User.js: ToDo: diffs FF69-FF70

Created on 21 Sep 2019 · 66Comments · Source: arkenfox/user.js

FF70 is scheduled for release Oct. 22nd

FF70 release notes [when ready]
[FF70 for developers](https://developer.mozilla.org/docs/Mozilla/Firefox/Releases/70)
FF70 compatibility
FF70 security advisories

misc TODO's:

[x] 2610 FF70+ and ESR68.1.0+ svg.disabled no longer affects extensions - - https://github.com/ghacksuserjs/ghacks-user.js/commit/a3611b7cf89b64b7b9814259cb5fdbde3ebbcd3e
[x] 2701 cookie behavior default changed it's name in the UI - https://github.com/ghacksuserjs/ghacks-user.js/commit/65dfad5c76148379c1c3f6d4667b28721c613770

289 diffs ( 200 new, 52 gone, 37 different )

new in v70.0:

[x] pref("media.peerconnection.ice.proxy_only_if_behind_proxy", false); - https://github.com/ghacksuserjs/ghacks-user.js/commit/f0980b5cb84a9f576ff4afa60c1ae39cbba3b86f , https://github.com/ghacksuserjs/ghacks-user.js/commit/8f76d9439f1b7998d100bc0cda316a8f2dcba741
FYI:
- pref("security.identityblock.show_extended_validation", false);
- pref("security.secure_connection_icon_color_gray", true);
- pref("browser.urlbar.megabar", false);

removed, renamed or hidden in v70.0:

nothing to see here... move along

changed in v70.0:

[x] pref("browser.messaging-system.whatsNewPanel.enabled", true); // prev: false - https://github.com/ghacksuserjs/ghacks-user.js/commit/d5f297ed426249e98c9bfc117d3d42ae5882944b
[x] various hidden / default changes - ALL DONE - https://github.com/ghacksuserjs/ghacks-user.js/commit/539750d2f2d82ced8e1dc1761bdf7d17dbf18c58
- 0602 pref("network.dns.disablePrefetchFromHTTPS", true); no longer hidden, needs [DEFAULT] tag
- 1003 pref("browser.cache.memory.capacity", -1); no longer hidden
- 1273 pref("security.insecure_connection_icon.enabled", true); // prev: false
- 1273 pref("security.insecure_connection_icon.pbmode.enabled", true); // prev: false
- 2608 pref("devtools.webide.enabled", false); // prev: true
- 4002 pref("privacy.firstparty.isolate.block_post_message", false); no longer hidden
FYI: moved to the next diffs
- pref("network.http.sendOriginHeader", 2); // prev: 0

ignore

click me for details

==NEW

pref("browser.cache.cache_isolation", false);
pref("browser.contentblocking.customBlockList.preferences.ui.enabled", false);
pref("browser.contentblocking.report.cookie.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report");
pref("browser.contentblocking.report.cryptominer.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report");
pref("browser.contentblocking.report.fingerprinter.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report");
pref("browser.contentblocking.report.lockwise.enabled", true);
pref("browser.contentblocking.report.lockwise.how_it_works.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report");
pref("browser.contentblocking.report.lockwise.url", "https://lockwise.firefox.com/?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-protections&utm_content=about-protections");
pref("browser.contentblocking.report.manage_devices.url", "https://accounts.firefox.com/settings/clients");
pref("browser.contentblocking.report.monitor.enabled", true);
pref("browser.contentblocking.report.monitor.how_it_works.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/monitor-faq");
pref("browser.contentblocking.report.monitor.sign_in_url", "https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protections&email=");
pref("browser.contentblocking.report.monitor.url", "https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections");
pref("browser.contentblocking.report.proxy.enabled", false);
pref("browser.contentblocking.report.proxy_extension.url", "https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-protections&utm_content=about-protections");
pref("browser.contentblocking.report.social.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report");
pref("browser.contentblocking.report.tracker.url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report");
pref("browser.fixup.typo.scheme", true);
pref("browser.messaging-system.fxatoolbarbadge.enabled", true);
pref("browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel", "{\"id\":\"whats-new-panel\",\"enabled\":true,\"type\":\"remote-settings\",\"bucket\":\"whats-new-panel\",\"updateCycleInMs\":3600000}");
pref("browser.newtabpage.activity-stream.discoverystream.engagementLabelEnabled", false);
pref("browser.search.separatePrivateDefault", false);
pref("browser.tabs.remote.force-paint", true);
pref("browser.tabs.remote.useCrossOriginEmbedderPolicy", false);
pref("content.cors.disable", false);
pref("content.notify.backoffcount", -1);
pref("content.notify.interval", 120000);
pref("content.notify.ontimer", true);
pref("content.sink.enable_perf_mode", 0);
pref("content.sink.event_probe_rate", 1);
pref("content.sink.initial_perf_time", 2000000);
pref("content.sink.interactive_deflect_count", 0);
pref("content.sink.interactive_parse_time", 3000);
pref("content.sink.interactive_time", 750000);
pref("content.sink.pending_event_mode", 0);
pref("content.sink.perf_deflect_count", 200);
pref("content.sink.perf_parse_time", 360000);
pref("device.sensors.test.events", false);
pref("devtools.browserconsole.input.editorWidth", 0);
pref("devtools.browsertoolbox.fission", false);
pref("devtools.connectpage.enabled", false);
pref("devtools.debugger.dom-mutation-breakpoints-visible", false);
pref("devtools.debugger.features.dom-mutation-breakpoints", true);
pref("devtools.debugger.features.inline-preview", false);
pref("devtools.debugger.features.overlay-step-buttons", false);
pref("devtools.netmonitor.features.search", false);
pref("devtools.netmonitor.panes-search-height", 450);
pref("devtools.netmonitor.panes-search-width", 550);
pref("devtools.netmonitor.ws.displayed-frames.limit", 500);
pref("devtools.netmonitor.ws.messageDataLimit", 100000);
pref("devtools.netmonitor.ws.visibleColumns", "[\"data\", \"time\"]");
pref("devtools.popup.disable_autohide", false);
pref("devtools.recordreplay.logging", false);
pref("devtools.recordreplay.loggingFull", false);
pref("devtools.storage.extensionStorage.enabled", true);
pref("devtools.toolbox.content-frame", true);
pref("devtools.toolbox.force-chrome-prefs", true);
pref("devtools.webconsole.input.editorOnboarding", true);
pref("devtools.webconsole.input.editorWidth", 0);
pref("dom.allow_XUL_XBL_for_file", false);
pref("dom.block_reload_from_resize_event_handler", true);
pref("dom.capture.enabled", false);
pref("dom.enable_window_print", true);
pref("dom.events.dataTransfer.protected.enabled", false);
pref("dom.events.user_interaction_interval", 5000);
pref("dom.forms.number.grouping", false);
pref("dom.ipc.cpows.log.enabled", false);
pref("dom.ipc.cpows.log.stack", false);
pref("dom.ipc.processPrelaunch.delayMs", 1000);
pref("dom.ipc.processPriorityManager.backgroundGracePeriodMS", 0);
pref("dom.ipc.processPriorityManager.backgroundPerceivableGracePeriodMS", 0);
pref("dom.ipc.processPriorityManager.testMode", false);
pref("dom.ipc.tabs.disabled", false);
pref("dom.largeAllocation.testing.allHttpLoads", false);
pref("dom.maxtouchpoints.testing.value", -1);
pref("dom.quotaManager.loadQuotaFromCache", true);
pref("dom.quotaManager.temporaryStorage.chunkSize", 10240);
pref("dom.quotaManager.temporaryStorage.fixedLimit", -1);
pref("dom.securecontext.whitelist_onions", false);
pref("dom.security.respect_document_nosniff", false);
pref("dom.storage.abort_on_sync_parent_to_child_messages", false);
pref("dom.testing.sync-content-blocking-notifications", false);
pref("dom.w3c_pointer_events.multiprocess.android.enabled", true);
pref("dom.webidl.test1", true);
pref("dom.webidl.test2", true);
pref("dom.webnotifications.allowcrossoriginiframe", false);
pref("dom.window.history.async", true);
pref("editor.password.mask_delay", -1);
pref("editor.password.testing.mask_delay", false);
pref("geo.timeout", 6000);
pref("gfx.blocklist.all", 0);
pref("gfx.core-animation.enabled", false);
pref("gfx.font_rendering.ahem_antialias_none", false);
pref("gfx.webrender.flip-sequential", false);
pref("gfx.webrender.triple-buffering.enabled", true);
pref("identity.fxaccounts.service.monitorLoginUrl", "https://monitor.firefox.com/");
pref("identity.fxaccounts.service.sendLoginUrl", "https://send.firefox.com/login/");
pref("idle_period.during_page_load.min", 12);
pref("idle_period.min", 3);
pref("javascript.options.blinterp", true);
pref("javascript.options.blinterp.threshold", 10);
pref("javascript.options.gc_delay", 4000);
pref("javascript.options.gc_delay.first", 10000);
pref("javascript.options.gc_delay.full", 60000);
pref("javascript.options.gc_delay.interslice", 100);
pref("javascript.options.mem.gc_avoid_interrupt_factor", 100);
pref("javascript.options.mem.gc_non_incremental_factor", 112);
pref("layers.compositing-tiles.height", 1024);
pref("layers.compositing-tiles.width", 1024);
pref("layers.d3d11.enable-blacklist", true);
pref("layout.css.aspect-ratio-number.enabled", false);
pref("layout.css.text-decoration-thickness.enabled", true);
pref("layout.css.use-counters-unimplemented.enabled", false);
pref("layout.framevisibility.amountscrollbeforeupdatehorizontal", 2);
pref("layout.framevisibility.amountscrollbeforeupdatevertical", 2);
pref("layout.reflow.synthMouseMove", true);
pref("layout.show_previous_page", true);
pref("layout.viewport_contains_no_contents_area", false);
pref("mathml.deprecated_style_attributes.disabled", false);
pref("mathml.legacy_number_syntax.disabled", true);
pref("mathml.mathsize_names.disabled", false);
pref("mathml.mathspace_names.disabled", false);
pref("mathml.mfrac_linethickness_names.disabled", false);
pref("mathml.nonzero_unitless_lengths.disabled", true);
pref("media.audioFocus.management", false);
pref("media.cloneElementVisually.testing", false);
pref("media.mediacapabilities.drop-threshold", 95);
pref("media.mediacapabilities.from-database", true);
pref("media.peerconnection.ice.obfuscate_host_addresses", false);
pref("media.peerconnection.mtransport_process", false);
pref("media.rdd-opus.enabled", false);
pref("media.rdd-wav.enabled", false);
pref("media.webrtc.net.force_disable_rtcp_reception", false);
pref("media.webrtc.platformencoder", false);
pref("network.dns.skipTRR-when-parental-control-enabled", true);
pref("network.http.altsvc.proxy_checks", true);
pref("network.http.referer.referrerLengthLimit", 4096);
pref("network.http.spdy.bug1556491", true);
pref("network.http.spdy.bug1563695", true);
pref("network.netlink.route.check.IPv4", "23.219.91.27");
pref("network.netlink.route.check.IPv6", "2a02:26f0:40::17db:5b1b");
pref("network.trr.request_timeout_mode_trronly_ms", 30000);
pref("network.trr.request_timeout_ms", 1500);
pref("page_load.deprioritization_period", 5000);
pref("permissions.desktop-notification.notNow.enabled", false);
pref("permissions.fullscreen.allowed", false);
pref("privacy.fuzzyfox.clockgrainus", 100);
pref("privacy.reduceTimerPrecision.unconditional", true);
pref("privacy.resistFingerprinting.target_video_res", 480);
pref("privacy.restrict3rdpartystorage.console.lazy", true);
pref("privacy.socialtracking.block_cookies.enabled", true);
pref("privacy.socialtracking.notification.counter", 0);
pref("privacy.socialtracking.notification.enabled", true);
pref("privacy.socialtracking.notification.lastShown", "0");
pref("privacy.socialtracking.notification.max", 2);
pref("privacy.socialtracking.notification.period.min", 172800000);
pref("privacy.socialtracking.notification.session.pageload.min", 4);
pref("security.aboutcertificate.enabled", false);
pref("security.all_resource_uri_content_accessible", false);
pref("security.allow_eval_in_parent_process", false);
pref("security.allow_eval_with_system_principal", false);
pref("security.block_Worker_with_wrong_mime", false);
pref("security.protectionspopup.recordEventTelemetry", true);
pref("security.remote_settings.crlite_filters.bucket", "security-state");
pref("security.remote_settings.crlite_filters.checked", 0);
pref("security.remote_settings.crlite_filters.collection", "cert-revocations");
pref("security.remote_settings.crlite_filters.enabled", false);
pref("security.remote_settings.crlite_filters.signer", "onecrl.content-signature.mozilla.org");
pref("security.sandbox.content.win32k-disable", false);
pref("security.tls.enable_delegated_credentials", false);
pref("services.common.log.logger.rest.request", "Debug");
pref("services.common.log.logger.rest.response", "Debug");
pref("services.common.log.logger.tokenserverclient", "Debug");
pref("signon.management.overrideURI", "about:logins?filter=%DOMAIN%");
pref("signon.management.page.breach-alerts.enabled", true);
pref("signon.management.page.breachAlertUrl", "https://monitor.firefox.com/breach-details/");
pref("signon.management.page.hideMobileFooter", false);
pref("signon.management.page.mobileAndroidURL", "https://app.adjust.com/6tteyjo?redirect=https%3A%2F%2Fplay.google.com%2Fstore%2Fapps%2Fdetails%3Fid%3Dmozilla.lockbox&utm_campaign=Desktop&utm_adgroup=InProduct&utm_creative=");
pref("signon.management.page.mobileAppleURL", "https://app.adjust.com/6tteyjo?redirect=https%3A%2F%2Fitunes.apple.com%2Fapp%2Fid1314000270%3Fmt%3D8&utm_campaign=Desktop&utm_adgroup=InProduct&utm_creative=");
pref("toolkit.telemetry.geckoview.batchDurationMS", 5000);
pref("toolkit.telemetry.geckoview.streaming", false);
pref("toolkit.telemetry.ipcBatchTimeout", 2000);
pref("toolkit.telemetry.isGeckoViewMode", false);
pref("ui.scrolling.negate_wheel_scroll", false);
pref("urlclassifier.features.cryptomining.annotate.blacklistTables", "base-cryptomining-track-digest256");
pref("urlclassifier.features.cryptomining.annotate.whitelistTables", "mozstd-trackwhite-digest256");
pref("urlclassifier.features.fingerprinting.annotate.blacklistTables", "base-fingerprinting-track-digest256");
pref("urlclassifier.features.fingerprinting.annotate.whitelistTables", "mozstd-trackwhite-digest256");
pref("urlclassifier.features.socialtracking.annotate.blacklistTables", "social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256");
pref("urlclassifier.features.socialtracking.annotate.whitelistTables", "mozstd-trackwhite-digest256");
pref("urlclassifier.features.socialtracking.blacklistTables", "social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256");
pref("urlclassifier.features.socialtracking.whitelistTables", "mozstd-trackwhite-digest256");
pref("widget.disable-native-theme", false);

