User.js: Check Librefox-Firefox this or that option could interest you...

Created on 19 Nov 2018 · 38 Comments · Source: arkenfox/user.js

Hi,

First of all thank you a lot for your amazing work !
I just published my personal gathered tuned settings for firefox...

~~https://github.com/intika/privafox-firefox~~
Thorin Edit: https://github.com/intika/Librefox-Firefox

Privafox-Firefox: Tuning Firefox settings (about:config) for better security, privacy and performance. Firefox does not need to be rebuilt to be cleaned of privacy/security issues, as all settings can be changed in about:config. This project aims to fix security/privacy issues related to Firefox and also tune it to gain some speed.
It uses mozilla.cfg and policies.json to have the changes applied to firefox...

This could be useful to maybe pick up some stuff from it for the ghacks-user.js project :)

;)

Most helpful comment

Yup, more than welcome to do that :)

At the end of the day, and we've been at this for 4 years (and myself longer), some people think this template of ours is too harsh - because it breaks webrtc, webgl, videos (gmp, widevine, eme, cdm) and a couple of other items. That's about it. Easy as F to remedy if people flipped a handful of prefs. But yours is breaking shit left right and center - it's too much mate! It's a shell of a browser and it's kinda dangerous (IMO, see below).

And I kind of feel you're just reinventing the wheel, our wheel. It's like you've come along, slurped up 4 years of labor, and thousands of hours of research and testing etc, and wham, in a few days you get 600 followers (kudos to you!). But your project is "dangerous" (in quote marks because I haven't really looked at your settings), and you're going to have to do a lot of work (work we already considered and did, and tested, etc). And you've added prefs from god knows where (was it some 250+ we haven't got - we don't add everything for a reason, so you'll need to look at that as well), and the diffs are huge (with prefs in common), and then there's the lock pref stuff. AND, you're stripping things out like Safe Browsing (as far as I know), but decided now to drop recommending extensions. So new users are now put at risk. I think that's irresponsible.

People can achieve what you've done with a user.js - sure, I haven't exactly followed what core FF changes you have done, but they aren't needed IMO. So as much as I like you, I really don't like the project, at all - at least in its current state.

Pro Tip: You have to assume that anyone who uses your product has no knowledge or skills :) That's how I treat mine: so it's SB on by default, auto-update checks for extensions on by default, and so on. And I provide a wiki full of things like important stuff to check when first getting it. Recommended extensions. And so on. You have a lot of work in front of you, and I can't help but feel you had no idea that this will suck the life out of you, and consume all your time. I don't want you to die, intika, I like ya. :kiss:

PPS: don't listen to some of the rabid commentators on your repo. Just because that's how they like it, doesn't mean it's a good default (I have read some ludicrous ideas from some of them already).

Good luck buddy :beers:

All 38 comments

Yay! Something else to look at :grinning:

I'll see if @claustromaniac's compare tool can handle it. Although this won't be hard, because we've already mapped Firefox's DNA multiple times.

PK's list hasn't had anything (of significance) done to it for almost 2 years (and the wee flurry of activity around 18-22 months ago was from giving them a diff based on ours, which is still open), and is full of obsolete prefs, and IMO, quite a few that contradict each other (but I would have to re-assess that, as some prefs may have been flipped). Not that we're always right either. Different threat models may apply. They're templates FFS :)

Here's PK's repo activity for the last 18 months (added 16 prefs and removed one)

- Nov
  * removed deprecated dom.workers.enabled
- Oct
  * added toolkit.telemetry.archive.enabled=false
- Sep
  * added extensions.systemAddon.update.enabled=false
  * added javascript.options.wasm=false
- Feb
  * added privacy.firstparty.isolate=true
- Jan
  * added network.captive-portal-service.enabled=false
  * added signon.formlessCapture.enabled=false

2017
- Nov
  * added browser.newtabpage.activity-stream.enabled=false
  * added browser.newtabpage.activity-stream.feeds.section.topstories=false
- Oct
  * added browser.startup.homepage_override.buildID=20100101
  * added dom.network.enabled=false (which was deprecated in FF31)
  * added dom.maxHardwareConcurrency=2
  * added extensions.shield-recipe-client.enabled & app.shield.optoutstudies.enabled = false
- Jun
  * added dom.enable_resource_timing=false
  * added browser.shell.shortcutFavicons=false
  * added browser.bookmarks.max_backups=0

It is woefully out of date, especially now ESR52 is EOL. No disrespect to PK, but I wonder why people still harp on about it as being so good (that's not PK's fault).

For some reason he likes to keep all the really old cipher stuff in there. They do no harm (deprecated prefs won't do anything except take up space), except to perhaps parley a false sense of achievement / security. The lists below are a few months old (but I'm due to do another diff of ghacks vs pk)

35 cipher prefs, DEPRECATED BEFORE ESR52
* checked in ESR52.8, FF60, DXR (mozilla-central, mozilla-52, & comm-esr52)

user_pref("security.ssl3.dhe_dss_aes_128_sha", false);
user_pref("security.ssl3.dhe_dss_aes_256_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_128_sha", false);
user_pref("security.ssl3.dhe_dss_camellia_256_sha", false);
user_pref("security.ssl3.dhe_dss_des_ede3_sha", false);
user_pref("security.ssl3.dhe_rsa_camellia_128_sha", false);
user_pref("security.ssl3.dhe_rsa_camellia_256_sha", false);
user_pref("security.ssl3.dhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_aes_256_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_rsa_aes_256_sha", false);
user_pref("security.ssl3.ecdh_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdh_rsa_null_sha", false);
user_pref("security.ssl3.ecdh_rsa_rc4_128_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
user_pref("security.ssl3.ecdhe_rsa_des_ede3_sha", false);
user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
user_pref("security.ssl3.rsa_camellia_128_sha", false);
user_pref("security.ssl3.rsa_camellia_256_sha", false);
user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
user_pref("security.ssl3.rsa_null_md5", false);
user_pref("security.ssl3.rsa_null_sha", false);
user_pref("security.ssl3.rsa_rc2_40_md5", false);
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("security.ssl3.rsa_seed_sha", false);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false); // removed in FF50
user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false); // removed in FF50
user_pref("security.ssl3.rsa_rc4_128_md5", false); // removed in FF50
user_pref("security.ssl3.rsa_rc4_128_sha", false); // removed in FF50

and these are also in PK's, all active, i.e. not commented out (and in ghacks, but in the ghacks deprecated commented out section)

user_pref("browser.pocket.enabled", false); // removed in FF46
user_pref("browser.safebrowsing.enabled", true); // removed in FF50
user_pref("datareporting.healthreport.service.enabled", false); // removed in FF46
user_pref("dom.network.enabled", false); // removed in FF31
user_pref("dom.telephony.enabled", false); // removed in FF52
user_pref("loop.logDomains", false); // removed in FF49
user_pref("plugins.update.notifyUser", true); // removed in FF50

also active in PK's, but deprecated or confirmed that the code does nothing (but I might have to double-check a couple, maybe they're for Android) - couldn't be arsed finding the bugzilla's that removed them (if deprecated), as I only do that for what we have had in our js in the past

user_pref("dom.mozTCPSocket.enabled", false); // only exposed in chrome contexts
user_pref("shumway.disabled", true);
user_pref("plugin.state.libgnome-shell-browser-plugin", 0);
user_pref("network.negotiate-auth.allow-insecure-ntlm-v1", false);
user_pref("browser.newtab.url", "about:blank");
user_pref("browser.download.manager.retention", 0);
user_pref("browser.formfill.expire_days", 0); // code is only used in a single test
user_pref("browser.startup.homepage_override.buildID", "20100101"); // last used in ESR52

There's more, but the above = 49 useless prefs (out of a current 307). Not a good start. So if you have any of that in your repo... you're already lacking some credibility

If I get around to it, I'll post some more about your actual choices (a few on quick glance seem very BAD), rather than harp on about PKs (but you did base it heavily on his)

wow! and I thought we are excessive :)

Thank you for taking time to write this cool long answer :)

At first i thought of recompiling and patching firefox, and maintaining patches like the ungoogled-chromium project, but for firefox it's a whole other story... it's a huge work for a single person and as 98% of the modifications can be done over about:config, i started there gathering all the reported settings, and as you said it does not hurt if outdated settings are present, but i know i have to do some cleaning because of PK's list; i already did some and will for sure take the time to clean it completely later.

I was very active regarding firefox in the past before the whole web-extensions thing, and left the boat because of that, and still i am one foot in, one out lol... i recently tested v60xx... and was amazed by the work mozilla did even if i don't really agree about xul left behind like many but this is another topic... (life is about evolving).

I posted here because the score of my project is a little different and i think i can bring a plus to ghacks-user.js as you bring us all a plus without doubt with your amazing work and follow up.

I use firefox/chromium as second main browser other than (pm) because it could be very fast some time... and as ffox v60x... is growing in speed amazingly i decided to use it and thus that generated the project...

The project goal is not just to change privacy settings, but more importantly to measure the impact on the performances when those settings are applied to find the perfect equilibrium between performances and privacy... sometimes settings that are not that important lead to huge performance impact, and sometimes just little tiny changes make a huge difference.

In short, i am trying to make a modified-bundled firefox with the maximum privacy possible without losing performances and eventually gaining some.

Bundling the whole thing in firefox directly is also one of the scopes most users just want to use it without digging deep like we geek do... and some are yelling about this or that settings without really understanding what that setting do exactly.

Anyway, i am sharing my result here, i think information about performance impact would be useful as well here.

And also sometime mitigating issues with a custom extension have less impact other than disabling a whole api. i also often saw things disabled just for prevention while the real issue have been solved.

Nowadays a browser without js is just not an option.

I don't know where i am going exactly because i fear a little bit mozilla with the road they are taking, and i would not be surprised to see privacy issues growing exponentially to an unmanageable size. it's already somehow the case, it's why we need to keep our forces joined :)

Potential practical impact on your project :

  • Disclosing performances impact in the comment
  • Adapting this or that setting to avoid performance loss
  • Maybe also disclosing in comment the used workaround like i did some...

Applying the whole privacy thing without testing is something like 40/50% speed decrease. (i am not saying that you do... but a lot of users do, me included)

Also not everything is bad about mozilla... like the new setting privacy.resistFingerprinting, it's an amazing one with a great potential, we then need to stop editing useragent etc. because this feature already takes care of it. (i eventually recommend in my project just change the os in the useragent) the impact is not yet visible because we are not a lot using that. and every setting that we make sets our config to a unique one, thus makes it finger-printable.

I saw all those performance metrics, but to me performance is tertiary (the internet and browsers are getting faster all the time). I'm not an expert, but I am also wary of perf tests (read a lot, won't go over it here, suffice to say they're not real world, but useful in development). So for sure your project has a slightly different aim.

Just to clarify: speed can go and get f$%ked :) Security first, privacy/anti-tracking/anti-FP'ing second - but I hear ya on the breakage front. Of course JS is needed these days. When I get off my arse, we'll release a list of relaxed prefs so end-users can watch cat videos and tweet

> just change the os in the useragent

Don't. They're already going to limit it to 2 OSes, but leave navigator as 4 OSes as per TBB's change. And besides, any useragent prefs have no effect with RFP - you have to use an extension.

> Applying the whole privacy thing without testing is something like 40/50% speed decrease

Not surprised. We disable HWA, WASM, ASJSM, HTTP2, SSL session tickets. These alone would probably account for most of it (and could be in the relaxed list).

The other half of that equation (speed gain) is using decent blockers (uBlock, uMatrix) in whatever config you like - sheesh I saw one website, might have been cnn, where 128 requests or domains (I forget which, I think it was domains!!) were not needed. I actually find the web damn uber speedy in my setup.

> i am sharing my result here, i think information about performance impact would be useful as well here.

Absolutely, despite my cynicism of benchmarking tests :)

> And also sometime mitigating issues with a custom extension have less impact other than disabling a whole api. i also often saw things disabled just for prevention while the real issue have been solved.

Hell yeah. That's what I like about RFP, they attempt to spoof or fuzz the leak rather than kill the tech. Same with some of our prefs, eg geo, why disable that when the default is to ask. Leaking location is already covered, but allows users to set a site permission. Same with extensions that allow per domain. Always a fan of those. Default deny, then whitelist

We are on the same page :) (i am not willing to sacrifice security either just looking for alternatives and LEAVE ALWAYS the choice :))

> This could be useful to maybe pick up some stuff from it for the ghacks-user.js project :)

So I took privafox v2, changed all lockPref to user_pref, and did a compare. Here's what is not in our user.js.

The following 156 prefs are not declared in cmpghacks.js:

    app.feedback.baseURL                                                 ""
    app.normandy.first_run                                               false
    app.normandy.user_id                                                 ""
    app.releaseNotesURL                                                  ""
    app.update.lastUpdateTime.telemetry_modules_ping                     0
    app.update.url                                                       ""
    app.update.url.details                                               ""
    app.update.url.manual                                                ""
    app.vendorURL                                                        ""
    browser.bookmarks.restore_default_bookmarks                          false
    browser.contentblocking.reportBreakage.url                           ""
[i] browser.download.animateNotifications                                false
    browser.formfill.expire_days                                         0
    browser.newtabpage.activity-stream.aboutHome.enabled                 false
    browser.newtabpage.activity-stream.asrouter.messageProviders         ""
    browser.offline-apps.notify                                          true
    browser.ping-centre.staging.endpoint                                 ""
    browser.safebrowsing.passwords.enabled                               false
    browser.safebrowsing.provider.google.advisoryURL                     ""
    browser.safebrowsing.provider.google.lastupdatetime                  ""
    browser.safebrowsing.provider.google.lists                           ""
    browser.safebrowsing.provider.google.nextupdatetime                  ""
    browser.safebrowsing.provider.google.pver                            ""
    browser.safebrowsing.provider.google4.advisoryURL                    ""
    browser.safebrowsing.provider.google4.lists                          ""
    browser.safebrowsing.provider.mozilla.lastupdatetime                 ""
    browser.safebrowsing.provider.mozilla.nextupdatetime                 ""
    browser.shell.didSkipDefaultBrowserCheckOnFirstRun                   true
    browser.startup.homepage_override.buildID                            "20100101"
    browser.tabs.closeTabByDblclick                                      true
[i] browser.urlbar.autoFill.typed                                        false
    browser.urlbar.daysBeforeHidingSuggestionsPrompt                     0
    browser.urlbar.searchSuggestionsChoice                               false
    browser.urlbar.timesBeforeHidingSuggestionsHint                      0
    datareporting.healthreport.infoURL                                   ""
    datareporting.policy.firstRunURL                                     ""
    devtools.debugger.force-local                                        true
    devtools.devedition.promo.url                                        ""
    devtools.devices.url                                                 ""
    devtools.gcli.imgurUploadURL                                         ""
    devtools.gcli.jquerySrc                                              ""
    devtools.gcli.underscoreSrc                                          ""
    devtools.onboarding.telemetry.logged                                 false
    devtools.telemetry.supported_performance_marks                       ""
    devtools.telemetry.tools.opened.version                              ""
    dom.enable_performance_navigation_timing                             false
    dom.indexedDB.logging.details                                        false
    dom.indexedDB.logging.enabled                                        false
    dom.mozTCPSocket.enabled                                             false
    dom.permissions.enabled                                              false
    dom.registerProtocolHandler.insecure.enabled                         true
    extensions.blocklist.detailsURL                                      ""
    extensions.blocklist.itemURL                                         ""
    extensions.pocket.api                                                ""
    extensions.pocket.oAuthConsumerKey                                   ""
    extensions.pocket.site                                               ""
    extensions.update.background.url                                     ""
    gecko.handlerService.schemes.mailto.0.uriTemplate                    ""
    gecko.handlerService.schemes.mailto.1.uriTemplate                    ""
    gecko.handlerService.schemes.webcal.0.uriTemplate                    ""
    html5.offmainthread                                                  true
    identity.fxaccounts.auth.uri                                         ""
    identity.fxaccounts.remote.oauth.uri                                 ""
    identity.fxaccounts.remote.profile.uri                               ""
    identity.mobilepromo.android                                         ""
    identity.mobilepromo.ios                                             ""
[i] javascript.options.mem.high_water_mark                               96
    layers.acceleration.force-enabled                                    true
    layers.async-video.enabled                                           true
    layers.offmainthreadcomposition.async-animations                     true
    layers.offmainthreadcomposition.enabled                              true
    layout.frame_rate.precise                                            true
    lpbmode.enabled                                                      true
    mailnews.messageid_browser.url                                       ""
    mailnews.mx_service_url                                              ""
    media.webspeech.recognition.enable                                   false
[i] network.dns.blockDotOnion                                            true
    network.negotiate-auth.allow-insecure-ntlm-v1                        false
    network.negotiate-auth.allow-insecure-ntlm-v1-https                  false
    network.protocol-handler.expose.about                                true
    network.protocol-handler.expose.blob                                 true
    network.protocol-handler.expose.chrome                               true
    network.protocol-handler.expose.data                                 true
    network.protocol-handler.expose.file                                 true
    network.protocol-handler.expose.ftp                                  true
    network.protocol-handler.expose.http                                 true
    network.protocol-handler.expose.https                                true
    network.protocol-handler.expose.javascript                           true
    network.protocol-handler.expose.moz-extension                        true
    network.protocol-handler.expose-all                                  false
    network.protocol-handler.external.about                              false
    network.protocol-handler.external.blob                               false
    network.protocol-handler.external.chrome                             false
    network.protocol-handler.external.data                               false
    network.protocol-handler.external.file                               false
    network.protocol-handler.external.ftp                                false
    network.protocol-handler.external.http                               false
    network.protocol-handler.external.https                              false
    network.protocol-handler.external.javascript                         false
    network.protocol-handler.external.moz-extension                      false
    network.protocol-handler.warn-external-default                       true
    network.stricttransportsecurity.preloadlist                          false
    pdfjs.previousHandler.alwaysAskBeforeHandling                        true
    plugin.state.libgnome-shell-browser-plugin                           0
    plugins.crash.supportUrl                                             ""
    pref.general.disable_button.default_browser                          false
    pref.privacy.disable_button.cookie_exceptions                        false
    pref.privacy.disable_button.tracking_protection_exceptions           false
    pref.privacy.disable_button.view_passwords                           false
    privacy.trackingprotection.introURL                                  ""
    security.disable_button.openCertManager                              false
    security.disable_button.openDeviceManager                            false
    security.fileuri.strict_origin_policy                                true
    security.mixed_content.upgrade_display_content                       true
    security.sri.enable                                                  true
    security.ssl3.ecdh_ecdsa_rc4_128_sha                                 false
    security.ssl3.ecdh_rsa_rc4_128_sha                                   false
    security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256                         true
    security.ssl3.ecdhe_ecdsa_aes_256_sha                                true
    security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256                   true
    security.ssl3.ecdhe_rsa_aes_128_gcm_sha256                           true
    security.ssl3.ecdhe_rsa_aes_256_sha                                  true
    security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256                     true
    security.ssl3.rsa_seed_sha                                           false
    security.tls.version.fallback-limit                                  3
    services.sync.clients.lastSync                                       "0"
    services.sync.clients.lastSyncLocal                                  "0"
    services.sync.declinedEngines                                        ""
    services.sync.enabled                                                false
    services.sync.engine.addresses.available                             false
    services.sync.globalScore                                            0
    services.sync.jpake.serverURL                                        ""
    services.sync.migrated                                               true
    services.sync.nextSync                                               0
    services.sync.prefs.sync.browser.safebrowsing.downloads.enabled      false
    services.sync.prefs.sync.browser.safebrowsing.malware.enabled        false
    services.sync.prefs.sync.browser.safebrowsing.passwords.enabled      false
    services.sync.prefs.sync.browser.safebrowsing.phishing.enabled       false
    services.sync.serverURL                                              ""
    services.sync.tabs.lastSync                                          "0"
    services.sync.tabs.lastSyncLocal                                     "0"
    shumway.disabled                                                     true
    sync.enabled                                                         false
    sync.jpake.serverURL                                                 ""
    sync.serverURL                                                       ""
    toolkit.crashreporter.infoURL                                        ""
    toolkit.telemetry.coverage.opt-out                                   true
    toolkit.telemetry.infoURL                                            ""
    toolkit.telemetry.previousBuildID                                    ""
    toolkit.telemetry.prompted                                           2
    toolkit.telemetry.rejected                                           true
    toolkit.telemetry.reportingpolicy.firstRun                           false
    toolkit.telemetry.server_owner                                       ""
    urlclassifier.malwareTable                                           ""
    webextensions.storage.sync.serverURL                                 ""
    webgl.force-enabled                                                  true

> changed all lockPref to user_pref

Was that necessary? The script should be able to read pref(), user_pref(), lockPref() and sticky_pref(). If that is not the case then something is wrong.
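Added example, not part of the thread and not the compare tool discussed in it: a pref-file comparison that reads all four declaration forms named above, skips commented-out prefs, and flags the prefs this thread lists as removed as well as those set with lockPref. The function names and both sample files are constructed for illustration; the sample values do not reproduce either project's files.

```javascript
// Added example: sample data is constructed, function names are hypothetical.

// Prefs the thread lists as removed, with the Firefox version given there.
const REMOVED_IN = new Map([
  ['browser.pocket.enabled', 46],
  ['browser.safebrowsing.enabled', 50],
  ['datareporting.healthreport.service.enabled', 46],
  ['dom.network.enabled', 31],
  ['dom.telephony.enabled', 52],
  ['loop.logDomains', 49],
  ['plugins.update.notifyUser', 50],
]);

// One declaration: kind("name", value); value is a string, integer or boolean.
const DECL = /\b(user_pref|sticky_pref|lockPref|pref)\s*\(\s*(["'])([\w.-]+)\2\s*,\s*("(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*'|-?\d+|true|false)\s*\)/g;

// Remove // and /* */ comments while leaving string literals alone, so that a
// value such as "https://..." survives and a commented-out pref is not counted.
function stripComments(src) {
  let out = '';
  let quote = null;
  let i = 0;
  while (i < src.length) {
    const c = src[i];
    const n = src[i + 1];
    if (quote) {
      out += c;
      if (c === '\\') { out += n ?? ''; i += 2; continue; }
      if (c === quote) quote = null;
      i++;
    } else if (c === '"' || c === "'") {
      quote = c; out += c; i++;
    } else if (c === '/' && n === '/') {
      while (i < src.length && src[i] !== '\n') i++;
    } else if (c === '/' && n === '*') {
      const end = src.indexOf('*/', i + 2);
      i = end === -1 ? src.length : end + 2;
    } else {
      out += c; i++;
    }
  }
  return out;
}

// Map of pref name -> { kind, value } for every active declaration.
function parsePrefs(src) {
  const prefs = new Map();
  for (const m of stripComments(src).matchAll(DECL)) {
    const [, kind, , name, raw] = m;
    let value;
    if (raw === 'true' || raw === 'false') value = raw === 'true';
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else value = raw.slice(1, -1);
    prefs.set(name, { kind, value }); // a later declaration replaces an earlier one
  }
  return prefs;
}

// Report what a candidate file declares relative to a baseline file.
function compare(candidateSrc, baselineSrc) {
  const cand = parsePrefs(candidateSrc);
  const base = parsePrefs(baselineSrc);
  const report = { missingFromBaseline: [], differentValue: [], removed: [], locked: [] };
  for (const [name, { kind, value }] of cand) {
    if (!base.has(name)) report.missingFromBaseline.push(name);
    else if (base.get(name).value !== value) report.differentValue.push(name);
    if (REMOVED_IN.has(name)) report.removed.push(`${name} (FF${REMOVED_IN.get(name)})`);
    if (kind === 'lockPref') report.locked.push(name);
  }
  return report;
}

// Constructed candidate in mozilla.cfg style, mixing all four declaration forms.
const CANDIDATE = `
// constructed sample, not a real project file
lockPref("browser.pocket.enabled", false);
lockPref("app.update.url", "");
pref("devtools.devices.url", "https://example.invalid/devices"); // slashes inside a string
sticky_pref("dom.network.enabled", false);
// user_pref("loop.logDomains", false);
user_pref("javascript.options.wasm", false);
user_pref("dom.maxHardwareConcurrency", 2);
`;

// Constructed baseline in user.js style, with one pref commented out.
const BASELINE = `
user_pref("javascript.options.wasm", false);
user_pref("dom.maxHardwareConcurrency", 4);
/* user_pref("browser.pocket.enabled", false); */
`;

console.log(JSON.stringify(compare(CANDIDATE, BASELINE), null, 2));
```
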

I told ya already, I'm lazy .. I did a 2 second search & replace rather than risk wasting time with errors (which I still got one, thanks!)

Right... I started going thru all those 156 prefs, got down to about 30 left. A lot overlap with what I have covered before (eg in that horrendous 450+ diff monsta thrown on me).

I was going to provide the results of my work eg

/* ALREADY COVERED: by master pref extensions.pocket.enabled ***/
    extensions.pocket.api                                                ""
    extensions.pocket.oAuthConsumerKey                                   ""
    extensions.pocket.site                                               ""
/* INFO URLS ETC: require user interaction (e.g Help>Submit Feedback) ***/
    app.feedback.baseURL                                                 ""
    app.releaseNotesURL                                                  ""
    browser.contentblocking.reportBreakage.url                           ""
    datareporting.healthreport.infoURL                                   ""
    toolkit.crashreporter.infoURL                                        ""
    toolkit.telemetry.infoURL                                            ""
    privacy.trackingprotection.introURL                                  ""
/* DEFAULT IS SAME
   this is generally a bad idea: if FF disables something due to a security concern, the
   end user who doesn't keep up to date with changes (IF you do them) is now fucked over) ***/
    browser.offline-apps.notify                                          true
    browser.safebrowsing.passwords.enabled                               false
    html5.offmainthread                                                  true
    security.sri.enable                                                  true
    security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256                         true
    security.ssl3.ecdhe_ecdsa_aes_256_sha                                true
    security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256                   true
    security.ssl3.ecdhe_rsa_aes_128_gcm_sha256                           true
    security.ssl3.ecdhe_rsa_aes_256_sha                                  true
    security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256                     true
/* NOT PRIVACY etc related ***/
[i] browser.download.animateNotifications                                false
    browser.tabs.closeTabByDblclick                                      true
/* covered by dom.enable_performance (& also RFP) ***/
    dom.enable_performance_navigation_timing                             false
/* is only exposed to chrome ( https://trac.torproject.org/projects/tor/ticket/27268#comment:2 ) ***/
    dom.mozTCPSocket.enabled                                             false
/* only used in a single test ***/
    browser.formfill.expire_days                                         0
/* specifically removed because people don't understand it (and we don't want to encourage Tor over FF) ***/
[i] network.dns.blockDotOnion                                            true

and so on, but I've had enough.

@intika Good luck with your project, and feel free to drop in and share stuff and ask questions

@Thorin-Oakenpants thanks a lot for taking time doing that, it actually was helpful... i am cleaning the whole thing for the new version... and as my project is tied to yours don't worry about difference, i will post important one myself here, you don't have to check ;)
thanks again :+1:

The project was renamed to Librefox... i still have not released v2 but it's coming.

I do experienced some idle communication to mozilla (with default user.js), i am adding a section in v2 to block those connections... i will let you know here the result after the release ;) this may be useful... (i know that those connection are legit, i just don't want them)

Keep the good fight :+1: :)

Thanks

One last thing i am reorganizing the project sections to make it easily reviewable
with section like "not present in ghacks" "deprecated" etc
and adding comment on why this or that settings differ from user.js
(i did not upload it yet)

> I do experienced some idle communication to mozilla (with default user.js)

Do you mean ours or yours? Startup always checks for updates unless you block it using Enterprise Policy (it also does this when you go into Help>About and into Options, AFAIK). Also check no addons are doing anything (like getting an icon!)

Also our default does not block SB and blocklist updates.

One last thing i am reorganizing the project sections to make it easily reviewable with section like "not present in ghacks" .. etc

Do you really want to do that? It's a bit of overhead for you. Up to you, but then you could be mis-representing what we have when we make changes. It would be better to leave that out, but for sure, saying WHY you set something as you did is always good.

don't worry about differences, i will post important ones myself here

That would be cool. Share the knowledge brother :kiss:

Do you really want to do that? It's a bit of overhead for you

Indeed it's a little bit fucked up this whole thing. I don't remember who said here "i would love to have a master switch" but he is 1000% right; on the other hand it's amazing to have all that stuff easily accessible

It would be better to leave that out

Okay i will then just add userJS_diff.log and explain the differences

Do you mean ours or yours?

Both... trying to make a firefox version with zero automated request ^^ thanks for the infos by the way

Both... trying to make a firefox version with zero automated request

That's super easy / doable ... but it just creates roadblocks for end-users (eg trying to update) and puts them at risk (blocklists, revoked extensions+graphic cards etc, SB lists)

@intika on your readme: https://github.com/intika/Librefox#about under contributors you list @Thorin-Oakenpants @claustromaniac and @earthlng

I know you based almost all of your prefs on our work, and that's fine (this repo is attributed :+1: and that's enough), but I'd rather not have my individual name listed as some sort of contributor (sure, I pointed out that there are a bunch of dead prefs, but that's nothing). The reason is I do not agree with a number of "things" (not just some settings).

I'll let the other two decide for themselves if they want their name listed. Thanks

I don't mind being mentioned there, but I reckon listing Contributors that don't appear as contributors here without mentioning how they contributed is very ambiguous. @intika, if your intent is simply to give everyone in that list credit because our work helped you in one way or another, I suggest you to either be more descriptive, or to reword it to something like Acknowledgments (thank you's) or something of the sort. My 2 cents :cat:

@Thorin-Oakenpants thank you for the feedback no problem i will remove that :)
@claustromaniac i will update that to something more clear like Thanks/Acknowledgments @Thorin-Oakenpants do you also want not being listed on a "thank you" section ?

Thorin-Oakenpants do you also want not being listed on a "thank you" section ?

It was more along the lines of what claustromaniac said. "Contributor" is not the right word - it makes me sound like part of the project, when I'm not. Also the donations is not my thing. I would rather not be individually named.

Also this line "Librefox uses more than 500 privacy/security/performance settings (gHacks and additional options)... " .. implies that you're using ghacks settings, and I do not want people to think that. Could you change it to something more like

"Librefox uses more than 500 privacy/security/performance settings (we used the work and research from the ghacks user.js, added a few more preferences, and configured it to our liking)... " .. or something like that

Thanks in advance :+1:

i updated the about section https://github.com/intika/Librefox#about let me know if i can keep https://github.com/intika/Librefox#comparing-changes-and-updates or if you want any modification to what is written there

Also no donations were made (just to let you know) and the donation link was just there as additional info like i do on all my projects and it was there from the get go. (i was not asking explicitly for donations).

i am sorry if i hurt the feeling of anyone.

for the section https://github.com/intika/Librefox#librefox-browse-with-freedom- i just removed this '(gHacks and additional options)' to avoid confusion, let me know if it's okay that way.

Anyway let me know if it's okay the way it is right now and if you want me to do any modification.

Thanks, it's a lot clearer now :) :+1:

i am sorry if i hurt the feeling of anyone

That's OK. No-one has hurt feelings, we're all grown ups here :) And I understand English is not your native language - it's just how it was worded has led to implications / assumptions with ghacks-user.js's relationship. Especially a lot of the comments I have read on palemoon's forum, the numerous (10?) reddit threads, ghacks.net etc

... Going back to the main purpose of this... While working on Librefox i found some differences with gHacks that are worth a discussion:

// Pref : 2803: set what history items to clear on shutdown
// [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings
// [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
// but if 'history' is false, downloads can still be cleared independently
// However, this may not always be the case. The interface combines and syncs these
// prefs when set from there, and the sanitize code may change at any time 
//defaultPref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
defaultPref("privacy.clearOnShutdown.cache", true);
defaultPref("privacy.clearOnShutdown.cookies", true);
defaultPref("privacy.clearOnShutdown.downloads", true); // see note above
defaultPref("privacy.clearOnShutdown.formdata", true); // Form & Search History
defaultPref("privacy.clearOnShutdown.history", true); // Browsing & Download History
defaultPref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
defaultPref("privacy.clearOnShutdown.sessions", true); // Active Logins

This could be simplified with
defaultPref("privacy.sanitize.sanitizeOnShutdown", true); and defaultPref("privacy.cpd...

This is not present in gHacks

// Pref : Preferred language for displaying websites... 
// The first settings overflow the second one
defaultPref("privacy.spoof_english", 2);
//defaultPref("intl.accept_languages", "en-US, en");

This one should be set to false ?

/* 0906: disable websites' autocomplete="off" (FF30+)
 * Don't let sites dictate use of saved logins and passwords. Increase security through
 * stronger password use. The trade-off is the convenience. Some sites should never be
 * saved (such as banking sites). Set at true, informed users can make their own choice. ***/
user_pref("signon.storeWhenAutocompleteOff", true); // default: true

Not present in gHacks

// Pref : Allow extensions access to list of sites
// https://github.com/mozilla/gecko/blob/central/toolkit/mozapps/extensions/AddonManagerWebAPI.cpp
lockPref("extensions.webapi.testing", false); // hidden prefs // default false

Not present in gHacks

// Pref : Disabling performance addon url [FF64+]
lockPref("devtools.performance.recording.ui-base-url", "");
// Default Value : https://perf-html.io

Thanks

privacy.sanitize.sanitizeOnShutdown only controls whether to sanitize, it does not control what to sanitize. same with cpd. The cpd items you can change when you ctrl-shift-del .. it just makes sense to provide the info for people, and to reset it each startup (people can change them to suit so they have one set for closing and one for manual). Same reason we add the time range to clear for cpd (as everything / all time - because by time-range can't clean IDB)

privacy.spoof_english is handled internally, from memory, as part of RFP. And forcing it etc can cause issues

signon.storeWhenAutocompleteOff - that's up to you.

I'm not sure about the webapi testing thing - it's probably (99% sure) harmless. I do not see an issue with the perf in devtools ..

There's this fixation in your settings to kill every external request: not that I have done a decent comparison, because quite frankly, it's not my project. When I first looked, a quick scan had me horrified, there are, or at least were, some settings that actually put people at risk, and lots of silly (to me) decisions such as not updating info like blocked extensions/graphic cards) and lots more. But I'm not going to analyze it for you.

And as for the killing of every external request, it's not as black and white as that. You need to look at each item in isolation.
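To illustrate the two points discussed above (comparing one pref file against another, and `privacy.sanitize.sanitizeOnShutdown` deciding whether the `privacy.clearOnShutdown.*` items do anything), here is an added example that is not code from either project. The function names and both sample files are constructed for illustration from prefs quoted in this thread, and the parser is simplified: it does not handle `/*` inside string values.

```python
import re

# Active user_pref/pref/defaultPref/lockPref("name", value); calls; // lines never match.
PREF_RE = re.compile(
    r'^\s*(user_pref|pref|defaultPref|lockPref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_value(raw):
    if raw in ("true", "false"):
        return raw == "true"
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"')

def parse_prefs(text):
    """Return {name: (kind, value)}; a later line for the same pref wins."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop /* ... */ blocks
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            kind, name, raw = m.groups()
            prefs[name] = (kind, parse_value(raw))
    return prefs

def diff_prefs(base, other):
    """Report what `other` adds, changes or locks relative to `base`."""
    names = sorted(other)
    return {
        "locked": [n for n in names if other[n][0] == "lockPref"],
        "only_in_other": [n for n in names if n not in base],
        "changed": [(n, base[n][1], other[n][1]) for n in names
                    if n in base and base[n][1] != other[n][1]],
    }

def inert_clear_items(prefs):
    """clearOnShutdown items that do nothing: the master switch is not true."""
    # Assumption: a pref absent from the file keeps Firefox's default (false).
    if prefs.get("privacy.sanitize.sanitizeOnShutdown", (None, False))[1] is True:
        return []
    return sorted(n for n, (_, v) in prefs.items()
                  if n.startswith("privacy.clearOnShutdown.") and v is True)

# Constructed samples, built from prefs quoted in this thread.
BASE_SAMPLE = '''
/* 0906: disable websites' autocomplete="off" (FF30+) ***/
user_pref("signon.storeWhenAutocompleteOff", true); // default: true
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", true);
'''
OTHER_SAMPLE = '''
//defaultPref("privacy.clearOnShutdown.siteSettings", false);
defaultPref("privacy.clearOnShutdown.cache", true);
defaultPref("privacy.clearOnShutdown.cookies", true);
defaultPref("signon.storeWhenAutocompleteOff", false);
lockPref("extensions.webapi.testing", false); // hidden pref
lockPref("devtools.performance.recording.ui-base-url", "");
'''

if __name__ == "__main__":
    base, other = parse_prefs(BASE_SAMPLE), parse_prefs(OTHER_SAMPLE)
    print(diff_prefs(base, other), inert_clear_items(other))
```
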

Yes true i know many settings are controversial... moonchild from palemoon came with an analysis about those... https://forum.palemoon.org/viewtopic.php?f=4&t=21123&#p158437...

The project is very young, it was intended at first to be an alternative hardened Firefox (mixing settings and addons) for my personal needs and sharing it for those who would be interested... and to be honest i did not expect at all that much interest in the project... i did post 2 reddit to get some feedback about my work, but it kind of went viral... now it's normal that this or that setting would not match everyone's need... i have to come with a flexible release (settings page or so) to let every user configure the settings as he wishes.

@Thorin-Oakenpants thank you for your feedback, you don't need to waste your time to analyze it but if you want to, it will be appreciated :) :+1: and your comments will be added to https://github.com/intika/Librefox/issues/53

Yup, more than welcome to do that :)

At the end of the day, and we've been at this for 4 years (and myself longer), some people think this template of ours is too harsh - because it breaks webrtc, webgl, videos (gmp, widevine, eme, cdm) and a couple of other items. That's about it. Easy as F to remedy if people flipped a handful of prefs. But yours is breaking shit left right and center - it's too much mate! It's a shell of a browser and it's kinda dangerous (IMO, see below)

And I kind of feel you're just reinventing the wheel, our wheel. It's like you've come along, slurped up 4 years of labor, and thousands of hours of research and testing etc, and wham, in a few days you get 600 followers (kudos to you!). But your project is "dangerous" (in quote marks because I haven't really looked at your settings), and you're going to have to do a lot of work (work we already considered and did, and tested, etc). And you've added prefs from god knows where (was it some 250+ we haven't got - we don't add everything for a reason, so you'll need to look at that as well), and the diffs are huge (with prefs in common), and then there's the lock pref stuff. AND, you're stripping things out like Safe Browsing (as far as i know), but decided now to drop recommending extensions. So new users are now put at risk. I think that's irresponsible.

People can achieve what you've done with a user.js - sure, I haven't exactly followed what core FF changes you have done, but they aren't needed IMO. So as much as I like you, I really don't like the project, at all - at least in its current state.

Pro Tip: You have to assume that anyone who uses your product has no knowledge or skills :) That's how I treat mine: so it's SB on by default, auto-update checks for extensions on by default, and so on. And I provide a wiki full of things like important stuff to check when first getting it. Recommended extensions. And so on. You have a lot of work in front of you, and I can't help but feel you had no idea that this will suck the life out of you, and consume all your time. I don't want you to die intika , I like ya. :kiss:

PPS: don't listen to some of the rabid commentators on your repo. Just because that's how they like it, doesn't mean it's a good default (I have read some ludicrous ideas from some of them already).

Good luck buddy :beers:

Thank you for your feedback i am adding important notice to https://github.com/intika/Librefox/issues/53 ...

You have a lot of work in front of you

Yes indeed i know :D but it's worth it right ?

that this will suck the life out of you

Hhahahaha Yes i noticed that looool fully true !

PPS: don't listen to some of the rabid commentators on your repo. Just because that's how they like it, doesn't mean it's a good default (I have read some ludicrous ideas from some of them already)

I know, those users make a lot of noise ^^ indeed

decided now to drop recommending extensions

Yes but not in the current state of the project this is for next release, the "dangerous" thing will be first solved and the browser will have a default state much more acceptable compared to the current one and the idea is to provide a settings page for advanced users to let them switch whatever they want easily without going through a 3000 line file... and also this will fix the "locked" setting critique

advanced users to let them switch whatever they want easily without going through a 3000 line file

then they aren't advanced users. You need to define and clarify for users what your target market is

then they aren't advanced users. You need to define and clarify for users what your target market is

Yes of course, i noticed lots and lots of newbie users just grabbing Librefox without any questioning and you are right i should treat all users as newbies... it's why i am willing to change a lot of default settings... but advanced technical users are a must for the project to survive (myself included) so an advanced settings page would be the thing that would make the project differ from Firefox... it's all about giving the choice right ? so the choice will be given in an easy interface

Also one important thing

And I kind of feel you're just reinventing the wheel, our wheel. It's like you've come along, slurped up 4 years of labor

It's been almost 2 months now that i am working on this almost full time... what can i do regarding your comment ?

Also as i already said i am planning to change the cfg/user.js integration into a gui. it will be different when it will be done.

You're not doing anything "wrong" - the ghacks user.js is there to be used and built on, as long as it's attributed, as per the license.

It's me, not you :grin: It's just weird that I struggle to get any attention and have been hammered by years of negativity and attacks and whammo, you get almost as much as me on here in 2 days as i did in 2 years. Maybe I'm a little jealous and feel like I've been ripped off (but I know I haven't) .. sorry for that. And maybe I can do without so many "shouty" people and the million views they bring. Maybe its a good thing :)

Oh yeah, I totally get that you have spent a lot of time on it already and changed it, and added new things. Didn't mean to imply that.

I think that it drew attention because it's kind of accessible for anyone (binaries) even if i did not mean that when i created the project (not for beginners), and because of its name too; also the extensions... and also maybe kind of saying yes to any request...

Where gHacks is kind of meant for advanced users, and getting the hands dirty... (even if i know it could be applied easily) maybe building a binary for gHacks would attract more users, a kind of patcher that would apply the ghacks settings, like the one used in https://github.com/overdodactyl/ShadowFox.

But to be 100% honest i think it's about posting the right thing at the right moment in the right place (https://www.reddit.com/r/linux/comments/a8ru20/librefox_mainstream_firefox_with_a_better_privacy/) other users did post an equivalent post before i came with the binaries without success. i did so just after releasing the version i thought good enough to be published.

and i never did ask anyone to post anything. i just posted twice on reddit... and people did the rest, it's all about communication ;)

Anyway just to summarize (and this is just my opinion)

  1. Develop a patching binary multi-platform x32/x64 - Win/Linux/Mac (6 versions)
  2. Post a reddit under r/linux and an other one under whatever you think it's good. (after releasing the binary)
  3. Drop the ego, and use the critiques to enforce the project.

Note : i need you to survive, keep going and get more attention for my project looool :p ... it's why i gave you as much credit in the first place in my readme page (not that i needed that to attract users but truly to give you credit !)

PPS : an extension as updater could be helpful as well and also you could improve the main readme (make it nicer... with links to the binaries if you decide to... )

No worries mate :) :kiss:

Just as an example, https://github.com/intika/Linux-Application-Firewall this is a very interesting project but because there was 0 communication the project has 0 stars

I kind of like the @intika idea and his drive for Librefox.
For sure the project is young and there are many wrong directions/choices/decision (as always at start and missing mileage).
With a, for example, wisdom of @Thorin-Oakenpants , @earthlng , @claustromaniac and others... and if @intika will take those seriously then Librefox might become a great browser.
Don't you think so?

@crssi yes indeed and i am listening to every one :) but ghacks deserve more attention in the current state of the project (ghacks) the attention will continue to grow continuously but a little/big push wont hurt. i don't know what @Thorin-Oakenpants is deciding about that
