User.js: ToDo: diffs FF78-FF79

browser.urlbar.usepreloadedtopurls.enabled wasn't removed, just hidden. Default value is false so we can just remove it completely for now and, if necessary, pick it back up when/if they ever enable it, or move it back up to where it was and add some tags.

pref("browser.tabs.remote.useCrossOriginEmbedderPolicy", true); // prev: false
pref("browser.tabs.remote.useCrossOriginOpenerPolicy", true); // prev: false
pref("dom.postMessage.sharedArrayBuffer.withCOOP_COEP", true); // prev: false

these 3 combined re-enable postmessage support for sharedArrayBuffer stuff under certain circumstances, ie this:

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/79#JavaScript

• SharedArrayBuffer has been re-enabled in a post-Spectre-safe manner. It is available to cross-origin isolated sites (bug 1619649).

  • To cross-origin isolate your site, you need to set the new Cross-Origin-Embedder-Policy (COEP) and Cross-Origin-Opener-Policy (COOP) headers.

Don't know if the high-precision timers that this can provide are covered by RFP.

pref("devtools.application.enabled", true); // prev: false
pref("dom.manifest.enabled", true); // prev: false

enable the Application panel

The Application panel provides tools for inspecting and debugging modern web apps (also known as Progressive Web Apps). This includes inspection of service workers and web app manifests.

But I don't think it actually works ATM because (source)

Note that the Application panel depends on Service worker support

Service worker support = devtools.debugger.features.windowless-service-workers. They had to re-disable that pref again due to bad performance.

the 2 media.peerconnection.* - we already have 2001 user_pref("media.peerconnection.enabled", false); so these 2 probably don't really matter

I need help.

On Firefox 79 I cannot disable location.services.mozilla.com anymore. Every browser start trying to connect and my firewall block it. With Firefox 78.0.2 I not have this issue. Mozilla blocked any possibility to disable location.services.mozilla.com for users, how they did it before for firefox.settings.services.mozilla.com? I tried false/true all new prefs but nothing help.

@TarTakTarBok What are you trying to achieve? What exactly is the problem with connecting to location.services.mozilla.com - see #966

The problem is that I completely disable all geolocation, and the connection to the location.services.mozilla.com server still happens.

user_pref("browser.search.geoSpecificDefaults", false);
user_pref("browser.search.geoSpecificDefaults.url", "");
user_pref("geo.enabled", false);
user_pref("geo.provider.network.url", "");
user_pref("geo.provider.network.logging.enabled", false);
user_pref("geo.provider.ms-windows-location", false);
user_pref("geo.provider.use_corelocation", false);
user_pref("geo.provider.use_gpsd", false);
user_pref("permissions.default.geo", 2);

As soon as I start the browser immediately attempts to connect to the location.services.mozilla.com server. At Firefox 78.0.2 and below, this did not happen. Because all of the above prefs disabled any geolocation. But with the release of Firefox 79, everything changed. One of two. Or Mozilla remove from users the ability to COMPLETELY disable geolocation or in Firefox 79 a new pref appeared that is enabled by default and therefore connects to location.services.mozilla.com. I'm more toward to the first option. Since in the past, Mozilla has already deprived users of any opportunity to disable the connection with the server firefox.settings.services.mozilla.com and I had to block this through host file.

https://bugzilla.mozilla.org/show_bug.cgi?id=1598562

I think they've done the same right now. Deprived users of the ability to completely disable geolocation. I do not use Mozilla services and always stop any attempts "phoning home". So I wanted to know from you maybe I missed some pref? If not, then this is the second non-disabling "phoning home" from Mozilla and I have nothing left to do how to add a another block to host file.

Hi,

try setting browser.search.region to US. That should be enough for FF79. Please let us know if that does the trick.

For the future you may also want to set browser.region.update.enabled to false. This pref is currently hidden and defaults to false in Release but that will change in FF80 or 81.

Optionally set browser.region.network.url to empty string.

@earthlng

Yes, you are right. Responsible for this:

browser.region.network.url;https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%

Therefore, you just need to add to user.js

user_pref("browser.region.network.url", "");

Thank you very much for your help. Be damned a new about:config that does not show anything when you search "location".

Is there any possibility that the old version "about:config" would open when entering about:config in urlbar? Some elegant solution other than bookmarking? CSS, for example?