==REMOVED or HIDDEN

pref("abc.def", true);
pref("apz.overscroll.spring_friction", "0.015");
pref("apz.overscroll.spring_stiffness", "0.0018");
pref("browser.cache.compression_level", 0);
pref("browser.cache.frecency_experiment", 0);
pref("browser.contentblocking.allowlist.annotations.enabled", true);
pref("browser.contentblocking.allowlist.storage.enabled", true);
pref("browser.contentblocking.introCount", 0);
pref("browser.contentblocking.introDelaySeconds", 1800);
pref("browser.contentblocking.maxIntroCount", 0);
pref("browser.contentblocking.rejecttrackers.control-center.ui.enabled", true);
pref("browser.contentblocking.rejecttrackers.reportBreakage.enabled", true);
pref("browser.contentblocking.reportBreakage.enabled", false);
pref("browser.contentblocking.trackingprotection.control-center.ui.enabled", true);
pref("browser.security.newcerterrorpage.mitm.enabled", true);
pref("browser.tabs.remote.useCrossOriginPolicy", false);
pref("browser.urlbar.quantumbar", true);
pref("devtools.aboutdebugging.new-enabled", true);
pref("devtools.debugger.features.windowless-workers", true);
pref("devtools.netmonitor.features.resizeColumns", true);
pref("devtools.netmonitor.ws.payload-preview-width", 550);
pref("devtools.onboarding.experiment", "off");
pref("devtools.onboarding.experiment.flipped", false);
pref("devtools.onboarding.telemetry.logged", false);
pref("devtools.webconsole.jsterm.codeMirror", true);
pref("dom.min_tracking_background_timeout_value", 4);
pref("dom.min_tracking_timeout_value", 4);
pref("dom.xhr.lowercase_header.enabled", true);
pref("gfx.font_ahem_antialias_none", false);
pref("gfx.webrender.dcomp-win-triple-buffering.enabled", true);
pref("ghi.jkl", true);
pref("javascript.options.bigint", true);
pref("javascript.options.mem.gc_allocation_threshold_factor", 90);
pref("javascript.options.mem.gc_allocation_threshold_factor_avoid_interrupt", 90);
pref("javascript.options.mem.high_water_mark", 128);
pref("javascript.options.unboxed_objects", false);
pref("layout.css.paint-order.enabled", true);
pref("layout.css.text-decoration-width.enabled", false);
pref("layout.float-fragments-inside-column.enabled", true);
pref("network.trr.request-timeout", 1500);
pref("plugin.persistentPermissionAlways.intervalInDays", 90);
pref("plugin.sessionPermissionNow.intervalInMinutes", 60);
pref("privacy.trackingprotection.cryptomining.annotate.enabled", true);
pref("privacy.trackingprotection.fingerprinting.annotate.enabled", true);
pref("privacy.trackingprotection.introURL", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/content-blocking/start/");
pref("privacy.trackingprotection.socialtracking.annotate.enabled", false);
pref("security.block_ftp_subresources", true);
pref("services.sync.prefs.sync.browser.contentblocking.introCount", true);
pref("services.sync.prefs.sync.privacy.trackingprotection.cryptomining.annotate.enabled", true);
pref("services.sync.prefs.sync.privacy.trackingprotection.fingerprinting.annotate.enabled", true);
pref("signon.management.page.faqURL", "https://lockwise.firefox.com/faq.html");
pref("signon.management.page.feedbackURL", "https://www.surveygizmo.com/s3/5036102/Lockwise-feedback?ver=%VERSION%");

==CHANGED

pref("apz.allow_immediate_handoff", false); // prev: true
pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior4,cm,fp,stp"); // prev: "tp,tpPrivate,cookieBehavior4,cm,fp"
pref("browser.in-content.dark-mode", true); // prev: false
pref("browser.newtabpage.activity-stream.discoverystream.enabled", true); // prev: false
pref("browser.safebrowsing.provider.mozilla.lists", "base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"); // prev: "base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256"
pref("devtools.debugger.component-visible", false); // prev: true
pref("devtools.debugger.event-listeners-visible", false); // prev: true
pref("devtools.debugger.expressions-visible", false); // prev: true
pref("devtools.debugger.features.async-stepping", false); // prev: true
pref("devtools.debugger.workers-visible", false); // prev: true
pref("devtools.debugger.xhr-breakpoints-visible", false); // prev: true
pref("devtools.inspector.inactive.css.enabled", true); // prev: false
pref("devtools.markup.mutationBreakpoints.enabled", true); // prev: false
pref("devtools.netmonitor.ws.payload-preview-height", 128); // prev: 450
pref("dom.ipc.cancel_content_js_when_navigating", true); // prev: false
pref("dom.script_loader.external_scripts.utf8_parsing.enabled", true); // prev: false
pref("dom.storage.next_gen", true); // prev: false
pref("dom.worker.script_loader.utf8_parsing.enabled", true); // prev: false
pref("extensions.getAddons.discovery.api_url", "https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%"); // prev: "https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%"
pref("javascript.options.baselinejit.threshold", 100); // prev: 10
pref("javascript.options.mem.gc_allocation_threshold_mb", 27); // prev: 30
pref("layout.css.devPixelsPerPx", "-1"); // prev: "-1.0"
pref("layout.css.shared-memory-ua-sheets.enabled", true); // prev: false
pref("layout.css.text-decoration-skip-ink.enabled", true); // prev: false
pref("layout.css.text-underline-offset.enabled", true); // prev: false
pref("media.mediasource.webm.enabled", true); // prev: false
pref("network.http.referer.defaultPolicy.trackers", 2); // prev: 3
pref("network.notify.IPv6", true); // prev: false
pref("signon.generation.available", true); // prev: false
pref("signon.generation.enabled", true); // prev: false
pref("signon.management.page.enabled", true); // prev: false
pref("urlclassifier.disallow_completions", "goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,goog-passwordwhite-proto,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"); // prev: "goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,goog-passwordwhite-proto,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256"

