ToDo: diffs FF52-FF53 #47

Closed
13 tasks done
earthlng opened this issue Mar 10, 2017 · 11 comments

earthlng commented Mar 10, 2017

v52.0 vs v53.0

133 diffs ( 74 new, 38 gone, 21 different )

new in v53.0:

  • pref("browser.storageManager.enabled", false); 5cf2de5
  • pref("browser.tabs.remote.separateFileUriProcess", false); discussion: create 0050 e10s #82 49e2025
  • pref("browser.urlbar.decodeURLsOnCopy", false); see comment, 7496b87
  • pref("dom.IntersectionObserver.enabled", false); 8ca3176
  • pref("extensions.webextensions.remote", false); discussion: create 0050 e10s #82 49e2025
  • pref("svg.disabled", false); 2671 551427f
    • FUKYEAH™ 👍 but inactive due to youtube 💩
  • since defaults are false, added to investigate/keep an eye on sticky
    • pref("dom.dialog_element.enabled", false);
  • since defaults are false, added to investigate/keep an eye on sticky
    • pref("privacy.trackingprotection.annotate_channels", false);
    • pref("privacy.trackingprotection.lower_network_priority", false);
  • since defaults are false, added to investigate/keep an eye on sticky
    • pref("security.webauth.webauthn", false);
    • pref("security.webauth.webauthn_enable_softtoken", false);
    • pref("security.webauth.webauthn_enable_usbtoken", false);
  • pref("network.http.referer.userControlPolicy", 3); 1606
  • pref("privacy.userContext.longPressBehavior", 0);
  • pref("services.blocklist.pinning.enabled", true);
  • pref("plugins.navigator.hidden_ctp_plugin", "");
    • ignoring this. flash needs to die. our user.js blocks flash by default. see earthlng's comments below for more info and/or read 1294341

removed, renamed or hidden in v53.0:

See d87bcfd

  • pref("dom.beforeAfterKeyboardEvent.enabled", false); 1322736
  • pref("media.getusermedia.screensharing.allow_on_old_platforms", false); 1329562 2d7af132a40c
  • pref("plugin.scan.Acrobat", "5.0"); 1317109
  • pref("plugin.scan.Quicktime", "5.0"); 1317110
  • pref("plugin.scan.WindowsMediaPlayer", "7.0"); 1317108
  • pref("security.tls.unrestricted_rc4_fallback", false); 1130670

changed in v53.0:

(struck-through ones changed in a beta version but the change didn't land in stable)

  • pref("webextensions.storage.sync.enabled", true); // prev: false ec5fdfc
  • pref("browser.crashReports.unsubmittedCheck.enabled", true); // prev: false 0351
  • pref("browser.migrate.automigrate.enabled", true); // prev: false 3023
  • pref("browser.safebrowsing.provider.google4.gethashURL", ""); // prev: somethingsomething 0410c
  • pref("media.getusermedia.browser.enabled", false); // prev: true 2022
  • pref("network.predictor.enable-prefetch", false); // prev: true 0608
  • pref("security.pki.certificate_transparency.mode", 0); // prev: 1 already keeping an eye on (sticky: items to investigate keep an eye on #20)
  • pref("security.tls.version.max", 4); // prev: 3 1202
  • pref("webgl.enable-debug-renderer-info", true); // prev: false 2011

ignore

==NEW

pref("browser.formautofill.experimental", false);
pref("browser.safebrowsing.temporary.take_v4_completion_result", false);
pref("devtools.command-button-pick.enabled", true);
pref("devtools.debugger.call-stack-visible", false);
pref("devtools.debugger.end-panel-collapsed", false);
pref("devtools.debugger.pending-selected-location", "{}");
pref("devtools.debugger.scopes-visible", false);
pref("devtools.debugger.start-panel-collapsed", false);
pref("devtools.debugger.tabs", "[]");
pref("devtools.gridinspector.showGridLineNumbers", false);
pref("devtools.gridinspector.showInfiniteLines", false);
pref("devtools.inspector.colorWidget.enabled", false);
pref("devtools.screenshot.audio.enabled", true);
pref("devtools.screenshot.clipboard.enabled", false);
pref("devtools.webconsole.filter.css", false);
pref("dom.forms.selectSearch", false);
pref("dom.ipc.processCount.webLargeAllocation", 10);
pref("dom.largeAllocationHeader.enabled", true);
pref("dom.select_popup_in_parent.enabled", false);
pref("dom.storage.testing", false);
pref("extensions.getAddons.themes.browseURL", "https://addons.mozilla.org/%LOCALE%/firefox/themes/?src=firefox");
pref("extensions.webcompat-reporter.enabled", false);
pref("extensions.webcompat-reporter.newIssueEndpoint", "https://webcompat.com/issues/new");
pref("extensions.webextensions.identity.redirectDomain", "extensions.allizom.org");
pref("extensions.webextensions.themes.enabled", false);
pref("identity.fxaccounts.settings.devices.uri", "https://accounts.firefox.com/settings/clients?service=sync&context=fx_desktop_v3");
pref("layers.geometry.basic.enabled", true);
pref("layers.geometry.opengl.enabled", true);
pref("layers.gpu-process.enabled", true);
pref("layout.animation.prerender.absolute-limit-x", 4096);
pref("layout.animation.prerender.absolute-limit-y", 4096);
pref("layout.animation.prerender.partial", false);
pref("layout.animation.prerender.viewport-ratio-limit-x", "1.125");
pref("layout.animation.prerender.viewport-ratio-limit-y", "1.125");
pref("layout.css.display-flow-root.enabled", true);
pref("layout.css.font-variations.enabled", false);
pref("media.cubeb.log_level", "");
pref("media.decoder.recycle.enabled", false);
pref("media.gpu-process-decoder", true);
pref("media.wmf.allow-unsupported-resolutions", false);
pref("network.standard-url.enable-rust", false);
pref("places.frecency.redirectSourceVisitBonus", 25);
pref("plugins.flashBlock.enabled", false);
pref("privacy.history.custom", false);
pref("privacy.permissionPrompts.showCloseButton", false);
pref("privacy.temporary_permission_expire_time_ms", 3600000);
pref("security.mixed_content.hsts_priming_request_timeout", 3000);
pref("services.blocklist.pinning.bucket", "pinning");
pref("services.blocklist.pinning.checked", 0);
pref("services.blocklist.pinning.collection", "pins");
pref("urlclassifier.flashAllowExceptTable", "testexcept-flashallow-simple,except-flashallow-digest256");
pref("urlclassifier.flashAllowTable", "test-flashallow-simple,allow-flashallow-digest256");
pref("urlclassifier.flashExceptTable", "testexcept-flash-simple,except-flash-digest256");
pref("urlclassifier.flashSubDocExceptTable", "testexcept-flashsubdoc-simple,except-flashsubdoc-digest256");
pref("urlclassifier.flashSubDocTable", "test-flashsubdoc-simple,block-flashsubdoc-digest256");
pref("urlclassifier.flashTable", "test-flash-simple,block-flash-digest256");
pref("webgl.max-acceptable-fb-status-invals", 0);
pref("webgl.max-perf-warnings", 0);

==REMOVED or HIDDEN

/*** we have none of these ***/
pref("accessibility.ipc_architecture.enabled", true);
pref("browser.preferences.animateFadeIn", false);
pref("browser.tabs.dontfocusfordialogs", true);
pref("browser.uitour.readerViewTrigger", "^https:\\/\\/www\\.mozilla\\.org\\/[^\\/]+\\/firefox\\/reading\\/start");
pref("devtools.apps.forbidden-permissions", "embed-apps");
pref("devtools.netmonitor.statistics", true);
pref("dom.details_element.enabled", true);
pref("dom.mozInputMethod.enabled", false);
pref("dom.mozNetworkStats.enabled", false);
pref("dom.mozPermissionSettings.enabled", false);
pref("dom.mozSettings.allowForceReadOnly", false);
pref("dom.mozSettings.enabled", false);
pref("dom.mozSettings.SettingsDB.debug.enabled", false);
pref("dom.mozSettings.SettingsDB.verbose.enabled", false);
pref("dom.mozSettings.SettingsManager.debug.enabled", false);
pref("dom.mozSettings.SettingsManager.verbose.enabled", false);
pref("dom.mozSettings.SettingsRequestManager.debug.enabled", false);
pref("dom.mozSettings.SettingsRequestManager.verbose.enabled", false);
pref("dom.mozSettings.SettingsService.debug.enabled", false);
pref("dom.mozSettings.SettingsService.verbose.enabled", false);
pref("dom.node.rootNode.enabled", false);
pref("dom.presentation.discovery.legacy.enabled", false);
pref("dom.system_update.debug", false);
pref("dom.system_update.enabled", false);
pref("gecko.handlerService.allowRegisterFromDifferentHost", false);
pref("gfx.prefer-mesa-llvmpipe", false);
pref("image.mozsamplesize.enabled", false);
pref("layout.css.display-contents.enabled", true);
pref("network.standard-url.encode-utf8", true);
pref("network.standard-url.escape-utf8", true);
pref("security.ssl.enable_npn", true);
pref("security.ssl.false_start.require-npn", false);

==CHANGED

pref("browser.addon-watch.ignore", "[\"mochikit@mozilla.org\",\"special-powers@mozilla.org\",\"fxdevtools-adapters@mozilla.org\",\"fx-devtools\",\"webcompat-reporter@mozilla.org\"]"); // prev: "[\"mochikit@mozilla.org\",\"special-powers@mozilla.org\",\"fxdevtools-adapters@mozilla.org\",\"fx-devtools\"]"
pref("browser.migrate.chrome.history.limit", 2000); // prev: 0
pref("browser.migrate.chrome.history.maxAgeInDays", 180); // prev: 0
pref("browser.safebrowsing.provider.mozilla.lists", "base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256"); // prev: "base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256"
pref("devtools.jsonview.enabled", true); // prev: false
pref("devtools.netmonitor.har.defaultFileName", "Archive %date"); // prev: "Archive %y-%m-%d %H-%M-%S"
pref("devtools.toolbox.toolbarSpec", '["splitconsole", "paintflashing toggle","scratchpad","resize toggle","screenshot --fullpage --file", "rulers", "measure"]'); // prev: '["splitconsole", "paintflashing toggle","scratchpad","resize toggle","screenshot --fullpage", "rulers", "measure"]'
pref("lightweightThemes.recommendedThemes", /*** big long string ***/); // prev: /*** big long string ***/
pref("media.decoder-doctor.notifications-allowed", /*** big long string ***/); // prev: /*** big long string ***/
pref("media.dormant-on-pause-timeout-ms", 5000); // prev: -1
pref("media.navigator.audio.full_duplex", true); // prev: false
pref("places.frecency.permRedirectVisitBonus", 50); // prev: 0
pref("places.frecency.tempRedirectVisitBonus", 40); // prev: 0
pref("services.sync.engine.tabs.filteredUrls", "^(about:.*|resource:.*|chrome:.*|wyciwyg:.*|file:.*|blob:.*)$"); // prev: "^(about:.*|chrome://weave/.*|wyciwyg:.*|file:.*|blob:.*)$"
pref("urlclassifier.disallow_completions", /*** big long string ***/); // prev: /*** big long string ***/
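
One way to produce new/gone/changed lists in the format used above from two default-pref dumps, as an added example that is not part of the original post and not the tool used for this issue. `parsePrefs`, `diffPrefs` and `summary` are hypothetical names, and the two excerpts are constructed from prefs and values named in this thread.

```javascript
// Constructed excerpts (not full dumps), built from prefs named in this thread.
const FF52 = `
pref("extensions.blocklist.enabled", true);
pref("network.predictor.enable-prefetch", true);
pref("security.tls.unrestricted_rc4_fallback", false);
pref("security.tls.version.max", 3);
pref("services.sync.engine.tabs.filteredUrls", "^(about:.*|chrome://weave/.*|wyciwyg:.*|file:.*|blob:.*)$");
`;
const FF53 = `
pref("dom.IntersectionObserver.enabled", false);
pref("extensions.blocklist.enabled", true);
pref("network.predictor.enable-prefetch", false);
pref("security.tls.version.max", 4);
pref("services.sync.engine.tabs.filteredUrls", "^(about:.*|resource:.*|chrome:.*|wyciwyg:.*|file:.*|blob:.*)$");
pref("svg.disabled", false);
`;

// Match  pref("name", value);  or  user_pref("name", value);
// The value is a double- or single-quoted string (escapes allowed) or a bare
// token, so "//" or ")" inside a string is not taken for a comment or the end.
const PREF_RE =
  /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*'|[^\s,)]+)\s*\)\s*;/;

// Parse a dump into Map(name -> value as written in the file).
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = line.match(PREF_RE);
    if (m) prefs.set(m[1], m[2]);
  }
  return prefs;
}

// Compare two dumps and emit lines in the style used in this issue.
function diffPrefs(oldText, newText) {
  const before = parsePrefs(oldText);
  const after = parsePrefs(newText);
  const added = [], removed = [], changed = [];
  for (const [name, value] of after) {
    if (!before.has(name)) {
      added.push(`pref("${name}", ${value});`);
    } else if (before.get(name) !== value) {
      changed.push(`pref("${name}", ${value}); // prev: ${before.get(name)}`);
    }
  }
  for (const [name, value] of before) {
    if (!after.has(name)) removed.push(`pref("${name}", ${value});`);
  }
  return { added: added.sort(), removed: removed.sort(), changed: changed.sort() };
}

// One-line header in the same shape as the count at the top of the issue.
function summary(d) {
  const total = d.added.length + d.removed.length + d.changed.length;
  return `${total} diffs ( ${d.added.length} new, ${d.removed.length} gone, ${d.changed.length} different )`;
}

const result = diffPrefs(FF52, FF53);
console.log(summary(result));
console.log(["==NEW", ...result.added, "==REMOVED or HIDDEN", ...result.removed,
  "==CHANGED", ...result.changed].join("\n"));
```
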

earthlng commented Mar 10, 2017

Passive TrackingProtection

Lower priority of HTTP requests for resources on the Tracking Protection list ( RESOLVED FIXED in FF53 )

We could add a new pref here like "privacy.trackingprotection.annotate_channels" or something like that. If it's off, then we won't update the list or annotate the channels and so none of the perf features will do anything.

Part 1: Enable to update TP list if TP is disabled
Part 2: Lower the priority of channel loading tracking resource

// Annotate channels based on the tracking protection list in all modes
pref("privacy.trackingprotection.annotate_channels",  false);

Add a passive (detection only) mode for Tracking Protection ( RESOLVED FIXED in FF53 )

Part 1: Split out a new pref from privacy.trackingprotection.annotate_channels to explicitly control whether the channel priority is adjusted

// Lower the priority of network loads for resources on the tracking protection list.
// Note that this requires the privacy.trackingprotection.annotate_channels pref to be on in order to have any effect.
pref("privacy.trackingprotection.lower_network_priority",  false);

@earthlng

services.blocklist.pinning.*

Create a services client for augmenting the PKP preload list between releases

The services blocklist client provides a mechanism we can use to get public key pin preloads to the browser between releases.

https://bugzilla.mozilla.org/show_bug.cgi?id=1306470#c12 :

It's a little awkward - we're actively reaching into people's profiles and removing a security state the website set for them. So it moves this service from 'Could be used to DOS people by preloading them with invalid pins' to 'Could be used to actively attack them'. So we should be cognizant of that fact and consider how we secure the update mechanism.

pref("services.blocklist.pinning.enabled", true);
pref("services.blocklist.pinning.bucket", "pinning");
pref("services.blocklist.pinning.collection", "pins");
pref("services.blocklist.pinning.checked", 0);

@earthlng

javascript.options.shared_memory that link mentions 2 new "objects", SharedArrayBuffer + Atomics

from those pages:

The Atomics object provides atomic operations as static methods. They are used with SharedArrayBuffer objects.

APIs accepting SharedArrayBuffer objects:

  • WebGLRenderingContext.bufferData()
  • WebGLRenderingContext.bufferSubData()
  • WebGL2RenderingContext.getBufferSubData()

it seems to be only used by WebGL and we can safely ignore this pref IMO.


earthlng commented Mar 18, 2017

  • browser.urlbar.decodeURLsOnCopy - 1320061 - this seems interesting. It could be useful in some cases and terribly annoying in others. I'd like to add it in the Personal section
  • privacy.userContext.longPressBehavior - also seems nice. There are likely more prefs to come for Containers so we could create a special section or sub-section for those.
    This only works when Containers are enabled:
    https://hg.mozilla.org/mozilla-central/rev/f248d089469d#l2.72
    => 0 disables long press, 1 when clicked, the menu is shown, 2 the menu is shown after X milliseconds
  • privacy.permissionPrompts.showCloseButton - this is probably only for testing purposes and will likely get removed again. IMO we don't need this. I'll add the /* don't need */ for now.
  • privacy.trackingprotection.annotate_channels + privacy.trackingprotection.lower_network_priority - seems interesting and we should add them. Since we disable TP we should definitely disable the annotate_channels.
    The lower_network_priority can either be force-disabled or commented out
  • privacy.history.custom - is a fix for the UI and handled by FF internally https://bugzilla.mozilla.org/show_bug.cgi?id=552434 - we should not touch this
  • browser.tabs.remote.separateFileUriProcess - we have it as 2660 but I suspect this requires e10s, and FF53 sets it to false while we currently enforce true - we should comment it out


earthlng commented Apr 11, 2017

  • I moved the following to ignore because the main pref seems to be services.blocklist.pinning.enabled
    • pref("services.blocklist.pinning.bucket", "pinning");
    • pref("services.blocklist.pinning.collection", "pins");
  • svg.disabled - I think we need to comment this out because it breaks youtube player controls.
  • browser.storageManager.enabled - from here:

In the last couple of cycles, some strings landed in pref for managing Site Data. To see this section in Preferences (at the bottom of Advanced -> Network), you need to enable (set to “true”) both these keys in about:config
browser.storageManager.enabled
dom.storageManager.enabled
Functionality is still hard to test, since there are no websites using this feature available for testing.

=> add this to 2706

  • plugins.navigator.hidden_ctp_plugin - 1294341 - something to do with Click2Play and Flash not being detected
    From here:

// This only supports one hidden ctp plugin, edit nsPluginArray.cpp if adding a second
pref("plugins.navigator.hidden_ctp_plugin", "Shockwave Flash");

=> the default empty string seems fine since we strongly recommend not to use Flash. IMO we can ignore this pref. If we care about Flash now, we probably also need to look at plugins.flashBlock.enabled

  • devtools.jsonview.enabled - Why do you think we need to deal with this one, Pants? seems good to me and we usually ignore devtools.* prefs anyway.

  • privacy.temporary_permission_expire_time_ms - 1206232 - seems fine to me. IMO we can ignore this. Why would we want to change or enforce this? If changing it, what would you want to set it to?

  • webextensions.storage.sync.enabled - I don't mind setting this to false. There's also webextensions.storage.sync.serverURL


earthlng commented Apr 11, 2017

dom.IntersectionObserver.enabled

https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API

https://bugzilla.mozilla.org/show_bug.cgi?id=1243846

We're adding a new API and it will help developers move ad viewability checks from Flash to JavaScript.

We're talking to some ad network partners about obtaining any tests they might have.

https://bugzilla.mozilla.org/show_bug.cgi?id=1321865

Given the history of this new API -- it's been the top cause of crashes in Nightly on three different occasions now

By my count, this is now the 4th time this has landed and been backed out for stability issues

https://wicg.github.io/IntersectionObserver/

A notable non-goal is pixel-accurate information about what was actually displayed


earthlng commented Apr 18, 2017

/* 2426: disable Intersection Observer API (FF53+)
 * [1] https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
 * [2] https://wicg.github.io/IntersectionObserver/
 * [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1243846 ***/
user_pref("dom.IntersectionObserver.enabled", false);

or

/* 2426: disable Intersection Observer API (FF53+)
 * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/47#issuecomment-293303172 ***/
user_pref("dom.IntersectionObserver.enabled", false);

Maybe add a note about this allowing for pixel-accurate information about what was actually displayed
and being mostly used by Ad Networks for Ad viewability checks.
But since that's already all quoted in my comment, I think we can just link to my comment and the item is short and sweet. (and we "force" users to visit this gh page ;)


/* 3027: decode URLs on copy from the URL bar (FF53+)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320061 ***/
user_pref("browser.urlbar.decodeURLsOnCopy", true);

/* 0403: disable augmenting the PKP preload list between releases (FF53+)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1306470#c12 ***/
   // user_pref("services.blocklist.pinning.enabled", false);

=> commented out or active, idc - you decide


/* 0422: disable passive TrackingProtection (FF53+)
 * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/47#issuecomment-285638216 ***/
user_pref("privacy.trackingprotection.annotate_channels", false);
user_pref("privacy.trackingprotection.lower_network_priority", false);

-> maybe add a note that this requires some URL prefs (0410d ??) are left intact ?


earthlng commented Apr 19, 2017

changes between FF53 beta9 and FF53.0 stable

not changed anymore in stable:

changed in stable:

earthlng changed the title from "ToDo: diffs FF52-FF53b1" to "ToDo: diffs FF52-FF53" on Apr 19, 2017

earthlng commented Apr 26, 2017

services.blocklist.pinning.enabled doesn't fully disable the feature. It still sends out update requests to the following URLs (as seen by uMatrix, so last URL in the list was requested first) but services.blocklist.pinning.checked remained 0, i.e. didn't get updated.

https://content-signature.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-20170510.prod.chain
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins
https://firefox.settings.services.mozilla.com/v1/
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins/records?_sort=id
https://firefox.settings.services.mozilla.com/v1/
https://content-signature.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-20170510.prod.chain
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins
https://firefox.settings.services.mozilla.com/v1/
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins/records?_sort=-last_modified
https://firefox.settings.services.mozilla.com/v1/

curiously it sent the requests twice, once with records?_sort=-last_modified and then with records?_sort=id. If we want to disable the pinning list update between releases we need to also clear services.blocklist.pinning.collection
Not unexpected there's no data at the moment and I personally will disable the feature because I can wait the 6 weeks between releases for the updates.
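
A check for the behaviour described in the comment above, as an added example that is not part of the original thread: it classifies the logged URLs and flags a feature whose `.enabled` pref is false while its bucket/collection is still being fetched. `classify`, `countByKind` and `auditFeature` are hypothetical names; the log is the URL list from that comment and the pref values are the ones discussed in this issue.

```javascript
// URL list copied from the comment above (uMatrix order, newest first).
const SAMPLE_LOG = [
  "https://content-signature.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-20170510.prod.chain",
  "https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins",
  "https://firefox.settings.services.mozilla.com/v1/",
  "https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins/records?_sort=id",
  "https://firefox.settings.services.mozilla.com/v1/",
  "https://content-signature.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-20170510.prod.chain",
  "https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins",
  "https://firefox.settings.services.mozilla.com/v1/",
  "https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins/records?_sort=-last_modified",
  "https://firefox.settings.services.mozilla.com/v1/",
];

// Feature switched off, bucket/collection left at the defaults listed in this issue.
const SAMPLE_PREFS = {
  "services.blocklist.pinning.enabled": false,
  "services.blocklist.pinning.bucket": "pinning",
  "services.blocklist.pinning.collection": "pins",
};

// Classify one logged URL; returns null for hosts unrelated to these updates.
function classify(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.hostname === "content-signature.cdn.mozilla.net") {
    return { kind: "signature-chain", name: u.pathname.split("/").pop() };
  }
  if (u.hostname !== "firefox.settings.services.mozilla.com") return null;
  if (u.pathname === "/v1/") return { kind: "server-info" };
  const m = u.pathname.match(/^\/v1\/buckets\/([^/]+)\/collections\/([^/]+)(\/records)?$/);
  if (!m) return { kind: "other" };
  return {
    kind: m[3] ? "records" : "collection",
    bucket: m[1],
    collection: m[2],
    sort: u.searchParams.get("_sort"),
  };
}

// Number of requests per kind, to see what one update cycle costs.
function countByKind(log) {
  const counts = {};
  for (const c of log.map(classify)) {
    if (c) counts[c.kind] = (counts[c.kind] || 0) + 1;
  }
  return counts;
}

// Flag a feature that is disabled by pref but whose collection still shows up in the log.
function auditFeature(prefs, prefix, log) {
  const bucket = prefs[`${prefix}.bucket`];
  const collection = prefs[`${prefix}.collection`];
  const hits = log.map(classify).filter(
    (c) => c && c.bucket === bucket && c.collection === collection
  );
  const records = hits.filter((c) => c.kind === "records");
  return {
    feature: prefix,
    collectionFetches: hits.length - records.length,
    recordFetches: records.length,
    sorts: records.map((c) => c.sort),
    stillPolling: prefs[`${prefix}.enabled`] === false && hits.length > 0,
  };
}

console.log(countByKind(SAMPLE_LOG));
console.log(auditFeature(SAMPLE_PREFS, "services.blocklist.pinning", SAMPLE_LOG));
```
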


earthlng commented Apr 26, 2017

A1 - mozilla - kinto? yes
A2 - we are not. How come I know your baby better than you dude? :)
A3 - installdir/browser/blocklist.xml got updated, but idk if the kinto lists are shipped with the setup, maybe in omni.ja, idk
A4 - yes, blocklist (old) + addons + certs + now maybe pinning
A5 - nothing is strictly necessary


earthlng commented Apr 26, 2017

The feature of getting pinning updates between FF releases is totally independent of the remaining kinto updates. To kill the whole thing you could just clear the URL pref and all the collection prefs and services.blocklist.update_enabled or set the interval to a gazillion years or something. And then there's also extensions.blocklist.enabled. Currently (and I suspect it will stay that way) the pinning data update list is empty. But it does 10 additional requests every 24 hours (11 if you count the ocsp request), basically for no reason because there's nothing to update. (Quiet fox etc)
6 weeks between releases is really not that long and idk what would warrant an update in between.
They wanted to have a way to update it and kinto makes this very easy but I think it's very possible that this will never be used. Maybe they'll eventually get rid of the hardcoded preload list and use the kinto list instead but they never mentioned anything to that effect in the ticket.
Since we already have the other kinto prefs in the user.js I thought we should also include these new ones.
