new wiki #1354
Comments
I think you can fix this :
|
In Extensions, instead of using Smart refer Extension why not use or This spoofs referer header The first one gives better privacy while the second does too but might break sites. |
REPEAT: But for everything UP TO the 5's - comments welcome OT:
OT: added to OP
|
Hello, English is not my first language, but I thought you might be interested nonetheless in my opinion, since I assume many Arkenfox users are like me: I must say I haven't had any major issue in understanding the new wiki. Thank you for the time spent in writing this, I've found it very useful; the experience of reading it has been mostly nice ;) However, I've tried to write down what was not 100% clear for me while I was reading it so that I can tell you, so here it is:
Also, on many pages (notably the 2.2 section, but all the following ones too) dots are missing at the end of the sentences, and it was quite disturbing for me sometimes. I'd be glad to help adding them, but I assume I've no rights to edit the wiki (which I 200% understand, of course). I hope I've been understandable and it will help a little bit. Thanx a lot for all your work! |
Added to OP
--
"state" is hyperlinked to here where the very first sentence says "State Partitioning is a broad effort to rework how Firefox manages client-side state (i.e., data stored in the browser)" - I see no point in retyping what I link to
there is a lot of misinformation going around that AF breaks EVERYTHING and requires LOTS of reading and LOTS of changes - I want to impart that this is BS. I'm not worried about the count not being exact. Considering that it used to be about 15 things that broke shit in 250 prefs, it has always been a load of BS
I'm trying to cut down on words and I shouldn't need to say "override this/these" for every item, it starts to look redundant and silly: either I do it for all, or none: trouble is I kinda need to do it for some. I need to drink on this one
it needs to be what I have it as, because tags are e.g.
https://2019.www.torproject.org/about/torusers.html is the link used in the very first wiki to mention "everyday browsing" and I'd rather not re-use it. I use that sentence about using tor browser three times (I think: I have too many tabs/windows open I don't want to lose track right now), and I don't know if I want to link to something else three times, let alone about threat modeling - I don't see this as my problem, and it's a big topic - I'd rather not link anything
it's a synonym :)
I hate dots, I like minimalism, sorry it triggered you :) |
It actually says it right there .... "Just backing up prefs.js file is not enough ..." (emphasis mine). I really want to keep things clean and simple. IDK what part of "NOT ENOUGH" doesn't explain that it isn't a full backup, especially when it mentions later that a profile contains all the other stuff like cookies and other settings/changes |
OK, that was just my reading experience, which seems to have been mostly irrelevant. I think I have completely lost my time. Sorry for that. Edit: nevertheless, I'd like to add a final word; I think the wiki is worth reading; it's clear, precise, and gives you some links to learn more. However, in my experience, reading the wiki is sometimes not enough; you can still stay with some questions; those questions are sometimes answered in the wiki, but you (especially as a beginner or simply as a non-professional user) may not have understood that it's the case. This is even more true when English is not your native language: sometimes, re-reading the same page 3 or 4 times isn't enough for you to understand, and you'd need to ask a question that others would consider being dumb. What I simply want to say is: OK, the wiki is rewritten; but I think a space where someone could ask questions that are not issues would be useful in addition to the wiki. A few issues have been marked as "invalid" recently, and I think they would have been better asked somewhere else. It could be a sticky post in the Github repo (don't know if it's feasible) where people could comment and ask for anything related to arkenfox; or something like a subreddit, etc. I'm always afraid of asking something that you'd find really dumb when I post here; and I think you shouldn't have to deal with all those questions, especially since sometimes they're more related to privacy in general (for example: why is dFPi better than FPI for me? etc.) than to arkenfox itself. And I also think that such a space where you could more freely ask your questions would help a lot of people to adopt arkenfox. |
not true. I've made changes based on your observations, and am still mulling others edit: look at the first post above and count the six actionable items already done: every single new wiki page got edits |
In section |
Thank you for the new wiki content! In regard to Dupond's note about where questions can be asked, what do you think of Github Discussions? Else what about linking to other communities or reddits in the wiki? |
In section 4.1, it's not clear why Temporary Containers is marked as "DON'T BOTHER". Would you please expand on that? I tried looking for relevant info on this through closed issues, but it seems it's mostly all outdated now. I'm trying to decide on whether continuing to use Temporary Containers+Containerise+CAD is worth it or not. The goal being e.g. stay logged in to Google on a gmail/youtube container, and clear out those cookies in all other containers. This begs the question: if adding an exception for Google to stay logged in on session restore means that the cookies are available when visiting any site (no containers), does that actually matter given we now have Total Cookie Protection and SmartBlock? I realize you did not want comments on this section, but I'm thinking clarification on this would help others in the future as well. I appreciate your thoughts on this. |