You're welcome.

Clearing the URL should always work and not cause any problems but you can stop the code path at an earlier stage by also setting the 2 other prefs I mentioned so that it never actually gets to the point where it would use that URL:

user_pref("browser.search.region", "US");
user_pref("browser.region.update.enabled", false);
user_pref("browser.region.network.url", "");

Be cursed by a new about:config that does not show anything when you search "location".

I hear you :)
FYI you can bookmark chrome://global/content/config.xhtml as about:config, so that when you start typing "about" (without the quotes) it will show up in the urlbar dropdown list for easy access to the old and much better XUL about:config which allows you, among other things, to search for values.

Alredy add to user.js.

I totaly disable any urlbar dropdown. Therefore, only the add of a bookmark or some CSS solution (it is unlikely). Maybe I should experiment with the redirect or something. In any case, I appreciate for your help.

@earthlng Any ideas on the last 3 items, and also that region crap

/* 0205: disable GeoIP-based search results
 * [NOTE] May not be hidden if Firefox has changed your settings due to your locale ***/
user_pref("browser.search.region", "US"); // [HIDDEN PREF]
user_pref("browser.region.update.enabled", false);
user_pref("browser.region.network.url", ""); // [FF78+]

browser.navigation.requireUserInteraction has unfixed regressions - ignore for now IMO

• we/me took browser.search.region out in 75-beta https://github.com/ghacksuserjs/ghacks-user.js/blob/master/scratchpad-scripts/ghacks-clear-removed.js#L223
• browser.region.update.enabled doesn't exist in any of my FF profiles: tested right up to nightly. Is it hidden or something?
• not keen on blanking URLS
• not keen on any of it being active

region is being "redefined" - I'll dig up a meta ticket, and it's not like there's a roadmap or list of what it's all meant to do. But we can;t just have things breaking because someone throws a hissy fit when a mozilla url is pinged. If they don;t trust mozilla, then they shouldn't be using Firefox

• https://bugzilla.mozilla.org/show_bug.cgi?id=1617907
• https://phabricator.services.mozilla.com/D82083

edit: What exactly is the threat here, is my question. That patch link helps explain a little - how exactly does the search engine leak anything (not to a third party) - I don't quite get it. The region is also used by other things such as AS(?) which can be get fucked, DoH rollout(?), however .. the search pref might be OK (it's US in TB), the region updating, I think will cause problems? yes/no?

browser.navigation.requireUserInteraction - I know (its not that bad). But if we don't add it and flip it active, then we miss out for ages, and like most things we then wait for it to flip and hope it flips - look how long it took to turn on noopener (14 releases FFS). I like this one because it helps solve that shitty history push/pop state

requireUserInteraction: it's bad enough that they even disabled it again in nightly.

the search pref might be OK (it's US in TB), the region updating, I think will cause problems?

if we'd force the region to US we may as well disable the updating too because it's pointless

if we'd force the region to US we may as well disable the updating too because it's pointless

So that was my initial analysis (and I wasn't keen of making anything active). Now I've time to think about it. Let's see if I have this correct

• Firefox ships with default search engines: these are decided by the bundle
  
  
  
  • i.e. I unpack and use a FF portable en-US, or a Nightly/Beta en-US install
  
  
  • i.e. it comes with default engines for e.g. google as compared to yandex or something for russian builds
  
  
• Firefox gets your "location" and will change your region
  
  
  
  • after two weeks? (might be right away for a new profile? doesn't matter)
  
  
  • e.g. my portables and installed Nightly/Beta are all showing browser.search.region as my actual country
  
  
• How is location discovered? What if you're on a VPN?
  
  
  
  • I guess it gets the VPN server's location: but generally a user would change servers from time to time
  
  
• IIUnderstandCorrectly, just changing the search region to en-US wouldn't be enough, because a location check would change it on you: It's storing Region.current and Region.home and those two decide the search region pref - so yes, if we set it, then the update check needs to also be blocked/stopped

What is it updating? Is it just the pref changes? Or if you're holidaying in Russia, do you get a yandex engine (I don't think so since the engines are bundled inside omni jar, right)?

