User.js: ToDo: diffs FF72-FF73

LSNG is delayed again .. I'm beginning to think we could enforce this as true. The problems are edge case IMO (but I might have to read some more), not sure about ESR users (who I have no sympathy for, the user.js is for stable).

If LSNG is enabled, LocalStorage depends on QuotaManager storage which is currently broken for some users. We don't want to ship LSNG until the issue is fixed

I guess the question is what exactly breaks QM for some users. Personally, I have no issues with it - it's much more robust (less arbitrary async timing) and fixes the problem with sanitizing localStorage on close #774

or we could wait until they flip it

Feature Policy was also backed out

re crlite .. I read that article and am happy for it to ride the trains. One less thing to add, maintain and later remove as dead wood. And based on that, we should probably ignore LSNG, as well then.

@earthlng

I didn't see anything exciting except what I had already pulled out in earlier edits (and seems like those were all reversed). I'll trust the results and your edits: but seems strange tls min was held back :shrug: [edit: ok it's one of those non-release not-riding-the-train ones that just so happens to be nightly and dev/beta]

for some reason, 19 days ago, I listed two items for new - the VR one is probably for interest only (but we do list the other default permission prefs: e.g geo etc )

I have no idea really what permissions delegation entails or the ramifications of it - we don't actively set any permissions (because the default is always to prompt), but I wonder what this does exactly (e.g you allow geo on Site A as 1st party, does that "delegate" down to 3rd party content - or does it mean that Site A can use geo as a third party? IDK - care to take a look?

Do you see anything else that needs addressing, any other tweaks (settings tags, default values, typos)?

I do have a new RFP patch to add ( android css [any-]pointer and [any-]hover ) which landed in 74 - but it's not urgent (just waiting until my next edit)

Delegation I think is tied to Feature Policy which was backed out.
Feature Policy: https://www.fxsitecompat.dev/en-CA/docs/2020/geolocation-fullscreen-camera-mic-screen-capture-requests-from-cross-origin-iframe-are-now-disabled-by-default/

more about the delegation stuff: https://groups.google.com/d/topic/mozilla.dev.platform/BdFOMAuCGW8/discussion

PS: thanks for the prefers-color* bugzilla - I also fixed the sticky. The one I linked was a proposal that was ruled invalid since they decided to stick with RFP=light which was already in the original patch

OK, so geo, camera+mic (and screen capture and FS) can be allowed - and these are the ones delegation applies to

These features can no longer be used in cross-origin <iframe>s unless the feature is explicitly enabled with the allow attribute:

persistent storage, vibrate, and notifications can't

These features can no longer be used in cross-origin <iframe>s even if you use the allow attribute

Well, I don't care about persistent storage, vibrate or notifications (or full screen: it requires a user gesture), or screen capture

I'll have to check it all out more tomorrow: that second link is good. And from a quick glance I don't think we want delegation

I'm going to ignore delegation until Feature Policy lands - i.e we'll just add it to the next diff and if required add all the relevant prefs then

As for the VR permission, I'll add it as inactive: we have the other five Settings>Privacy & Security>Permissions prefs in the user.js

I find it this comment in a related bugzilla interesting

This prompt is displayed before enumerating hardware, as the enumeration itself often results in physical devices powering on or software launching persistently in the background

This leads to a FPing concern over timing (see comment 2). We don't disable VR (or gamepads in the RFP alts) since that's FP'able (and pretty much unique) and it's likely that those who have VR devices or gamepads, want to use them.

I would also think the number of users with VR would be low - so in this regard the FPing entropy should be low: i.e the vast bulk of us are all in the same boat. On top of that we have RFP's timing protection (although there are ways to work around it: e.g getting 1ms precision isn't hard: just use an 1ms incremental counter and refer to it)

At the end of the day what we probably need is something similar to RFP's patch for gamepads: i.e the api is available, but RFP reports no devices

@earthlng I'm all done: thumbs up or close and I'll do a beta release. Apologies for the huge changelog you'll have to author ;)

just reading some of that intent to ship

emphasis mine

Give an ability to delegate permissions from first party to third party embedded iframes, and impose a restriction to embedded iframes to request permission only when the iframe’s embedder has explicitly delegated it. The permission request will use the top level origin to show in the prompt

Fuck no. I'm on Site A and an iframe with Site B content.Site B makes a request to use e.g.geo (an embedded google map for example), currently the prompt shows that it's Site B - zero confusion. Delegation means the prompt will actually lie and say that it's Site A - all in the name of not confusing end users. WTF!! That's so misleading.

That's my take on it. We should disable it.

Edit: Johann's comment is worth reading, but just makes me ask more questions

When an origin requests access to a permission (either as first or third party) and the user wants to remember this decision, the Firefox permission manager by default stores a key-value pair consisting of origin and permission value[0]. It does not "double-key", so there's no
differentiation between first or third party access.

