); // prev: false
pref("browser.startup.blankWindow", true); // prev: false
pref("device.sensors.ambientLight.enabled", false); // prev: true
pref("device.sensors.proximity.enabled", false); // prev: true
pref("dom.keyboardevent.dispatch_during_composition", true); // prev: false
pref("dom.registerContentHandler.enabled", false); // prev: true
pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // prev: "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%"
pref("layout.display-list.retain", true); // prev: false
pref("media.wmf.amd.vp9.enabled", false); // prev: true
pref("network.tcp.tcp_fastopen_enable", true); // prev: false
pref("privacy.usercontext.about_newtab_segregation.enabled", true); // prev: false

EDIT: updated 1st post

61.0 changes since 61b14

changed

pref("app.update.channel", "beta"); // prev: "release"
pref("app.update.url.details", "https://www.mozilla.org/%LOCALE%/firefox/beta/notes"); // prev: "https://www.mozilla.org/%LOCALE%/firefox/notes"
pref("app.update.url.manual", "https://www.mozilla.org/firefox/beta"); // prev: "https://www.mozilla.org/firefox/"
pref("devtools.devedition.promo.enabled", true); // prev: false
pref("toolkit.telemetry.enabled", true); // prev: false

EDIT: updated 1st post

new hidden pref:

// Disable using UNC paths (TBB bug 26424 and Mozilla's bug 1413868)
user_pref("network.file.disable_unc_paths", true);

uplifted all the way back to and including ESR52

I guess we better finish this - have been uber busy (and still am), so just as well 61 is a bit of a non event for our changes

FYI: https://jakearchibald.com/2018/i-discovered-a-browser-bug/ - interesting read (and https://github.com/whatwg/fetch/issues/144#issuecomment-368040980 which is linked in the article

moving all from changed to ignore

pref("browser.tabs.remote.warmup.enabled", true); // prev: false
pref("extensions.legacy.exceptions", "[email protected],@testpilot-containers,jid1-NeEaf3sAHdKHPA@jetpack,@activity-streams,[email protected],@testpilot-addon,@min-vid,[email protected],[email protected],[email protected],[email protected]"); // prev: "{972ce4c6-7e08-4474-a285-3208198ce6fd},[email protected],@testpilot-containers,jid1-NeEaf3sAHdKHPA@jetpack,@activity-streams,[email protected],@testpilot-addon,@min-vid,[email protected],[email protected],[email protected],[email protected]"
pref("extensions.webextensions.tabhide.enabled", true); // prev: false
pref("layout.css.moz-document.content.enabled", false); // prev: true
pref("media.wmf.amd.vp9.enabled", false); // prev: true

pref("browser.newtabpage.activity-stream.asrouter.snippetsUrl", "");
pref("shield.savant.enabled", false);
pref("shield.savant.loglevel", "warn");

• AS is covered by nixing the xpi - also browser.newtabpage.activity-stream.asrouterExperimentEnabled is false, if that's the master switch
• loglevel seems fine as "warn" (wouldn't we want a warning?)
• savant: https://bugzilla.mozilla.org/show_bug.cgi?id=1462725

I'd say we force-disable shield.savant.enabled because fuck shield.

I will definitely also disable tab warmup because I don't want FF to start doing something whenever I hover over a background tab with my mouse. But IDK if it's worth adding under 5000.

And lets not forget about this either. The bugzilla for it is still Access Denied.
I think this is about a potential proxy bypass and is definitely more severe in TBB than vanilla FF. But since most people will never really need a website (??) to access a UNC path anyway, it shouldn't be a problem if we add it IMHO.

error is the log level below warn.

A fresh bugzilla. And it has Critical Priority.

