User.js: SB+TP etc: extreme pruning

I don't know what comments you've been reading, but if they point to a bunch of inactive prefs as source to say we're anti-mozilla and such shit, I wouldn't care about their opinions. Correction: I wouldn't care either way.

Did you like my massive pruning of old deprecated shit ... the user.js feels so light and fluffy now. It's already under 2K lines again

I don't know what comments you've been reading

"I read and I know things" - Tyron Lannister

I read a lot, really . seriously .. a fucking lot. I'm over-exaggerating, but for example, on reddit they actively do not like this repo (that's the vibe and I have seen posts linking to us as a useful source with disclaimers to be careful, getting removed, not just deleted, but removed so there is no trace). Any mention of us gets almost zero votes, and yet things like privacytools.io little tiny tiny list gets tons of mentions and upvotes.

I haven't kept a diary or a list .. but the number of comments I have read (not so much at reddit, but the entire internet, almost finished reading it a second time now) that misconstrue what we do is insane. And as for other sites accrediting us in their sources, that's because we're so comprehensive. I can't ask them to not accredit (that's hypocritical), but what I can do is remove the shit they want. It's not just SB and google URLs etc, it's also the telemetry prefs (I'll look but I don;t think there's anything there to prune).

If they want to rant about Mozilla, I don;t care. What I do care about is them putting users at risk and removing all SB and calling it a privacy gain - so that was one of the aims of this issue

Did you like my massive pruning of old deprecated shit ... the user.js feels so light and fluffy now. It's already under 2K lines again

I'm pretty sure some people won't like it, but personally, I'm loving these cleanup rounds.

the number of comments I have read (not so much at reddit, but the entire internet, almost finished reading it a second time now) that misconstrue what we do is insane.

No wonder you feel underappreciated a lot of the time.

I wanted to keep all info in one place, one file. No need to look anything up. Especially back when people were throwing lists of prefs at us. But I feel I almost know every pref off by heart, sigh. The days of me needing to quickly search for something in the user.js to point out that it was deprecated or gone, and provide a link .. are long gone (queue all the people wanting to now add SB google urls, lol).

And should I ever need to do a compare (edit: with Compare-UserJS of course), it's not hard to copypasta the archived js from the sticky into a file.

I'm loving these cleanup rounds.

You mean this cleanup of deprecated and the above, or the whole 55+ commits in the last 2 weeks? I can't wait for earthlng's next changlog where he says something like "Pants drank the kool-aid.... and went on a mission" :grimacing:

I meant the whole lot of commits (although, I admit I didn't yet get a chance to check them all out... and I still have like 40+ unread notifications).

And should I ever need to do a compare (edit: with Compare-UserJS of course)

lol dat advertisement.

I am not interested in providing info and maintaining it for other blogs etc to use while screaming about Mozilla spying on it's users and being in cahoots with google etc, and then pointing back to here as a source. Every second comment about us (reddit, hackernews, etc) assumes we're also anti-mozilla, and that we put users at risk.

i may be partially to blame for that - i'm too blunt and too general sometimes and i've pounded Mozilla because of decisions which were made at the corporate level without ever defining what i meant by 'Mozilla' and separating the admins from the developers

i've since clarified this a bit on my site, but i should probably do a better job of it

i know there's plenty of people in the trenches (devs) that have ethical intensions and who care about privacy - this is obvious just in the TOR-to-FF ports alone - however when the corporation says how important privacy and the open web is and then partners with privacy hating corporations (and there are many more than just gaagle) and creates an initiative that is all about censorship by jumping on the 'fake news' bullshit bandwagon, i think my pissed-off-ness if more than justified (at the corporate level)

if my criticism has resulted in any negativity toward this project, i do apologize

ps. i too am happy about the cleanup of user.js

0415: I can't find Francois' reply somewhere in this repo about the report urls, which from memory confirmed that they are only used when a user reports a URL

Anyway, so I've had a look at TB

What they did instead was remove the Help>Report Deceptive Site menu item by the looks of it, which indicates that these aren't used unless user initiated

Additionally, looking at 0417, there is no need to blank the URL, just the boolean pref (which is what TB does) - So I'm going to go ahead an remove these

0410 + 0411 + 0412: safe browsing: There's a UI for these: totally not needed

Please do not remove settings because they have a UI. Many people use your user.js _because they do not utilize the UI_. They don't want to have to remember to go through UI preferences every time they re-install firefox. Much easier to copy/paste a preference file and guarantee consistency.

I'm still going to check out some more if I can. A few things that puzzle me. I need to be on an actual website (not activity stream, for example) in order for the menu item to be available (maybe all it does populate the url to be reported field) which seems counterproductive - how do you report a site when you don't want to open it again (e.g it triggers some non-ending popup hell?) Maybe you can edit the reported URL field? Maybe by doing it this way it eliminates typos in URLs and greatly reduces misreported stuff. IDK, because in my main FF, with user.js same as the master, clicking the menu item doesn't load any dialog.

Another thing, is why are there different URLs (phishing, malware) but only one basic dialog: looking a article, it looks like reporting dialog has an url field and a comment field. Nothing for the end user to select a type (and they wouldn't want that - i.e end users shouldn't classify the threat).