what's not to understand. TC partitions stuff - it WAS redundant with FPI, and it is STILL redundant with dFPI + network partitioning - how is this not painfully clear? on the issue of sanitizing in session (or using a new temp container for each visit) - this is NOT proper OpSec and does not mitigate linkability - see IP, see Tor Browser - how is this not painfully clear? |
👍 for Github Discussions
It does more
|
Sorry for blunt question, but what exactly |
https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning |
You're missing the point and asking the wrong questions
Special use and edge cases are not a reason to promote yet another extension that adds virtually nothing - listing edge case arguments like testing or other benefits of Origin Attribute keying which already exist in existing partitioning (such as gwarser does, testing that is, not making up arguments) Answer me this: 99% of users ... WHAT are you trying to achieve and WHAT is so important that you need to clear cookies and site data in a session |
I'm not going to have github discussions - already said no once, recently - that's just shoveling the noise into a different bucket. And I will mark things as invalid if users keep refusing to read the wiki or at least don't try to help themselves. How many times do we need to reply that it is referers, or it is RFP, or explain that keyword is the pref that stops auto searching from the urlbar, or people asking where to put the user.js file FFS, or wondering why something they changed in about:config is reset when they restart FFS, or asking for help with issues where they have added 50 other pref changes from dubious sources FFS, or failing to check if it was an extension causing it ... or failing to understand how the syntax and commenting in a user.js works, or explaining for the tenth time how to add cookies as site exceptions jesus f h christ - these people shouldn't be here if they can't follow basic instructions ... and yet it seems as if the consensus is to add more SHIT for users to misunderstand If users can't/don't read the wiki, then that's not my problem. And it's not my problem if English is not their native language. I spent a LOT of time re-writing so it was better laid out, visually cleaner, smaller + broken up better, and it should be much simpler to understand - in order to help reduce the noise and confusion - and yet it's still not good enough? All that work and a single thumbs up (and an extra rocket) End of story - I don't want the noise |
Yes, most users don't need it but edge cases and my workflow ... Even if deleting cookies between short visits achieves nothing (probably not for all sites), there are reasons to use it. There's nothing wrong with using it. Using it does not harm (except for more code). It's just not that important like uB or ETP/dFPI+network partitioning stuff.
Depends what a session is but I've been running my fox often for more than 2 weeks without restarting. And then I restart with session restore (but FF sometimes fucks up and forgets everything) so deleting cookies/site-data (Ctrl-Shift-Del) happens 1 or 2 times per month. |
|
Still missing the point ... Special use and edge cases are ... even if they automated and slightly easier are still edge cases |
For non technical users ETP set to ❤️ |
"comforting" is not measurable. You may have an example website, IDK (your experience is only anecdata and you fail to provide any), but I also doubt it's that widespread - this is the default for PB mode - by design they only add things when breakage is minimal? And you can set a site exception. So I disagree with your premise as worded. Granted, there are differences: e.g. TP is additional Look we came from FPI with no exceptions and all third party cookies + site data blocked And that wasn't too strict? Now we're using dFPI which is less strict (all third party) and more compatible with shims and heuristics, and it's somehow still strict? Maybe arkenfox isn't for you (or your olds) OK, you're not trying to compare it to FPI. Is this for your olds? Read the wiki - https://github.com/arkenfox/user.js/wiki/1.1-to-arkenfox-or-not - if your mom can't handle it, then don't use it As for the differences, until they roll out dFPI for everyone, then on Standard you will not have dFPI .. which is the WHOLE POINT. Once dFPI is part of ETP Standard, the differences will be what the code says: I am not interested, this is the same BS about custom ETP - but for starters Tracking Protection is not part of standard - it's probably these three things with more to come, such as font protections etc
You can check by setting to standard and checking the value |
Right. Edge case. This is a YOU problem, not an arkenfox problem. By all means use TC to auto-sanitize (and a container ext is the only one that can do this properly AFAIK as it uses a different API), but I'm not adding paragraphs of stuff and recommending another extension for edge cases. You still didn't answer WHAT you are trying to achieve. |
I have no doubt there are many people who have learned from this project and are thankful for all of the work put into it. I didn't mean to stir the pants lol. These things are not clear to me for the same reason it won't be clear to many coming here and (hopefully) reading the wiki first - we're ignorant about the issue. What I'm trying to achieve (outside of edge cases) is 1) prevent other websites from seeing cookies I've made exceptions for (e.g. gmail), and 2) reset those cookies with exceptions whenever possible (e.g. with TC) to limit tracking. With that in mind, is TC+CAD unnecessary or the wrong approach? |
I've simply discovered that TC has a lot of good effects so it's just so deep in my threat models that I can not remember all cases. So to extend my list from above:
|
FFS - that's what dFPI is. It isolates to first party. What exceptions? To keep cookies? Sanitizing has nothing to do with partitioning |
I've found this to be the case as well. Keeping up with all of the changes and understanding them takes more time than I have sometimes. I'm trying to limit the number of addons installed partly in an effort to cut down on the time spent managing the browser.