diffs enhancement task

Source

earthlng

All 66 comments

some bugzilla tickets

abc.def
Bug 1565110 - Rename abc.def and ghi.jkl prefs as dom.webidl.test[12].
apz.allow_immediate_handoff
Bug 1528775 - Disable immediate handoff on all platforms.
Bug 1550422 - P24. Fix style of StaticPrefs.
apz.overscroll.spring_friction
Bug 1572633 - Remove apz.overscroll.spring_{stiffness,friction}.
apz.overscroll.spring_stiffness
Bug 1572633 - Remove apz.overscroll.spring_{stiffness,friction}.
Bug 1550422 - P24. Fix style of StaticPrefs.
browser.cache.cache_isolation
Bug 1536058 - Add Cache-Isolation behind a pref
browser.cache.compression_level
Bug 1562305 - Remove browser.cache.compression_level pref.
browser.cache.frecency_experiment
Bug 1572633 - Remove browser.cache.frecency_experiment.
browser.cache.memory.capacity
Bug 1562305 - Make browser.cache.memory.capacity a static pref.
browser.contentblocking.allowlist.annotations.enabled
Bug 1552643 - P1. Re-organise prefs in sections.
Bug 1571893 - Remove the prefs that can cause Gecko to stop honouring the Content Blocking allow list;
browser.contentblocking.allowlist.storage.enabled
Bug 1566836 - Respect the Content Blocking allow list for ETP interventions on all platforms;
Bug 1570434 - Add an API to toggle engagement event telemetry.
Bug 1552643 - P1. Re-organise prefs in sections.
Bug 1571893 - Remove the prefs that can cause Gecko to stop honouring the Content Blocking allow list;
browser.contentblocking.customBlockList.preferences.ui.enabled
Bug 1568900 - Hide "Change Block List" UI in Custom option of ETP
browser.contentblocking.features.strict
Bug 1566861 - Revise Tracking Protection Panel UI in Preferences
Bug 1543280 - Enable FP and CM in strict in all channel, enable FP and CM in standard for nightly and early beta.
Bug 1529517 - Add prefs for defining expected values in each content blocking category.
browser.contentblocking.introCount
Bug 1564367 - Remove the content blocking UI tour.
browser.contentblocking.introDelaySeconds
Bug 1564367 - Remove the content blocking UI tour.
Bug 1548626 - Delay showing the Privacy-UI onboarding by 30 min for new users.
browser.contentblocking.maxIntroCount
Bug 1564367 - Remove the content blocking UI tour.
Bug 1569542 - Disable Content Blocking UI tour in 69 / 68 ESR.
BUG 1448932 - Added: Prefs for tracking protection intro
browser.contentblocking.rejecttrackers.control-center.ui.enabled
Bug 1572139 - Enable sending UI notifications for ETP on mobile;
Bug 1572139 - Enable sending UI notifications for ETP on mobile.
Bug 1552643 - P1. Re-organise prefs in sections.
browser.contentblocking.rejecttrackers.reportBreakage.enabled
Bug 1566985 - Part 2: Remove unnecessary pref of the breakage report UI.
browser.contentblocking.report.cookie.url
Bug 1569614 - Add SUMO content links.
browser.contentblocking.report.cryptominer.url
Bug 1569614 - Add SUMO content links.
browser.contentblocking.report.fingerprinter.url
Bug 1569614 - Add SUMO content links.
browser.contentblocking.report.lockwise.enabled
Bug 1559421 - Report synced devices count on Lockwise card.
browser.contentblocking.report.lockwise.how_it_works.url
Bug 1569614 - Add SUMO content links.
browser.contentblocking.report.lockwise.url
Bug 1557050 - Add basic telemetry to protection report.
browser.contentblocking.report.manage_devices.url
Bug 1573593 - Show a link to account/device management next to the Lockwise "Syncing to X Devices" label
browser.contentblocking.report.monitor.enabled
Bug 1559422 - Create base Monitor card.
browser.contentblocking.report.monitor.how_it_works.url
Bug 1569614 - Add SUMO content links.
browser.contentblocking.report.monitor.sign_in_url
Bug 1573837 - Add utm_* params to the "View full report on Firefox Monitor" link.
browser.contentblocking.report.monitor.url
Bug 1573837 - Add utm_* params to the "View full report on Firefox Monitor" link.
Bug 1557050 - Add basic telemetry to protection report.
browser.contentblocking.report.proxy.enabled
Bug 1559428 - Create base Proxy card.
browser.contentblocking.report.proxy_extension.url
Bug 1559428 - Create base Proxy card.
browser.contentblocking.report.social.url
Bug 1569614 - Add SUMO content links.
browser.contentblocking.report.tracker.url
Bug 1569614 - Add SUMO content links.
browser.contentblocking.reportBreakage.enabled
Bug 1566985 - Part 2: Remove unnecessary pref of the breakage report UI.
browser.contentblocking.trackingprotection.control-center.ui.enabled
Bug 1572139 - Enable sending UI notifications for ETP on mobile;
browser.in-content.dark-mode
Bug 1565051 - Enable 'browser.in-content.dark-mode' by default and let it ride the trains.
Bug 1545029 - Flip 'browser.in-content.dark-mode' on by default in Nightly builds.
Bug 1519548 - Introduce dark mode in-content page preference.
browser.messaging-system.fxatoolbarbadge.enabled
Bug 1561547 - Use Messaging System to badge the FxA accounts toolbar button
browser.messaging-system.whatsNewPanel.enabled
Bug 1565555 - Set pref to enable What's New panel by default
Bug 1561307 - Add pref to enable/disable the What's New Panel feature
browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel
Bug 1575884 - Create a provider for the What's new message bucket
browser.safebrowsing.provider.mozilla.lists
Bug 1570805 - [stp] Turn on Social Tracking Protection Prefs,
Bug 1560597 - Safe Browsing supports downloading social tracking list.
browser.search.separatePrivateDefault
Bug 1572141 - Add nsISearchService.originalDefaultPrivateEngine to return the private browsing engine from the configuration.
browser.security.newcerterrorpage.mitm.enabled
Bug 1549609 Remove browser.security.newcerterrorpage.mitm.enabled pref
browser.tabs.remote.force-paint
Bug 1570212 - Convert browser.tabs.remote.force-paint to a static pref.
browser.tabs.remote.useCrossOriginEmbedderPolicy
Bug 1543068 - P1 Substitute Cross-Origin header with COEP
browser.tabs.remote.useCrossOriginPolicy
Bug 1552643 - P1. Re-organise prefs in sections.
Bug 1550422 - P13. Add Skip, Once and Live cached preference policy.
Bug 1543068 - P1 Substitute Cross-Origin header with COEP
browser.urlbar.megabar
Bug 1573581 - Add megabar pref.
browser.urlbar.quantumbar
Bug 1564787 - Remove quantumbar pref.
Bug 1557051 - Enable QuantumBar for release users.
Bug 1548031 - Enable the QuantumBar on Nightly and early Beta.
content.cors.disable
Bug 1570212 - Convert content.cors.disable to a static pref.
content.notify.backoffcount
Bug 1570082 - Convert content.notify.backoffcount to static pref.
content.notify.interval
Bug 1570082 - Convert content.notify.interval to static pref.
content.notify.ontimer
Bug 1570082 - Convert content.notify.ontimer to static pref and add content group to prefs groups.
content.sink.enable_perf_mode
Bug 1570082 - Convert content.sink.enable_perf_mode to static pref
content.sink.event_probe_rate
Bug 1570082 - Convert content.sink.event_probe_rate to static pref.
content.sink.initial_perf_time
Bug 1570082 - Convert content.sink.initial_perf_time to static pref.
content.sink.interactive_deflect_count
Bug 1570082 - Convert content.sink.*_deflect_count to static pref.
content.sink.interactive_parse_time
Bug 1570082 - Convert content.sink.*_parse_time to static pref.
content.sink.interactive_time
Bug 1570082 - Convert content.sink.interactive_time to static pref.
content.sink.pending_event_mode
Bug 1570082 - Convert content.sink.pending_event_mode to static pref.
content.sink.perf_deflect_count
Bug 1570082 - Convert content.sink.*_deflect_count to static pref.
content.sink.perf_parse_time
Bug 1570082 - Convert content.sink.*_parse_time to static pref.
device.sensors.test.events
Bug 1570212 - Convert device.sensors.test.events to a static pref.
devtools.aboutdebugging.new-enabled
Bug 1539461 - Remove the aboutdebugging.new-enabled preference
Bug 1553042 - Enable new about:debugging on all channels
Bug 1553028 - Fix the condition for enabling new aboutdebugging on DevEdition and Nightly
Bug 1553028 - Disable new about:debugging on Beta and Release channels
Bug 1518469 - Enable new about:debugging by default;r=ladybenko
Bug 1471795 - Part 1: Implement basis of 'This Firefox' page.
devtools.browserconsole.input.editorWidth
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1554877 - Make JsTerm editor resizable.
devtools.browsertoolbox.fission
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1569643 - Fix browser toolbox fission pref.
devtools.connectpage.enabled
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1539451 - Disable WebIDE and ConnectPage by default
devtools.debugger.features.dom-mutation-breakpoints
Bug 1576219 - Enable DOM Mutation Breakpoints
devtools.inspector.inactive.css.enabled
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1552116 - Move devtools.inspector.inactive.css.enabled to devtools shared preferences
Bug 1306054 - Display an indicator on properties with inactive CSS
devtools.markup.mutationBreakpoints.enabled
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1576219 - Enable DOM Mutation Breakpoints
Bug 1550030 - Part 1: Implement the DOM mutation breakpoint context menu items in the markup view.
devtools.netmonitor.features.resizeColumns
Bug 1558355 - Remove devtools.netmonitor.features.resizeColumns pref,
Bug 1533764 - enable pref for column resizer in Nightly;
Bug 1358414 - Introduce column resizer in request list;
devtools.netmonitor.features.search
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1559347 - Implement generic search across all resources.
devtools.netmonitor.panes-search-height
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1573493 - Search panel is missing two prefs.
devtools.netmonitor.panes-search-width
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1573493 - Search panel is missing two prefs.
devtools.netmonitor.ws.displayed-frames.limit
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1561631 - Limit number of displayed frames in WebSocket side panel.
devtools.netmonitor.ws.messageDataLimit
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
devtools.netmonitor.ws.payload-preview-height
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1555631 - WebSocket frame payload preview.
Bug 1559398 - Implement table and preview sections in WebSocket side panel.
devtools.netmonitor.ws.payload-preview-width
Bug 1555631 - WebSocket frame payload preview.
Bug 1559398 - Implement table and preview sections in WebSocket side panel.
devtools.netmonitor.ws.visibleColumns
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1561553 - WebSocket frame list should hide some columns by default.
devtools.popup.disable_autohide
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1569410 - Do not apply disable_autohide to DevTools HTML tooltips
devtools.recordreplay.logging
Bug 1575056 - Control record/replay logging with preference,
devtools.recordreplay.loggingFull
Bug 1575056 - Control record/replay logging with preference,
devtools.storage.extensionStorage.enabled
Bug 1542035 - Add read-only support for extension storage.local in addon debugger
devtools.toolbox.content-frame
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1539979 - Use a frame with type=content for DevTools frames
devtools.toolbox.force-chrome-prefs
Bug 1575766 - Use chrome preferences for DevTools documents
devtools.webconsole.input.editorOnboarding
Bug 1558417 - Add onboarding UI for Editor.
devtools.webconsole.input.editorWidth
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1554877 - Make JsTerm editor resizable.
devtools.webconsole.jsterm.codeMirror
Bug 1465149 - Remove old jsterm code.
Bug 1473805 - Enable CodeMirror JSTerm by default on all releases;r=nchevobbe
Bug 1470922 - Enable CodeMirror JSTerm on Nightly except for people using accessible technology;
Bug 1463409 - Add a preference to enable CodeMirror-powered jsterm;
devtools.webide.enabled
Bug 1572332 - Move non-debugger devtools prefs into all.js and firefox.js.
Bug 1539451 - Disable WebIDE and ConnectPage by default
dom.allow_XUL_XBL_for_file
Bug 1570212 - Convert dom.allow_XUL_XBL_for_file to a static pref.
dom.block_reload_from_resize_event_handler
Bug 1570566 - Don't block reloading during a resize event handler on Android and Nightly.
