2698 & 2699 format tweak #143

Closed
Thorin-Oakenpants opened this issue Jun 14, 2017 · 8 comments

@Thorin-Oakenpants

Thorin-Oakenpants commented Jun 14, 2017

Need to tweak the format of 2698 & 2699. These sections are generally one or two preference(s) but lots of items/numbers. Suggest we put the preference(s) first, e.g.

/*** 2698: FIRST PARTY ISOLATION (FPI) ***/
user_pref("privacy.firstparty.isolate", true); // (FF51+)
user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // (FF54+)
/** Items controlled by FPI ***/
/* 2698a: enable first party isolation pref and OriginAttribute (FF51+)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1260931 ***/
/* 2698b: isolate favicons (FF52+)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1277803 ***/
etc

It's even a little weirder in 2699 as we have the 2699a pref at the end currently under G, but other prefs in the middle under D.

@earthlng

We could remove most of the info (keep the window resizing how-to) from the user.js and instead add a link to a sticky.
Or what would also be nice is to group the info into categories for (a) bundled behind privacy.resistFingerprinting and (b) behind PRF with additional prefs, e.g. something like this

/*** 2699: privacy.resistFingerprinting
 ** limit window.screen & CSS media queries
   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=418986
 ** spoof screen orientation
   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1281949
 ***/
user_pref("privacy.resistFingerprinting", true);
/* 2699a: set new window sizes to round to hundreds (FF55+) [SETUP]
 * [NOTE] If override values are too big, the code determines it for you
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1330882
 * [2] https://metrics.mozilla.com/firefox-hardware-report/ ***/
   // user_pref("privacy.window.maxInnerWidth", 1366);
   // user_pref("privacy.window.maxInnerHeight", 768);
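
The layout proposed above mixes active prefs, prefs commented out with `//`, and prefs that are only described inside `/* ... */` documentation blocks. The following is an added example, not part of the thread or of the project's code, that audits which prefs a user.js actually sets; `auditUserJs` and `notEnforced` are hypothetical names, and the sample is constructed from the snippets quoted in this thread.

```javascript
// Added example: report which prefs in a user.js are active vs. commented out.
// SAMPLE is constructed from the snippets quoted in this thread.
const SAMPLE = `
/*** 2698: FIRST PARTY ISOLATION (FPI) ***/
user_pref("privacy.firstparty.isolate", true); // (FF51+)
user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // (FF54+)
/*** 2699: privacy.resistFingerprinting
 ** limit window.screen & CSS media queries
   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=418986
 ***/
user_pref("privacy.resistFingerprinting", true);
/* 2699a: set new window sizes to round to hundreds (FF55+) [SETUP] ***/
   // user_pref("privacy.window.maxInnerWidth", 1366);
   // user_pref("privacy.window.maxInnerHeight", 768);
`;

// Optional leading "//" marks an inactive pref; group 2 = name, group 3 = value.
const PREF_RE = /^\s*(\/\/\s*)?user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

function auditUserJs(text) {
  const active = new Map();
  const inactive = new Map();
  // Block comments only document prefs; drop them so they never count.
  const code = text.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const line of code.split("\n")) {
    const m = PREF_RE.exec(line);
    if (!m) continue;
    let value;
    try { value = JSON.parse(m[3]); } catch { value = m[3]; }
    // If a pref appears more than once, the last line wins.
    (m[1] ? inactive : active).set(m[2], value);
  }
  // A pref that is set anywhere in the file is not reported as inactive.
  for (const name of active.keys()) inactive.delete(name);
  return { active, inactive };
}

// Names from `expected` (pref -> wanted value) that the file does not set to that value.
function notEnforced(audit, expected) {
  return Object.entries(expected)
    .filter(([name, want]) => audit.active.get(name) !== want)
    .map(([name]) => name);
}

const audit = auditUserJs(SAMPLE);
console.log([...audit.active.keys()], [...audit.inactive.keys()]);
```
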

@earthlng

I copied it from your comment - ask yourself xD

@earthlng

We should add the bugzilla ticket for .restrict_opener_access and make that 2698b, and we can activate 2698b because it's default enabled+true anyway since FF54.
I've been using privacy.firstparty.isolate;true for a while now and wanted to suggest to activate that as well.
It has a warning tag that should be enough IMO. I don't use cross-domain logins (bad practice anyway) and didn't notice any other problems so far, so I think we can activate it and see if someone reports some of the "breaks site functionality" part.

@earthlng

2698b: reduce FPI restriction (less breakage)

For less breakage the value needs to be false. TBB's implementation was less restrictive and they can set the pref to false to have the same behavior as they did before so it won't cause any breakage.

Either we set the value to false and keep this title but then we should make it inactive IMO, or we change the title, e.g. "restrict the access of window.opener" maybe with a note "In fact, this does not only affect the access of window.opener, but every access which is protected by JS wrappers." although IDK what those other JS wrappers are.

@earthlng

Maybe we should also mention that it breaks (or used to break IDK?!?) Self-destructing-cookies, as Atavic pointed out.

Thorin-Oakenpants added a commit that referenced this issue Jun 19, 2017
@earthlng

earthlng commented Jun 19, 2017

nits:

  • enable First Party Isolation and Origin Attributes the firstPartyURI origin attributes
    "Origin Attributes" are set and used regardless of FPI afaik - it's the firstPartyURI OA specifically that gets enabled by this
    => or just "enable First Party Isolation"

  • enforce FPI restriction across window.opener
    there we have "enforce" again. Didn't we want to get rid of that? And "across"? Why not use "restrict the access of window.opener" which is paraphrasing from that bugzilla comment we link to?

This pref controls the restriction of the access of window.opener

@earthlng

each description should be self contained

= "enforce FPI restriction for window.opener"

@earthlng

earthlng commented Jun 19, 2017

NOTE: I removed the info on how to resize

I don't like that at all. It's easily the most important info about the pref atm.

is not needed once 55 lands

still important to know for ESR users for a while

IMO it doesn't matter if it's 5 lines or 15 lines - without the described adjustment it turns the pref from 'resistFingerprinting' to 'FingerprintingMadeEasy'

ps: are you "typing under the influence" (TUI) again? xD