Right, that's what I thought after reading, but just wanted confirmation hence why I asked "does that actually matter given we now have Total Cookie Protection and SmartBlock?" The reason for the addons though is my second point. By "limit tracking", I mean limit any potential tracking that I don't know about, and there's a lot I don't know! Perhaps this is also pointless given the new state partitioning technologies? |
Thank you! Granular control of what? And what would be the reason for wanting that? |
If anyone of you can explain to me where FF or Arkenfox wants to go in terms of anonymity, I would be happy :) It's become so complex no one is able to tell the truth. But today (since 2 years) I don't agree with all their decisions. |
From a privacy perspective there is really no reason because containers are basically ad hoc private browsing sessions without the benefit of clearing out browsing history as soon as the private window is closed. I think that granular control refers to possibility to have multiple "sessions" with a single site, do you have multiple accounts with a site? In essence in a new container you are in a mint clean fresh condition with no cookies or local storage. When interacting with a site inside a container, that site won't have any previous state about you (in that container), and that's pretty much about it. Please correct me if I said something wrong, thanks! |
If you look at wiki 1.1 you can see this (bold is mine)
But I would stress more on the most important part of this snippet
It's a very complicated and deep subject, but in my opinion IF you can't really tell what a threat is to you, then potentially you can go on without much bothering about this thing, because AF and other tools mentioned in the wiki will take care of most common things for you. If you look at the resources and links in the wiki, a lot about this subject can be found where you can surely get a grasp of what are possible threats for you and what you should care about and what not. |
Thanks a lot for this clean and lean new wiki, I appreciate the structure and approach. 1.1 "We hope that arkenfox will one day become obsolete." |
Yep, love the new wiki, good job. |
Sorry if this is not the right place to write this, but I have a suggestion about "Overrides [Common]" section. At least in Italy (idk about other countries) there are a lot of government sites that don't support RFC 5746, so maybe a suggestion about changing 1201 "security.ssl.require_safe_negotiation" to false can be useful. As always: thanks for your work |
@DonPicciotto This was brought up elsewhere a couple of days ago by the fish: and we've had two issues on it in arkenfox my reply last time was the user gets an error that says unsafe negotiation, just search for it. I even added the actual error code I am loath to add more and more items to the list. Most prefs will potentially break something - there's a reason why they're not default The other one is the 1212 (OCSP require) seems to cause a few issues depending on the ISP. Along with 1223 strict pinning, maybe I can group these three together? @fxbrit what do you think |
@githubuniqu the old one wasn't "bad", it had the right info - but it wasn't clean and simple and was the left overs of five years of edits and changes - do you not find the new one more streamlined and simple? As for adding uBO stuff - no thanks. not my job to tell you how to tweak uBO
It's not about privacy in that respect - so what if you connect to a third party in an iframe - this is the same BS argument about LocalCDN. If you want to stop connecting to other parties to protect your IP, then mask your fucking IP That said, if you want to configure your web experience to enumerating goodness, that's on you |
I would at least put the
|
Italy is very specific... I haven't seen anywhere I have been (around the globe), so many badly written pages with so many trackers and privacy issues (despite GDPR) as I have seen in Italy. |
yes, it is about privacy and adding something we haven't got - it reduces navigational tracking. uBO blocking 3p iframes except when clicking is not adding privacy - that tracking is already mitigated by dFPI. I can compare it to LocalCDN in that regard - i.e localCDN users' argument is about not connecting to the third party because "tracking" I did not say it didn't improve security. Setting up your mode and tweaking your uBO is a YOU problem, not an AF one. These things are best left for their respective repos and wikis - I am not going to post instructions on everything or second guess what users want/need - I am not going to reinvent the wheel The last fucking thing I want is people asking me questions on how to configure uBO, or asking for help or information on this suggested rule in the wiki, or people saying the WIKI IS SHIT AND NEEDS MORE INFO ABOUT THE UBO RULE can you see where this is going. I am the only person maintaining this repo (excluding E providing diffs) - and have been for the last 2 years. Either it stays super fucking simple, or I archive it and get on with other things |