dom.capture.enabled
Bug 1553603 - Support "capture" attribute in Gecko and expose in GV.
dom.enable_window_print
Bug 1571121 - Change Window.print() from using Func to Pref.
dom.events.dataTransfer.protected.enabled
Bug 1570212 - Convert dom.events.dataTransfer.protected.enabled to a static pref.
dom.events.user_interaction_interval
Bug 1575938 Convert dom/JSEnvironment GC timing constants to StaticPref
dom.forms.number.grouping
Bug 1573720 - Convert dom.forms.number.grouping to a static pref.
dom.ipc.cancel_content_js_when_navigating
Bug 1552643 - P1. Re-organise prefs in sections.
dom.ipc.cpows.log.enabled
Bug 1563996 - Make dom.ipc.cpows.log.{enabled,stack} static prefs.
dom.ipc.cpows.log.stack
Bug 1563996 - Make dom.ipc.cpows.log.{enabled,stack} static prefs.
dom.ipc.processPrelaunch.delayMs
Bug 1571544 - Convert dom.ipc.processPreLaunch.delayms to static pref.
dom.ipc.processPriorityManager.backgroundGracePeriodMS
Bug 1571544 - Convert two dom.ipc.processPriorityManager.* prefs to static prefs.
dom.ipc.processPriorityManager.backgroundPerceivableGracePeriodMS
Bug 1571544 - Convert two dom.ipc.processPriorityManager.* prefs to static prefs.
dom.ipc.processPriorityManager.testMode
Bug 1570212 - Convert three dom.ipc.* prefs into static prefs.
dom.ipc.tabs.disabled
Bug 1570212 - Convert three dom.ipc.* prefs into static prefs.
dom.largeAllocation.testing.allHttpLoads
Bug 1571544 - Convert dom.largeAllocation.testing.allHttpLoads to static pref.
dom.maxtouchpoints.testing.value
Bug 1539497, navigator.maxTouchPoints returns 0 in child process,
dom.min_tracking_background_timeout_value
Bug 1569004 - Remove dom.min_tracking_timeout_value and dom.min_tracking_background_timeout_value varcache prefs.
dom.min_tracking_timeout_value
Bug 1569004 - Remove dom.min_tracking_timeout_value and dom.min_tracking_background_timeout_value varcache prefs.
dom.quotaManager.loadQuotaFromCache
Bug 1563023 - Part 7: Implement caching functionality;
dom.quotaManager.temporaryStorage.chunkSize
Bug 1570212 - Convert dom.quotaManager.temporaryStorage.* to static prefs.
dom.quotaManager.temporaryStorage.fixedLimit
Bug 1570212 - Convert dom.quotaManager.temporaryStorage.* to static prefs.
dom.script_loader.external_scripts.utf8_parsing.enabled
Bug 1554362 - Add a preference to control whether external script data is accumulated as UTF-8 instead of UTF-16 (and if so, compiled as UTF-8 without inflating to UTF-16).
dom.securecontext.whitelist_onions
Bug 1570212 - Convert dom.securecontext.whitelist_onions to a static pref.
dom.security.respect_document_nosniff
Bug 1570658 - Add a Flag for Navigation-Nosniff
dom.storage.abort_on_sync_parent_to_child_messages
Bug 1574569 - Don't abort LocalStorage requests when a sync message from parent is detected;
dom.storage.next_gen
Bug 1570644 - Part 4: Disable LSNG in 69;
Bug 1570644 - Disable LSNG in 69;
Bug 1539835 - Flip pref on for LSNG for (non-early) Beta and Release;
dom.testing.sync-content-blocking-notifications
Bug 1570212 - Convert dom.testing.sync-content-blocking-notifications to a static pref.
dom.w3c_pointer_events.multiprocess.android.enabled
Bug 1507495, Enable Pointer events on GeckoView by default,
dom.webidl.test1
Bug 1565110 - Rename abc.def and ghi.jkl prefs as dom.webidl.test[12].
dom.webidl.test2
Bug 1565110 - Rename abc.def and ghi.jkl prefs as dom.webidl.test[12].
dom.webnotifications.allowcrossoriginiframe
Bug 1560741 - Part 1: Disallow notification permission requests from cross-origin iframes;
dom.window.history.async
Bug 1563587, Make history.back/forward/go asynchronous,
dom.worker.script_loader.utf8_parsing.enabled
Bug 1552643 - P1. Re-organise prefs in sections.
Bug 1553502 - Add a preference to (...eventually) control whether DOM worker scripts are compiled directly from UTF-8 without inflating.
dom.xhr.lowercase_header.enabled
Bug 1504344 - Remove the pref dom.xhr.lowercase_header.enabled;
editor.password.mask_delay
Bug 1548389 - part 6: Add automated tests for new API and rendering of password fields
editor.password.testing.mask_delay
Bug 1548389 - part 6: Add automated tests for new API and rendering of password fields
extensions.getAddons.discovery.api_url
Bug 1564731 - Pass distribution id as edition in the discopane api_url.
Bug 1546248 - Add discopane to about:addons HTML view
extensions.webcompat-reporter.enabled
Bug 1572590 - Indent conditionally-defined prefs in all.js.
geo.timeout
Bug 1570212 - Convert geo.timeout to a static pref.
gfx.blocklist.all
Bug 1552126 - Convert gfx.blocklist.all to a non-Skip pref.
Bug 1550422 - P24. Fix style of StaticPrefs.
gfx.core-animation.enabled
Bug 1574538 - Enable CoreAnimation by default.
Bug 1572590 - Indent conditionally-defined prefs in all.js.
Bug 1565668 - Add an off-by-default preference called gfx.core-animation.enabled.
gfx.font_ahem_antialias_none
Bug 1561792 - Rename the pref gfx.font_ahem_antialias_none to gfx.font_rendering.ahem_antialias_none to avoid the additional pref observer added in the previous patch.
Bug 1552643 - P1. Re-organise prefs in sections.
gfx.font_rendering.ahem_antialias_none
Bug 1561792 - Rename the pref gfx.font_ahem_antialias_none to gfx.font_rendering.ahem_antialias_none to avoid the additional pref observer added in the previous patch.
gfx.webrender.dcomp-win-triple-buffering.enabled
Bug 1567347 - Add option of using DXGI_SWAP_EFFECT_FLIP_SEQUENTIAL without DirectComposition
gfx.webrender.flip-sequential
Bug 1572590 - Indent conditionally-defined prefs in all.js.
Bug 1567347 - Add option of using DXGI_SWAP_EFFECT_FLIP_SEQUENTIAL without DirectComposition
gfx.webrender.triple-buffering.enabled
Bug 1572590 - Indent conditionally-defined prefs in all.js.
Bug 1567347 - Add option of using DXGI_SWAP_EFFECT_FLIP_SEQUENTIAL without DirectComposition
ghi.jkl
Bug 1565110 - Rename abc.def and ghi.jkl prefs as dom.webidl.test[12].
identity.fxaccounts.service.monitorLoginUrl
Bug 1562006 - Update FxA toolbar menu for skyline
identity.fxaccounts.service.sendLoginUrl
Bug 1562006 - Update FxA toolbar menu for skyline
idle_period.during_page_load.min
Bug 1564724 - Tweak StaticPrefList.h.
Bug 1566573, Add prefs to control idle time limits,
idle_period.min
Bug 1564724 - Tweak StaticPrefList.h.
Bug 1566573, Add prefs to control idle time limits,
javascript.options.baselinejit.threshold
Bug 1565807 - Bump Baseline JIT threshold from 50 to 100.
Bug 1564017 part 7 - Enable the Baseline Interpreter in the browser.
javascript.options.bigint
Bug 1552643 - P1. Re-organise prefs in sections.
Bug 1570886 - Remove enableBigInt run-time flag
javascript.options.blinterp
Bug 1564017 part 7 - Enable the Baseline Interpreter in the browser.
Bug 1564017 part 6 - Add prefs to about:config.
javascript.options.blinterp.threshold
Bug 1564017 part 6 - Add prefs to about:config.
javascript.options.gc_delay
Bug 1575938 Convert dom/JSEnvironment GC timing constants to StaticPref
javascript.options.gc_delay.first
Bug 1575938 Convert dom/JSEnvironment GC timing constants to StaticPref
javascript.options.gc_delay.full
Bug 1575938 Convert dom/JSEnvironment GC timing constants to StaticPref
javascript.options.gc_delay.interslice
Bug 1575938 Convert dom/JSEnvironment GC timing constants to StaticPref
javascript.options.mem.gc_allocation_threshold_factor
Bug 1570905 - Rework the GC triggers to make the incremental trigger the default and the non-incremental trigger some factor of this
javascript.options.mem.gc_allocation_threshold_factor_avoid_interrupt
Bug 1570905 - Rework the GC triggers to make the incremental trigger the default and the non-incremental trigger some factor of this
javascript.options.mem.gc_allocation_threshold_mb
Bug 1570905 - Rework the GC triggers to make the incremental trigger the default and the non-incremental trigger some factor of this
javascript.options.mem.gc_avoid_interrupt_factor
Bug 1570905 - Rework the GC triggers to make the incremental trigger the default and the non-incremental trigger some factor of this
javascript.options.mem.gc_non_incremental_factor
Bug 1570905 - Rework the GC triggers to make the incremental trigger the default and the non-incremental trigger some factor of this
javascript.options.mem.high_water_mark
Bug 1569564 - Remove the original malloc counter infrastructure
javascript.options.unboxed_objects
Bug 1564349 part 1 - Convert Baseline/Ion/NativeRegExp prefs from ContextOptions to JitOptions.
layers.compositing-tiles.height
Bug 1491456 - Split the window into "compositing tiles" sized to 1024x1024.
layers.compositing-tiles.width
Bug 1491456 - Split the window into "compositing tiles" sized to 1024x1024.
layers.d3d11.enable-blacklist
Bug 1574327. Add a pref that we can use to disable d3d11 blacklist.
layout.css.aspect-ratio-number.enabled
Bug 1565562: Media Query - Enable single <number> and <number>/<number> for <aspect-ratio>.
layout.css.devPixelsPerPx
Bug 1573992 - Convert layout.css.devPixelsPerPx to static pref.
layout.css.paint-order.enabled
Bug 1437367 - Remove the layout.css.paint-order.enabled pref, this feature is always enabled.
Bug 1550422 - P24. Fix style of StaticPrefs.
layout.css.shared-memory-ua-sheets.enabled
Bug 1552643 - P1. Re-organise prefs in sections.
layout.css.text-decoration-skip-ink.enabled
Bug 1561131: Adding parsing support for text-decoration-skip-ink
layout.css.text-decoration-thickness.enabled
Bug 1567282: renamed text-decoration-width to text-decoration-thickness
layout.css.text-decoration-width.enabled
Bug 1555863 added text-decoration-width support to style system including mochitests and web platform tests
Bug 1567282: renamed text-decoration-width to text-decoration-thickness
layout.css.text-underline-offset.enabled
Bug 1555150: adding support for CSS text underline offset to the style system
layout.css.use-counters-unimplemented.enabled
Bug 1575062 - Support css use counters for unimplemented properties.
layout.float-fragments-inside-column.enabled
Bug 1571135 - Remove the preference that controls breaking floats inside columns.
layout.framevisibility.amountscrollbeforeupdatehorizontal
Bug 1571544 - Convert the two layout.framevisibility.amountscrollbeforeupdate* prefs to static prefs.
layout.framevisibility.amountscrollbeforeupdatevertical
Bug 1571544 - Convert the two layout.framevisibility.amountscrollbeforeupdate* prefs to static prefs.
layout.reflow.synthMouseMove
Bug 1570212 - Convert layout.reflow.synthMouseMove to a static pref.
layout.show_previous_page
Bug 1563996 - Make layout.show_previous_page a static pref.
layout.viewport_contains_no_contents_area
Bug 1508177 - Expand the minimum scale height even if the expanded area doesn't contain any contents.
mathml.deprecated_style_attributes.disabled
Bug 1548524 - Remove attributes deprecated from MathML3.
mathml.legacy_number_syntax.disabled
Bug 1575596 - MathML Lengths: Do not accept numbers ending with a dot.
mathml.mathsize_names.disabled
Bug 1548527 - Remove values "small", "normal", "big" values of the mathsize attribute.
mathml.mathspace_names.disabled
Bug 1574750 - Remove support for MathML length values thinmathspace, mediummathspace, thickmathspace, etc.
mathml.mfrac_linethickness_names.disabled
Bug 1548529 - Remove values "thin", "thick", "medium" values of mfrac@linethickness.
mathml.nonzero_unitless_lengths.disabled
Bug 1574749 - Remove support for nonzero unitless lengths.
media.audioFocus.management
Bug 1565689 - part3 : use static pref to control audio competing.
media.cloneElementVisually.testing
Bug 1570212 - Convert media.cloneElementVisually.testing to a static pref.
media.mediacapabilities.drop-threshold
Bug 1530996 - Use the benchmark class from MediaCapabilities.
media.mediacapabilities.from-database
Bug 1530996 - Use the benchmark class from MediaCapabilities.
media.mediasource.webm.enabled
Bug 1564466 - Make MediaSource not call Preferences::GetBool off-main-thread.
media.peerconnection.ice.obfuscate_host_addresses
Bug 1554976 - Add plumbing to enable/disable host address obfuscation;
media.peerconnection.ice.proxy_only_if_behind_proxy
Bug 1572590 - Indent conditionally-defined prefs in all.js.
Bug 1452713 - Update webRTCIPHandlingPolicy to match Chrome
media.peerconnection.mtransport_process
