User.js: ToDo: diffs FF79-FF80

dom.security.https_only_mode_ever_enabled_pbm

# WARNING: Don't ever update that pref manually! It is only used
# for telemetry purposes and allows to reason about retention of
# the pref dom.security.https_only_mode_pbm from above.

source

moved to ignore

prefers-contrast = false -> safe to ignore IMO

unexpected_system_load_telemetry_enabled - should be covered by disabling telemetry but there's an unfixed regression causing a crash, so maybe we should disable this

browser.preferences.* - no need to add/change these IMO. Just waiting until it rides the train is fine

browser.tabs.documentchannel.parent-controlled - not ready yet and documentchannel stuff goes pretty deep so it's best not to mess with this. see https://bugzilla.mozilla.org/show_bug.cgi?id=1647557#c0:

This is the main thing needed for bug 1647550, but isn't fully correct until we can also use it for all load types (including history loads).

We need all loads to be controlled from the parent at the same time so that all requests are processed in the same place and in the right order.

moving to ignore

So we added browser.region.update.enabled in https://github.com/ghacksuserjs/ghacks-user.js/commit/6905187b3e14b1aea336ffcbfdf4e42126593527 ... the source was 1627555 which is FF79.. and if you look at D79272 the code is

#ifdef EARLY_BETA_OR_EARLIER
  pref("browser.region.update.enabled", true);
#endif

So, what exactly does that mean (I know it means beta, dev, nightly the value is true)? I'm asking if that means the pref can be still be used in stable 79? I know it was being used in beta/dev/nightly 79 .. (I'm not asking if it was functional, just asking if it can be overwritten by user.js)

So is the commit correct and it was new in 79, or is it new in 80?

soz for the rambling .. I've been at it hard AF for two days

browser.preferences.exposeHTTPSOnly .. that explains https://github.com/ghacksuserjs/ghacks-user.js/commit/58fb1db8380d641f43fa90308c36cd15fea0bb31

I was waiting for beta 81 to land to see if it was still there .. I had bookmarked this when I did that commit, to remind me .. I should have looked at the changes

We don't need to add browser.preferences.exposeHTTPSOnly - we have the 1244 pref(s), and they'll flip it when ready. And then it becomes dead wood, and we would remove it. So F that :)

1244 suggestions

• change the setting tag to [Nightly] or remove it and wait for FF to show it by default?
• add dom.security.https_only_mode_pbm pref
  
  
  
  • is this where if true it overrides dom.security.https_only_mode ?
  
  
  • in other words, what is the relationship between the two prefs?
  
  

prefers-contrast = false -> safe to ignore IMO

Yes, this is the one I mentioned last diffs. It's just a master switch. We don't want it to be different to default ever ... because it will alter your fingerprint

• e.g. when its default true and someone sets it to false, then they will return something whatever the web page code says such as "not supported" and everyone else will return "no-preference", "forced", "high" or "low"

When FF flip it on, RFP will take care of it. AFAIK there isn't any prefs to set the value for RFP Alts like we can for reduced-motion or color-scheme

browser.region.update.enabled - https://github.com/ghacksuserjs/ghacks-user.js/issues/978#issuecomment-665589158

re: 1244 suggestions - the SETTING line already has (FF81+). Assuming they'll flip exposeHTTPSOnly in FF81, I think that's fine.

Yes we can add https_only_mode_pbm. The one we already have, https_only_mode, enables HOM for both normal and private windows, whereas the new one enables it for private windows only.
If https_only_mode is true, https_only_mode_pbm is ignored

browser.region.update.enabled is set to true for FF80 as per this commit. Relevant bug.

security.xfocsp.errorReporting.* - https://bugzilla.mozilla.org/show_bug.cgi?id=1647825#c9:

The reporting is disabled by default. When users hit an XFO or a CSP error page, there is a checkbox UI to allow user opt-in the reporting. Once users check the checkbox, we will start to report. So, we will report every time users hit an XFO or CSP error page. And users can opt-out the reporting by unchecking the checkbox. After that, we will no longer report the error.

screenshot of the error page with the checkbox: https://bug1647825.bmoattachments.org/attachment.cgi?id=9162074

"The reporting is disabled by default" = security.xfocsp.errorReporting.automatic=false

Checking the checkbox flips the .automatic pref to true.
Setting security.xfocsp.errorReporting.enabled to false hides the checkbox.

Uses normal telemetry ping (which we disable) and "The client_id and environment are not sent with this ping."

