new wiki #1354

Closed
19 tasks done
Thorin-Oakenpants opened this issue Jan 30, 2022 · 50 comments

Comments

@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Jan 30, 2022

Actionable

  • 1.1: explain "state"
    • additional link to a list of types of state
  • 2.2: explain why (or drop) prefs.js is insufficient and a stupid idea
  • 3.1, 3.4: don't refer to "starting with Arkenfox v97"
  • 3.2: "Cookies" options
    • use settings, not options
    • use hamburger menu symbol
    • show the two methods are either/or
  • 3.2: be consistent with 'override this/these': either do say it for all or say it for none
  • 3.3: add pic/example of RFP canvas
  • 3.5: add warning not to delete prefs.js
  • ALL: excluding bullet points: sentences should end with a period
  • ALL: add anchors so it's easy to link to various bits
    • bold non-anchors subheaders to match style
  • 4.1: Cookie Extensions API link is now a dead bugzilla (marked invalid)
    • misread that from one of the last comments. It was resolved in FF94
    • the point remains that APIs may be lacking to properly sanitize (which is what a previous iteration of the wiki said)
  • 4.1: add pic for uBO add custom filter
  • 4.1: add pic/info on Smart Referer whitelist
  • 4.1: rework FPing extensions into a single don't bother entry
  • 5.1: update prefs in windows updater merge example
    • just dom.netinfo.enabled to go: am tracking this elsewhere
  • 5.2: troubleshooting: DONE
  • Appendix A: cleanup
  • Appendix B: split FP test sites into a new wiki page
  • Appendix B: add foreword = FPing tests that give entropy (or advice) are BS etc
    • I am tracking this elsewhere
  • Appendix C: cleanup

it's not complete

But for everything up to the 5's - comments welcome

  • is there anything that is missing
  • is there anything that is not clear enough
  • is there anything that can be removed
  • should I add anchors to subtitles
  • any fucked up links
  • anything else

Speak now or forever hold your penis

@ghost

ghost commented Jan 30, 2022

I think you can fix this :

is there anything that is not clear enough

❗️Cookie extensions lack APIs to work with Total Cookie Protection which will be the default

@ghost

ghost commented Jan 30, 2022

In Extensions, instead of using the Smart Referer extension why not set network.http.referer.XOriginPolicy and network.http.referer.XOriginTrimmingPolicy to a value of 2. This controls the amount of data sent to a reduced level.

or

This spoofs referer header network.http.referer.spoofSource = true

The first one give better privacy while the second does too but might break sites.
Why not use these in the Prefs of AF ?

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Jan 30, 2022

REPEAT: But for everything UP TO the 5's - comments welcome

OT:

  • network.http.referer.spoofSource - see 6002
  • network.http.referer.XOriginPolicy & network.http.referer.XOriginTrimmingPolicy are already at 2 - read the user.js - the extension is recommended as an alt if XOriginPolicy is too strict

OT: added to OP

  • Cookie Extensions API link is marked invalid

@Dupond

Dupond commented Jan 30, 2022

Hello,

English is not my first language, but I thought you might be interested nonetheless in my opinion, since I assume many Arkenfox users are like me: I must say I haven't had any major issue in understanding the new wiki. Thank you for the time spent in writing this, I've found it very useful; the experience of reading it has been mostly nice ;) However, I've tried to write down what was not 100% clear for me while I was reading it so that I can tell you, so here it is:

  • Section 1.1: "Most of the above deals with state and other linkability mechanisms" -> I can't understand if "state" is a thing I don't know or if the sentence should be understood as "state mechanisms and other linkability mechanisms"; I'd suggest to quote the MDN doc and write "Most of the above deals with state (i.e., data stored in the browser) and other linkability mechanisms"
  • Section 2.2: "Just backing up prefs.js file is not enough, and not recommended by this wiki": would it be possible to say a word about the why? I mean why doesn't the wiki recommend it? I think it'd be more convincing
  • Section 3.1: instead of "Arkenfox flips 140+ prefs", I'd write "Arkenfox flips several dozens of prefs" and don't bother about that number changing in the future... Also, since Firefox v97 is only a few weeks away, I think the future can be replaced by the present in the footnote: "Starting with v97, arkenfox changes to the live master happen once per release: all changes are done in a separate branch and only merged when finished."
  • Section 3.2: same as above; I'd replace "These few items, out of 140+ pref changes" by "These few items, out of dozens of pref changes"; for the "Cookies" options, I think it's not clear (for someone new to Arkenfox reading the wiki) that what's under "There is no need to change any prefs - just add site exceptions" are DIFFERENT ways of adding exceptions and that you should use only one of them; I think you should add an "or" -> "OR Options > Privacy & Security etc."; also, I think 1223 should be: "If you have issues with antivirus, override this" (like 0801 and 4520); at the end of the page, " search for [SETUP" should be " search for [SETUP]"
  • Section 3.3: I think you should add a link for the words "threat model" as you did in the README: "if your threat model fits" since someone reading the wiki for the first time probably doesn't know what a "threat model" is
  • Section 3.4: the "Maintain" part is the same as the section 3.1 I mentioned above; maybe the 3.1 footnote should be a simple link to this part of the page? In any case, I'd also remove the future here; sorry, not sure what a "peacock" is, but I think a summary would still be nice, at least to say how often you should update? Or maybe just: "Summary: you should update and maintain your config regularly, here's how to do it."
  • Section 4.1: for "uBlock Origin", you recommend to "Import Actually Legitimate URL Shortener Tool" AND to "enable AdGuard URL Tracking Protection"; I'd flip those two (first enable, then import) and would say a word to explain why they are not redundant and we should still import "Legitimate URL Shortener" list

Also, on many pages (notably the 2.2 section, but all the following ones too) dots are missing at the end of the sentences, and it was quite disturbing for me sometimes. I'd be glad to help adding them, but I assume I've no rights to edit the wiki (which I 200% understand, of course).

I hope I've been understandable and it will help a little bit. Thanx a lot for all your work!

@Thorin-Oakenpants
Contributor Author

Added to OP

2.2: prefs.js
3.1, 3.4: starting with v97 updates
3.2 "Cookies" options

--

1.1

"state" is hyperlinked to here where the very first sentence says "State Partitioning is a broad effort to rework how Firefox manages client-side state (i.e., data stored in the browser)" - I see no point in retyping what I link to

3.1, 3.2: out of 140+ pref change

there is a lot of misinformation going around that AF breaks EVERYTHING and requires LOTS of reading and LOTS of changes - I want to impart that this is BS. I'm not worried about the count not being exact. Considering that it used to be about 15 things that broke shit in 250 prefs, it has always been a load of BS

3.2 I think 1223 should be: "If you have issues with antivirus, override this" (like 0801 and 4520)

I'm trying to cut down on words and I shouldn't need to say "override this/these" for every item, it starts to look redundant and silly: either I do it for all, or none: trouble is I kinda need to do it for some. I need to drink on this one

3.2 search for [SETUP" should be " search for [SETUP]"

it needs to be what I have it as, because tags are e.g. [SETUP-WEB] or [SETUP-CHROME]

3.3 threat model

https://2019.www.torproject.org/about/torusers.html is the link used in the very first wiki to mention "everyday browsing" and I'd rather not re-use it. I use that sentence about using tor browser three times (I think: i have too many tabs/windows open I don't want to lose track right now), and I don't know if I want to link to something else three times, let alone about threat modeling - I don't see this is as my problem, and it's a big topic - i'd rather not link anything

sorry, not sure what a "peacock" is

it's a synonym :)

also

I hate dots, i like minimalism, sorry it triggered you :)

@Thorin-Oakenpants
Contributor Author

2.2: prefs.js

It actually says it right there .... "Just backing up prefs.js file is not enough ..." (emphasis mine). I really want to keep things clean and simple. IDK what part of "NOT ENOUGH" doesn't explain that it isn't a full backup. especially when it mentions later that a profile contains all the other stuff like cookies and other settings/changes

@Dupond

Dupond commented Jan 30, 2022

OK, that was just my reading experience, which seems to have been mostly irrelevant. I think I have completely wasted my time. Sorry for that.

Edit: nevertheless, I'd like to add a final word; I think the wiki is worth reading; it's clear, precise, and gives you some links to learn more. However, in my experience, reading the wiki is sometimes not enough; you can still stay with some questions; those questions are sometimes answered in the wiki, but you (especially as a beginner or simply as a non-professional user) may not have understood that it's the case. This is even more true when English is not your native language: sometimes, re-reading the same page 3 or 4 times isn't enough for you to understand, and you'd need to ask a question that others would consider being dumb. What I simply want to say is: OK, the wiki is rewritten; but I think a space where someone could ask questions that are not issues would be useful in addition to the wiki. A few issues have been marked as "invalid" recently, and I think they would have been better asked somewhere else. It could be a sticky post in the Github repo (don't know if it's feasible) where people could comment and ask for anything related to arkenfox; or something like a subreddit, etc. I'm always afraid of asking something that you'd find really dumb when I post here; and I think you shouldn't have to deal with all those questions, especially since sometimes they're more related to privacy in general (for example: why is dFPi better than FPI for me? etc.) than to arkenfox itself. And I also think that such a space where you could more freely ask your questions would help a lot of people to adopt arkenfox.

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Jan 30, 2022

which seems to have been mostly irrelevant.

not true. I've made changes based on your observations, and am still mulling others

edit: look at the first post above and count the six actionable items already done: every single new wiki page got edits

@remyabel2

In section 4.1 Extensions I would mention the issue I pointed out a few days ago as a caveat:

#1326 (comment)

@GlassGruber

GlassGruber commented Jan 31, 2022

Thank you for the new wiki content!
Would it be worth a comment in section 1.1 about VPNs?
In particular how much is AF hardening sensed for users without a VPN?

In regard to Dupond's note about where questions can be asked, what do you think of Github Discussions? Else what about linking to other communities or reddits in the wiki?
Just pointing out, not recommending. I can say though that Discussions is a nice tool in my experience.

@Marc05

Marc05 commented Jan 31, 2022

In section 4.1, it's not clear why Temporary Containers is marked as "DON'T BOTHER". Would you please expand on that? I tried looking for relevant info on this through closed issues, but it seems it's mostly all outdated now.

I'm trying to decide on whether continuing to use Temporary Containers+Containerise+CAD is worth it or not. The goal being e.g. stay logged in to Google on a gmail/youtube container, and clear out those cookies in all other containers. This begs the question: if adding an exception for Google to stay logged in on session restore means that the cookies are available when visiting any site (no containers), does that actually matter given we now have Total Cookie Protection and SmartBlock?

I realize you did not want comments on this section, but I'm thinking clarification on this would help others in the future as well. I appreciate your thoughts on this.

@Thorin-Oakenpants
Contributor Author

what's not to understand. TC partitions stuff - it WAS redundant with FPI, and it is STILL redundant with dFPI + network partitioning - how is this not painfully clear?

on the issue of sanitizing in session (or using a new temp container for each visit) - this is NOT proper OpSec and does not mitigate linkability - see IP, see Tor Browser - how is this not painfully clear?

@rusty-snake
Contributor

👍 for Github Discussions


TC partitions stuff

It does more

  1. You can use it to clear cookies with exceptions if you do not like lifetime=2.
  2. It automatically mitigates some kinds of Phishing attacks
  3. It can help to workaround website bugs (just open a new container instead of manually deleting cookies)
  4. You can use it to set cookies (if you need)
  5. You can use delete history containers
  6. You get side effects like window.opener=null

@crssi

crssi commented Jan 31, 2022

Sorry for the blunt question, but what exactly does network partitioning mean/do, and what does it mean when ETP is set to Standard instead of Strict?

@rusty-snake
Contributor

rusty-snake commented Jan 31, 2022

  • privacy.partition.network_state=true partitions/isolates HSTS, HTTP-Cache, ...
  • dFPI partitions/isolates cookies, localStorage, ...

https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning

@Thorin-Oakenpants
Contributor Author

TC partitions stuff

It does more

1. You can use it to clear cookies with exceptions if you do not like lifetime=2.
2. It automatically mitigates some kinds of Phishing attacks
3. It can help to workaround website bugs (just open a new container instead of manually deleting cookies)
4. You can use it to set cookies (if you need)
5. You can use delete history containers
6. You get side effects like window.opener=null

You're missing the point and asking the wrong questions

  1. clearing cookies in-session can also be done with cookie extensions. clearing cookies can also be done without the lifetime pref. the lifetime pref is going to be deprecated, clearing cookies can be avoided with a container (feel free to use the built in ones, or MAC), clearing cookies can be avoided with a PB mode window, clearing cookies can be done with "Forget about this site" or using the urlbar permissions icon
  2. and a normal container doesn't?
  3. you can do this without TC and already listed in point 1
  4. and why is this important
  5. history is scoped per tab and per eTLD+1 and does not leak - what are you talking about
  6. and a normal container doesn't?

Special use and edge cases are not a reason to promote yet another extension that adds virtually nothing - listing edge case arguments like testing or other benefits of Origin Attribute keying which already exist in existing partitioning (such as gwarser does, testing that is, not making up arguments)

Answer me this: 99% of users ... WHAT are you trying to achieve and WHAT is so important that you need to clear cookies and site data in a session

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Jan 31, 2022

I'm not going to have github discussions - already said no once, recently - that's just shoveling the noise into a different bucket.

And I will mark things as invalid if users keep refusing to read the wiki or at least don't try to help themselves. How many times do we need to reply that it is referers, or it is RFP, or explain that keyword is the pref that stops auto searching from the urlbar, or people asking where to put the user.js file FFS, or wondering why something they changed in about:config is reset when they restart FFS, or asking for help with issues where they have added 50 other pref changes from dubious sources FFS, or failing to check if it was an extension causing it ... or failing to understand how the syntax and commenting in a user.js works, or explaining for the tenth time how to add cookies as site exceptions

jesus f h christ - these people shouldn't be here if they can't follow basic instructions ... and yet it seems as if the consensus is to add more SHIT for users to misunderstand

If users can't/don't read the wiki, then that's not my problem. And it's not my problem if English is not their native language. I spent a LOT of time re-writing so it was better laid out, visually cleaner, smaller + broken up better, and it should be much simpler to understand - in order to help reduce the noise and confusion - and yet it's still not good enough?

All that work and a single thumbs up (and an extra rocket)

End of story - I don't want the noise

@rusty-snake
Contributor

  1. Yes but it is easier with TC
  2. normal containers don't

99% of users

Yes, most users don't need it

but edge cases and my workflow ...

Even if deleting cookies between short visits achieves nothing (probably not for all sites), there are reasons to use it. There's nothing wrong with using it. Using it does no harm (except for more code). It's just not as important as uB or ETP/dFPI+network partitioning stuff.

clear cookies and site data in a session

Depends what a session is but I've often been running my fox for more than 2 weeks without restarting. And then I restart with session restore (but FF sometimes fucks up and forgets everything) so deleting cookies/site-data (Ctrl-Shift-Del) happens 1 or 2 times per month.

@Thorin-Oakenpants
Contributor Author

“It seemed to me,' said Thorin the Sane, 'that any civilization that had so far lost its head as to need to include a set of detailed instructions for how to read, was no longer a civilization in which I could live and stay sane.” - Douglas Adams, So Long, and Thanks for All the Fish

@Thorin-Oakenpants
Contributor Author

but it is easier with TC

Still missing the point ... Special use and edge cases are ... even if they're automated and slightly easier, they are still edge cases

@crssi

crssi commented Jan 31, 2022

For non-technical users ETP set to strict is too strict and for user experience the standard is more "comforting".
I felt like you didn't want to talk about it and I held back, but would you be so kind to explain in not too technical terms, what does someone lose if standard is set for ETP instead of strict?

❤️

@Thorin-Oakenpants
Contributor Author

For non technical users ETP set to strict is too strict and for user experience the standard is more "comforting".

"comforting" is not measurable. You may have an example website, IDK (your experience is only anecdata and you fail to provide any), but I also doubt it's that widespread - this is the default for PB mode - by design they only add things when breakage is minimal? And you can set a site exception. So I disagree with your premise as worded. Granted, there are differences: e.g. TP is additional

Look we came from FPI with no exceptions and all third party cookies + site data blocked And that wasn't too strict? Now we're using dFPI which is less strict (all third party) and more compatible with shims and heuristics, and it's somehow still strict? Maybe arkenfox isn't for you (or your olds)

OK, you're not trying to compare it to FPI. Is this for your olds? Read the wiki - https://github.com/arkenfox/user.js/wiki/1.1-to-arkenfox-or-not - if your mom can't handle it, then don't use it

As for the differences, until they roll out dFPI for everyone, then on Standard you will not have dFPI .. which is the WHOLE POINT. Once dFPI is part of ETP Standard, the differences will be what the code says: I am not interested, this is the same BS about custom ETP - but for starters Tracking Protection is not part of standard - it's probably these three things with more to come, such as font protections etc

   // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
   // user_pref("privacy.partition.network_state.ocsp_cache", true);
   // user_pref("privacy.trackingprotection.enabled", true);

You can check by setting to standard and checking the value
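As an added example (not arkenfox code, and not the wiki's), here is a small Node.js script that parses a user.js in the syntax this thread keeps coming back to (user_pref lines, // and /* */ comments, commented-out prefs) and then reports which of the prefs named in the thread are set as the comments say, which are set to something else, and which are absent, i.e. still at whatever Firefox's own default is. The sample user.js is constructed for the example; the expected values in THREAD_PREFS are simply the ones the comments above attribute to them (the two referer prefs already at 2 in the user.js, and the three prefs listed in this comment as the ones ETP Strict flips), and the script does not itself check what Firefox actually sets in Standard or Strict. The function names parseUserJs, checkPrefs and report are my own.

```javascript
// Added example, not arkenfox code: parse a user.js and check the prefs
// discussed in this thread against the values the comments attribute to them.

// Constructed sample input in arkenfox user.js syntax (not the real file).
const SAMPLE_USER_JS = `
/* 1600: REFERERS */
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
// user_pref("network.http.referer.spoofSource", true); // inactive: commented out
/* prefs this thread attributes to ETP Strict */
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.partition.network_state.ocsp_cache", false); // deliberately "wrong"
user_pref("browser.contentblocking.category", "strict"); /* trailing comment */
user_pref("dom.netinfo.enabled", false);
`;

// Values the thread's comments attribute to these prefs (assumption: taken from
// the replies above, not verified against Firefox here).
const THREAD_PREFS = {
  "network.http.referer.XOriginPolicy": 2,
  "network.http.referer.XOriginTrimmingPolicy": 2,
  "network.http.referer.disallowCrossSiteRelaxingDefault": true,
  "privacy.partition.network_state.ocsp_cache": true,
  "privacy.trackingprotection.enabled": true,
};

// Remove // and /* */ comments without touching "//" inside string literals.
function stripComments(text) {
  let out = "";
  let i = 0;
  while (i < text.length) {
    const c = text[i], n = text[i + 1];
    if (c === '"') {                       // copy a string literal verbatim
      let j = i + 1;
      while (j < text.length && text[j] !== '"') {
        if (text[j] === "\\") j++;         // skip the escaped character
        j++;
      }
      out += text.slice(i, j + 1);
      i = j + 1;
    } else if (c === "/" && n === "/") {   // line comment: drop to end of line
      while (i < text.length && text[i] !== "\n") i++;
    } else if (c === "/" && n === "*") {   // block comment: drop to closing */
      const end = text.indexOf("*/", i + 2);
      i = end === -1 ? text.length : end + 2;
    } else {
      out += c;
      i++;
    }
  }
  return out;
}

// user_pref("name", true|false|int|"string");
const PREF_RE = /user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/g;

// Returns a Map of pref name -> typed value; a later line overrides an earlier one,
// which is how Firefox applies a user.js as well.
function parseUserJs(text) {
  const prefs = new Map();
  for (const m of stripComments(text).matchAll(PREF_RE)) {
    const name = m[1].replace(/\\(.)/g, "$1");
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (raw.startsWith('"')) value = raw.slice(1, -1).replace(/\\(.)/g, "$1");
    else value = Number(raw);
    prefs.set(name, value);
  }
  return prefs;
}

// Sort the expected prefs into three buckets: set as expected, set to another
// value, or absent from the user.js (so Firefox's default applies).
function checkPrefs(prefs, expected) {
  const result = { ok: [], wrong: [], missing: [] };
  for (const [name, want] of Object.entries(expected)) {
    if (!prefs.has(name)) result.missing.push(name);
    else if (prefs.get(name) === want) result.ok.push(name);
    else result.wrong.push({ name, expected: want, actual: prefs.get(name) });
  }
  return result;
}

function report(text = SAMPLE_USER_JS) {
  return checkPrefs(parseUserJs(text), THREAD_PREFS);
}

const r = report();
console.log("set as the thread describes:", r.ok);
console.log("set to a different value:", r.wrong);
console.log("not in user.js (Firefox default applies):", r.missing);
```

Run it with `node check-prefs.js`; to check a real user.js instead of the constructed sample, read the file with `fs.readFileSync` and pass its contents to `report()`. The point of the "missing" bucket is the one Thorin makes above: a pref that is not in the user.js is whatever the ETP mode leaves it at, so "set to standard and check the value" in about:config is still the authoritative check.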

@Thorin-Oakenpants
Contributor Author

Depends what a session is but I've running my fox often for more than 2 weeks without restarting

Right. Edge case. This is a YOU problem, not an arkenfox problem. By all means use TC to auto-sanitize (and a container ext is the only one that can do this properly AFAIK as it uses a different API), but I'm not adding paragraphs of stuff and recommending another extension for edge cases. You still didn't answer WHAT you are trying to achieve.

@Marc05

Marc05 commented Jan 31, 2022

I have no doubt there are many people who have learned from this project and are thankful for all of the work put into it. I didn't mean to stir the pants lol. These things are not clear to me for the same reason it won't be clear to many coming here and (hopefully) reading the wiki first - we're ignorant about the issue.

What I'm trying to achieve (outside of edge cases) is 1) prevent other websites from seeing cookies I've made exceptions for (e.g. gmail), and 2) reset those cookies with exceptions whenever possible (e.g. with TC) to limit tracking. With that in mind, is TC+CAD unnecessary or the wrong approach?

@rusty-snake
Contributor

I've simply discovered that TC has a lot of good effects so it's just so deep in my threat models that I can not remember all cases. So to extend my list from above:

  1. TC+permissions.isolateBy.userContext=true makes permissions "session-only" while you can keep permissions in permanent containers.

@Thorin-Oakenpants
Contributor Author

What I'm trying to achieve is prevent other websites from seeing cookies I've made exceptions for

FFS - that's what dFPI is. It isolates to first party. What exceptions? To keep cookies? Sanitizing has nothing to do with partitioning

@Marc05

Marc05 commented Jan 31, 2022

I've simply discovered that TC has a lot of good effects so it's just so deep in my threat models that I can not remember all cases. So to extend my list from above:

I've found this to be the case as well. Keeping up with all of the changes and understanding them takes more time than I have sometimes. I'm trying to limit the number of addons installed partly in an effort to cut down on the time spent managing the browser.

FFS - that's what dFPI is. It isolates to first party. What exceptions? To keep cookies? Sanitizing has nothing to do with partitioning

Right, that's what I thought after reading, but just wanted confirmation hence why I asked "does that actually matter given we now have Total Cookie Protection and SmartBlock"?" The reason for the addons though is my second point. By "limit tracking", I mean limit any potential tracking that I don't know about, and there's a lot I don't know! Perhaps this is also pointless given the new state partitioning technologies?

@Marc05

Marc05 commented Jan 31, 2022

yes temporary containers is redundant with dFPI unless you want more granular control.

Thank you! Granular control of what? And what would be the reason for wanting that?

@Onfroygmx

If anyone of you can explain to me where FF or Arkenfox wants to go in terms of anonymity, I would be happy:)

It's become so complex no one is able to tell the truth.
I would love Arkenfox to explain a clear threat model that they defend and keep to that, discussion was never their model!
And I thank them a lot for their work the last 7 years.

But today(Since 2 years) I don't agree with all their decisions.

@GlassGruber

yes temporary containers is redundant with dFPI unless you want more granular control.

Thank you! Granular control of what? And what would be the reason for wanting that?

From a privacy perspective there is really no reason because containers are basically ad hoc private browsing sessions without the benefit of clearing out browsing history as soon as the private window is closed.

I think that granular control refers to possibility to have multiple "sessions" with a single site, do you have multiple accounts with a site?
Take for example Gmail, if you have more than one email you either merge all in a single account, or you will need to logout from an account before logging in to another. Tedious and inconvenient: so instead open a container, either permanent or temporary, and there you are, multiple login sessions at the same time!

In essence in a new container you are in a mint clean fresh condition with no cookies or local storage. When interacting with a site inside a container, that site won't have any previous state about you (in that container), and that's pretty much about it.

Please correct me if I said something wrong, thanks!

@GlassGruber

GlassGruber commented Jan 31, 2022

If anyone of you can explain to me where FF or Arkenfox wants to go in terms of anonymity, I would be happy:)

If you look at wiki 1.1 you can see this (bold is mine)

🟪 TOR BROWSER

If your threat model calls for anonymity and advanced fingerprinting protection, USE TOR BROWSER. You can also use Tor Browser for everyday browsing as another secondary browser. However, you're going to want a non-Tor Browser browser too, which is Firefox, so carry on reading :).

But I would stress more on the most important part of this snippet

your threat model

It's a very complicated and deep subject, but in my opinion IF you can't really tell what a threat is to you, then potentially you can go on without much bothering about this thing, because AF and other tools mentioned in the wiki will take care of most common things for you.

If you look at the resources and links in the wiki, a lot about this subject can be found where you can surely get a grasp of what are possible threats for you and what you should care about and what not.

@2glops

2glops commented Jan 31, 2022

Thanks a lot for this clean and lean new wiki, I appreciate the structure and approach.
That's a fantastic job.

1.1 "We hope that arkenfox will one day become obsolete."
Agreed.

@g-2-s

g-2-s commented Jan 31, 2022

Yep, love the new wiki, good job.

@DonPicciotto

Sorry if this is not the right place to write this, but I have a suggestion about the "Overrides [Common]" section. At least in Italy (idk about other countries) there are a lot of government sites that don't support RFC 5746, so maybe a suggestion about changing 1201 "security.ssl.require_safe_negotiation" to false can be useful. As always: thanks for your work

@Thorin-Oakenpants
Contributor Author

@DonPicciotto This was brought up elsewhere a couple of days ago by the fish: and we've had two issues on it in arkenfox

my reply last time was the user gets an error that says unsafe negotiation, just search for it. I even added the actual error code SSL_ERROR_UNSAFE_NEGOTIATION which users get shoved in their faces: it's an easy fix and a super easy troubleshoot. Teach a man to fish ....

I am loath to add more and more items to the list. Most prefs will potentially break something - there's a reason why they're not default

The other one is the 1212 (OCSP require) seems to cause a few issues depending on the ISP. Along with 1223 strict pinning, maybe I can group these three together? @fxbrit what do you think

@Thorin-Oakenpants
Contributor Author

@githubuniqu the old one wasn't "bad", it had the right info - but it wasn't clean and simple and was the left overs of five years of edits and changes - do you not find the new one more streamlined and simple?

As for adding uBO stuff - no thanks. not my job to tell you how to tweak uBO

  • for the record, uBO as a tracker blocker is redundant
  • as a content blocker it's great: less attack surface / noise (ads) etc, removeparam as well, etc

It's not about privacy in that respect - so what if you connect to a third party in an iframe - this is the same BS argument about LocalCDN. If you want to stop connecting to other parties to protect your IP, then mask your fucking IP

That said, if you want to configure your web experience to enumerating goodness, that's on you

@fxbrit
Collaborator

fxbrit commented Feb 1, 2022

I would at least put the [SETUP-WEB] tag next to 1201. as for the wiki my two cents:

  • 1212 shouldn't be that big of a deal since CRLite is set to no OCSP fallback, meaning that OCSP should kick in less often.
  • you could start conservative by leaving out the other two, and if they end up being mentioned often in issues you can add them later. also consider that the issue template will stress about checking the above mentioned tag.

@crssi

crssi commented Feb 1, 2022

Italy is very specific... I haven't seen anywhere I have been (around the globe), so many bad written pages with so many trackers and privacy issues (despite GDPR) as I have seen in Italy.

@Thorin-Oakenpants
Contributor Author

well adding shortener list was about privacy right

yes, it is about privacy and adding something we haven't got - it reduces navigational tracking. uBO blocking 3p iframes except when clicking is not adding privacy - that tracking is already mitigated by dFPI. I can compare it to LocalCDN in that regard - i.e localCDN users' argument is about not connecting to the third party because "tracking"

I did not say it didn't improve security. Setting up your mode and tweaking your uBO is a YOU problem, not an AF one. These things are best left for their respective repos and wikis - I am not going to post instructions on everything or second guess what users want/need - I am not going to reinvent the wheel

The last fucking thing I want is people asking me questions on how to configure uBO, or asking for help or information on this suggested rule in the wiki, or people saying the WIKI IS SHIT AND NEEDS MORE INFO ABOUT THE UBO RULE

can you see where this is going. I am the only person maintaining this repo (excluding E providing diffs) - and have been for the last 2 years. Either it stays super fucking simple, or I archive it and get on with other things

@rusty-snake
Contributor

uBO blocking 3p iframes except when clicking is not adding privacy - that tracking is already mitigated by dFPI. I can compare it to LocalCDN in that regard - i.e localCDN users' argument is about not connecting to the third party because "tracking"

IMHO there's a difference between blocking 3p resources that are required (e.g. a library served by a CDN) and blocking 3p frames if you don't need the frame.

@Thorin-Oakenpants
Contributor Author

how do I know if you need the frame or not

@Thorin-Oakenpants
Contributor Author

Wiki is not shit and definitely it doesn't need to be archived.

You misunderstood. I meant the REPO

@Thorin-Oakenpants
Contributor Author

1ba6a21#diff-417e8f625f16252f8ace3b0791d24c9b073d7394e9216c7b5d14a516d2572277R459

exactly: if it's a govt website or two that is always the issue and you need to use those sites all the time (because it's the govt), then consider your secondary browser - everyone should have one

 * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site

@Thorin-Oakenpants
Contributor Author

It's pretty clear that AF without some overrides is not a thing. And not every override directly affects websites - e.g. the startup page, enabling keyword search especially if a user switches to a privacy respecting search engine. And some are subjective such as session restore (if you protect your device this becomes a bit moot). And then there is the threat model and tolerance level - which is also dependent on the user's experience

The main browser needs to be usable, the browser they can do MOST of their stuff in. What is the point in a browser if you can't enjoy and use it. What is being suggested and hinted at, is if a few sites cause issues, consider those in a secondary browser

Of course, everyone can do what they like. Have as many profiles or firefoxes (dev, beta, nightly) or other engines (e.g. safari on macOS is always a pretty good private browser - see https://privacytests.org/ and the 🐟 would agree on that one, he is a mac nerd). Use whatever configs of prefs you want. That's the whole beauty of it

One thing or only thing I didn't like in new wiki is - arkenfox will one day become obsolete

quote : "We hope that arkenfox will one day become obsolete" .. also ... "Hopefully before the Canadian Rockies wear away to a plain"

a project which allows one to make Firefox better security- and privacy-wise can never become obsolete

well not 100% because some issues can never be solved as a default. But it can almost certainly get to a stage where we can't do any more and/or a stage where very little at all needs to be done or ever changes (we're down to 147 prefs flipped - in the early days it was double that) and is handled by an extension (e.g. referers, content blockers)

Understand there are defaults for a reason

Well, it's a balance: it's good that things like webrtc, clipboard, being able to keep logins, being able to use cross-domain logins, bigger newwin sizes, and so on have reduced the usability issues without really compromising anything - and simpler toggles to change things such as one DRM pref, one webGL pref etc.

I consider the current setup to be quite "hardened" but very simple to change - see less than 10 items cover 99% of issues. Personally, all my overrides are cosmetics (and two for hardening) - i.e. I have no need for webgl, drm, nothing ever breaks any of those networking prefs. But I'm anecdotal.

@GlassGruber

how do I know if you need the frame or not

This. Oh boy, I hate when some very obscure old or gov sites do weird sh..enanigans with pages placing frames pointing to other gov sites, or even other pages of the very same site!
On sites like these it would be a clickety fest just to see a damn page!

The point IMO is that other people will just copy paste without really understanding why, just because it is recommended, and then get upset for (un?)expected side effects on their side.

Being conservative is generally a sensible and good approach.
Nonetheless, a suggestion to look in the depths of the incredible powers of uBO could be a nice addition.

A wiki linking to a wiki, golly how meta! 🧐

@Thorin-Oakenpants
Contributor Author

@crssi

For non technical users ETP set to strict is too strict

FYI: https://bugzilla.mozilla.org/show_bug.cgi?id=1101005

@szepeviktor

Do you plan to include links to real-world user-overrides.js examples?

@Thorin-Oakenpants
Contributor Author

no - there is no such thing as one size fits all and other people's overrides can be dumb (and change: not going to keep an eye on them). The only way to get what you want is to read, change, experience it yourself

@Thorin-Oakenpants
Contributor Author

whoops, 5.1 still needs updating, re-opening to remind me

@Thorin-Oakenpants
Contributor Author

and how come it's not on the user.js

they are on the user.js .. which is a template .. so I use overrides ... and no, you can't ask :)

webrtc

media devices - even without RFP, device ids are temporary (even per tab, or instance - not 100% sure on exactly what all the outcomes are, except that it is nothing to worry about and certainly not cross-domain). RFP will report you have one audioinput and one videoinput

When you allow/start a webrtc connection, the device names are reported as "Internal Camera" and "Internal Microphone" and the ondevicechange event is suppressed
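As an added example (not from the thread or the arkenfox project), a small helper that summarises what a page learns from `navigator.mediaDevices.enumerateDevices()` and checks it against the shape described in the comment above: one audioinput, one videoinput, and labels only "Internal Camera"/"Internal Microphone" once a WebRTC permission has been granted. The `looksLikeRfp` heuristic, `sharedDeviceIds` and both sample lists are assumptions constructed for illustration.

```javascript
// Added example; helper names and sample device lists are constructed, not from Firefox.
function summarizeDevices(devices) {
  const counts = { audioinput: 0, videoinput: 0, audiooutput: 0 };
  const labels = [];
  const ids = new Set();
  for (const d of devices) {
    if (d.kind in counts) counts[d.kind] += 1;
    if (d.label) labels.push(d.label);       // labels are empty until a permission grant
    if (d.deviceId) ids.add(d.deviceId);
  }
  return { counts, labels, distinctIds: ids.size };
}

// Heuristic (assumption): does the enumeration match what the comment says RFP reports?
function looksLikeRfp(summary) {
  const genericLabel = l => l === 'Internal Camera' || l === 'Internal Microphone';
  return summary.counts.audioinput === 1 &&
         summary.counts.videoinput === 1 &&
         summary.labels.every(genericLabel);
}

// With temporary device ids, two enumerations (another tab, another instance)
// should not share any id; returns the ids that do recur.
function sharedDeviceIds(a, b) {
  const idsA = new Set(a.map(d => d.deviceId).filter(Boolean));
  return b.map(d => d.deviceId).filter(id => id && idsA.has(id));
}

// Constructed sample: an RFP profile before any permission grant.
const SAMPLE_RFP = [
  { kind: 'audioinput', label: '', deviceId: 'tmp-a1' },
  { kind: 'videoinput', label: '', deviceId: 'tmp-v1' },
];

// Constructed sample: a profile exposing its real device list after a grant.
const SAMPLE_PLAIN = [
  { kind: 'audioinput', label: 'USB Microphone', deviceId: 'real-1' },
  { kind: 'audioinput', label: 'Built-in Microphone', deviceId: 'real-2' },
  { kind: 'videoinput', label: 'HD Webcam', deviceId: 'real-3' },
  { kind: 'audiooutput', label: 'Speakers', deviceId: 'real-4' },
];

// In a browser console this inspects the live list; under Node it is skipped.
if (typeof navigator !== 'undefined' && navigator.mediaDevices) {
  navigator.mediaDevices.enumerateDevices().then(list => {
    const s = summarizeDevices(list);
    console.log(s, 'looksLikeRfp:', looksLikeRfp(s));
  });
}
```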