@earthlng I need some help with the last commit re the changes with the new home page and new tab UI

/* 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
 * [SETTING] General>Startup>When Firefox starts>Restore previous session ***/
   // user_pref("browser.startup.page", 0);
/* 0103: set your "home" page (see 0102) or use an extension
 * about:home=Activity Stream (default, see 0514), custom URL (see example below), about:blank
 * [SETTING] Home>New Windows and Tabs>Homepage and new windows ***/
   // user_pref("browser.startup.homepage", "https://www.example.com/");
/* 0104: set your "newtab" page
 * true=Activity Stream (default, see 0514), false=blank page (or set by an extension)
 * [SETTING] Home>New Windows and Tabs>New tabs ***/
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtab.preload", false); // not used now?

• 0102: I haven't got a pre61 handy to look at the previous UI, so I am not sure what the old UI had for options. The new UI only has an option for checking/unchecking "restore previous session". So think we (and I'm all tired out) need to check that those values 0=blank 1=home still exist, or if they get set by 0102 or 0103, and also work out what is the default is and what it changes to/from when flicking between the options in the new UI (I am so confused right now).
• 0103: i think this is right
• 0104: this was 0360 - it only has 2 options, even if you use an extension for your newtab. I do not think the preload does anything any more (because all the defaults for AS are handled by AS prefs), so if we can check that we could remove that pref - yes/no?
• tied 0103+0104 into 0514, but not sure if I need to add anything more to 0514?

The defaults for both newtab and homepage and new windows are to use AS. The default for startup seems to be 1 = home = AS (need to confirm that)

Edit: if 0102 is only about previous session then maybe this could be with the other session stuff? IDK

this is what it looks like in FF60:

0102+0103 could use a [SETTING-ESR60].

re: 0102 ...

need to check that those values 0=blank 1=home still exist

they do

work out what is the default is and what it changes to/from when flicking between the options in the new UI

default is 1. In FF61+ it toggles between 1 and 3

0103: I don't really like the "or use an extension". A newtab extension has nothing to do with privacy/security

re: 0104: "I do not think the preload does anything any more" - in FF61+ it's obsolete because it's checked together with browser.newtabpage.enabled and if that's false then so is newtab preloading. But in ESR60 and ESR52 it's slightly different and for that reason I'd say we keep it.

if 0102 is only about previous session then maybe this could be with the other session stuff?

it's about what happens on startup and thus fits perfectly where it is right now, IMO.

ps: I wouldn't mind activating both 0102 and 0103 and setting them to 0 and "about:blank" to make sure that no websites start loading before all extensions are ready.

this is what it looks like in FF60:

So that's the same as ESR60 then? Yup, we'll need a [SETTING-ESR60] tag.

it's about what happens on startup and thus fits perfectly where it is right now, IMO

was just a thought pending answers. The answer that 60 vs 61 handles shit differently put a whole new spin on everything. Why didn't they get all this shit sync with ESR (annoys me). It's already complicated as it is.

ps: I wouldn't mind activating both 0102 and 0103 and setting them to 0 and "about:blank" to make sure that no websites start loading before all extensions are ready.

I thought about it yesterday - some people set a custom url, others use an extension (like myself - it sets a moz-extension address) - this is something that users need to set themselves IMO. There's a whole UI for it. For those who want they can set an override.

I thought about making the inactive value as about:blank, but I also wanted to keep the URL example

here's what 0102 looks like in 61+

This is getting messy

• set browser.startup.page to 0 - this turns both homepage+newwindows and newtabs to "blank page" (you need to reload the options page)
• changing homepage+newwindows to custom url or Firefox home (activity stream) changes browser.startup.page back to 1
• changinghomepage+newwindows back to blank does not reset browser.startup.page to 0 (and there is not UI for that in 61+). Guess they really want the startup page to be AS

update

• changing BOTH homepage+newwindows and newtab to blank still does not change browser.startup.page to 0 - so all the UI options do not cover starting with a blank page
• no idea if 2 still works for browser.startup.page (probably but gets changed if people tinker with the UI)
• no idea how installing an extension affects it - probably the same since its just an API call to set a custom URL

some people set a custom url, others use an extension

yeah but most people don't use either and IMHO it should be the people using custom urls or extensions that should set an override and not the other way around. Also, people might not realize that when they have a homepage set and startup set to 1 (default) that the site will start to load before all their extensions are ready.

