spring cleaning part 2 #434

Closed
10 tasks done
earthlng opened this issue May 23, 2018 · 13 comments

Comments

@earthlng
Contributor

earthlng commented May 23, 2018

@Thorin-Oakenpants wrote:

Am trying to cut down the user.js if I can

a few things we can remove IMO:

  • user_pref("dom.allow_scripts_to_close_windows", false); - 449e32a
    • default false (even in ESR52)
    • 1 of the prefs in PK's ignore.list
  • user_pref("dom.disable_window_flip", true); - 449e32a
  • 2733 (offline-apps.quota.warn) & maybe 2732 (browser.offline-apps.notify) - f60a87f
    • was never active and we enforce sites to ask with 2731 + 2732 regardless of any quota
    • not in PK's user.js either
    • the text could be misunderstood to mean that FF will bypass the prompt enforced by 2731:
      FF will store small amounts of data in the offline cache without asking for permission.
  • user_pref("network.http.fast-fallback-to-IPv4", true); - c66d1b0
    • default true (including ESR52)
    • I'd also like to disable IPv6 but that's another issue
  • double entry for 0422 - 01bd2a4
    • Basic is the default anyway but another problem is that selecting strict via the UI just adds ,content-track-digest256 to the default value. If that default value changes or they change/rename the part that gets appended, we would fuck up people's configs. We will see changes to the default value in the diffs but not changes to the to-be-appended part.
  • 0101: browser.slowStartup.maxSamples & browser.slowStartup.samples & browser.slowStartup.notificationDisabled - 3edf7af & 3e5667f
  • 0101 browser.rights.3.shown - f113cf8
  • 0101 4 x new profile/update welcomes/whatsnew -> personal, inactive - acc5a1c
  • 0101 browser.laterrun.enabled - 9b1cf28
  • add removed prefs to scratchpad script - 8e60f41
@Atavic

Atavic commented May 23, 2018

Never worked here in years.

@earthlng
Contributor Author

testpage: http://webdbg.com/test/appcache/ - you need to allow appcache on insecure sites!

  1. All of 273x IS about the same thing ie offline cache aka appCache
    • you can also verify that this is the case via about:cache. It's listed under appcache but the file is called OfflineCache and when you set browser.cache.offline.enable to false the Storage disk location changes to none, only stored in memory
  2. offline cache is kinda useless anyway in our case because we clear it on shutdown
  3. the warning pref DOES work but isn't of much use (all 3 prefs DO work, at least to some extent: maybe the warning isn't displayed if it's in an iframe, IDK). If you set it to 1kb you'll get this message:
    [image]
    By default you'll only get this message when a site stores more than 50MB
  4. 2732 browser.offline-apps.notify is default true even in ESR52 so we can remove that as well IMO. If you'd set this to false you would not get the above warning message
  5. the important pref here is offline-apps.allow_by_default which controls the prompt to allow or block appcache access

Thorin-Oakenpants referenced this issue May 25, 2018
the default is true anyway for ESR52.x and FF60+ (and I assume for FF52+) branches
Thorin-Oakenpants added a commit that referenced this issue May 25, 2018
both these removed prefs are enforcing the default in ESR52.x and FF60+ (and I assume FF52+) branches
@earthlng
Contributor Author

earthlng commented May 25, 2018

I'd prefer something like this (without listing the pref):

/* 0422: enable "strict" Tracking Protection list
 * [SETTING] Privacy & Security>Tracking Protection>Change Block List
 * [SETTING-ESR52] Privacy>Use Tracking Protection>Change Block List ***/

maybe with a note like "There's a pref for this but it's hard to keep track of and we don't recommend to add it to your user.js."

There's also this: https://www.bleepingcomputer.com/news/software/firefox-63-to-get-improved-tracking-protection-that-blocks-in-browser-miners/

The Firefox browser's Settings >> Privacy section now features an enhanced Tracking Protection panel that also allows users to select what anti-tracking features they can enable.

with Firefox 63, Tracking Protection will also receive support for blocking user fingerprinting scripts and in-browser miners (also called cryptojackers).

which I guess will change the TP prefs + their values quite a bit.

Thorin-Oakenpants added a commit that referenced this issue May 25, 2018
2732 was just enforcing default since at least FF52, and 2733 has never been used, was only there for info. Offline Cache or appCache (2730) is already behind a prompt (2731), and is already limited (in FF60+) to HTTPS (2730b).
@fmarier

fmarier commented May 25, 2018

Haven't read the articles yet, but saw them earlier (eg reddit). I would suspect that the pref will just concatenate the selected lists with a delimiter

Yes, that's what it does. Switching to the "strict" list for example, adds the content-track-digest256 list to urlclassifier.trackingTable. That's the difference between basic and strict.

This crypto-mining and fingerprinting stuff will show up as new lists (probably something like miners-track-digest256 and fingerprinting-track-digest256 TBD).

@earthlng
Contributor Author

Found 2 more to remove

user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);

the slowStartup function immediately returns when browser.slowStartup.notificationDisabled is true, in which case those 2 prefs are never used.

IDK if we need to disable the slowStartup check at all. It's kind of nice to be able to see the average startup time (stored in browser.slowStartup.averageTime). And I don't think disabling it improves startup time by all that much.

All it does is measure average startup time and if it's higher than the value of browser.slowStartup.timeThreshold (+ the profile age is older than 3 months) it shows a message with 2 buttons: help + disableNotification. Clicking "Help" just opens https://support.mozilla.org/kb/reset-firefox-easily-fix-most-problems in a new tab.

@earthlng
Contributor Author

earthlng commented May 26, 2018

then why not remove browser.slowStartup.notificationDisabled too? it's not security/privacy related

@earthlng
Contributor Author

earthlng commented May 26, 2018

Can we draw a line in the sand somewhere?

yeah np, was just an idea

Thorin-Oakenpants added a commit that referenced this issue May 26, 2018
@earthlng
Contributor Author

browser.rights.3.shown was removed in FF62 but there's a ticket for maybe bringing it back as part of Activity-Stream: https://bugzilla.mozilla.org/1463277

also see this comment

In ESR I think it's shown on the FF Start Page (about:home) the 1st time it loads.

Up to you whether you want to remove it now or wait for FF62 and then move it to 9999.


while digging in the code I also noticed that the following 3 prefs are never used when browser.startup.homepage_override.mstone is set to ignore

user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_welcome_url.additional", "");
user_pref("startup.homepage_override_url", ""); // what's new page after updates

these pages are just shown once after each update/upgrade or in new profiles. If someone actually wants to see (some of) them, commenting out just (some of) those 3 prefs won't do anything.
We could do something like this:

/* 010x: disable all "Welcome" and "What's new" pages ***/
   // user_pref("browser.startup.homepage_override.mstone", "ignore");
/* 010xb: disable the "Welcome" or "What's new" pages ***/
   // user_pref("startup.homepage_welcome_url", "");
   // user_pref("startup.homepage_welcome_url.additional", "");
   // user_pref("startup.homepage_override_url", ""); // What's New page after updates
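
An added example (not part of the thread or the project's own scripts): a Node.js check that flags user.js entries which are redundant for the reasons given in the comments above, either because they restate a default or because a gating pref stops Firefox from reading them. The function names and the sample file are constructed for illustration.

```javascript
// Added example; defaults and gating rules are those stated in this thread (ESR52/FF60 era).
const DEFAULTS = {
  "dom.allow_scripts_to_close_windows": false,
  "network.http.fast-fallback-to-IPv4": true,
  "browser.offline-apps.notify": true,
};
// Prefs never read while the gating pref holds the given value.
const GATES = [
  { gate: "browser.slowStartup.notificationDisabled", value: true,
    dead: ["browser.slowStartup.maxSamples", "browser.slowStartup.samples"] },
  { gate: "browser.startup.homepage_override.mstone", value: "ignore",
    dead: ["startup.homepage_welcome_url", "startup.homepage_welcome_url.additional",
           "startup.homepage_override_url"] },
];

// Collect active user_pref() lines; block comments and //-prefixed lines are skipped.
function parseUserJs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of text.replace(/\/\*[\s\S]*?\*\//g, "").split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    try { prefs.set(m[1], JSON.parse(m[2])); } catch { /* not a bool/int/string literal */ }
  }
  return prefs;
}

function auditUserJs(text) {
  const prefs = parseUserJs(text);
  const findings = [];
  for (const [name, value] of prefs)
    if (DEFAULTS[name] === value) findings.push({ name, reason: "enforces default" });
  for (const { gate, value, dead } of GATES) {
    if (prefs.get(gate) !== value) continue;
    for (const name of dead)
      if (prefs.has(name)) findings.push({ name, reason: `unused while ${gate} is set` });
  }
  return findings;
}

// Constructed sample, not a real profile.
const SAMPLE = `/* constructed sample ***/
user_pref("dom.allow_scripts_to_close_windows", false);
user_pref("network.http.fast-fallback-to-IPv4", true);
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.startup.homepage_override.mstone", "ignore");
   // user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_override_url", ""); // What's New page after updates`;
console.log(auditUserJs(SAMPLE));
```

A pref flagged as unused is one where commenting it out or changing it has no effect until the gating pref is changed as well.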

Thorin-Oakenpants added a commit that referenced this issue May 27, 2018
@nostromov

Not trying to spam (just an honest question!), but the whole trackingprotection deal; do you guys, actually, use it?!

As we've got various ad-blockers, script-blockers and /or other Add-ons - who's using the built-in lists?.. Would it not make more sense to go around Mozilla, since we're excluding - pretty much - everything else??

o.0

@earthlng
Contributor Author

I will dig some more into laterrun

looking forward to hearing what you uncover :trollface:

browser.newtab.url was removed a long time ago.
The 2 drop down option prefs are browser.startup.homepage and browser.newtabpage.enabled

Thorin-Oakenpants added a commit that referenced this issue May 29, 2018
@Atavic

Atavic commented May 29, 2018

Prevent Firefox from opening a page on a second or later run and/or after some amount of time

Source

@Atavic

Atavic commented May 29, 2018

Supported on: Windows 10

Source

@earthlng
Contributor Author

do we want to do anything about the default check pref?

no