So in our case the checkbox does nothing and we could include these 2 prefs to (1) make sure the reporting is disabled and (2) the checkbox is not visible. Or just move them to ignore

security.allow_disjointed_external_uri_loads - caused some regressions initially but they apparently think it's ready now after landing some fixes in FF80.

# Whether window A is allowed to navigate cross-origin window B (that is not
# a descendant frame of A) to a URI that loads externally.

source

"allow...=false" is what we want. move to ignore IMO

Assuming they'll flip exposeHTTPSOnly in FF81, I think that's fine.

I doubt it will land in FF81 .. it's not even going to be dev/beta 81 (99% sure, but I'll wait for dev/beta 81 to land to comfirm) - there are too many blockers IMO.

My thinking now is we just remove it and wait for the pref to get flipped (or removed) in stable and that's out reminder to add the [setting] tag

security.xfocsp.errorReporting.* ... So in our case the checkbox does nothing and we could include these 2 prefs to (1) make sure the reporting is disabled and (2) the checkbox is not visible. Or just move them to ignore

I'm 51/49 in favor of ignoring ... I typed out the discussion in my head and got nowhere: tl;dr you and I are fine, and we will always pick up if the automatic pref is flipped, and the less stuff in the user.js the better. That said, defence in depth is good, especially since URIs would be recorded and that data would be kept (I think: I'm not sure what happens when the pings fails - are you talking about browser.ping-centre.telemetry in 0506?)

The choice is yours @earthlng

I'm 51/49 in favor of ignoring

I agree. It's opt-in and the worst that could happen is someone willingly opting-in to help Mozilla identify and block malicious sites and ending up not sending anything because we have all telemetry disabled.
Even if it would send a ping somehow, "the client_id and environment are not sent with this ping." and thus the only potentially linkable/identifiable "id" would be the IP and IDK if they record/store that. But even if they do record and/or store that - it's opt-in!

source

https://developer.mozilla.org/en-US/docs/Mozilla/Firefox/Releases/80 unexciting (which is actually a feature)

LOL

what's left

• A; new: pref("dom.block_download_insecure", false);
• B: new: pref("dom.security.unexpected_system_load_telemetry_enabled", true);
• C: changed: pref("signon.backup.enabled", true); // prev: false
• D: changed: pref("signon.capture.inputChanges.enabled", false); // prev: true

C: ignore IMO: a local backed up passwords file is (probably) no more dangerous than having the original. I haven't read anything about it, so I don't know if it keeps multiple copies or how often or if it's triggered when you add/remove passwords. But it can't hurt for end users, except that if you removed the account details for secretplace.com, there could still be a record of it. We're getting a bit edge case here.

D: NFI : feel free to look up if it's harmless

A: this has some regressions. I wouldn't expect any of our users to get HTTP downloads on secure pages. We could either wait for it to get flipped, or add it now (because who knows if it will take 14 releases to get flipped like noopener)

B:E said : should be covered by disabling telemetry but there's an unfixed regression causing a crash, so maybe we should disable this

• IMO ignore it: if crashes were that bad, Moz would do a point release

tl;dr: B,C,D = ignore; A = ignore and make a note (new issue as reminder) to revisit in 3 or 4 releases

@earthlng and co, wot say you

D: commit - Bug. ¯\_(ツ)_/¯ but probably safe to ignore.

^^ Thanks. Sorry for my laziness .. I know the relevant bugzillas are listed by earthlng: and I see most bugs because every day or so I check out all landed bugs as I look for possible version feature detection items (edit: I don't read them all as I'm looking for feature detection: so I can ignore things like wasm, svg, etc which are things that can be disabled by a pref: but I do look at interesting things that might impact us)

D: Ahhh, yeah, we can ignore that

I wouldn't expect any of our users to get HTTP downloads on secure pages.

HTTP downloads are still common if mirrors are used because of big downloads.

This pref is on about:config but not in dxr. :rofl: LOL.

Here's a bit of a dig around

Depends on

• 1654780 drag and drop bypasses

Regressions

• open 1654139 silent failure to DL
• fixed 82: 1656296 = add indicator for blocked downloads
• open 1660969 ship panel/button to manually confirm/override block
• open 1660952 probable duplicate or may be windows only

Lots of others marked as duplicates

• pdfs not loading (if not viewed internally)
• other DLs nothing happens or insecure warnings

One of the comments in one of those tickets says telemetry indicates about 10% of downloads initiated from secure sites are insecure. So I guess they just need to get user notification and manual overrides working, and the we can flip it on