OK, that answers one question I had. Granting permission doesn't care about origin - got it!

This means an embedded google.com iframe, having access to your geolocation through google.com/maps, can track your geolocation around the web.

Right .. no double-keying

The concept isn't perfect and of course it clashes with double-keying, so we can't have both.

Geeze Louise

What ever happened to applying OA to site permissions 1422056 : note the FPI part of this was done in 1330467 - so now I'm confused

FYI: 1599226 landed: enabling Ion on Chrome content (including Extensions) but disabling it on web content

I'll have to read the ticket and look at the patch: not sure if there's a pref or it's like other two where content/extensions ignore the pref

/* 2422: disable WebAssembly [FF52+] [SETUP-PERF]
 * [NOTE] In FF71+ this no longer affects extensions (1576254)
user_pref("javascript.options.wasm", false);

/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
 * [NOTE] In FF70+ and ESR68.1.0+ this no longer affects extensions (1564208)
   // user_pref("svg.disabled", true);

for the record (so we could add something here)

/* 2421: disable Ion and baseline JIT to help harden JS against exploits
   // user_pref("javascript.options.ion", false);
   // user_pref("javascript.options.baselinejit", false);

Happy to deal with it in this issue (so I don't forget) before we close it

Delegation means the prompt will actually lie and say that it's Site A - all in the name of not confusing end users. WTF!! That's so misleading.

yeah it's totally backwards! stupid AF

At least with FPI the permission should still be keyed to the 1st party domain and this:

This means an embedded google.com iframe, having access to your geolocation through google.com/maps, can track your geolocation around the web.

shouldn't be possible.

We should disable it.

100% agree

I need to check/ask about something - because I have a feeling not all site permissions are double keyed. And I'm also totes confused when Johann says delegation and double-keying can't exist : so WTF happens with PB mode, or containers, or FPI enabled when they flip this on - are they expecting people's browsers to fall into small blacks holes and wink out of existence?

I have to go .. but I think I get it: with delegation, it's keyed to 1st party (I think) .. so

• Site A with goolgle.maps as 3rd party: google.maps wants your testicles: Site A prompts for it (as Site A) and you grant it
• Site B also has google.maps as a third party wanting to feel up your sweaty massive balls, but it has to ask again: this time as Site B

But then I might be wrong: because if it's not doubled keyed, then what it is keyed to? How do they keep track? You can't just auto grant all third party permission requests on Site A just because you did it once before.

F&^!#!*#!#k this .. I'm outta here :) It's doing my head in. And of course, all this shit was thought up and brought to you by google

because if it's not doubled keyed, then what it is keyed to?

without FPI, I don't think it's keyed to anything. Just grants google.maps geolocation access, period. If someone then also decides to "remember decision" because they think it's just Site A then they're really fucked because it will never ask again and Site B, C, D, etc will all silently grant google.maps iframes permission to geolocation.
If that's not a really fucking great improvement IDK what is! /s
THANKS google!

Do you see anything else that needs addressing, any other tweaks (settings tags, default values, typos)?

nope

we don't need to worry about this [delegation] until Feature Policy lands

ok we can wait for FF74 to deal with permission delegation

2421: disable Ion and baseline JIT

I'd like to disable the Ion pref for FF75 so I'd say we add this one to the "to keep an eye on" sticky.

From looking at the patches it seems that disabling baselinejit also disables Ion (regardless of the patch). So, for FF75 we need to keep the baseline jit pref inactive (defaulting to true) and set the Ion pref to false so that only trusted principals like FF itself + extensions are allowed to use it.

I'm all done: thumbs up or close and I'll do a beta release.

👍

Apologies for the huge changelog you'll have to author ;)

no worries :) 💋

I don't think it's keyed to anything

Just came across this - https://bugzilla.mozilla.org/show_bug.cgi?id=1572461#c2

emphasis mine

One-off granting really isn't the issue here, as that should still be scoped to the single entity that made the call to access the functionality (i.e. in my idea if the frame calls getUserMedia and gets it granted and if the top-level then call getUserMedia again there's another prompt, though we should probably clarify this). The big problem is what happens if the user clicks on "Remember this decision"?

I get your point that we could double-key the permission here. Back when we originally started this project double-keying permissions was actually technically blocked on some work that has now been resolved (and I don't think we expected it to become possible so quickly). So we could do that...

So I think that explains why there was some confusion with "I'm also totes confused when Johann says delegation and double-keying can't exist" - i.e it was problematic back then, but isn't now

I guess we can just do some tests when Feature Policy and delegation land in Stable, and document just how the permissions are treated as 1st/3rd party, with/without FPI/containers (I think we can skip PB mode) and with feature policy and/or delegation on or off