What does the pref change actually do? I'm on en-US, with en-US search region, and I do a google search using the build in search engine. How does that differ exactly if I was on holiday in France for three weeks? Do I suddenly switch from google.com to google.fr ? (google might not be a great example because the TLD can change based on IP). How does google know I want french stuff (i.e how does mozilla influence the results? does it send something to google?)

In the case of right now for me, using the default google search engine, with my region as mars, I am still getting google.com, not google.mars

• If we force it to en-US (and stop the update check), do all the non en-US users now get different search results to what they expect: do we make them stand out more? e.g. they search for "starbucks" and get starbucks.com instead of starbucks.fr as a suggestion?
• Does anyone else but the search provider know
• Is anything actually leaked (must be, right, if the search results are being changed by "region")
• Is this affecting user-added search engines?

I've always said we shouldn't mess with people's search engines, and users are free to add their own (and disable the default ones).

AFAIC .. connecting to the location services URL is not a privacy issue: but probably needs to be stopped for the real issue, which is: FF changing the region pref just because your location changed and was stable for two weeks (right? region.current need to be stable for two weeks), and would likewise take two weeks to flip back when you get home - I think this use case would be rare.

So the only relevant question here is what exactly is the privacy leak here?

Anyone know if dom.targetBlankNoOpener.enabled makes "Don't Touch My Tabs" extension redundant? Thanks.

we've never recommended Don't Touch My Tabs

I have ditched Don't Touch My Tabs in favor of dom.targetBlankNoOpener.enable.

Thanks @crssi I shall do the same. It's not that I do not like DTMT, seems to work fine, but one less extension is always a plus.

@Thorin-Oakenpants Sure, but I do not necessarily use everything you recommend and nothing else lol. I do avoid stuff you say to avoid however :-) I do appreciate everyone's work here though, very well organized nowadays, I can simply read the DIFF issues (and related Mozilla bugs) to keep-up every month (I do this manually, my user.js is organized differently then yours). And when I redid my user.js completely to move from FF52 to FF77, you guys had nice scripts that I used to identify deprecated things and different things etc. Took me days, but you all made it easier than before. Thanks.

Best Regards,

doc; https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html

Instead of forcing everyone into the "US" region, we could use "ZZ" which is what they use to mean "unknown".
That'd probably not be ideal for people in the US because it'd opt them out of certain things that mozilla rolls out based on region, fe currently formautofill. But IDK if anyone really cares about that.
I also don't know what kind of content they'd show on AS for the "unknown" region, etc. But again ... does anyone really care about that shit?
IMO it's kinda dumb to tie content and whatnot to an IP address anyways, because it'll constantly change for VPN users for example or people who travel a lot. Like, 1 day they'll get all their AS content in russian and then maybe spanish the next 2 weeks?! Sounds pretty awesome. :trollface:
Habla espaniol? No, but gracias, mucho appreciados. Vodka? Da! na zdrowie :)

dns_first_for_single_words = default false - SGTM. No need to add or change this IMO

so several days ago I looked at what TB does for ESR78 based (but I didn't look at non en-US build) and they had for defaults

• user_pref("browser.search.region", "US");
• user_pref("browser.region.update.enabled", false);
• user_pref("browser.region.network.url", "");

note: Still can't find browser.region.update.enabled in about config in FF. Is it hidden? When was it added
note 2: we should check some non en-US TB bundles (but I don't even think TB uses it: browser.search.region = en-US in the en-US build is because it's not hidden for en-US builds? IDK for sure: needs MOAR cowbell)

Now TB actually rip out or nip AS in the bud before it's even called, and they ship their own list of search engines, etc: so they're not really in the same boat as us. What I think we could do is something more like this

user_pref("browser.region.update.enabled", false);
  // user_pref("browser.search.region", "US");
  // user_pref("browser.region.network.url", ""); // defense in depth? do we even need this?

Most people wouldn't have been bouncing around getting new regions (2 weeks of a solid new region? edit: 2 solid weeks where the region !== home), and thus we lock em down to what they should be. We don't push en-US at them, as that might affect roll-outs: e.g. DoH, or their Pocket content for those who like that on AS, or AS users, etc

As for the threat of not being en-US "region" - I don't see one TBH.

Looks like they flipped browser.region.update.enabled to true for Firefox 80 on 17 July 2020. At least according to this commit with the message Enable region cachebusting on release r=mikedeboer. Relevant bug.