Bug 1555792: Set the socket-process-isolation prefs to true on nightly.
Bug 1572590 - Indent conditionally-defined prefs in firefox.js.
media.rdd-opus.enabled
Bug 1560368 - add Opus decoding on RDD.
media.rdd-wav.enabled
Bug 1560366 - add WAV decoding on RDD.
media.webrtc.net.force_disable_rtcp_reception
Bug 1570212 - Convert media.webrtc.net.force_disable_rtcp_reception to a static pref.
media.webrtc.platformencoder
Bug 1568101 - part2 : use a static pref to control the feature.
network.dns.disablePrefetchFromHTTPS
Bug 1572505 - Convert network.dns.disablePrefetchFromHTTPS to static pref.
network.dns.skipTRR-when-parental-control-enabled
Bug 1570732 - Skip trr when parental control is enabled
network.http.altsvc.proxy_checks
Bug 1569224 - Part 2: Add a unit test for examining the alt-svc cache isolation for third-party trackers;
network.http.referer.defaultPolicy.trackers
Bug 1569996 - Enable setting the default referrer policy for third-party tracking resources to strict-origin-when-cross-origin when Enhanced Tracking Protection is turned on;
network.http.referer.referrerLengthLimit
Bug 1557346 - Limit referer header length
network.http.sendOriginHeader
Bug 1424076 - P1 send Origin headers for all eligible requests
network.http.spdy.bug1556491
Bug 1565518, emergency preferences to turn off individual bug fixes: 1563695, 1556491, 1562315,
network.http.spdy.bug1563695
Bug 1565518, emergency preferences to turn off individual bug fixes: 1563695, 1556491, 1562315,
network.notify.IPv6
Bug 1567616 - network id based on default gateway is wrong when VPN overrides default gateway by more specific routes
Bug 1572590 - Indent conditionally-defined prefs in all.js.
network.trr.request-timeout
Bug 1575780 - We need a long request's timeout for trronly mode.
page_load.deprioritization_period
Bug 1570797, Add a pref to control the time when certain tasks are deprioritized during page load,
permissions.desktop-notification.notNow.enabled
Bug 1570674 - Default to "Never Allow" for notification permission prompt denials.
permissions.fullscreen.allowed
Bug 1522120 - Remove permission prompts when entering full-screen and leave full-screen when a permission prompt is shown.
privacy.fuzzyfox.clockgrainus
Bug 1571544 - Convert privacy.fuzzyfox.clockgrainus to static pref.
privacy.reduceTimerPrecision.unconditional
Bug 1570212 - Clean up privacy.* static pref definitions.
Bug 1387894 - Resolve timer intermittents when reduceTimerPrecision is disabled.
privacy.resistFingerprinting.target_video_res
Bug 1570212 - Remove privacy.resistFingerprinting.* VarCache prefs.
privacy.restrict3rdpartystorage.console.lazy
Bug 1540117 - Part 2: Add a pref to allow turning off the lazy reporting off anti-tracking warnings to the web console;
privacy.socialtracking.block_cookies.enabled
Bug 1566961 - Integrate SocialTracking and ETP,
privacy.socialtracking.notification.counter
Bug 1567896 - Part 3: Implement social tracking protection doorhanger;
privacy.socialtracking.notification.enabled
Bug 1567896 - Part 3: Implement social tracking protection doorhanger;
privacy.socialtracking.notification.lastShown
Bug 1573109 - use string pref to avoid overflow;
privacy.socialtracking.notification.max
Bug 1570415 - change the max amount of times the STP doorhanger can be shown from 5 to 2 times;
Bug 1567896 - Part 3: Implement social tracking protection doorhanger;
privacy.socialtracking.notification.period.min
Bug 1567896 - Part 3: Implement social tracking protection doorhanger;
privacy.socialtracking.notification.session.pageload.min
Bug 1567896 - Part 3: Implement social tracking protection doorhanger;
privacy.trackingprotection.cryptomining.annotate.enabled
Bug 1570971 - Enable all the annotation URL-Classifier features and remove their prefs,
Bug 1552643 - P1. Re-organise prefs in sections.
privacy.trackingprotection.fingerprinting.annotate.enabled
Bug 1570971 - Enable all the annotation URL-Classifier features and remove their prefs,
Bug 1552643 - P1. Re-organise prefs in sections.
privacy.trackingprotection.introURL
Bug 1564367 - Remove the content blocking UI tour.
privacy.trackingprotection.socialtracking.annotate.enabled
Bug 1560040 - Introduce 2 new URL-Classifier features to annotate and block social trackers,
security.aboutcertificate.enabled
Bug 1572368 - Enables about:certificate by default.r=johannh
Bug 1560538 - Opens a new tab to show the certificate.
security.all_resource_uri_content_accessible
Bug 1570212 - Convert security.all_resource_uri_content_accessible to a static pref.
security.allow_eval_in_parent_process
Bug 1572590 - Indent conditionally-defined prefs in firefox.js.
Bug 1570738 - Record Telemetry if eval() is used in the Parent Process
security.allow_eval_with_system_principal
Bug 1567499 - Re-allow eval with system principal on Nightly while we investigate crashes.
Bug 1564527 - Enable AssertEvalNotUsingSystemPrincipal on Nightly builds
Bug 1560915 - Hardcode minimal eval()-whitelist for test files into eval()-assertion,
Bug 1572590 - Indent conditionally-defined prefs in firefox.js.
Bug 1567623 - Update AssertEvalNotUsingSystemPrincipal and re-enable it
security.block_ftp_subresources
Bug 1560699 - Download FTP resources instead of rendering them.
security.block_Worker_with_wrong_mime
Bug 1569122 - Use StaticPrefs for our MIME type script blocking prefs.
Bug 1523706 - Consider strictly enforcing MIME checks for Worker scripts.
security.identityblock.show_extended_validation
Bug 1572936 - Flip security.identityblock.show_extended_validation to false to hide the ev indicators in the identity block.
Bug 1572389 - Add pref to show normal lock icon for sites with EV (Extended Validation) certificates.
security.insecure_connection_icon.enabled
Bug 1562881 - Part 4: Showing the degraded UI for Http pages by default.
security.insecure_connection_icon.pbmode.enabled
Bug 1562881 - Part 4: Showing the degraded UI for Http pages by default.
security.protectionspopup.recordEventTelemetry
Bug 1560327 - [Protections Panel] Implement telemetry event recording.
security.remote_settings.crlite_filters.bucket
Bug 1571934 - Inline security-prefs.js into all.js.
bug 1563056 - download the most recent CRLite filter and all following incremental filters
security.remote_settings.crlite_filters.checked
Bug 1571934 - Inline security-prefs.js into all.js.
bug 1563056 - download the most recent CRLite filter and all following incremental filters
security.remote_settings.crlite_filters.collection
Bug 1571934 - Inline security-prefs.js into all.js.
bug 1563056 - download the most recent CRLite filter and all following incremental filters
security.remote_settings.crlite_filters.enabled
Bug 1572590 - Indent conditionally-defined prefs in all.js.
Bug 1571934 - Inline security-prefs.js into all.js.
bug 1563056 - download the most recent CRLite filter and all following incremental filters
security.remote_settings.crlite_filters.signer
Bug 1571934 - Inline security-prefs.js into all.js.
bug 1563056 - download the most recent CRLite filter and all following incremental filters
security.sandbox.content.win32k-disable
Bug 1572590 - Indent conditionally-defined prefs in StaticPrefList.yaml.
Bug 1569139: Add a static pref to enable win32k lockdown in the Windows content process sandbox policy.
security.secure_connection_icon_color_gray
Bug 1572675 - Switch to using the grey lock icon by default.
Bug 1568820 - Add a pref for making the lock icon gray.
security.tls.enable_delegated_credentials
Bug 1571934 - Inline security-prefs.js into all.js.
Bug 1562773 - Add a preference to enable Delegated Credentials in NSS
services.common.log.logger.rest.request
Bug 1572621 - Merge services-common.js into all.js.
services.common.log.logger.rest.response
Bug 1572621 - Merge services-common.js into all.js.
services.common.log.logger.tokenserverclient
Bug 1572621 - Merge services-common.js into all.js.
services.sync.prefs.sync.browser.contentblocking.introCount
Bug 1564367 - Remove the content blocking UI tour.
services.sync.prefs.sync.privacy.trackingprotection.cryptomining.annotate.enabled
Bug 1570971 - Enable all the annotation URL-Classifier features and remove their prefs,
services.sync.prefs.sync.privacy.trackingprotection.fingerprinting.annotate.enabled
Bug 1570971 - Enable all the annotation URL-Classifier features and remove their prefs,
signon.generation.available
Bug 1548381 - Add prefs to release and enable password generation.
Bug 1565407 - Enable password generation and make it available by default.
signon.generation.enabled
Bug 1548381 - Add prefs to release and enable password generation.
Bug 1565407 - Enable password generation and make it available by default.
signon.management.overrideURI
Bug 1560431 - Enable about:logins on Nightly channel.
signon.management.page.breach-alerts.enabled
Bug 1572118 - Actually enable about:logins breach-alerts by default
Bug 1572118 enable about:logins breach-alerts
Bug 1560431 - Add pref for breach alerts in about:logins and disable it by default.
signon.management.page.breachAlertUrl
Bug 1564539 - Add breach alerts to login items
signon.management.page.enabled
Bug 1560433 - Enable about:logins for release builds.
Bug 1560431 - Enable about:logins on Nightly channel.
Bug 1548463 - Base page for HTML-based login manager.
signon.management.page.faqURL
Bug 1567548 - Remove references to Lockwise FAQ page.
Bug 1550165 - Footer advertising links to Lockwise mobile apps.
Bug 1559549 - Add FAQ menuitem to the ellipsis menu in about:logins. ?jaws
signon.management.page.feedbackURL
Bug 1572569 - Replace 'Send Feedback' with 'Help' in the about:logins menu.
Bug 1550165 - Footer advertising links to Lockwise mobile apps.
Bug 1559549 - Add FAQ menuitem to the ellipsis menu in about:logins. ?jaws
signon.management.page.hideMobileFooter
Bug 1550165 - Footer advertising links to Lockwise mobile apps.
signon.management.page.mobileAndroidURL
Bug 1550165 - Footer advertising links to Lockwise mobile apps.
Bug 1550166 - Install on Mobile Device button in Ellipsis menu
signon.management.page.mobileAppleURL
Bug 1550165 - Footer advertising links to Lockwise mobile apps.
Bug 1550166 - Install on Mobile Device button in Ellipsis menu
toolkit.telemetry.geckoview.batchDurationMS
Bug 1566366 - Redirect GV Streaming Telemetry to a delegate
toolkit.telemetry.geckoview.streaming
Bug 1566352 - Support 'geckoview_streaming' product for Telemetry
toolkit.telemetry.ipcBatchTimeout
Bug 1570212 - Convert toolkit.telemetry.ipcBatchTimeout to a static pref.
toolkit.telemetry.isGeckoViewMode
Bug 1566352 - Support 'geckoview_streaming' product for Telemetry
ui.scrolling.negate_wheel_scroll
Bug 1573992 - Convert ui.scrolling.negate_wheel_scroll to static pref.
urlclassifier.disallow_completions
Bug 1570805 - [stp] Turn on Social Tracking Protection Prefs,
Bug 1560597 - Safe Browsing supports downloading social tracking list.
urlclassifier.features.cryptomining.annotate.blacklistTables
Bug 1564414 - Add Fingerprinting annotation and Cryptoming annotation tables to preference.
urlclassifier.features.cryptomining.annotate.whitelistTables
Bug 1564414 - Add Fingerprinting annotation and Cryptoming annotation tables to preference.
urlclassifier.features.fingerprinting.annotate.blacklistTables
Bug 1564414 - Add Fingerprinting annotation and Cryptoming annotation tables to preference.
urlclassifier.features.fingerprinting.annotate.whitelistTables
Bug 1564414 - Add Fingerprinting annotation and Cryptoming annotation tables to preference.
urlclassifier.features.socialtracking.annotate.blacklistTables
Bug 1573176 - Fix SafeBrowsing doesn't use correct preference name for social tracking and cryptoming.
urlclassifier.features.socialtracking.annotate.whitelistTables
Bug 1573176 - Fix SafeBrowsing doesn't use correct preference name for social tracking and cryptoming.
urlclassifier.features.socialtracking.blacklistTables
Bug 1570805 - [stp] Turn on Social Tracking Protection Prefs,
Bug 1560597 - Safe Browsing supports downloading social tracking list.
urlclassifier.features.socialtracking.whitelistTables
Bug 1560597 - Safe Browsing supports downloading social tracking list.
widget.disable-native-theme
Bug 1571544 - Convert mozilla.widget.disable-native-theme to static pref.