IMHO there's a difference between blocking 3p resources that are required (e.g. a library served by a CDN) and blocking 3p frames if you don't need the frame. |
how do I know if you need the frame or not |
You misunderstood. I meant the REPO |
1ba6a21#diff-417e8f625f16252f8ace3b0791d24c9b073d7394e9216c7b5d14a516d2572277R459 exactly: if it's a govt website or two that is always the issue and you need to use those sites all the time (because it's the govt), then consider your secondary browser - everyone should have one
|
It's pretty clear that AF without some overrides is not a thing. And not every override directly affects websites - e.g. the startup page, enabling keyword search especially if a user switches to a privacy respecting search engine. And some are subjective such as session restore (if you protect your device this becomes a bit moot). And then there is the threat model and tolerance level - which is also dependent on the user's experience The main browser needs to be usable, the browser they can do MOST their stuff in. What is the point in a browser if you can't enjoy and use it. What is being suggested and hinted at, is if a few sites cause issues, consider those in a secondary browser Of course, everyone can do what they like. Have as many profiles or firefoxes (dev, beta, nightly) or other engines (e.g. safari on macOS is always a pretty good private browser - see https://privacytests.org/ and the 🐟 would agree on that one, he is a mac nerd). Use whatever configs of prefs you want. That's the whole beauty of it
quote : "We hope that arkenfox will one day become obsolete" .. also ... "Hopefully before the Canadian Rockies wear away to a plain"
well not 100% because some issues can never be solved as a default. But it can almost certainly get to a stage where we can't do any more and/or a stage where very little at all needs to be done or ever changes (we're down to 147 prefs flipped - in the early days it was double that) and is handled by an extension (e.g. referers, content blockers)
Well, it's a balance: it's good that things like webrtc, clipboard, being able to keep logins, being able to use cross-domain logins, bigger newwin sizes, and so on has reduced the usability issues without really compromising anything - and simpler toggles to change things such as one DRM pref, one webGL pref etc. I consider the current setup to be quite "hardened" but very simple to change - see less than 10 items cover 99% of issues. Personally, all my overrides are cosmetics (and two for hardening) - i.e. I have no need for webgl, drm, nothing ever breaks any of those networking prefs. But I'm anecdotal. |
This. Oh boy, I hate when some very obscure old or gov sites do weird sh..enanigans with pages placing frames pointing to other gov sites, or even other pages of the very same site! The point IMO is that other people will just copy paste without really understanding why, just because it is recommended, and then get upset for (un?)expected side effects on their side. Being conservative is generally a sensible and good approach. A wiki linking to a wiki, golly how meta! 🧐 |
|
Do you plan to include links to real-world user-overrides.js examples? |
no - there is no such thing as one size fits all and other people's overrides can be dumb (and change: not going to keep an eye on them). The only way to get what you want is to read, change, experience it yourself |
whoops, 5.1 still needs updating, re-opening to remind me |
they are on the user.js .. which is a template .. so I use overrides ... and no, you can't ask :)
media devices - even without RFP, device ids are temporary (even per tab, or instance - not 100% sure on exactly what all the outcomes are, except that it is nothing to worry about and certainly not cross-domain). RFP will report you have one audioinput and one videoinput When you allow/start a webrtc connection, the device names are reported as "Internal Camera" and "Internal Microphone" and the ondevicechange event is suppressed |
Actionable
1.1: explain "state"
2.2: explain why (or drop) prefs.js is insufficient and a stupid idea
3.1, 3.4: don't refer to "starting with Arkenfox v97"
3.2: "Cookies" options
3.2: be consistent with 'override this/these': either do say it for all or say it for none
3.3: add pic/example of RFP canvas
3.5: add warning not to delete prefs.js
ALL: excluding bullet points: sentences should end with a period
ALL: add anchors so it's easy to link to various bits
4.1: Cookie Extensions API link is now a dead bugzilla (marked invalid)
4.1: add pic for uBO add custom filter
4.1: add pic/info on Smart Referer whitelist
4.1: rework FPing extensions into a single don't bother entry
5.1: update prefs in windows updater merge example
dom.netinfo.enabled to go: am tracking this elsewhere
5.2: troubleshooting: DONE
Appendix A: cleanup
Appendix B: split FP test sites into a new wiki page
Appendix B: add foreword = FPing tests that give entropy (or advice) are BS etc
Appendix C: cleanup
it's not complete
5 items
But for everything up to the 5's - comments welcome
Speak now or forever hold your penis