mass cleanup

[Thorin-Oakenpants]

"Death by a thousand cuts" or "How I learned to love the knife", by Pants. Over time, as the number of flipped prefs decreases, as Firefox and the web are able to transition to better defaults, we are ending up with a lot of old info, a lot of inactive prefs, a lot of old references, and even outdated descriptions. It is time to clean out the dead wood.

Clearly a downward trend in flipped prefs, and an upward trend in inactive : source 1, source 2

               TOT ACTIVE INACTIVE EFFECT
v60  MAY-2018  425   328      97    316
v66                                     <- 139kb / 2297 lines: peak
v68  JUL-2019  339   245      94    227 <- 109kb / 1776 lines: last major cleanup
v78  JUN-2020  330   229      99    214
v90  JUL-2021  322   207     115    188 <- 107kb / 1725 lines
v91                                     <- next major cleanup

---

at the time of writing (updated)

v90
- 106.9 KB
- 1725 lines
- end of section 4500: line 1497
- items with [WARNING]: 23

v91-alpha
- 92.1 KB
- 1502 lines
- end of section 5000: line 1267
- items with [WARNING]: 10

diff
- size: 14.8 KB (13.8%)
- lines: 223 (12.9%)
- end of section 5000: 230 lines less (15.4%)
- items with [WARNING]: 13 less (56%)

ALL HAIL PANTS

Every bit made more simple, or removed, means a leaner, cleaner user.js. Check my commits. Make sure I didn't screw something up (earthlng is away for a while focusing on saving the world from trumperism). If you disagree with something, sing out. Here's your chance

Make suggestions

• e.g. I could put all the permissions API items in a single group: since they all have the same settings/info/warnings
  • but I do like them next to their parent API pref
• e.g. I could make 0400 just SB, and move 0401 next to the other extension items in 2600s
  • but I don't think I will as they are different purposes
• what else can be removed
  • e.g. inactive for a long time, pointless to use
• some descriptions are very long-winded
• references
  • some are too old (or dead) wiki,mozilla is rife for that: pages there can often be abandoned, already removed one dead one
  • some don't really add anything
    • eg some bugzillas are only there to show the source: maybe add them in the description line as (number)

⭐ speak now or forever hold your penis peace ... I don't want anyone flipping out like the last time I did a major clean up - btw, that cleanup brought the user.js down from a high (I think) of 137 KB in v65 to 109 KB in v68

...

[rusty-snake]

• Do we still need it? Pants: There's a bunch of things that can be cleaned out when ESR78 reaches EOL: that's one of them

  • edit: actually we can remove it, it's not important: they get prompted to check the box anyway, and ESR users have probably already done so
    

    user.js/user.js

    Line 83 in dc63a75

    user_pref("general.warnOnAboutConfig", false); // XHTML version

• 404, possible alternatives: https://datatracker.ietf.org/doc/html/rfc7540#section-10.8 or https://httpwg.org/specs/rfc7540.html#rfc.section.10.8
  

  user.js/user.js

  Line 373 in dc63a75

  * [3] https://http2.github.io/http2-spec/#rfc.section.10.8

• NXDOMAIN for me

  • https://neverssl.com/ - c9bdceb
    

    user.js/user.js

    Line 705 in dc63a75

    * [TEST] http://neverssl.org/ [no upgrade]

• 404:
  

  user.js/user.js

  Line 1571 in dc63a75

  // [1] https://firefox-source-docs.mozilla.org/browser/base/sslerrorreport/preferences.html

• The use Tor Browser for TOR NOTE exists twice. Maybe this can be reduced to one?

  • will fixup when I move onion items to 7000s

[NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser

• Maybe just link to https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js or use https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Firefox+JIT for all JIT prefs.
  

  user.js/user.js

  Lines 984 to 987 in dc63a75

  	* [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
  	* [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
  	* [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
  	* [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400

[Thorin-Oakenpants]

One other option, after more tidying up and possible removals, is to take some inactive items left, that make no sense, and move them all to a new section towards the end, like 7000: DON'T BOTHER, this would then make the relevant info shorter

edit: ⭐ 🎉 fukYeah .. yet another genius Pants visionary moment 🚀 👀 ALL HAIL PANTS 😈 🛐

---

Edit: Actually, I'm leaning towards a different structural approach, rather than split things up by what they do, first group them by the threat/impact: not that I am saying to use these names, but items like no-brainer (zero-breakage), troubleshoot, here-be-dragons, optional-hardening (e.g. disk-avoidance-eyeballs), pointless (fyi) - but maybe that can wait for v94, and needs a good think/discussion, so yeah: not this round but something to think about