I'll have a play in a vanilla Firefox and read up on googles reporting api. Wish @fmarier was here

Please do not remove settings because they have a UI

SB:, I am removing them because they do nothing to improve privacy, security, etc. They're inactive .. if I was enforcing SB to be on, that might be a different story.

TP: We haven't been adding anything new, because it's constantly changing in the last few cycles with a lot more to come. Crypto list, fingerprinting list, flipping TP on by default and other things - we even made the ONE pref we used to have as active -> inactive and added a warning (see 0422), this was maybe 7 or 8 releases ago. The whole TP thing is best handled by the UI. Keeping this long-time-dead TP section, which is at worst possibly misleading due to it being incomplete, is a waste of time and space - and I for one do not wish to maintain it or follow it (overhead I can do without)

OK, it;s not a dialog, instead it loads a webpage

The good news is, it uses recaptcha, so we're all safe in the knowledge that we can never (accidently) submit anything to them :grinning: as we'll never pass the test.

So one, you need to actively select report deceptive site, and two still submit it. But I'll see what happens when I try again and I'll watch the network inspector

Here's everything that happened

The "bad URL" is in the URL, so that's "leaked", and that's it - I was using google.com as my page because they wouldn't block themselves if I accidentally reported them, and somehow, it was approved, and I took down google (would be a hell of a story though!)

https://safebrowsing.google.com/safebrowsing/report_phish/?tpl=mozilla&hl=en-US&url=https%3A%2F%2Fwww.google.com%2F

So the only thing that confuses me, it if this is just a single webpage, why do we have 7 URLs - that's what's bugging me.

Please do not remove settings because they have a UI. Many people use your user.js _because they do not utilize the UI_. They don't want to have to remember to go through UI preferences every time they re-install firefox. Much easier to copy/paste a preference file and guarantee consistency.

It takes several minutes to add these type of settings to the override list under a "personal" category. But since don't want to spend 30sec in the UI every time you "reinstall" firefox (I assume you meant reset), you won't bother with user.js personalization either...

I wonder, what will you do when you encounter site breakage?, spend a whole couple of minutes fixing it yourself, OR, come here asking for a fix...

I don't intend to be disparaging, only to show that there are "some" of opposite mindset.

Sorry for the off topic reply.

i may be partially to blame for that

@atomGit : so it was you .. you utter bastard\

^^ edit: just to make sure ... that's a joke :kiss:

@ everyone who cares to read

On a more serious note, i do not care about orthogonal shit, and the other part of that is, that in all these off-topic items (e.g using google search engine as a default for most regions, mr robot, cliqz, pocket, etc), my answer is always:

before you criticize someone, walk a mile in their shoes. Then criticize them, because one, you'll be a mile away, and two, you'll have their shoes

Only those who make the decisions are probably fully informed. I for one have never run a company with thousands of employees, or controlled the design of web tech / UI that touches on hundreds of millions of daily users. I've never tried to compete with a competitor that has tens (hundreds) of billions of dollars to use against me. And so on. Ooh .. national outcry, the world is doomed if Mozilla make a mistake with e.g Mr Robot. But Chrome does something way worse, intentionally, and no-one bats a fucking eyelid. I know we judge Mozilla more highly, but put some godamn perspective on things.

Unless they start sticking zombie baby heads on spikes, then I just don't fucking care. Also, just quietly, the zombies probably had it coming, the little biters!

OK, it's really only 4 URLs as they transition from google. to google4.

user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", "");

user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", "");

user_pref("browser.safebrowsing.reportPhishURL", "");

user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", "");

The first one looks like the one that controls the URL provided when you click Report Deceptive Site - I'll test that shortly. I'm digging around on DXR to see how malware and phish are used (and NFI why there's an extra phish)

Actually, I don't need to investigate anymore.

user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", "");
^^ safebrowsing.google and requires you to actively try and report a site

the other five all use mozilla.com, so I have no problem with that. NFI if they get used, don't care

So all can go, as well as the datasharing URL in the now numbered 0404, the .enabled pref is sufficient

https://dxr.mozilla.org/mozilla-central/source/toolkit/components/url-classifier/nsUrlClassifierDBService.cpp#1924
https://developers.google.com/resources/api-libraries/documentation/safebrowsing/v4/java/latest/com/google/api/services/safebrowsing/Safebrowsing.ThreatHits.html

so what are you trying to say @KOLANICH ?

Just dumping some links relevant to 0403. May make sense to add them.

the current 0403?

/* 0403: disable data sharing [FF58+] ***/
user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);

Yes. I have searched the DXR. The first link is to the symbol sending the data. The second link is the docs for some Google lib supposedly doing the same, but in Java.

Ahh, OK. Well, we disable Data Sharing (same as Tor Browser), and I'm not sure if those links are about data sharing. I'm not too interested in digging too much deeper.

Well, we disable Data Sharing

In fact it is disabled by default, but defence in depth won't harm. It may even make sense to lock that pref.

Oooh, is it. Prime candidate to get removed then - thanks