FF78 is scheduled for release June 30th
FF78 release notes [when ready]
[FF78 for developers](https://developer.mozilla.org/docs/Mozilla/Firefox/Releases/78)
FF78 compatibility
FF78 security advisories
ui.prefersReducedMotion=1 - https://github.com/ghacksuserjs/ghacks-user.js/commit/3d18af19e3936beecca8506dc57319a428b98dc2
2200: dom.disable_window_open_feature - see 1507375, compat
100 diffs ( 63 new, 19 gone, 18 different )
sites instead of domains
ALL DONE - https://github.com/ghacksuserjs/ghacks-user.js/commit/77ecef8be3a0a6b1a0f32c9d9ef501478065b00f
1202 pref("security.tls.version.min", 3); // prev: 1
1263 pref("security.ssl3.dhe_rsa_aes_128_sha", false); // prev: true
1263 pref("security.ssl3.dhe_rsa_aes_256_sha", false); // prev: true
0105c pref("browser.newtabpage.activity-stream.feeds.section.topstories", true); // prev: false
==NEW ==REMOVED or HIDDEN ==CHANGED
pref("apz.allow_zooming_out", false);
pref("apz.windows.use_direct_manipulation", false);
pref("browser.aboutwelcome.overrideContent", "");
pref("browser.contentblocking.report.endpoint_url", "https://monitor.firefox.com/user/breach-stats?includeResolved=true");
pref("browser.contentblocking.report.monitor.home_page_url", "https://monitor.firefox.com/user/dashboard");
pref("browser.contentblocking.report.monitor.preferences_url", "https://monitor.firefox.com/user/preferences");
pref("browser.fixup.domainsuffixwhitelist.example", true);
pref("browser.fixup.domainsuffixwhitelist.internal", true);
pref("browser.fixup.domainsuffixwhitelist.invalid", true);
pref("browser.fixup.domainsuffixwhitelist.local", true);
pref("browser.fixup.domainsuffixwhitelist.localhost", true);
pref("browser.fixup.domainsuffixwhitelist.test", true);
pref("browser.fixup.fallback-to-https", true);
pref("browser.helperApps.showOpenOptionForPdfJS", true);
pref("browser.newtabpage.activity-stream.discoverystream.recs.personalized", false);
pref("browser.newtabpage.activity-stream.discoverystream.spocs.personalized", true);
pref("browser.newtabpage.activity-stream.feeds.system.topsites", true);
pref("browser.newtabpage.activity-stream.feeds.system.topstories", false);
pref("browser.pdf.launchDefaultEdgeAsApp", true);
pref("browser.region.log", false);
pref("browser.region.network.scan", false);
pref("browser.region.network.url", "https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%");
pref("browser.region.timeout", 5000);
pref("browser.urlbar.richSuggestions.tail", false);
pref("devtools.accessibility.auto-init.enabled", false);
pref("devtools.netmonitor.features.serverSentEvents", false);
pref("doh-rollout.trr-selection.enabled", false);
pref("dom.quotaManager.storageName", "storage");
pref("gfx.webrender.quality.force-subpixel-aa-where-possible", false);
pref("identity.fxaccounts.useSessionTokensForOAuth", true);
pref("image.avif.use-dav1d", true);
pref("javascript.options.source_pragmas", true);
pref("javascript.options.wasm_multi_value", true);
pref("layers.recycle-allocator-rdd", true);
pref("layout.animation.prerender.viewport-ratio-limit", "1.125");
pref("layout.css.aspect-ratio.enabled", false);
pref("layout.css.file-chooser-button.enabled", false);
pref("layout.css.moz-focus-outer.enabled", true);
pref("layout.dynamic-toolbar-max-height", 0);
pref("media.cubeb.output_voice_routing", true);
pref("media.getusermedia.aecm_output_routing", 3);
pref("media.getusermedia.experimental_input_processing", false);
pref("media.peerconnection.video.use_rtx", false);
pref("network.http.sanitize-headers-in-logs", true);
pref("network.send_ODA_to_content_directly", true);
pref("pdfjs.handleOctetStream", true);
pref("privacy.rejectForeign.allowList", "");
pref("privacy.resistFingerprinting.randomDataOnCanvasExtract", true);
pref("security.allow_disjointed_external_uri_loads", false);
pref("security.allow_unsafe_parent_loads", false);
pref("security.cancel_non_local_loads_triggered_by_systemprincipal", false);
pref("security.osreauthenticator.blank_password", false);
pref("security.osreauthenticator.password_last_changed_hi", 0);
pref("security.osreauthenticator.password_last_changed_lo", 0);
pref("webextensions.storage.sync.kinto", true);
pref("browser.urlbar.openViewOnFocus", true);
pref("devtools.responsive.touchGestureSimulation.enabled", false);
pref("dom.ipc.cpows.forbid-unsafe-from-browser", true);
pref("dom.ipc.cpows.log.enabled", false);
pref("dom.ipc.cpows.log.stack", false);
pref("dom.link.disabled_attribute.enabled", true);
pref("extensions.abuseReport.openDialog", true);
pref("geo.provider-country.network.scan", false);
pref("geo.provider-country.network.url", "https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%");
pref("gfx.webrender.quality.force-disable-sacrificing-subpixel-aa", false);
pref("layout.animation.prerender.viewport-ratio-limit-x", "1.125");
pref("layout.animation.prerender.viewport-ratio-limit-y", "1.125");
pref("layout.css.aspect-ratio-number.enabled", false);
pref("layout.css.moz-document.url-prefix-hack.enabled", true);
pref("media.navigator.audio.full_duplex", true);
pref("network.preload-experimental", false);
pref("permissions.postPrompt.animate", true);
pref("app.update.url.manual", "https://www.mozilla.org/%LOCALE%/firefox/"); // prev: "https://www.mozilla.org/firefox/"
pref("apz.axis_lock.mode", 2); // prev: 0
pref("browser.newtabpage.activity-stream.asrouter.providers.messaging-experiments", "{\"id\":\"messaging-experiments\",\"enabled\":true,\"type\":\"remote-experiments\",\"messageGroups\":[\"cfr\",\"whats-new-panel\",\"moments-page\",\"snippets\",\"cfr-fxa\",\"aboutwelcome\"],\"updateCycleInMs\":3600000}"); // prev: "{\"id\":\"messaging-experiments\",\"enabled\":true,\"type\":\"remote-experiments\",\"messageGroups\":[\"cfr\",\"whats-new-panel\",\"moments-page\",\"snippets\",\"cfr-fxa\"],\"updateCycleInMs\":3600000}"
pref("browser.newtabpage.activity-stream.discoverystream.isCollectionDismissible", true); // prev: false
pref("browser.newtabpage.activity-stream.discoverystream.region-layout-config", "US,CA,GB"); // prev: "US,CA"
pref("browser.newtabpage.activity-stream.discoverystream.region-stories-config", "US,DE,CA,GB"); // prev: "US,DE,CA"
pref("browser.search.modernConfig", true); // prev: false
pref("browser.urlbar.maxHistoricalSearchSuggestions", 2); // prev: 0
pref("dom.sidebar.enabled", false); // prev: true
pref("editor.truncate_user_pastes", true); // prev: false
pref("javascript.options.shared_memory", true); // prev: false
pref("layout.css.is-where-selectors.enabled", true); // prev: false
pref("network.trr.resolvers", "[{ \"name\": \"Cloudflare\", \"url\": \"https://mozilla.cloudflare-dns.com/dns-query\" },{ \"name\": \"NextDNS\", \"url\": \"https://firefox.dns.nextdns.io/\" }]"); // prev: "[{ \"name\": \"Cloudflare\", \"url\": \"https://mozilla.cloudflare-dns.com/dns-query\" },{ \"name\": \"NextDNS\", \"url\": \"https://trr.dns.nextdns.io/\" }]"
pref("toolkit.asyncshutdown.report_writes_after", 40000); // prev: 20000
apz.allow_zooming_out apz.axis_lock.mode apz.windows.use_direct_manipulation browser.aboutwelcome.overrideContent browser.contentblocking.report.endpoint_url browser.contentblocking.report.monitor.home_page_url browser.contentblocking.report.monitor.preferences_url browser.fixup.domainsuffixwhitelist.example browser.fixup.domainsuffixwhitelist.internal browser.fixup.domainsuffixwhitelist.invalid browser.fixup.domainsuffixwhitelist.local browser.fixup.domainsuffixwhitelist.localhost browser.fixup.domainsuffixwhitelist.test browser.fixup.fallback-to-https browser.helperApps.showOpenOptionForPdfJS browser.newtabpage.activity-stream.asrouter.providers.messaging-experiments browser.newtabpage.activity-stream.discoverystream.isCollectionDismissible browser.newtabpage.activity-stream.discoverystream.recs.personalized browser.newtabpage.activity-stream.discoverystream.region-layout-config browser.newtabpage.activity-stream.discoverystream.region-stories-config browser.newtabpage.activity-stream.discoverystream.spocs.personalized browser.newtabpage.activity-stream.feeds.section.topstories browser.pdf.launchDefaultEdgeAsApp browser.region.log browser.region.network.scan browser.region.network.url browser.region.timeout browser.search.modernConfig browser.urlbar.dnsResolveSingleWordsAfterSearch browser.urlbar.maxHistoricalSearchSuggestions browser.urlbar.openViewOnFocus browser.urlbar.richSuggestions.tail browser.urlbar.suggest.topsites devtools.accessibility.auto-init.enabled devtools.netmonitor.features.serverSentEvents devtools.responsive.touchGestureSimulation.enabled doh-rollout.trr-selection.enabled dom.ipc.cpows.forbid-unsafe-from-browser dom.link.disabled_attribute.enabled dom.quotaManager.storageName dom.sidebar.enabled editor.truncate_user_pastes extensions.abuseReport.openDialog geo.provider-country.network.scan geo.provider-country.network.url gfx.webrender.quality.force-disable-sacrificing-subpixel-aa gfx.webrender.quality.force-subpixel-aa-where-possible 
identity.fxaccounts.useSessionTokensForOAuth image.avif.use-dav1d javascript.options.shared_memory javascript.options.source_pragmas javascript.options.wasm_multi_value layers.recycle-allocator-rdd layout.animation.prerender.viewport-ratio-limit layout.animation.prerender.viewport-ratio-limit-x layout.animation.prerender.viewport-ratio-limit-y layout.css.aspect-ratio.enabled layout.css.aspect-ratio-number.enabled layout.css.file-chooser-button.enabled layout.css.font-visibility.level layout.css.is-where-selectors.enabled layout.css.moz-document.url-prefix-hack.enabled layout.css.moz-focus-outer.enabled layout.dynamic-toolbar-max-height media.autoplay.blocking_policy media.autoplay.enabled.user-gestures-needed media.cubeb.output_voice_routing media.getusermedia.aecm_output_routing media.getusermedia.experimental_input_processing media.navigator.audio.full_duplex media.peerconnection.video.use_rtx network.dns.disabled network.http.sanitize-headers-in-logs network.send_ODA_to_content_directly network.trr.resolvers pdfjs.handleOctetStream permissions.postPrompt.animate privacy.dynamic_firstparty.use_site privacy.firstparty.isolate.use_site privacy.partition.network_state privacy.rejectForeign.allowList privacy.resistFingerprinting.randomDataOnCanvasExtract security.allow_disjointed_external_uri_loads security.allow_unsafe_parent_loads security.cancel_non_local_loads_triggered_by_systemprincipal security.osreauthenticator.blank_password security.osreauthenticator.password_last_changed_hi security.osreauthenticator.password_last_changed_lo security.ssl3.dhe_rsa_aes_128_sha security.ssl3.dhe_rsa_aes_256_sha security.tls.version.min toolkit.asyncshutdown.report_writes_after toolkit.cosmeticAnimations.enabled webextensions.storage.sync.kinto
some bugzilla tickets
Bug 1627010 - Disallow user from zooming out past initial zoom on desktop.
Bug 1467380 - Default to sticky axis-lock.
Bug 1630912. Create the necessary direct manipulation objects.
Bug 1637079 - Initial multi stage about:welcome layout
Bug 1624969 - Update monitor card in the protections dashboard.
Bug 1624971 - Update Monitor card with new links.
Bug 1624971 - Update Monitor card with new links.
Bug 1634650 - Add whitelisting of domain suffixes for URIFixup.
Bug 1634650 - Add whitelisting of domain suffixes for URIFixup.
Bug 1634650 - Add whitelisting of domain suffixes for URIFixup.
Bug 1634650 - Add whitelisting of domain suffixes for URIFixup.
Bug 1634650 - Add whitelisting of domain suffixes for URIFixup.
Bug 1634650 - Add whitelisting of domain suffixes for URIFixup.
Bug 1002724 - add pref for fallback to https.
Bug 1638682 - Enable the 'Show in Firefox' option in the Unknown Content Type dialog.
Bug 773942 - Open PDFs using pdf.js in a new tab when the Preview option is selected from the Unknown Content Type dialog.
Bug 773942 - Add a radio button to open the PDF in Firefox.
Bug 1636324 - Show messaging-experiments messages in AS router devtools
Bug 1631456 - Create a CFR message loader for ExperimentAPI
Bug 1642436 - Update default pref for collection dismiss.
Bug 1618944 - Pref for collection dismiss
Bug 1645870 - individual newtab stories targeting prefs for spocs or recs.
Bug 1632574 - Turn Pocket stories on by default in GB.
Bug 1613739 - Pref to switch story rows based on region
Bug 1632574 - Turn Pocket stories on by default in GB.
Bug 1612984 - Enable regions that get stories via a pref
Bug 1645870 - individual newtab stories targeting prefs for spocs or recs.
Bug 1446276 - Separate pref for user set topstories and system set topstories.
Bug 1632277 - Part 1: Launch PDFs in app mode when default.
Bug 1627538 - Extract getRegion into its own jsm
Bug 1627538 - Extract getRegion into its own jsm
Bug 1627538 - Extract getRegion into its own jsm
Bug 1627538 - Extract getRegion into its own jsm
Bug 1635259 - Enable the modern search engine configuration on release.
Bug 1613348 - Turn on the modern Search Service configuration for nightly builds.
Bug 1642943 - Introduce a pref to control post-search DNS resolution of single word hosts.
Bug 1643475 - Enable form history / historical searches on 78 release and put them behind the same prefs as remote suggestions.
Bug 1398416 - Part 3: Implement form history results.
Bug 1627989 - Remove the browser.urlbar.openViewOnFocus pref.
Bug 1617029 - Enable urlbar.update1.* prefs (quantumbar update 1) on Release.
Bug 1626897 - Part 2 - Add support for tail suggestions to SearchSuggestionsController.jsm.
Bug 1627858 - Add a user visible preference to disable Top Sites on focus.
Bug 1602075 - add an accessibility-panel-auto-init feature to control the panel auto enabling functionality.
Bug 1636420 - Connect SSE actor to the Message panel.
Bug 1623941 - Part 1: Use nsDOMWindowUtils' sendNativeTouchPoint for simulating touch events
Bug 1489653 - Simulate double-tap gestures in RDM
Bug 1642723 - Pref-off automatic TRR-selection by default.
Bug 1640967 - Remove cpows preferences.
Bug 1640400 - Remove dom.link.disabled_attribute.enabled.
Bug 1624802 - Add a pref for overriding storage name;
Bug 1632447 - Disable window.external/sidebar.AddSearchProvider by preference.
Bug 1636855 - Enable editor.truncate_user_pastes even in Nightly channel.
Bug 1636855 - Disallow to paste longer text than maxlength value except in Nightly channel and early Beta.
Bug 1320229 - allow user pastes longer than input maxlength
Bug 1614653 - Remove the extensions.abuseReports.openDialog pref and the related implementation and XUL elements from about:addons.
Bug 1598079 - Turn abuseReport.openDialog on by default on all channels.
Bug 1627538 - Extract getRegion into its own jsm
Bug 1589618 - Move the implementation of the region fetch to NetworkGeolocationProvider to have it close to the wifi scanning code.
Bug 1627538 - Extract getRegion into its own jsm
Bug 1589618 - Move the implementation of the region fetch to NetworkGeolocationProvider to have it close to the wifi scanning code.
Bug 1635610 - Enable per scroll root picture cache slices by default.
Bug 1635610 - Enable per scroll root picture cache slices by default.
Bug 1632557 - Add pref and logic for direct use of session tokens to provision OAuth tokens
Bug 1639409 - AVIF (AV1 Image File Format): decode with dav1d.
Bug 1606624 - Ship SharedArrayBuffer (and atomics) to Release;
Bug 1628853 - Expose a feature flag to enable/disable //# sourceXX= parsing.
Bug 1620986 - Introduce run-time switch for multi-value.
Bug 1645579 - Disable RecycleAllocator for RDD process when WebRender is disabled on Mac.
Bug 1634616 - Calculate a perfect square based on the viewport size and rotate it to adjust the partial prerender area for rotation transforms.
Bug 1634616 - Calculate a perfect square based on the viewport size and rotate it to adjust the partial prerender area for rotation transforms.
Bug 1634616 - Calculate a perfect square based on the viewport size and rotate it to adjust the partial prerender area for rotation transforms.
Bug 1635939 - Let aspect-ratio (css-sizing-4) support 'auto | <ratio>'.
Bug 1635939 - Replace AspectRatio with computed::position::Ratio in media-queries.
Bug 1635675 - Implement the ::file-chooser-button pseudo-element.
Bug 1634677 - patch 1 - Add a pref to control visibility of different categories of installed font families.
Bug 1632646 - Enable :is() and :where() in all release channels.
Bug 1509418 - Enable the feature in Nightly.
Bug 1629735 - Implement parsing / selector-matching for :is() and :where().
Bug 1449753 - Remove the @-moz-document url-prefix() hack preference, enable it everywhere.
Bug 1636998 - Make ::-moz-focus-outer a no-op, and remove it on Nightly.
Bug 1640223 - Expand the given size in ExpandHeightForViewportUnits by multiplying the 'vh value / visible area height'.
Bug 1509933 - part1 : add new pref 'media.autoplay.blocking_policy'.
Bug 1509933 - part1 : add new pref 'media.autoplay.blocking_policy'.
Bug 1626081 - Add a pref to disable the audio output stream routing on Android.
Bug 1626081 - Set and add a way to change the default routing mode for echo cancellation on mobile.
Bug 1628779 - Pass the audio rountrip latency to the echo canceller, and disable extended filter and delay agnostic AEC, on macOS Nightly.
Bug 1638832 - Remove unused full duplex code
Bug 1638758 - Turn off just-added media.peerconnection.video.use_rtx in nightly.
Bug 1632489 - Enable rtx for early beta or earlier;
Backed out 4 changesets (bug 1632489) for android crashes at test_peerConnection_maxFsConstraint.html. CLOSED TREE
Bug 1164187 - Add pref for rtx;
Bug 1636411 - Allow disabling DNS resolution via pref
Bug 1642318 - network.http.sanitize-headers-in-logs should be RelaxedAtomicBool
Bug 1637727 - convert network.http.sanitize-headers-in-logs to a StaticPref.
Bug 1623380 - Send ODA directly to content process
Bug 1644444 - Update NextDNS endpoint URL and migrate pref values.
Bug 1588647 - [trr] Add NextDNS to list of TRR providers
Bug 1633270 - view application/octet-stream PDFs in PDF.JS and add a pref to turn this off,
Bug 1636112 - Make post-prompt animation obey prefers-reduced-motion.
Bug 1637516 - part 2: make first-party domain support site;
Bug 1637516 - part 2: make first-party domain support site;
Bug 1639247 - Isolate DNS cache per first-party when privacy.partition.network_state is set to true - part 1 - new pref,
Bug 1635050 - Implement a whitelist system for cookieBehavior REJECT_FOREIGN with exceptions,
Bug 1638211 - Make privacy.resistFingerprinting.randomDataOnCanvasExtract a RelaxedAtomicBool
Bug 1621433 - In RFP mode, turn canvas image extraction into a random 'poison pill' for fingerprinters
Bug 1606797 - do not allow navigating to external URIs in cross-origin disjoint browsing contexts,
Bug 1637869 - P4. Access pref via staticpref.
Bug 1613609 - prototype patch with whitelist for sysrequest
Bug 1633090 - Cache the result of the empty password checks.
Bug 1633090 - Cache the result of the empty password checks.
Bug 1633090 - Cache the result of the empty password checks.
Bug 1496639 - Disable DHE ciphers by default.
Bug 1496639 - Disable DHE ciphers by default.
Bug 1643229 - Disable TLS 1.0 in release channels,
Bug 1626495 - Re-enable TLS 1.0 for release,
Bug 1623536 - Re-enable TLS 1.0,
Bug 1606734 - Disable TLS 1.0 and 1.1 by default,
Bug 1610134: Part 2: Increase timeout pref that turns on late write checking
Bug 1610134: Part 1: add timeout pref that turns on late write checking to see if it's possible to crash browser earlier.
Bug 1640501 - Remove toolkit.cosmeticAnimations.enabled from all.js.
Bug 1623245 - A new browser.storage.sync local storage implementation, pref'd off.
Bug 1642271 - don't sync the webextensions.storage.sync.kinto preference.
Bug 1635352 (part 1) - Add a new bridged extension-storage engine.
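An added example, not part of the original thread or of the ghacks-user.js project: one way to produce NEW / REMOVED / CHANGED lists like the ones above from two dumps of Firefox default prefs, plus a filter for the `security.`, `privacy.` and `network.` branches. The function names, the watched prefix list and both sample dumps are assumptions; the sample lines are constructed from prefs quoted in this thread (the TRR resolver value is abridged).

```javascript
// Added example: diff two dumps of Firefox default prefs (all.js-style lines).
// Function names, WATCHED_PREFIXES and both sample dumps are assumptions of
// this example; the sample lines are constructed from prefs quoted above.

// One pref per line: pref("name", value); where value is a double-quoted
// string (\" escapes allowed), a number, or true/false. Anything after the
// semicolon (such as "// prev: ...") is ignored.
const PREF_LINE =
  /^\s*pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*("(?:[^"\\]|\\.)*"|-?\d+(?:\.\d+)?|true|false)\s*\)\s*;/;

function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    // Values stay as source literals so 1 and "1" compare as different.
    if (m) prefs.set(m[1], m[2]); // a repeated name keeps its last value
  }
  return prefs;
}

function diffPrefs(oldText, newText) {
  const before = parsePrefs(oldText);
  const after = parsePrefs(newText);
  const added = [], removed = [], changed = [];
  for (const [name, value] of after) {
    if (!before.has(name)) added.push({ name, value });
    else if (before.get(name) !== value) {
      changed.push({ name, value, prev: before.get(name) });
    }
  }
  for (const [name, value] of before) {
    if (!after.has(name)) removed.push({ name, value });
  }
  const byName = (a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0);
  return {
    added: added.sort(byName),
    removed: removed.sort(byName),
    changed: changed.sort(byName),
  };
}

// Render in the layout used in this thread, including the "// prev:" suffix.
function formatDiff(d) {
  const line = (p) =>
    `pref("${p.name}", ${p.value});` +
    (p.prev !== undefined ? ` // prev: ${p.prev}` : "");
  return [
    `==NEW (${d.added.length})`, ...d.added.map(line),
    `==REMOVED or HIDDEN (${d.removed.length})`, ...d.removed.map(line),
    `==CHANGED (${d.changed.length})`, ...d.changed.map(line),
  ].join("\n");
}

// Branches a reviewer would look at first (assumed list, adjust to taste).
const WATCHED_PREFIXES = ["security.", "privacy.", "network."];

function securityRelevant(d) {
  const out = [];
  for (const kind of ["added", "removed", "changed"]) {
    for (const p of d[kind]) {
      if (WATCHED_PREFIXES.some((pre) => p.name.startsWith(pre))) {
        out.push({ kind, ...p });
      }
    }
  }
  return out;
}

// Constructed sample: a few defaults as they were before FF78.
const OLD_DEFAULTS = String.raw`
pref("browser.urlbar.openViewOnFocus", true);
pref("keyword.enabled", true);
pref("network.trr.resolvers", "[{ \"name\": \"NextDNS\", \"url\": \"https://trr.dns.nextdns.io/\" }]");
pref("security.ssl3.dhe_rsa_aes_128_sha", true);
pref("security.tls.version.min", 1);
`;

// Constructed sample: the same prefs as of FF78.
const NEW_DEFAULTS = String.raw`
pref("keyword.enabled", true);
pref("network.dns.disabled", false);
pref("network.trr.resolvers", "[{ \"name\": \"NextDNS\", \"url\": \"https://firefox.dns.nextdns.io/\" }]");
pref("security.ssl3.dhe_rsa_aes_128_sha", false);
pref("security.tls.version.min", 3);
`;

console.log(formatDiff(diffPrefs(OLD_DEFAULTS, NEW_DEFAULTS)));
```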
@earthlng why was this pulled out for action? sorry, I haven't looked at it yet
pref("browser.urlbar.suggest.topsites", true);
the rest: anyone who wants to do some homework, dig in
1. pref("browser.fixup.fallback-to-https", true);
2. pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 1);
3. pref("layout.css.font-visibility.level", 3);
4. pref("network.dns.disabled", false);
5. pref("privacy.dynamic_firstparty.use_site", true);
6. pref("privacy.firstparty.isolate.use_site", false);
7. pref("privacy.partition.network_state", false);
how does this sound?
1 sounds good at default -> ignore?
2 i need to refresh, but I think we want to change this so single words do not search
3 NFI, I was just intrigued what it means
4 ?
5+6+7: leave them alone for Mozilla to set
* `2` i need to refresh, but I think we want to change this so single words do not search
Leaving it set to 1 uses internal Firefox heuristics to determine whether the word gets resolved or not, setting it to 2 will always resolve the single word and setting to 0 will never resolve the single word.
I suggest something like this:
/* 0850a: disable location bar suggestion types
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest ***/
// user_pref("browser.urlbar.suggest.history", false);
// user_pref("browser.urlbar.suggest.bookmark", false);
// user_pref("browser.urlbar.suggest.openpage", false);
// user_pref("browser.urlbar.suggest.topsites", false); // [FF78+]
Personally I have the last line uncommented.
Edit: Sorry, my bad. Should have checked it before posting. Search engine keywords work no matter what.
Edit 2: The above deals with the visibility of the topsites. However there's also "browser.newtabpage.activity-stream.feeds.system.topsites". We probably need to deal with that, too. :(
3:
# Visibility level of font families available to CSS font-matching:
# 1 - only base system fonts
# 2 - also fonts from optional language packs
# 3 - also user-installed fonts
Source: https://dxr.mozilla.org/mozilla-central/source/modules/libpref/init/StaticPrefList.yaml#5753
4: leave false. It disables DNS queries to upstream server i.e. you can use the internet.
OMG. They did it again. Completely blocked the last possibility to disable indexedDB in Firefox. Private browsing mode does not help anymore. Replacing the folder "storage" with an empty file named "storage" breaks browser functionality: the urlbar does not work, the searchbar on about:home does not work, right-click on some pages shows several dozen options. They did it on purpose. It is the end. If I don't find any loophole that is still open. I'm tired of playing cat and mouse with them.
@Thorin-Oakenpants
I edited my posts above before you committed yesterday but seemingly you didn't see it early enough. Sorry for that!
I also read the code for browser.urlbar.dnsResolveSingleWordsAfterSearch. Currently there's no heuristic at all (bug 1642623), i.e. 1=2='always resolve' for now. In the future they want to check the user's host file or if DOH is used, etc.
I just mentioned DoH and host file checking because Mozilla plans including it in the heuristic they want to implement for browser.urlbar.dnsResolveSingleWordsAfterSearch in future versions. In other words, another suggestion:
/* 07XX: DNS: resolve single words after search [FF78+]
* Necessary if you need to connect to local networks with single word names but also leaks the input to your DNS-provider
* 0=never, 1=heuristic (default), 2=always
* (For FF78 1 and 2 are the same and always resolve but that will change in future versions)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1642623 ***/
// user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
OMG YES! no expanding urlbar anymore in FF78 with ui.prefersReducedMotion=1! Hallelujah! Thank you black Jesus :)
1 sounds good at default -> ignore?
yes.
browser.urlbar.dnsResolveSingleWordsAfterSearch fits better in 0800 than 0700 IMO. I wonder if we really need this though when we already have keyword.enabled=false ? @guser-sudo, do you know?
Either way, we should probably add it just in case (active with value 0).
AFAIK 5 + 6 control what's used as the origin attribute for 1st-party isolation. dFPI will now use "site" whereas FPI will remain just domain. A bit weird that they use different OAs but I guess it's best to not mess with it at this point because IDK if all the things isolated by FPI will still work with "site" instead of domain.
FYI:
layout.css.font-variations.enabled is locked
is that related to layout.css.font-visibility.level at all?
layout.css.font-visibility.level looks nice at first glance but doesn't it just add another vector to detect locale?
Like, fe on my system the arabic fonts are "hidden" in my OS and font-visibility.level=1 would make them not accessible for CSS anymore but someone with an en-US FF (spoofed or not) on an OS in arabic would have those fonts exposed in the list. I don't see how this improves privacy TBH
layout.css.font-variations.enabled is related to https://developer.mozilla.org/en-US/docs/Web/CSS/font-variation-settings. Not sure it figures into any privacy related stuff..
browser.urlbar.dnsResolveSingleWordsAfterSearch fits better in 0800 than 0700 IMO. I wonder if we really need this though when we already have keyword.enabled=false? @guser-sudo, do you know?
Either way, we should probably add it just in case (active with value 0).
I monitored my DNS-traffic: keyword.enabled=false still causes a DNS-lookup, browser.urlbar.dnsResolveSingleWordsAfterSearch=0 does not.
Thanks for testing @guser-sudo!
keyword.enabled=false still causes a DNS-lookup,
yeah but isn't that because it tries to access that "keyword" as a hostname? Unless you previously accessed that hostname and therefore still have it in your MAC or DNS cache, that access would necessarily require a dns lookup, right?
ie, with keyword.enabled=false, when I enter "pants" in the urlbar it'll try to access http://pants/.
I don't think there's any way to stop that.
So, as I understand it, dnsResolveSingleWordsAfterSearch=0 only makes sense with keyword.enabled=true ie you always want to search for single words and never try to resolve it as a hostname.
what does heuristics actually mean?
they haven't decided yet. https://bugzilla.mozilla.org/show_bug.cgi?id=1642623#c8 lists some of their ideas atm:
- user is using DOH
- /etc/hosts only contains localhost
- no policies are in use
- the computer is not enrolled in a domain
@earthlng
Yes, with keyword.enabled=false the default setting browser.urlbar.dnsResolveSingleWordsAfterSearch=1 is sufficient which should prevent (hopefully most) typos from being externally resolved when the heuristic has landed.
@Thorin-Oakenpants
That pref seems to be the AS of browser.urlbar.suggest.topsites. They do almost the same however I don't know the exact differences. Still investigating if both are needed or only one of them.
What happened to the browser.urlbar.dnsResolveSingleWordsAfterSearch comments?
maybe something like this for dnsResolveSingleWordsAfterSearch:
/* 0811: disable location bar leaking single words to DNS provider when keywords (0801) are enabled [FF78+]
* 0=never resolve single words, 1=heuristic (default), 2=always resolve
* (For FF78 value 1 and 2 are the same and always resolve but that will change in future versions)
* [1] https://bugzilla.mozilla.org/1642623 ***/
user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
IDK if we need to explain more than that, fe that with keywords disabled all single words are treated as hostnames and could "leak" (unless you have them in your hosts file (and don't use DOH because DOH currently doesn't check hosts)).
We can also add network.dns.disabled as optional defense-in-depth to prevent any potential DNS leaks for proxy/tor users.
Firefox 78.0.1 with no proxy here. I tested setting _network.dns.disabled_ to _true_ and I wasn't surprised more than that with the effect : no connection.
My understanding of English is sometimes approximate so if my above comment initiates hilarity I won't feel excessively ashamed!
Did anyone notice the DNS leak when dnsResolveSingleWordsAfterSearch = 1?
I do use keyword.enabled = true and no single word DNS leak is visible here.
@crssi
Yes, I can see it when logging my DNS queries.
It happens after a single word search like 'cat' when firefox asks you if you want to open http://cat instead.
@Thorin-Oakenpants wrote above, concerning network.dns.disabled
If we add network.dns.disabled it would be inactive, but I'm wondering what other use cases it has: e.g. VPNs with their own DNS servers. What about if you use DoH? So it's basically an off switch if any of the DNS alternatives fails. But I'm struggling to think of any other use cases.
I linger as well to understand this setting's pertinence. No VPN here and no FF TRR, DNS is resolved with DNSCrypt-proxy (hence its own DNS servers). Maybe makes sense with FF's DoH (TRR)? I'm really looking forward to understanding why/where the setting is useful.
I just turned on browser.fixup.alternate.enabled for testing but it doesn't work and always causes a search instead. Am I missing something or is it broken?
@guser-sudo
I see what you mean, but there is no such query here... In wireshark I can see only request for a search on DDG.
Will try to find out today afternoon what I have different in setup.
Will report back later.
* [NOTE] disabling location bar search also has the same effect (see 0801)
I wouldn't call it the same effect: It prevents the search and does a DNS lookup because you probably want to reach a local resource.
browser.urlbar.dnsResolveSingleWordsAfterSearch decides whether after a search you want to be given the opportunity to reach a local resource instead.
I read that as you can only disable the single dns leak if you also have 0801 enabled
that's exactly how it's meant to be read :)
type "pants" and hit enter and it just goes straight to an error page.
yeah but after it tried to resolve pants ie dns leak
@crssi are you sure you didn't send the single word to your search engine ie something like "d word"? The leak only happens if you enter a single word without a search-engine keyword/letter
I never use search-engine keyword/letter.
I have built a new profile from scratch. And everything is as you say and cannot reproduce.
I must have done something in my work profile that I am not aware of, since there I have no leakage and the browser.urlbar.dnsResolveSingleWordsAfterSearch = 1.... it is strange, but it is just part of my fckedup profile.
Will try to get to the bottom of it later, just out of curiosity.
Update: Forget I have written anything, just can't reproduce anymore and I have no clue why is that.
this is what the prompt looks like:

But the prompt only shows up if the DNS lookup actually found a host with that name. That's why I used localhost.
The way I tested it was a new fresh profile with the latest user.js, (optional: change default search engine to the builtin DDG), then in about:config change keyword.enabled to true and set browser.fixup.domainwhitelist.localhost to false.
This is just to illustrate the prompt though - the DNS leak doesn't really happen here because localhost is in everyone's hosts file and that's looked up prior to any remote DNS lookup. (unless you use FF's DoH!)
With that test environment now in place you can test when (or not) the prompt shows up, ie search buttons etc. If it doesn't show up it most likely means the DNS lookup didn't happen but I haven't verified that with wireshark or similar. BUT just make sure you never click the "Yes, take me to ..." button because that will set a pref and mess up further testing!
In my test it apparently didn't try a DNS lookup when I clicked one of the one-off search buttons to trigger the search nor when I used a search-engine keyword/letter.
FYI secretplace,com is considered a single word too. Probably everything without a space is a single word.
I hope this helps
Does anyone care about adding
network.dns.disabled
Does anyone care about adding these as true, now we know what they do (inactive)
privacy.partition.network_state
privacy.firstparty.isolate.use_site
Does anyone care about 2200
dom.disable_window_open_feature - see 1507375, compat
I tried doing various tests here, and I have my own tests, and I just don't get it. I can still remove all those items: menubar, personalbar and toolbar (but I can't add them?). I also got some really whacked out results, where I loaded the test in a popup and the changes were being applied to the parent window (and I could show/hide things like the menu, toolbar etc)
I just don't know if I can be fucked dealing with this mess
Does anyone care about
network.dns.disabled: No
privacy.partition.network_state: IDK what it does, the only thing I found was the linked ticket.
/* 400x: Isolate DNS cache per first-party [FF78+] ***/
// user_pref("privacy.partition.network_state", true);
privacy.firstparty.isolate.use_site: I do some testing
/* 400x: Isolate by site and not by domain [FF78+] ***/
// user_pref("privacy.firstparty.isolate.use_site", true);
privacy.partition.network_state: IDK what it does, the only thing I found was the linked ticket
It is being used to isolate some things that FPI didn't. Maybe they'll even move things to use this so it's simpler from an engineering point of view. Here is the meta ticket
FPI was going to isolate font cache (pretty sure this is the graphics card cache) - that was 1560580, but this has been dropped and instead is covered with privacy.partition.network_state (see 1647732), but that's not until FF80
"Network" being distinct from web content : "This leaves storage, permissions, cookie jars etc alone but isolates cached and network stuff by site. Nothing that should be observable to a website (except through side channels.)"
We certainly don't need to add any of these for this release, but probably will at some point. And at that point when they are ready to use (bugs), they will most likely be flipped