earthlng on 21 Sep 2019

moved from NEW to ignore:

all the browser.contentblocking.report.*.url prefs - links used in/around about:protections
browser.fixup.typo.scheme - fixes common scheme typos
javascript.options.*gc* - not messing with garbage collection timers/intervals

earthlng on 3 Oct 2019

OT: 1576254 cool javascript.options.wasm_trustedprincipals (default true) ... so in FF71+ you can disable wasm (which we do: see 2426) but extensions like uBO/uM can still use it

Edit: and hopefully backported to ESR

Thorin-Oakenpants on 5 Oct 2019

🚀1

FYI: FF70+ (and ESR68.1.0+) will allow extensions to use SVG content regardless of whether the svg.disabled pref is toggled.

Maybe worthy of a NOTE (?)

earthlng on 9 Oct 2019

🚀1

70.0 changes since 70.0b8

new

pref("browser.contentblocking.report.lockwise.url", "https://lockwise.firefox.com/?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-protections&utm_content=about-protections"); // "https://lockwise.firefox.com/" in FF70.0b8
pref("browser.contentblocking.report.proxy_extension.url", "https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-protections&utm_content=about-protections"); // "https://private-network.firefox.com/" in FF70.0b8
pref("browser.newtabpage.activity-stream.discoverystream.engagementLabelEnabled", false);
pref("devtools.debugger.features.inline-preview", false); // true in FF70.0b8
pref("devtools.storage.extensionStorage.enabled", true); // false in FF70.0b8
pref("dom.security.respect_document_nosniff", false); // true in FF70.0b8
pref("security.allow_eval_in_parent_process", false); // true in FF70.0b8
pref("security.allow_eval_with_system_principal", false); // true in FF70.0b8

removed

pref("plugin.persistentPermissionAlways.intervalInDays", 90);
pref("plugin.sessionPermissionNow.intervalInMinutes", 60);

changed

pref("app.releaseNotesURL", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%beta/releasenotes/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=whatsnew"); // prev: "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=whatsnew"
~~pref("app.update.channel", "beta"); // prev: "release"~~
~~pref("app.update.url.details", "https://www.mozilla.org/%LOCALE%/firefox/beta/notes"); // prev: "https://www.mozilla.org/%LOCALE%/firefox/notes"~~
~~pref("app.update.url.manual", "https://www.mozilla.org/firefox/beta"); // prev: "https://www.mozilla.org/firefox/"~~
pref("browser.newtabpage.activity-stream.discoverystream.enabled", true); // prev: false
~~pref("extensions.webcompat-reporter.enabled", true); // prev: false~~
~~pref("toolkit.telemetry.enabled", true); // prev: false~~

EDIT : updated 1st post

earthlng on 22 Oct 2019

@Thorin-Oakenpants none of these pref changes landed in ESR. They still have their old values and/or are still hidden in ESR

earthlng on 22 Oct 2019

NEW prefs which we can ignore IMO:

browser.search.separatePrivateDefault
network.http.referer.referrerLengthLimit
2x network.trr.request_timeout_*
privacy.fuzzyfox.clockgrainus
security.all_resource_uri_content_accessible

👖 : done, and I added security.block_Worker_with_wrong_mime which gets flipped soon, and the AS engagementLabel

earthlng on 22 Oct 2019

1270 seems to doesn't matter anymore... any setting will show broken padlock for unsecure site.

If someone wish to have an "old" green padlock instead of a new "gray": user_pref("security.secure_connection_icon_color_gray", false);

crssi on 22 Oct 2019

In version FF70, I discovered new suspicious functionality related to youtube. When user use youtube video in first time it create folder mediacapabilities with two files (data.mdb and lock.mdb) inside folder **.default-release. In previous versions FF, this was not. I tested a little and found out that it is connected with youtube codec vp9 (webm). You can stop it just by switching pref media.mediasource.webm.enabled to false. But unfortunately after that the maximum resolution that can be selected in youtube player is 720p. I haven’t found another way to stop creating folder :( . Knowing the close collaboration of google and mozilla ... I think it's better to find a way to disable the creation of a folder without harming the functionality of youtube.
What do you think about this?

ghost on 23 Oct 2019

^^ If I delete that folder and create a file with the same name, then FF cannot create the folder and files in it... and YT still works at 1080p/Max (also 4K) resolution.

Edit by Thorin: just delete the folder and set media.mediacapabilities.from-database = false

crssi on 23 Oct 2019

^^ If I delete that folder and create a file with the same name, then FF cannot create the folder and files in it... and YT still works at 1080p/Max (also 4K) resolution.

Yeah, but ... I would like to find pref responsible for this and false it. For now i create rule for ccleaner to delete this folder after browser close.

ghost on 23 Oct 2019

Ok. One more thing. I`m notice when user open site with a self-signed certificate FF phone to:

https://mitmdetection.services.mozilla.com/

You can check using this site:
https://bluebird-hd.org

It can be stopped:
security.certerrors.mitm.priming.enabled;false

May I find out why you still haven't added this to user.js?

ghost on 23 Oct 2019

Why do you think it is a good idea to disable a security feature? Don't you WANT firefox to alert you to a possible MitM?

This is not a security feature. FF alert even this pref disable. This pref exists only to send data to mozilla. Sends information about the site you visited. Telemetry. Even old FF alert about self-signed certificate.

I went to https://bluebird-hd.org and it simply downgraded me to http and gave no errors

Sorry im forgot. Im use custom rule for "HTTPS Everywhere" force https on this site. Try to create a rule. After test just delete.

ghost on 23 Oct 2019

@Dragomir7 the purpose of that pref is to inform you of potential MitM attacks. The mechanism triggers only during cert-related errors, and Mozilla's servers receive almost no information whatsoever about you in the process. That does not qualify as "phoning home" IMO.

See #740 for more info (skip to this comment if you don't feel like reading everything).

claustromaniac on 23 Oct 2019

I don't find any mention of that in this repo: I searched for mitm.priming.enabled

I mentioned it here and actually proposed to disable it.

the purpose of that pref is to inform you of potential MitM attacks.

are you sure? I think this only covers local MITM like AV and things like that.

earthlng on 23 Oct 2019

@Dragomir7 the purpose of that pref is to inform you of potential MitM attacks. The mechanism triggers only during cert-related errors, and Mozilla's servers receive almost no information whatsoever about you in the process. That does not qualify as "phoning home" IMO.

See #740 for more info (skip to this comment if you don't feel like reading everything).

I`m sorry. But im alredy say what even old browser in which did not exist yet this pref, can alert user about self-signed certificate. The only objective of this pref is collecting data and sending to mozilla.

ghost on 23 Oct 2019

I think this only covers local MITM like AV and things like that.

Yeah, attack or not, that's probably the main goal, but it also detects at least one specific type of MitM attack outside the local network (it's not 100% reliable).

But im alredy say what even old browser in which did not exist yet this pref, can alert user about self-signed certificate. The only objective of this pref is collecting data and sending to mozilla.

I speak with certain confidence because I looked at the source code at the time this was implemented (haven't looked at it since). As you said, leaving that pref enabled does not increase security, because cert errors are enough to cover that, but when priming triggers, it does not directly inform Mozilla of anything. They don't get to know what's the site in question or anything else. It's a ping.

claustromaniac on 23 Oct 2019

It's also worth mentioning that security.certerrors.mitm.auto_enable_enterprise_roots depends on priming.

claustromaniac on 23 Oct 2019

Just in case, I want to make clear that I'm neither for nor against adding this pref to the user.js (and I've never been). I just wanted to point out that priming does not leak unnecessary information.

claustromaniac on 23 Oct 2019

priming does not leak unnecessary information.

that's correct. It does not leak fe the visited site that triggered the error page in the 1st place as @Dragomir7 believes

but it also detects at least one specific type of MitM attack outside the local network

but this priming feature is not about "protection" and only about better information.

All it does is in some cases upgrade the UNSEC_ERROR message to a page informing you about a potential MITM. ie the MITM attempt would have already failed because otherwise you wouldn't get the error message in the 1st place.

https://bugzilla.mozilla.org/show_bug.cgi?id=1529643#c0:

Our current AV MitM detection works by listening to failed internal requests such as the update or blocklist pings and comparing the issuer certificates to those in certificate errors when loading content. If they match, we show a special error that should be much more helpful to users.

However, this method is lacking because the user's browser may not have triggered any internal requests at the time they view the certificate error.

ie the only reason why they added this ping feature is "because the user's browser may not have triggered any internal requests at the time they view the certificate error." and explicitly to help with their AV MITM detection ie local MITM

earthlng on 23 Oct 2019

but this priming feature is not about "protection" and only about better information.

oh nvm, you already acknowledged that "leaving that pref enabled does not increase security, because cert errors are enough to cover that"

earthlng on 23 Oct 2019

@crssi wrote:

1270 seems to doesn't matter anymore... any setting will show broken padlock for unsecure site.