FYI: I just tested with browser.startup.page = 0 (and I use an extension to control my newtab/home/newwindow) and it is independent of the extension. Haven't read your post above just yet, getting my thoughts down .. since there is no UI in FF61 to stop AS on startpage, then 0102 we could enforce as 0 - this also controls sets 103+104 to about:blank (but not those controlled by an extension - see my test I just did). thoughts?

Not sure what just doing 0102 as 0 is on ESr60

I don't like this because all 4 values are still supported in all versions

I re-edited the draft which is fast becoming moot again anyway

I'm pretty sure that when you don't delete the AS xpi and you use the UI to set this to "Firefox Homepage" (or whatever it's called), it will set the value to "about:newtab". If you delete the xpi it will set "about:home", last I checked.

If i delete the XPI (as in my current setup) it sets about:home = correct. WITH the XPI I will recheck but I got the values I wrote from a default portable 61 - will let you know. Update: it sets `about:home: regardless of whether or not the XPI exists (FF61)

when you use a newtab extension FF will set these prefs for you automatically and even lock the UI, doesn't it? So, again, no need to mention extensions anywhere in this section

here is my UI

newtab is locked, but homepage+newwindow are not

wow they really fucked it up big time! what a fucking mess

Let's just keep it simple and fuck all the infos and settings and shit

/* 0102: set a blank startup-, home- and newtab page ***/
user_pref("browser.startup.page", 0); // 0=blank, 1=home, 2=last visited, 3=resume previous session
user_pref("browser.startup.homepage", "about:blank");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtab.preload", false);

edited: final v2 (merged the two settings in 0102)

/* 0102: set START page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
 * [SETTING] General>Startup>When Firefox starts ***/
user_pref("browser.startup.page", 0);
/* 0103: set HOME+NEWWINDOW page
 * about:home=Activity Stream (default, see 0514), custom URL, about:blank
 * [SETTING] Home>New Windows and Tabs>Homepage and new windows ***/
user_pref("browser.startup.homepage", "about:blank");
/* 0104: set NEWTAB page
 * true=Activity Stream (default, see 0514), false=blank page
 * [SETTING] Home>New Windows and Tabs>New tabs ***/
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtab.preload", false);

my overrides

user_pref("browser.startup.page", 1);
user_pref("browser.startup.homepage", "moz-extension://8ablahblah");

no need for explanations, no need to mention versions, no need to mention how the code works which will probably change

:+1: or :+1: (no thumbs down allowed) and then I will commit

PS: we can relook at the settings tags when we get an ESR60 portable

We could add this to 5000s

• // user_pref("browser.tabs.remote.warmup.enabled", false); // disable tab warmup (FF57+)

Or add it to 0300s (quiet fox) with all the other "speculative" connections: IMO it is speculative, because you may not even want to load that tab or it caused by an errant wayward mouse - and what about mousing over a tab (let's say you have dozens open) just to get the page title

We could also add a link to https://www.ghacks.net/2018/01/12/firefox-tab-warming-explained/ if you want

I'm not 100% sure exactly when this works. I mean, this must only apply to people who load sessions, right? i.e the tabs haven't been loaded yet. Because we don't use sessions in our user.js (but I don't mind the fallback of this pref for users). And maybe it applies as well when users "open all" for a bunch of bookmarks etc. IDK.

@earthlng

AFAIK tab warmup is not about making connections and stuff. It's about doing the visual parsing and processing of the page, DOM, etc so that it displays faster when you switch to that tab. We don't need to add it because it's probably not a big issue and most people are so performance hungry these days.

ah OK .. i thought you wanted it added as per an earlier comment.. no worries