[Thorin-Oakenpants]

Maybe just link to https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js

I like that, all four of them summarize that they affected Firefox, and in fact it adds CVE-2014-1488 for good measure

FYI, adding the #hash tags to the top two for reference

 * [2] https://www.mozilla.org/security/advisories/mfsa2015-29/#CVE-2015-0817 - yes: in new super-link
 * [3] https://www.mozilla.org/security/advisories/mfsa2015-50/#CVE-2015-2712 - yes
 * [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 - yes

 * [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375 <-- JIT - is in JIT super-link

[Thorin-Oakenpants]

example: and we could create a permissions subsection to de-dupe info: benefits

• would remove a lot of [WARNING] tags and instead replace them with [WHY]
• makes the main part read and used by users a lot shorter
• we get to rescue a parrot 🎉 fuckyeah

/*** [SECTION 7000] DON'T BOTHER ***/
user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
/* 7001: disable Location-Aware Browsing
 * [WHY] The API state is fingerprintable. Permission is already behind a prompt (7002)
 * [1] https://www.mozilla.org/firefox/geolocation/ ***/
   // user_pref("geo.enabled", false);
/* 7002: set a default permission for Location (7001) [FF58+]
 * 0=always ask (default), 1=allow, 2=block
 * [WHY] Fingerprintable via Permissions API. Just use site exceptions for annoying sites you frequent
 * [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/
   // user_pref("permissions.default.geo", 2);

[Thorin-Oakenpants]

cool, that last commit, along with previous cleaning up, now means the user has 176 less lines to scroll/read/parse (compared to v90) to get to the end of the personal section. Great usability improvement. Can't wait to smash that more with section 7000

[Onfroygmx]

Hello,

First thanks for the cleanup, sometimes it is needed.

As for my 2 cents:

• Set active prefs at the beginning of each section (not a mix up of active, inactive prefs and comments)

• Remove completely inactive sections and refer to them in the wiki instead:
  Ex:

  • CIPHERS
  • DON'T BOTHERS

• Add a section just for performance tweaks at startup/shutdown (in contradiction with below)

• Put all UI, personal settings at the end, if referenced at all (they are personal not security related)

The file is still 1500 lines long and unless you want to know why you use it, most of the users will just copy it. Just easier maintenance for the future.

Onf

[Thorin-Oakenpants]

Thanks @Onfroygmx

• I don't want to rearrange based on active vs inactive as that is not a guaranteed state
  • it can also mess up relevant items that are related: e.g. item 1234 says see 1235
  • some items have prefs at both states
  • The key is to remove items to make them sections shorter and relevant: either
    • remove "dead" items
    • move "dead items" to other sections that most people won't need/use/read
• I do not want a wiki page: all info should be in the user.js itself so it is self-contained
  • the don't bother is because of previous recommendations (either here or from advice in general on the internet) and FAQ about them
  • that will include the ciphers
• the personal section is still usable: we provide it for that reason: it should come before the "dead" sections
  • edit: actually, I've decided to move personal back to the end
• I am still toying with the idea of creating sections for
  • enforced defaults
  • optional opsec

But yes, ultimately, one day, all the don't bothers are just dead weight: so are the enforced defaults: in fact we could make all the enforced defaults into inactive don't bothers and just slap a WHY on them (except there is a benefit in active for new users)

There is still at least another 12 items and 80+ lines I am targeting for don't bother or removal. And there is yet more that can be done to simply/reduce the reading bits. Then I can tidy/renumber sections: some of them are starting to get quite compact. I just need to play it by ear .. prototype as I go

[username-is-not]

[NOTE] Firefox cannot access .onion sites by default: it is strongly recommended you just use Tor Browser

Not trying to spam, just... Why print: "strongly".

Can do without, right, "it is recommended to just use Tor Browser". Without the "you", as well: not trying to issue orders, yeah?

Cool, thanks for your time!! :))

[Thorin-Oakenpants]

because words matter :) And I have shares in Tor Browser :) But honestly, sometimes it's just organic: probably at the time when they were added or tweaked, I'd probably been reading about people using FF with Tor

But sure, a lot of descriptions can be trimmed of excessive wording .. indeed whole sentences. As for the onion prefs, they are already changed

user.js/user.js

Lines 1321 to 1324 in 778421c

	/* 7006: onions
	* [WHY] Firefox doesn't support hidden services. Use Tor Browser ***/
	// user_pref("dom.securecontext.whitelist_onions", true); // 1382359
	// user_pref("network.http.referer.hideOnionSource", true); // 1305144