1270 doesn't matter anymore because we enabled 1201 a while ago.

On that note, AFAICT the title of 1201 is actually incorrect because that pref is about "negotiation" not re-negotiation and the note about % of servers not supporting secure renegotiation therefore probably irrelevant ...

https://wiki.mozilla.org/Security:Renegotiation:

Negotiation refers to the initial handshake between client and server.

Renegotiation refers to an attempt to repeat the negotiation on an existing connection.

and under https://wiki.mozilla.org/Security:Renegotiation#security.ssl.require_safe_negotiation:

This pref controls the behaviour during the initial negotiation between client and server.

If set to true, a Mozilla client will reject all connection attempts to servers that are still using the old SSL/TLS protocol and which might be vulnerable to the attack.

earthlng on 23 Oct 2019

Is there any way to remove fat white line bottom urlbar when enter something?

Mozilla do not collect or sell any personal data.

How do you know? You not insider. You really think that all this data that they collect from browsers of users from all over the world is used "for improvement". For improvement. For the past five years, this phrase has become synonymous with someone wanting to steal data from your computer. When it all started, you could still believe in it. But now, when almost every program that you install tells you "Help us to improve and bla-bla-bla ...". I don’t believe in that anymore.
I give a well-known example. Windows 10 collect tons of data but with every new build it gets worse and worse. The question is why, when collecting such a quantity of telemetry, the quality only worsens? Maybe data is not used "for improvement"?
Mozilla Foundation and Mozilla Corporation two different things. Percentage of browser usage is dropping and incomes grow. What a generous search engine. Yes!?
Take Firefox 40 and Firefox 70 and compare them by the number of prefs for collecting and sending information "for improvement".

... because of they are pro-privacy ...

But is it really so? Or they just want to pick up the functionality of popular web extensions for privacy in order to control this data itself. Remember how Google decided to fight advertising? Block ad by the browser itself. I will give an example of the possible negative consequences of such actions. Take privacy.resistFingerprinting pref. I think you know that this pref replace canvas fingerprint standard value from Tor Browser. All test resources like browserleaks.com and panopticlick.eff.org show what you have Tor Browser canvas value. But how do you know that Mozilla partners do not see your true canvas value? Mozilla could leave a loophole for them. Please don't tell me it's open source. The code can be so confusing that you will never find it even knowing what you are looking for. I trust kkapsner with his CanvasBlocker webextension because he is one man and did not do it for the money. But when Mozilla took over this function ... no i do no trust.

YES. I do not trust mozilla. If I trusted them, then there would be no need for ghack-user.js. I 100% trust Thorin-Oakenpants, earthlng and all contributors from here. And although in some matters I do not always agree with you... you did the right thing guys. Without all of you, Firefox to me would be like shity spying Chrome. Therefore, as the Vulcans say, "Live long and prosper".

ghost on 23 Oct 2019

I do not trust mozilla.

Then stop using Firefox, cause it could be hidden malware that takes control of your computer.

rusty-snake on 23 Oct 2019

@earthlng

1270 doesn't matter anymore because we enabled 1201 a while ago.

Hmmm... in my overrides I have 1201 set to false and it still doesn't matter from GUI point of view... talking about padlock icon, not saying whats behind-the-scene, since as a noob I really don't have a clue. 😉

crssi on 23 Oct 2019

pref("media.peerconnection.mtransport_process", false);

Looks like they move network into a separate process and this settings controls if to create a process for WebRTC. Though I don't understand any reasons to do so; aren't threads sufficient for that?

KOLANICH on 28 Oct 2019

pref("dom.security.respect_document_nosniff", false);

It is claimed that it controls

Whether to respect X-Content-Type nosniff on Page loads

If the header XCTO nosniff is set for any browsing context, then we set the skipContentSniffing flag on the Loadinfo. Within GetMIMETypeFromContent we then bail early and do not do any sniffing.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options says that disabling mime sniffing is a security feature of webservers (as I understand to prevent a stored XSS) and that pentesters may want to ignore it (I guess because there can be browsers that don't support this header).

KOLANICH on 28 Oct 2019

pref("permissions.desktop-notification.notNow.enabled", false);

obviously, enables Not now option for them.

KOLANICH on 28 Oct 2019

privacy.resistFingerprinting.reduceTimerPrecision.unconditional

Haven't found in the code any effect produced by it.

KOLANICH on 28 Oct 2019

pref("dom.w3c_pointer_events.multiprocess.android.enabled", true);

Can be ignored IMHO.

pref("dom.securecontext.whitelist_onions", false);

Maybe add commented if users want to use TOR with FFX.

rusty-snake on 28 Oct 2019

privacy.resistFingerprinting.reduceTimerPrecision.unconditional

Haven't found in the code any effect produced by it.

# If privacy.reduceTimerPrecision is false, this pref controls whether or not
# to clamp all timers at a fixed 20 microsconds. It should always be enabled,
# and is only specified as a pref to enable an emergency disabling in the event
# of catastrophic failure.
- name: privacy.reduceTimerPrecision.unconditional
  type: RelaxedAtomicBool
  value: true
  mirror: always

https://github.com/mozilla/gecko-dev/blob/c55cda47e6f212e59cbb9e7cd5d83070c653bacd/modules/libpref/init/StaticPrefList.yaml#L6938-L6945

Should not be touched.

rusty-snake on 28 Oct 2019

👍1

network.dns.skipTRR-when-parental-control-enabled

Something like:

/* XXXX: allow DoH even there is parental control [FF70+]
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1570732 ***/
user_pref("network.dns.skipTRR-when-parental-control-enabled", false);

rusty-snake on 28 Oct 2019

network.netlink.route.check.IPv*

I don't think that here is anything to do.

# IP addresses that are used by netlink service to check whether default route
# is used for outgoing traffic. They are used just to check routing rules,
# no packets are sent to those hosts. Initially, addresses of host
# detectportal.firefox.com were used but they don't necessarily need to be
# updated when addresses of this host change.
- name: network.netlink.route.check.IPv4
  type: String
  value: "23.219.91.27"
  mirror: never
- name: network.netlink.route.check.IPv6
  type: String
  value: "2a02:26f0:40::17db:5b1b"
  mirror: never

https://github.com/mozilla/gecko-dev/blob/11d9c7b7fa82fdfb8ac2a8f0864e9d8d5fe2b926/modules/libpref/init/StaticPrefList.yaml#L6690-L6702

rusty-snake on 28 Oct 2019

👀1

security.protectionspopup.recordEventTelemetry

Only controls collecting of telemetry data. We already disable sending telemetry reports.

rusty-snake on 28 Oct 2019

👍1

@crssi

Hmmm... in my overrides I have 1201 set to false and it still doesn't matter from GUI point of view...

do you have an example page for us? The connection to the example page should presumably be blocked with 1201 enabled or show a broken padlock if 1201 is false.

moving to ignore:

dom.security.respect_document_nosniff - should get enabled by default in FF71
dom.w3c_pointer_events.multiprocess.android.enabled - I don't care about android. Feel free to move it back, research it and do whatever you think needs to be done.
permissions.fullscreen.allowed - fxsitecompat ... SGTM
privacy.reduceTimerPrecision.unconditional - see comment by @rusty-snake
privacy.resistFingerprinting.target_video_res - changing this would increase entropy for little to no good reason
security.tls.enable_delegated_credentials - still default false atm. Not sure what this is but safe to ignore for now
network.http.referer.defaultPolicy.trackers - value 2 is better than 3

earthlng on 28 Oct 2019

@Thorin-Oakenpants

items left in changed are not in the user.js. Do we need to treat them like the new prefs and consider adding them?

that's the idea. Key word being "consider"

earthlng on 28 Oct 2019

StaticPrefList.yaml

Yaml is not C++ or JS

KOLANICH on 28 Oct 2019

There is a special kind of pref called a static pref. Static prefs are defined
in StaticPrefList.yaml.

If a static pref is defined in both StaticPrefList.yaml and a pref data
file, the latter definition will take precedence. A pref shouldn't appear in
both StaticPrefList.yaml and all.js, but it may make sense for a pref
to appear in both StaticPrefList.yaml and an app-specific pref data file
such as firefox.js.

https://github.com/mozilla/gecko-dev/blob/master/modules/libpref/docs/index.md

rusty-snake on 28 Oct 2019

security.tls.enable_delegated_credentials - still default false atm. Not sure what this is but safe to ignore for now

Here you go | blog

dom.security.respect_document_nosniff - should get enabled by default in FF71

Backed out until at least FF72 | source

Thorin-Oakenpants on 4 Nov 2019

🍌 NEW -> IGNORE

pref("network.dns.skipTRR-when-parental-control-enabled", true);
// ^^ maybe one day if anyone ever wants to create a DoH section and maintain it

pref("network.http.spdy.bug1556491", true);
pref("network.http.spdy.bug1563695", true);
// internal stuff not to be messed with
// "this is nothing more then branching of code the way as it was before..."
// https://bugzilla.mozilla.org/show_bug.cgi?id=1565518#c3

pref("network.netlink.route.check.IPv4", "23.219.91.27");
pref("network.netlink.route.check.IPv6", "2a02:26f0:40::17db:5b1b");
// internal stuff that checks what the fuck is working and what to use
// https://dxr.mozilla.org/mozilla-central/source/netwerk/system/netlink/NetlinkService.h#89

pref("permissions.desktop-notification.notNow.enabled", false);
// internal UI shit to do with permission doorhanger shit
// https://dxr.mozilla.org/mozilla-central/source/browser/modules/test/browser/browser_PermissionUI_prompts.js#21

pref("privacy.restrict3rdpartystorage.console.lazy", true);
// internal ETP reporting shit: reduce console spamming shit
// https://bugzilla.mozilla.org/show_bug.cgi?id=1540117

pref("security.protectionspopup.recordEventTelemetry", true);
// covered by main telemetry switch
// https://bugzilla.mozilla.org/show_bug.cgi?id=1560327#c6

🐳 CHANGED -> IGNORE

pref("network.notify.IPv6", true); // prev: false
// doesn't seem to do anything - anyway, not touching it, it's just internal networking code shit
// https://dxr.mozilla.org/mozilla-central/source/netwerk/system/win32/nsNotifyAddrListener.cpp#62

Thorin-Oakenpants on 6 Nov 2019

I added browser.messaging-system.whatsNewPanel.enabled to 5000s, which I tidied up a little to reflect that these prefs don't just disable a feature, but also hide their icons and menus. e.g. for this pref it also gets rid of the What's New menu in the hamburger

I put it as [FF70+] even though it already existed, since that's when it first showed up in the interface. If you want to make it technically correct, feel free to confirm the actual release (I suspect it was 69?) - @earthlng

Thorin-Oakenpants on 8 Nov 2019

Both can/should be ignored.

pref("media.peerconnection.mtransport_process", false);

https://dxr.mozilla.org/mozilla-central/source/browser/app/profile/firefox.js#1687-1692

pref("widget.disable-native-theme", false);

Setting this to true cause strange issue for me, like no window close button.

rusty-snake on 9 Nov 2019

Yeah, I left it there to remind me about fingerprinting widgets, which is already a known issue, and I already have something in the pipeline (as does Mozilla)

Edit: also moved network.http.altsvc.proxy_checks to ignore

1569224 - Part 2: Add a unit test for examining the alt-svc cache isolation for third-party trackers;

Thorin-Oakenpants on 9 Nov 2019

browser.newtabpage.activity-stream.discoverystream.enabled

added in FF69 (false), flipped true in FF70

https://dxr.mozilla.org/mozilla-central/source/browser/components/newtab/docs/v2-system-addon/preferences.md#117-129

When this is set to true the Discovery Stream experience will show up if enabled is also true on browser.newtabpage.activity-stream.discoverystream.config. Otherwise the old Activity Stream experience will be shown.

