ToDo: diffs FF93-FF94 #1270
some bugzilla tickets
|
Did anyone, ANYONE, tell them¹ that there's a ten-year-old W3C standard for that? https://www.w3.org/TR/tracking-dnt/ 🤦 Two headers for the same thing. One passive FP vector more. ¹authors of CCPA and CPRA |
and active - you can query it via JS.

However, it should have no impact on fingerprinting for most people. Just don't do anything and you will be the same as almost everyone else on Firefox .... it's completely independent of everything else (for now).

But then I fully expect them to tie it to ETP strict mode and PB windows and it'll be the shit-show that DNT.

DNT and this should have an RFP protection - DNT was too hard to do and a political fucktoy - everyone hated it and no-one wanted to touch it. They should deprecate DNT, and if/when GPC is controlled via other settings (ETP/PB windows) then when that happens they need to wrap RFP into it |
Firefox 94.0, See All New Features, Updates and Fixes
But site isolation doesn't seem to be enabled. Introducing Firefox’s new Site Isolation Security Architecture
This pref is set to 'false' by default. Now that Firefox has introduced site isolation, should it be enabled in the user.js, or should we wait till Firefox enables it? |
1732358 assuming everything goes smoothly ... FF96 landing 2022-Jan-11 |
Thanks! That explains it. (Mozilla could have been more clear on that in the release notes) |
Just something to add on the Do Not Track and Global Privacy Control discussion... DNT
I think the Do Not Track header is on a dead end. Global Privacy Control looks like a successor, but it's Californian law and therefore limited to California. In the EU you have the GDPR which states that you cannot track users, collect and process personal data without consent, that's why people in the EU have those cookie policy warnings. The EU privacy watchdog wants a complete ban on targeted advertising. Euro privacy watchdog calls for end of targeted advertising plus a squeeze on the processing of personal info. But as with GPC this is limited to the EU. And many of us already use ad-blockers which do a lot of 'do not track'. :) |
Does anyone know if, with "Site Isolation", the Temporary Containers add-on will not be needed anymore? |
TL;DR: No "Site Isolation" (aka. fission) and (d)FPI/TC are two different kinds of isolation.
|
current draft patch - #1275
https://hg.mozilla.org/mozilla-central/rev/1bb499672d52
What if RFP was enabled at level 2, but TP was at 1 - WTF happens?
I might see if I can get @jfkthame to clarify Edit: OK, I need to add that PB windows choose the lowest value depending if they're applicable |
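Paste the function below in your console and then call it like

```js
// Effective font visibility level for a window.
// rfp, pbm, tp, tp_pbm: booleans (RFP on, private window, TP on, TP on in PB windows).
// private_, standard, trackingprotection, resistFingerprinting: the configured levels.
function font_visibility(rfp, pbm, tp, tp_pbm, private_, standard, trackingprotection, resistFingerprinting) {
  const BASE = 1;
  const USER = 3;
  var level = 0;
  // RFP takes precedence over TP, which takes precedence over standard.
  if (rfp === true) {
    level = resistFingerprinting;
  } else if (tp === true || (pbm === true && tp_pbm === true)) {
    level = trackingprotection;
  } else {
    level = standard;
  }
  // In a private window the level is capped at the private level.
  if (pbm === true) {
    level = Math.max(Math.min(level, private_), BASE);
  }
  // Keep the result within BASE..USER.
  level = Math.max(Math.min(level, USER), BASE);
  return level;
}
```

Python version:

```python
def font_visibility(
    rfp, pbm, tp, tp_pbm,
    private, standard, trackingprotection, resistFingerprinting
):
    """Effective font visibility level; same logic as the JS function above."""
    BASE = 1
    USER = 3
    # RFP takes precedence over TP, which takes precedence over standard.
    if rfp is True:
        level = resistFingerprinting
    elif tp is True or (pbm is True and tp_pbm is True):
        level = trackingprotection
    else:
        level = standard
    # In a private window the level is capped at the private level.
    if pbm is True:
        level = max(min(level, private), BASE)
    # Keep the result within BASE..USER.
    level = max(min(level, USER), BASE)
    return level
```

|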
Yeah, I get that.

Ignoring PB windows: there is RFP, or TP, or standard (TP being the component you see in custom which has an option for all windows or just PB windows). That is all crystal clear. RFP overrides TP, which overrides standard.

But in a PB window it takes the lowest of the above one value, or private. This means that if RFP is higher than private, then RFP is altered. RFP should not be overridden IMO, as it alters the FP. Now it's going to be very unlikely that someone does that, but I'd rather the code didn't allow it.

edit: see

```js
console.log( font_vis(true, true, true, true, 1, 1, 1, 2 ) ) // rfp on in a pb window = 1
console.log( font_vis(true, false, true, true, 1, 1, 1, 2 ) ) // rfp on in a normal window = 2
```

end edit

Anyway, do you want to type up how that all works in a sentence? |
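
The private-window cap discussed above, checked exhaustively over every level and TP combination with RFP on. This is an added example, not code from the thread or from Firefox: `threadLogic` restates the posted function, `rfpNotCapped` is a hypothetical variant showing the behaviour the comment asks for, and `rfpWindowMismatches` and the `lv` object are names assumed here.

```javascript
// Added example (not from the thread or from Firefox). Levels: 1 = BASE, 3 = USER.
const BASE = 1, USER = 3;
const clamp = (v) => Math.max(Math.min(v, USER), BASE);

// Same decision logic as the font_visibility() function posted in the thread.
function threadLogic(rfp, pbm, tp, tpPbm, lv) {
  let level;
  if (rfp) level = lv.resistFingerprinting;
  else if (tp || (pbm && tpPbm)) level = lv.trackingprotection;
  else level = lv.standard;
  if (pbm) level = Math.max(Math.min(level, lv.private), BASE);
  return clamp(level);
}

// Hypothetical variant: the private-window cap is skipped when RFP is on.
function rfpNotCapped(rfp, pbm, tp, tpPbm, lv) {
  if (rfp) return clamp(lv.resistFingerprinting);
  return threadLogic(rfp, pbm, tp, tpPbm, lv);
}

// With RFP on, enumerate every level combination and TP state and collect the
// (private, resistFingerprinting) pairs where a PB window and a normal window
// end up with different effective levels, i.e. a different font fingerprint.
function rfpWindowMismatches(visibility) {
  const levels = [1, 2, 3], bools = [false, true], found = new Map();
  for (const priv of levels) for (const rfpLv of levels)
    for (const std of levels) for (const tpLv of levels)
      for (const tp of bools) for (const tpPbm of bools) {
        const lv = { private: priv, standard: std,
                     trackingprotection: tpLv, resistFingerprinting: rfpLv };
        const normal = visibility(true, false, tp, tpPbm, lv);
        const pb = visibility(true, true, tp, tpPbm, lv);
        if (normal !== pb) {
          found.set(`${priv}/${rfpLv}`, { private: priv, rfp: rfpLv, normal, pb });
        }
      }
  return [...found.values()];
}

console.log(rfpWindowMismatches(threadLogic));   // pairs where private < RFP level
console.log(rfpWindowMismatches(rfpNotCapped));  // empty: windows always agree
```
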
@rusty-snake, do you want to add: https://bugzilla.mozilla.org/show_bug.cgi?id=1714182

```js
/* 0700s: disable falling back from DoH to native in cases of request failure ***/
   // user_pref("network.trr.strict_native_fallback", true);
```

|
If you do not want a leak via native DNS, you should use |
FYI:
others:
|
|
^ thanks, not enough of what I was after, but a start, also XP is not supported anyway :) There are also changes to the warnings since 94
what does it do? - support multi-page logins
We disable auto-filling of signon fields (0903), but that's not the concern here, as it would still trigger when you enter the field - which has always been the case
Anyway, I guess this is stable enough for release now. And I don't see any privacy issues here not already mitigated |
|
pref("network.disable-localhost-when-offline", false); I tried this, and TBH IDK what they mean by
|
This offline mode
|
Yes, I tried that, it didn't stop localhost loading - quote "went to menu and chose offline" |
WFM
|
OK, IDK what the fuck I did, but WFM too - could have sworn I did a restart (and I sanitize on close) - must have been cached (I always use a new tab, so refreshing is not a thing for me - instead did a quick ctrl-shift-del) |
played around with the other closing prefs:
|
but wait... we use FPI Line 958 in 6b351a9
but wait... we'll be moving to dFPI very soon looking at For now, I have added it to the tasks in #1051 and we can revisit it in FF96+ |
quit warnings
OK, so I'm thinking this should be as simple as just adding it and letting users work it all out themselves. My use case
Anyway, I think we should just ignore this rabbit hole labyrinth of old vs new behavior, different OS defaults, changed OS defaults, call it a day, and resort to some nude drinking |
IDK about the menu contexts, but in an app close the warn on other tabs seems about as useful as tits on a bull - see comments from moz devs in previous post. I did some tests (closing app via close button) FF78, Nightly96
I couldn't even get a warning for closing the app with a single tab (I do not close on lasttab - this is probably tied into it). In the above, clearly IDFC anymore :) |
FF94 is scheduled for release Nov. 2nd
FF94 release notes [when ready]
FF94 for developers
FF94 security advisories
122 diffs ( 45 new, 65 gone, 12 different )
1402 pref replacement - 1715507 - e2e7f9c
removed, renamed or hidden in v94.0:
1402 pref("layout.css.font-visibility.level", 3); - 1715507 - e2e7f9c
changed in v94.0:
4510 pref("browser.display.use_system_colors", true); // prev: false 1593273 - bd59131 + 17beb46
9000 pref("browser.tabs.warnOnClose", false); // prev: true 1724977 - 1515897
7010 pref("network.http.altsvc.oe", false); // prev: true 1730935 - 1515897
ignore
click me for details
==NEW
==REMOVED or HIDDEN
==CHANGED