// These prefs control if Discovery Stream is enabled.
#ifdef NIGHTLY_BUILD
pref("browser.newtabpage.activity-stream.discoverystream.enabled", true);
#else
pref("browser.newtabpage.activity-stream.discoverystream.enabled", false);
#endif
pref("browser.newtabpage.activity-stream.discoverystream.hardcoded-basic-layout", false);
pref("browser.newtabpage.activity-stream.discoverystream.spocs-endpoint", "");

https://bugzilla.mozilla.org/show_bug.cgi?id=1573930#c6 shows the affects of toggling the prefs

So AFAICT, this has no affect on whether or not anything is displayed or not, that's still the checkboxes and relative prefs in the UI. And it won't even be used if you don't use AS as a landing page: which is what I said here

So moving to ignore

Thorin-Oakenpants on 19 Nov 2019

I have NFI about get, head or cors: so someone else will have to decide without explaining (earthlng) or explain it to me (anyone else) why this can be ignored or why it should be added at what value and what state (active/inactive). Otherwise I cannot move forward with closing this ticket (edit: unless I stick it on the sticky issue of items to investigate, or move it to the next diffs)

// FF59+
// Include an origin header on non-GET and non-HEAD requests regardless of CORS
// 0=never send, 1=send when same-origin only, 2=always send
pref("network.http.sendOriginHeader", 2); // prev: 0

sources

Thorin-Oakenpants on 19 Nov 2019

crssi

1270 seems to doesn't matter anymore... any setting will show broken padlock for unsecure site.

earthlng

1270 doesn't matter anymore because we enabled 1201 a while ago

So I can remove 1270 then?

Thorin-Oakenpants on 19 Nov 2019

I would say yes, but I guess you are asking @earthlng. 😄

crssi on 19 Nov 2019

I'm asking anybody

Mozilla (like Chrome) is changing from highlighting secure sites, to highlighting insecure sites - e.g no padlock = good, padlock = bad. Not sure on the rollout of that stuff and its not worth looking up, TBH.

So all I really need to do is a test, on both ESR68 and FF68. That's with 1270 and 1201 both inactive and at default. So I want a test page. Either someone does the tests for me, or gives me a test page to trigger the "red padlock" in 1270

Thorin-Oakenpants on 19 Nov 2019

On FF 70 the "red padlock" is triggered in any case on HTTP site. Try http://http.badssl.com/.
~~I wouldn't know for FF68 or ESR68~~.

UPDATE: That is not the case for FF 68.2 and ESR68.2 (portable) vanilla... "red padlock" is not triggered on http://http.badssl.com/.

crssi on 19 Nov 2019

... is triggered in any case on HTTP site ...

but we need to explicitly test for the case in 1201 .. and I don't fully understand the whole (re)negotiation thing - but doesn't it still mean you end up with HTTPS (no need to answer).

The thing is it might be impossible to find a working test. And we'd only keep 1270 as a fallback (if it actually does something: hence the required test) in case someone flipped 1201

/* 1201: disable old SSL/TLS "insecure" negotiation (vulnerable to a MiTM attack)
 * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
user_pref("security.ssl.require_safe_negotiation", true);

/* 1270: display warning (red padlock) for "broken security" (see 1201)
 * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

Thorin-Oakenpants on 19 Nov 2019

Sure, as said before, I am seeing this from UI perspective only. There must/might be something more behind-the-scene.

crssi on 19 Nov 2019

network.http.sendOriginHeader

Sound related to @claustromaniac Extension.

https://addons.mozilla.org/de/firefox/addon/privacy-oriented-origin-policy/
https://github.com/claustromaniac/poop

rusty-snake on 19 Nov 2019

testpage for 1201 + 1270: https://secure.brightcove.com/

keep 1270 as a fallback ... in case someone flipped 1201

SGTM. Maybe add a note to 1270 that there's this bug: warning padlock not indicated for subresources on a secure page

The red padlock on http sites that @crssi is talking about is probably due to security.insecure_connection_icon.enabled which they enabled by default in FF70

earthlng on 19 Nov 2019

The red padlock on http sites that @crssi is talking about is probably due to security.insecure_connection_icon.enabled which they enabled by default in FF70

Thats it 👍

crssi on 19 Nov 2019

same behavior on ESR68, FF68, FF70, FF72

about:config: security.ssl*negotiation
test page: https://secure.brightcove.com/

A: both false (FF default) = green padlock
B: both true (our default) = connection failed -> internal page (no padlock)
C: 1201 true, 1270 false = connection failed -> internal page (no padlock)
D: 1201 false, 1270 true = grey padlock with a yellow warning triangle = "Not Secure: this page uses weak encryption"

OK, my mind is zonked, but I'll try (correct me if I fuck up)

in order to not block pages but warn the user, both need to be true = an improvement on FF's green padlock. If we remove 1270 (show padlock), then the connection fails which is not the result we were testing for

So: in order to make it simpler, we could merge 1270 into 1201. And we can fix up the description and add the bugzilla about subresources. Does anyone want to have a stab at that while I take a break?

Thorin-Oakenpants on 19 Nov 2019

in order to not block pages but warn the user, both need to be true

in order to not block pages (or subresources in some cases), 1201 would need to be false.

earthlng on 19 Nov 2019

OK, my mind is zonked, but I'll try (correct me if I fuck up)

yup, completely fucked that up. I knew it, I could feel myself getting totally exhausted and not thinking straight trying to match pref numbers to pref names to defaults to what we have

Meanwhile - what do you think if we merge 1270 into 1201 - thumbs up if you agree: I'll do a PR tomorrow after a sleep - @earthlng

Thorin-Oakenpants on 19 Nov 2019

yeah, do a PR and we can take it from there. But please, no hurry! like, don't close it if I don't respond in a timely manner etc ;)
It's a general enhancement and doesn't have to block finishing this diff

earthlng on 19 Nov 2019

I can't make any headway with these: too many variables and I do not know enough about WebRTC (i.e, I know nothing)

/* 2002: limit WebRTC IP leaks if using WebRTC
 * [TEST] https://browserleaks.com/webrtc
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
 * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
user_pref("media.peerconnection.ice.default_address_only", true);
user_pref("media.peerconnection.ice.no_host", true); // [FF51+]

pref("media.peerconnection.ice.obfuscate_host_addresses", false);

This only enables mDNS on OS X for now. Some versions of Windows lack mDNS support, there are some oddities with resolving IPv6 addresses on Linux, and Android has not yet been tested. All of these will be addressed in follow on bugs.

I think/hoope this will get flipped when they iron out the bugs - but if they don't then we'll never pick up on this pref again? The pref name looks like it should be true from a privacy standpoint

pref("media.peerconnection.ice.proxy_only_if_behind_proxy", false);

I read it, twice, and am still none the wiser. I think it can be ignored

Thorin-Oakenpants on 22 Nov 2019

When you mention WebRTC... I don't know why not leave 2001 at default (true)?
In that case I couldn't find leakage of local IP over some VPNs when both at 2002 are set to true... I always got only the public IP "leakage", which is not really a leakage.
In case that there is a private IP leakage over VPN, then the VPN provider must be changed 😉.

And thank you @Thorin-Oakenpants and @earthlng for your hard work... I really love you guys ❤️ .

crssi on 22 Nov 2019

re: media.peerconnection.ice.proxy_only_if_behind_proxy

these are the WE API values for controlling this WebRTC thing:

"default"
"default_public_and_private_interfaces"
"default_public_interface_only"
"disable_non_proxied_udp"
"proxy_only"

you can the see the prefs+values associated with each setting here.

1452713#c32:

The canonical explanation of these modes is in ietf-rtcweb-ip-handling. default, default_public_and_private_interfaces, default_public_interface_only and disable_non_proxied_udp map to mode 1, mode 2, mode 3 and mode 4, respectively.

1452713#c23 explains disable_non_proxied_udp prior and after the fix in 1452713.
As I understand it, disable_non_proxied_udp used to actually be "proxy_only" which offered the best privacy but didn't work if no proxy was used:

proxy_only is our old version of mode 4, prior to this bug, that was not entirely up to spec in that it disallows any peer connection from connecting if a proxy is not set. There's still some value in this mode, since it's the only mode that guarantees that no ip addresses leak to remote peer or application, regardless of other settings (proxy).

The new disable_non_proxied_udp is a better version of default_public_interface_only that works with or without a proxy AND with the added benefit of when a proxy is used it's equivalent to proxy_only.
And I think that's where we want to be and therefore we should add media.peerconnection.ice.proxy_only_if_behind_proxy=true to 2002. Maybe also adding the link to the spec modes and note that our setting matches mode 4

They also mention uBlockOrigin in that bugzilla and uBO currently uses disable_non_proxied_udp in Chrom(e|ium) and default_public_interface_only for Firefox. (see source)

Firefox currently works differently, use default_public_interface_only for now.

emphasis mine. I think after 1452713 ie FF70+, @gorhill can now use disable_non_proxied_udp for FF as well since their main goal in 1452713 was apparently "functional equivalency to Chrome" and because disable_non_proxied_udp is now a better version of default_public_interface_only

earthlng on 22 Nov 2019

re: media.peerconnection.ice.obfuscate_host_addresses

2002 already has "no_host" and thus I don't think "obfuscate_host_addresses" really matters.
With no hosts there's presumably nothing to obfuscate.

earthlng on 22 Nov 2019

I'll just defer that to you, go ahead and commit it

@crssi

we disable WebRTC because

https://bugzilla.mozilla.org/buglist.cgi?bug_id=1375122,1314443,1466148,959893,1338006

Thorin-Oakenpants on 22 Nov 2019

I'll just defer that to you, go ahead and commit it

Thank you. Need to learn how to do it. But first I will read all bugzillas.

crssi on 23 Nov 2019

I'll just defer that to you, go ahead and commit it

That was for earthlng, the @crssi was for the subsequent message

Thorin-Oakenpants on 24 Nov 2019

OK, never-mind, did some tests anyway.

FF 70.0.1 plan vanilla + latest user.js + media.peerconnection.enable = true

The following tests:
https://mozilla.github.io/webrtc-landing/stun_test.html
https://bric.lepus.uberspace.de/ff28Fail.html
https://diafygi.github.io/webrtc-ips/
https://browserleaks.com/webrtc

does not leak internal IP, but the deviceId stays the same for a session until restart.
DeviceId is somehow tied to cookie controlled storage, which is cleared by user.js on restart.
When cookies are cleared manually within a session, the deviceId changes.
Also TC + Auto mode deals with that.

crssi on 24 Nov 2019

Was this page helpful?

0 / 5 - 0 ratings

Related issues

What is the suggested "pace" to update the user.js file?

GIPeon · 3Comments

changelog: v65-beta

earthlng · 4Comments

Same project

TerkiKerel · 4Comments

Happy New Year

earthlng · 6Comments

Additional value for TRR to "...disable DoH under all circumstances."

grauenwolfe · 7Comments