Thunderbird support? #646

Closed
ghost opened this issue Feb 12, 2019 · 43 comments

@ghost

ghost commented Feb 12, 2019

Hi,

I didn't see it anywhere but would this work with Thunderbird/be supported? Thunderbird is based off the Firefox ESR and a lot of the options are relevant.

@Atavic

Atavic commented Feb 12, 2019

Maybe https://github.com/CHEF-KOCH/TBCK

@ghost
Author

ghost commented Feb 12, 2019

> Maybe

Hah, love how you say maybe 😉.

Part of what makes ghacks-user.js good is the comments. If that's all there is I'll probably branch the ghacks-user.js and make a specific one for Thunderbird, you know because I'm not into stealing other people's work and claiming it as my own. #323.

I also wouldn't fork any of CHEF-KOCH's repositories because then I'd have to make sure links to child porn weren't in there https://github.com/privacytoolsIO/privacytools.io/issues/566#issuecomment-438308901. I also don't think it's significant enough to warrant a GPL license. If I had to put any license in there, I'd probably just go with a MIT license.

@bogachenko

bogachenko commented Feb 12, 2019

@tya99

> you know because I'm not into stealing other people's work and claiming it as my own. #323.

why steal? specify a link about what used this repository in the README file...


I am finite not ghack, but I have it

@ghost
Author

ghost commented Feb 21, 2019

@Atavic It would seem Chef Koch has pretty much grabbed a bunch out of the Tor Browser Bundle. I don't see the point in doing that considering a lot of the keys don't make any sense because they don't actually exist in Thunderbird, for example stuff to do with URL bar.

> I don't see the need (I don't allow pictures etc in email, and I don't browse the web in it - sure

Me neither, and I don't think using the ghacks-user.js would be appropriate because it would add a lot of keys that don't actually correspond to any code.

If all remote code is disabled, cookies and JavaScript the surface area is going to be pretty low. There isn't much you can do with plain HTML. None of the privacy stuff or fingerprinting stuff will be relevant either. Would you agree with that assessment @Thorin-Oakenpants?

@ghost
Author

ghost commented Feb 21, 2019

As it happens I am going through all the keys in about:config in a fresh Thunderbird profile, and comparing what is in ghacks/user.js. The ones which are not set but set exist in ghacks/user.js I am copying into a text file. I am about 50% done. I decided to start with a fresh Thunderbird 60.5.1 profile.

I am adding a few 'extra' ones like for example disabling chat mail.chat.enabled and things like that so I think we certainly could work with a micro Thunderbird user.js

It would probably not be appropriate to branch the main repo, maybe a hard fork. The reason is because I expect we will toggle things like:

network.cookie.cookieBehavior = 2 // 2 = (Block) All cookies
javascript.enabled = false

> did mine manually years ago (from about config or the ui),

hah yeah me too. I like to have all user config settings in a user.js seeing as there's no way to "export" easily from about:config, plus many of the options I don't care about.

@nostromov

nostromov commented Feb 22, 2019

> Maybe https://github.com/CHEF-KOCH/TBCK

> TBCK doesn't document every toggle because everyone can Google what each setting really changes and most of them are self-explaining anyway or they getting changed/removed by Mozilla after a short time.

Yes agreed 100∆ so, WHY-EVEN-DO-IT™

It's my anti-NIKE thingy +until they start naming ALL of the whales which Japanese whalers are killing (legally, again!) in 2019. ☮️ on Earth, my friends!

@ghost
Author

ghost commented Feb 22, 2019

> Let's see what you come up with. I don't think it needs a hell of a lot.

Exactly. I have 211 lines, and it could probably be trimmed down a bit.

I went through all the about:config settings in Thunderbird that have been set by the ghacks/user.js and copied them into this file.

I also then went and checked through the settings I'd manually set in about:config over my usage.

This is what I have got, obviously needs tidying up and commenting and re-indexing. What I might do is keep the "same" categories you've got in the ghacks/user.js but then completely purge unrelated keys.

> I could easily create a new repo under https://github.com/ghacksuserjs and give you admin rights to it - so it could have its own issues and discussions and a user.js etc

I think that would be best as it's really a hard fork and doesn't make sense to add keys that have no code in Thunderbird.

click me for details

user_pref("accessibility.force_disabled", 1);
user_pref("alerts.showFavicons", false); // [DEFAULT: false]
user_pref("app.releaseNotesURL", "");
user_pref("app.support.baseURL", "");
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("beacon.enabled", false);
user_pref("breakpad.reportURL", "");
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.disk.capacity", 0);
user_pref("browser.cache.disk.smart_size.enabled", false);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.disk_cache_ssl", false);
user_pref("browser.cache.offline.enable", false);
user_pref("browser.cache.offline.insecure.enable", false); // [DEFAULT: false in FF62+]
user_pref("browser.chrome.favicons", false);
user_pref("browser.chrome.site_icons", false);
user_pref("browser.chrome.site_icons", false);
user_pref("browser.download.forbid_open_with", true);
user_pref("browser.display.use_document_fonts", 0);
user_pref("browser.download.folderList", 2);
user_pref("browser.download.forbid_open_with", true);
user_pref("browser.download.hide_plugins_without_extensions", false);
user_pref("browser.download.manager.addToRecentDocs", false);
user_pref("browser.download.useDownloadDir", false);
user_pref("browser.fixup.alternate.enabled", false);
user_pref("browser.fixup.hide_user_pass", true); // [DEFAULT: true]
user_pref("browser.formfill.enable", false);
user_pref("browser.helperApps.deleteTempFileOnExit", true);
user_pref("browser.link.open_newwindow", 3);
user_pref("browser.link.open_newwindow.restriction", 0);
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", ""); // [FF50+]
user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", ""); // [FF54+]
user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", ""); // [FF54+]
user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", ""); // [FF54+]
user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); // [FF54+]
user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
user_pref("browser.safebrowsing.updateURL", ""); // browser.safebrowsing.provider.google.updateURL
user_pref("browser.safebrowsing.provider.google4.gethashURL", ""); // [FF50+]
user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
user_pref("browser.search.countryCode", "US"); // [HIDDEN PREF]
// browser.search.defaultenginename
// browser.search.defaultenginename.US
user_pref("browser.search.geoSpecificDefaults", false);
user_pref("browser.search.geoSpecificDefaults.url", "");
user_pref("browser.search.region", "US"); // [HIDDEN PREF]
user_pref("browser.search.geoip.url", "");
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.search.update", false);
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);
user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("browser.urlbar.usepreloadedtopurls.enabled", false);
user_pref("canvas.capturestream.enabled", false);
user_pref("captivedetect.canonicalURL", "");
user_pref("device.sensors.enabled", false);
user_pref("dom.IntersectionObserver.enabled", false);
user_pref("dom.caches.enabled", false);
user_pref("dom.disable_beforeunload", true);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("dom.allow_cut_copy", false); // [HIDDEN PREF]
user_pref("dom.caches.enabled", false);
user_pref("dom.forms.datetime", false);
user_pref("dom.imagecapture.enabled", false); // [DEFAULT: false]
user_pref("dom.indexedDB.enabled", true); // [DEFAULT: true] // We don't have containers in Thunderbird - do we need this?
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
user_pref("dom.ipc.plugins.reportCrashURL", false);
user_pref("dom.netinfo.enabled", false);
user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.enabled", false);
user_pref("dom.push.serverURL", "");
user_pref("dom.push.userAgentID", "");
user_pref("dom.vibrator.enabled", false);
user_pref("dom.vr.enabled", false);
user_pref("dom.w3c_pointer_events.enabled", false);
user_pref("dom.w3c_touch_events.enabled", 0);
user_pref("dom.webaudio.enabled", false);
user_pref("dom.webnotifications.enabled", false); // [FF22+]
user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
user_pref("extensions.autoDisableScopes", 15);
user_pref("extensions.getAddons.cache.enabled", false);
user_pref("extensions.getAddons.showPane", false); // [HIDDEN PREF]
user_pref("extensions.update.autoUpdateDefault", false);
user_pref("full-screen-api.enabled", false);
user_pref("geo.enabled", false);
user_pref("gfx.downloadable_fonts.woff2.enabled", false);
user_pref("gfx.font_rendering.graphite.enabled", false);
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
user_pref("gfx.offscreencanvas.enabled", false); // [DEFAULT: false]
user_pref("intl.accept_languages", "en-US, en");
user_pref("intl.regional_prefs.use_os_locales", false);
user_pref("javascript.enabled", false);
user_pref("javascript.options.asmjs", false);
user_pref("javascript.options.wasm", false);
user_pref("keyword.enabled", false);
user_pref("layers.acceleration.disabled", true);
user_pref("layout.css.font-loading-api.enabled", false);
user_pref("layout.css.visited_links_enabled", false);
user_pref("mail.SpellCheckBeforeSend", false);
user_pref("mail.ab_remote_content.migrated", 1); // https://bugzilla.mozilla.org/show_bug.cgi?id=1436947#c12 which is what we want, they might change it in the future.
user_pref("mail.chat.enabled", false);
user_pref("mail.collect_addressbook", false); // Use a proper addressbook like cardbook
user_pref("mail.collect_email_address_outgoing", false); // Use a proper addressbook like cardbook
user_pref("mail.default_html_action", 3);
user_pref("mail.html_compose", false);
user_pref("mailnews.reply_in_default_charset", true); // I like to force UTF-8 8bit or 7bit no silly windows charsets, ie I replied to an email in charset=ISO-8859-1 and thunderbird chose charset=windows-1252 http://forums.mozillazine.org/viewtopic.php?f=28&t=267341
user_pref("intl.fallbackCharsetList.ISO-8859-1", "UTF-8"); // https://bugzilla.mozilla.org/show_bug.cgi?id=214729 http://forums.mozillazine.org/viewtopic.php?f=28&t=267341
user_pref("mailnews.sendformat.auto_downgrade", false);
user_pref("mailnews.start_page.enabled", false);
user_pref("mailnews.view_default_charset", "UTF-8");
user_pref("mailnews.send_default_charset", "UTF-8");
user_pref("media.autoplay.enabled", false);
user_pref("media.gmp-manager.url", "data:text/plain,");
user_pref("media.gmp-manager.url.override", "data:text/plain,"); // [HIDDEN PREF]
user_pref("media.mediasource.enabled", false);
user_pref("media.navigator.enabled", false);
user_pref("media.peerconnection.enabled", false);
user_pref("network.IDN_show_punycode", true);
user_pref("network.allow-experiments", false);
user_pref("network.captive-portal-service.enabled", false); // [FF52+]
user_pref("network.cookie.cookieBehavior", 2);
user_pref("network.dns.disableIPv6", true); // Some users might want this, not sure if this affects sending IPv6 addresses SMTP though
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF]
user_pref("network.ftp.enabled", false);
user_pref("network.http.referer.XOriginPolicy", 2);
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3]
user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
user_pref("network.http.referer.hideOnionSource", true);
user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
user_pref("network.http.referer.trimmingPolicy", 2);
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.deps", false);
user_pref("network.http.spdy.enabled.http2", false);
user_pref("network.http.spdy.websockets", false); // [ff65+] // Will probably be in Thunderbird 66
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.jar.block-remote-files", true);
user_pref("network.jar.open-unsafe-types", false);
// user_pref("network.manage-offline-status", false); // see bugzilla 620472 // weirdly this is in Thunderbird
user_pref("network.predictor.enable-prefetch", false);
user_pref("network.predictor.enabled", false);
user_pref("network.prefetch-next", false);
user_pref("network.proxy.autoconfig_url.include_path", false); // [DEFAULT: false]
user_pref("offline-apps.allow_by_default", false);
user_pref("permissions.manager.defaultsUrl", "");
user_pref("pfs.datasource.url", "");
user_pref("places.history.enabled", false);
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);
user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);
user_pref("plugin.state.flash", 0); // Was actually set to 2.
user_pref("plugin.state.java", 0);
user_pref("plugins.click_to_play", true); // Comes set as false
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", true);
user_pref("privacy.cpd.history", true); // Browsing & Download History
user_pref("privacy.donottrackheader.enabled", true);
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.sanitize.timeSpan", 0);
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.pbmode.enabled", true); // [DEFAULT: true]
user_pref("privacy.userContext.enabled", true);
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", true); // Default was false in Thunderbird
user_pref("security.cert_pinning.enforcement_level", 2);
user_pref("security.csp.enable", true); // [DEFAULT: true]
user_pref("security.csp.enable_violation_events", false);
user_pref("security.csp.experimentalEnabled", true);
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // [DEFAULT: true]
user_pref("security.dialog_enable_delay", 700);
user_pref("security.insecure_field_warning.contextual.enabled", true);
user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
user_pref("security.mixed_content.block_display_content", true);
user_pref("security.mixed_content.block_object_subrequest", true);
user_pref("security.password_lifetime", 5);
user_pref("security.pki.sha1_enforcement_level", 1); // By default this is 3
user_pref("security.ssl.enable_ocsp_stapling", true);
user_pref("security.ssl.errorReporting.automatic", false);
user_pref("security.ssl.errorReporting.enabled", false);
user_pref("security.ssl.errorReporting.url", "");
user_pref("security.ssl.require_safe_negotiation", true); // This was set to false in thunderbird
user_pref("security.tls.enable_0rtt_data", false);
// user_pref("security.tls.version.min", 3);
user_pref("security.tls.version.max", 4);
user_pref("signon.autofillForms", false);
user_pref("signon.autofillForms.http", false);
user_pref("signon.formlessCapture.enabled", false);
user_pref("signon.storeWhenAutocompleteOff", true); // [DEFAULT: true]
/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
 * [SETUP-WEB] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
 * [1] https://bugzilla.mozilla.org/1216893 ***/
   // user_pref("svg.disabled", true);   // Probably not likely to need in email
user_pref("toolkit.telemetry.cachedClientID", "");
user_pref("webgl.disable-extensions", true);
user_pref("webgl.disable-fail-if-major-performance-caveat", true);
user_pref("webgl.disabled", true);
user_pref("webgl.min_capability_mode", true);
user_pref("xpinstall.whitelist.required", true); // [DEFAULT: true]
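
Added example, not part of the thread or of the ghacks project: a draft list like the one above can be checked mechanically before the manual about:config comparison. This Python script flags repeated prefs, prefs given two different values, bare names that are not valid user.js statements, and names missing from a known-pref set; `audit`, `SAMPLE` and `KNOWN` are hypothetical names, and both the sample and the known set are constructed stand-ins, not a statement of what Thunderbird ships.

```python
import re
from collections import defaultdict

# One active user_pref("name", value); line. user.js values are a quoted
# string, a boolean or an integer.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;'
)
# A pref name pasted on a line of its own (no user_pref wrapper).
BARE_RE = re.compile(r'^\s*[A-Za-z][\w-]*(?:\.[\w-]+)+\s*$')


def strip_block_comments(text):
    """Blank out /* ... */ comments, keeping newlines so line numbers hold.

    Assumes no pref value contains the two characters "/*".
    """
    return re.sub(r'/\*.*?\*/', lambda m: '\n' * m.group(0).count('\n'),
                  text, flags=re.S)


def parse_user_js(text):
    """Return ({name: [(line_no, raw_value), ...]}, [(line_no, bare_name), ...])."""
    prefs = defaultdict(list)
    invalid = []
    for no, line in enumerate(strip_block_comments(text).splitlines(), 1):
        m = PREF_RE.match(line)          # "// user_pref(...)" does not match
        if m:
            prefs[m.group("name")].append((no, m.group("value")))
        elif BARE_RE.match(line):
            invalid.append((no, line.strip()))
    return prefs, invalid


def audit(text, known_prefs):
    """Classify the active prefs of a user.js against a set of known names."""
    prefs, invalid = parse_user_js(text)
    report = {"duplicate": [], "conflict": [], "unknown": [], "invalid": invalid}
    for name, hits in prefs.items():
        values = [v for _, v in hits]
        if len(set(values)) > 1:
            # user.js is applied top to bottom, so the last value is effective.
            report["conflict"].append((name, values))
        elif len(hits) > 1:
            report["duplicate"].append((name, [n for n, _ in hits]))
        if name not in known_prefs:
            report["unknown"].append(name)
    return report


# Constructed sample built from lines that appear in this thread.
SAMPLE = '''\
user_pref("browser.chrome.site_icons", false);
user_pref("browser.chrome.site_icons", false);
browser.search.defaultenginename
user_pref("security.OCSP.enabled", 1);
/* 2610: disable in-content SVG
 * [1] https://bugzilla.mozilla.org/1216893 ***/
   // user_pref("svg.disabled", true);
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("mail.chat.enabled", false);
user_pref("security.OCSP.enabled", 0);
'''

# Constructed stand-in for the names collected from a fresh profile.
KNOWN = {"browser.chrome.site_icons", "security.OCSP.enabled", "mail.chat.enabled"}

if __name__ == "__main__":
    for kind, entries in audit(SAMPLE, KNOWN).items():
        print(kind, entries)
```

A name missing from about:config is not proof that the pref is unused: hidden prefs do not appear there, so treat `unknown` as a list to check against the source tree.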

@ghost
Author

ghost commented Feb 22, 2019

> I could easily create a new repo under https://github.com/ghacksuserjs and give you admin rights to it - so it could have its own issues and discussions and a user.js etc - just like in here.

What do you reckon we should call it? ghacks-tb-user.js? I didn't want people to confuse the tb with Tor Browser, although that's usually referred to as tbb.

@ghost
Author

ghost commented Feb 22, 2019

ghacks-thunderbird-user.js yes that sounds like a perfect name.

> but a lot of those prefs are a waste of time IMO

No you're exactly right. I'll set up a draft repository, on my account and when it's looking good we can add it to the ghacks project.

@ghost
Author

ghost commented Feb 22, 2019

I have removed obvious things like pocket, hello, urlbar and uitour as they are unlikely to ever appear in Thunderbird or were deprecated and never were in Thunderbird.

I have made a bunch of markers that still need attention:

  • tya99Note: Doesn't exist in Thunderbird 60.5
  • tya99NoteWindows: next items that might exist in Thunderbird on Windows. I don't have a Windows computer so I'd appreciate someone checking that.
  • tya99NoteTB66 next to options I anticipate will actually be in the next Thunderbird (comm-beta) but weren't in 60.5
  • tya99NoteCheckExtensions, check if my extensions use these.
  • tya99noteNotDeprecated, exists in Thunderbird 60.5, despite being in the deprecated section

@ghost
Author

ghost commented Feb 22, 2019

Some rough stats on that what is in there still to be looked at

$ grep -o -i tya99Note: user.js | wc -l
99

$ grep -o -i tya99NoteWindows: user.js | wc -l
7

$ grep -o -i tya99NoteTB66: user.js | wc -l
9

$ grep -o -i tya99NoteCheckExtensions: user.js | wc -l
2

$ grep -o -i tya99noteNotDeprecated: user.js | wc -l
4

@beerisgood

Maybe take a look at Thunderbird user.js from the German privacy-handbuch (in English: privacy book)
https://www.privacy-handbuch.de/download/tb/user.js

@ghost
Author

ghost commented Feb 22, 2019

I don't think it's a good idea to disable tracking protection/safe browsing so I have left those as they were in ghacksuserjs/ghacks-user.js at least for the time being until uBlock Origin is officially supported on Thunderbird. Experimental at the moment.

gorhill/uBlock#3698
gorhill/uBlock@305cd4d

Some of the other flags in there appeared in the deprecated section.

user_pref("browser.safebrowsing.appRepURL", " ");
user_pref("datareporting.policy.dataSubmissionEnabled", false);

Some of them don't grant any real privacy for example calendar.useragent.extra. If you don't trust your own CalDav server knowing you're using Lightning. If you're not using your own Caldav server then the user agent would be the least of your concern.

Another example is that they disable caching which can cause performance issues, ie extensions.getAddons.cache.enabled and browser.cache.* No real performance gain, use full disk encryption or an amnesic operating system like Tails.

We could use their enigmail options though.

One should not rely on extensions.enigmail.mimeHashAlgorithm and should make a proper gpg.conf. I based mine off this one from Whonix.

I suppose we could use:

click me for details

user_pref("extensions.enigmail.addHeaders", false);
user_pref("extensions.enigmail.mimeHashAlgorithm", 5);
user_pref("extensions.enigmail.useDefaultComment", true);
user_pref("extensions.enigmail.protectedHeaders", 2);
user_pref("extensions.enigmail.protectedSubjectText", "Encrypted Message");
user_pref("mailnews.auto_config.guess.enabled", false);
user_pref("mailnews.auto_config.fetchFromISP.sendEmailAddress", false);
user_pref("mailnews.display.disallow_mime_handlers", 3); // https://www.kb.cert.org/vuls/id/661651/ https://bugzilla.mozilla.org/show_bug.cgi?id=677905
user_pref("mailnews.display.html_as", 1);
user_pref("mailnews.display.prefer_plaintext", true);
user_pref("mail.identity.default.compose_html", false); // https://support.mozilla.org/en-US/questions/1004181 
user_pref("mail.inline_attachments", false);
user_pref("mail.compose.big_attachments.notify", false);
user_pref("mail.html_compose", false);
user_pref("mail.server.default.enableAutocrypt", false);
user_pref("mail.showCondensedAddresses", false);
user_pref("mail.smtpserver.default.hello_argument", "[127.0.0.1]");
user_pref("mail.tabs.autoHide", true);
user_pref("mailnews.headers.showSender", true);
user_pref("mailnews.headers.showUserAgent", true);
user_pref("media.hardware-video-decoding.enabled", false);
user_pref("permissions.default.image", 2); // http://kb.mozillazine.org/Permissions.default.image
user_pref("rss.display.disallow_mime_handlers", 3);
user_pref("rss.display.html_as", 1);
user_pref("rss.display.prefer_plaintext", true);
user_pref("rss.show.content-base", 1);
user_pref("security.OCSP.enabled", 0);
user_pref("purple.logging.log_chats", false);
user_pref("purple.logging.log_ims", false);
user_pref("purple.logging.log_system", false);
user_pref("purple.conversations.im.send_typing", false);

I'm also not sure I agree with their cipher options.

@ghost
Author

ghost commented Feb 23, 2019

> Huh? Sorry guys, but I'm really busy. I'm expecting a user.js with about 20 to 30 items.

Yes and I'm going to do some significant trimming, but I do like to keep the comments.

> so get the lists organized and trim the fat off :)

I will be working on this in the coming days :).

> If we end up with a reasonable product, then I'll create the repo

Yes it's not ready yet.

> I'm having trouble following this. So there were 211 prefs, and 99 are not in Thunderbird (but some might be in Windows, so someone needs to check - e.g you do it on DXR, or I could,

I have spooled up a Windows 10 VM for this.

I'm also going to go and look in depth https://dxr.mozilla.org/comm-release/ to see if any of those "missing keys" actually appear in there.

@ghost
Author

ghost commented Feb 23, 2019

@Thorin-Oakenpants is there a style guide for contributors anywhere?

I think one should be added to the wiki. It should include things such as:

  • TOC item example
  • Item description good practices
  • Line length, indenting etc.

I am styling it like the other stuff in there, but yeah. I think that would be a good idea, for new people.

@ghost
Author

ghost commented Feb 23, 2019

> no need for one, since earthlng and myself do all the commits

Still it would be nice so that we could be as compliant as possible and therefore requiring the most minimal amount of work from you.

Seems like the wiki would be an appropriate place for an article.

@ghost
Author

ghost commented Feb 23, 2019

> When it comes to thunderbird, we want it to be simple, short, and sweet.

Couldn't agree more, I figured though it was easier to hard fork the ghacks-user.js and then work with that. That would at least keep the table of contents intact.

> There's no need, esp at the start, to build in things like enigmail (by all means, down the track, you can have an extensions wiki page), or fuck around with rss feeds or chat.

Already complete 6000, 6300. There weren't too many options there anyway. It seems like Enigmail has a lot saner defaults than it used to. It used to love stuffing its headers, and commits in everywhere but it seems upstream has changed that behavior.

> Don't fuck with anything you don't need to: e.g changing ciphers, SB'ing etc.

Agreed, disabling JavaScript makes it pretty difficult to fingerprint you anyway, or for that matter use any of the WebExtension APIs.

> I'm having trouble following this. So there were 211 prefs, and 99 are not in Thunderbird (but some might be in Windows, so someone needs to check - e.g you do it on DXR, or I could, assuming it's not a hidden pref) - so get the lists organized and trim the fat off :)

I'll make sure I do each section as individual commits, in case we want to revert. Now I have finished everything else I think I want to do with this it's a good time.

> If we end up with a reasonable product, then I'll create the repo

That will be awesome.

@ghost
Author

ghost commented Feb 24, 2019

grep -o -i tya99NoteWindows: user.js | wc -l
0

So I have checked tya99NoteWindows, it seems they still exist in comm-beta so I've left them in there. I've removed the tags.

grep -o -i tya99NoteTB66: user.js | wc -l
1
user_pref("media.gmp-widevinecdm.autoupdate", false);

I'm not sure why this one wasn't in comm-beta when the other widevinecdm entries were. Maybe it is yet to still be implemented.

grep -o -i tya99NoteCheckExtensions: user.js | wc -l
0

indexedDB is used by Cardbook and Enigmail, so that's sorted.

grep -o -i tya99NoteNotDeprecated: user.js | wc -l
2

2 of the 4 options were already set to true by default. These two still appear to be set in Thunderbird 60.5.

user_pref("pfs.datasource.url", "");
user_pref("plugins.update.url", "");

grep -o -i 'tya99Note:' user.js | wc -l
0

A lot of these still existed in comm-beta. I'm wondering if that's because Mozilla hasn't purged out all the stuff not relevant to Thunderbird.

I am thinking now I might make a branch, and then seriously start culling things, because if I leave stuff in there that might be in Thunderbird 66, I basically have what I started with. Looking here it says:

> We typically release 1-3 weeks after published Firefox dates. But it is can be more 1-3 weeks, or it can be less, because we ship when code is ready and tested.

Looking at their calendar, I estimate Thunderbird 66 will probably be a year or so away (Q1/Q2 2020).

In this branch I will have to make sure I check comm-release to see if it's actually used. Sometimes preferences in there are just cruft and don't actually correlate to any use.

/* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
 * [SETUP-WEB] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
 * [1] https://bugzilla.mozilla.org/1216893 ***/
user_pref("svg.disabled", true); // tya99NoteNotSure: We aren't using this as a web browser

Along with disabling JavaScript maybe this would also be a good idea @Thorin-Oakenpants? I don't think I've ever received an email with a SVG.

@ghost
Author

ghost commented Feb 25, 2019

@Thorin-Oakenpants

I've done a bit more investigation and I really think we shouldn't set javascript.enabled = false. If we do that it breaks the autoconfig feature, ie mailnews.auto_config_url which is required in order to determine whether a host supports OAuth2. For example with Google https://autoconfig.thunderbird.net/v1.1/gmail.com a contextually limited window is opened in order to allow the user to authenticate and then supply their 2FA code.

There might be other providers in the future that use this feature so simply saying "don't use Google", "they are bad for privacy" isn't an acceptable solution.

Disabling JavaScript with that pref didn't seem to break JavaScript running within Thunderbird's UI (and from the scratchpad). Ie I was still able to make popup windows with alert('example');

Apparently JavaScript cannot be executed within an email and hasn't been able to for a long time.

> JavaScript
> Due to various security considerations. Javascript has been disabled completely in message content (the javascript.allow.mailnews preference no longer has any effect). Javascript is enabled for remote content including RSS feeds.

However this brings me to another issue. I tried these:

rss switches and nothing happened, they don't seem to work.

/* 6208: What classes can process incoming data.
 * (0=All classes (default), 1=Don't display HTML, 2=Don't display HTML and inline images,
 * 3=Don't display HTML, inline images and some other uncommon types, 100=Use a hard coded list)
 * [1] https://www.privacy-handbuch.de/handbuch_31j.htm ***/
user_pref("rss.display.disallow_mime_handlers", 3);
/* 6209: How to display HTML parts of a message body
 * (0=Display the HTML normally (default), 1=Convert it to text and then back again
 * 2=Display the HTML source, 3=Sanitize the HTML, 4=Display all body parts)
 * (in trunk builds later than 2011-07-23)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=602718
 * [2] https://hg.mozilla.org/comm-central/rev/c1ef44a22eb2
 * [3] https://www.bucksch.org/1/projects/mozilla/108153/ ***/
user_pref("rss.display.html_as", 1);
/* 6210: Prefer to view as plaintext or html
 * true=Display a message as plain text when there is both a HTML and a plain
 * text version of a message body
 * false=Display a message as HTML when there is both a HTML and a plain text
 * version of a message body. (default) ***/
user_pref("rss.display.prefer_plaintext", true);


From my testing it appears the examples shown by SPI Dynamics in Feed Injection in Web 2.0 do not work even with javascript.enabled = true, which seems to be the expected behavior as those on stackoverflow and stackexchange suggested. It's worth noting that the paper was published in 2006 (12 years ago).

The unfortunate thing is it is still possible to execute JavaScript if one double clicks on an RSS item in the thread pane as that opens up the <link>.

test rss item

<?xml version="1.0" encoding="UTF-8" ?>
<rss version="2.0">

<channel>
    <title>Test RSS feed</title>
    <link>http://localhost</link>
    <description>Test Page</description>
    <item>
        <title>RSS Item 1</title>
        <link>http://localhost/rss/popup.html</link>

        <description>
            <![CDATA[
            <img align="left" hspace="5" src="https://upload.wikimedia.org/wikipedia/commons/6/66/SMPTE_Color_Bars.svg"/>

            <script type="text/javascript">
                document.write('This JavaScript is not being executed');
            </script>
            ]]>

            <![CDATA[
                This some HTML <b>boldness</b> to show HTML works.
            ]]>
        </description>
    </item>
</channel>
</rss>


with a html page that has some JavaScript

<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8"/>
    <title>Popup</title>
</head>
<body>
    <script type="text/javascript">
        window.alert("A Wild popup appears!");
   </script>
</body>
</html>


Although Mozilla killed RSS in Firefox I was told by @kewisch that Thunderbird uses different code to that.

As there seems to be no way to disable JavaScript in the context of RSS without breaking other features of Thunderbird that actually improve security, I think it might just be better to not use RSS in Thunderbird.

Some alternative options could be to use a feed reader plugin for Firefox, then at least you'd have uMatrix and the ghacks-user.js to let you have the control you want. An alternative could be to use an external feed reader, possibly canto-ng, or newsboat. There's a couple of reasonable looking self hostable options, like tt-rss, Nextcloud/News.

I also observed that when I clicked on Tools > Addons and navigated around addons.thunderbird.net the only links that would open in Thunderbird were from

  • accounts.firefox.com
  • settings.services.mozilla.com
  • addons.thunderbird.net
  • addons.cdn.mozilla.net
  • The release notes also opened within Thunderbird (from Help > About Mozilla Thunderbird) which is also hosted on thunderbird.net

the rest would open in the browser, including links to mozilla.org.
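The audit below is an added example, not part of the original comment: it scans a feed like the test item above and reports, per item, script-capable markup in the description, remote resources fetched when the item is displayed, and the `<link>` target that opens on double-click. The sample feed is constructed, and `audit_feed` and `DescriptionScanner` are names chosen for this example.

```python
import xml.etree.ElementTree as ET
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, modelled on the test feed in the comment above.
SAMPLE_FEED = """<rss version="2.0"><channel>
  <item>
    <title>RSS Item 1</title>
    <link>http://localhost/rss/popup.html</link>
    <description><![CDATA[
      <img src="https://upload.wikimedia.org/wikipedia/commons/6/66/SMPTE_Color_Bars.svg"/>
      <script type="text/javascript">document.write('not executed');</script>
      Some <b>bold</b> HTML.
    ]]></description>
  </item>
</channel></rss>"""

class DescriptionScanner(HTMLParser):
    """Records script-capable markup and remote resources in an item description."""
    ACTIVE_TAGS = {"script", "iframe", "object", "embed"}

    def __init__(self):
        super().__init__()
        self.active, self.remote = [], []

    def handle_starttag(self, tag, attrs):
        if tag in self.ACTIVE_TAGS:
            self.active.append(tag)
        for name, value in attrs:
            scheme = urlparse(value or "").scheme
            if name.startswith("on") or scheme == "javascript":
                self.active.append(f"{tag}[{name}]")  # event handler or javascript: URL
            elif name == "src" and scheme in ("http", "https"):
                self.remote.append(value)  # fetched from the network on display

def audit_feed(xml_text):
    """Return one finding per <item>; use defusedxml instead of ET for untrusted feeds."""
    findings = []
    for item in ET.fromstring(xml_text).iter("item"):
        scanner = DescriptionScanner()
        scanner.feed(item.findtext("description") or "")
        scanner.close()
        link = (item.findtext("link") or "").strip()
        findings.append({"link": link, "link_scheme": urlparse(link).scheme,
                         "active_markup": scanner.active,
                         "remote_resources": scanner.remote})
    return findings
```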

@ghost
Author

ghost commented Feb 26, 2019

I have posted about this on BMO bug 1530593 as I feel RSS feeds should behave the same way as emails do, especially in regard to remote content.

Based on the way that feeds currently behave and the fact that the

rss display options

/* 6208: What classes can process incoming data.
 * (0=All classes (default), 1=Don't display HTML, 2=Don't display HTML and inline images,
 * 3=Don't display HTML, inline images and some other uncommon types, 100=Use a hard coded list)
 * [1] https://www.privacy-handbuch.de/handbuch_31j.htm ***/
user_pref("rss.display.disallow_mime_handlers", 3);
/* 6209: How to display HTML parts of a message body
 * (0=Display the HTML normally (default), 1=Convert it to text and then back again
 * 2=Display the HTML source, 3=Sanitize the HTML, 4=Display all body parts)
 * (in trunk builds later than 2011-07-23)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=602718
 * [2] https://hg.mozilla.org/comm-central/rev/c1ef44a22eb2
 * [3] https://www.bucksch.org/1/projects/mozilla/108153/ ***/
user_pref("rss.display.html_as", 1);
/* 6210: Prefer to view as plaintext or html
 * true=Display a message as plain text when there is both a HTML and a plain
 * text version of a message body
 * false=Display a message as HTML when there is both a HTML and a plain text
 * version of a message body. (default) ***/
user_pref("rss.display.prefer_plaintext", true);


don't in fact work, as they are not implemented despite being exposed as prefs, I think using RSS in Thunderbird should be avoided at this time.

I think we can still go ahead with thunderbird-user.js and just warn those users they may need to temporarily enable JavaScript in order to associate their email account with their Google Account. Once authenticated and permission is granted for Thunderbird you don't need JavaScript anymore and it can be disabled, i.e. by setting javascript.enabled = false.

@ghost
Author

ghost commented Mar 17, 2019

@Thorin-Oakenpants

I have been testing our Thunderbird config with my friend @dngray and we believe this is ready for transfer to the ghacks project.

@dngray

dngray commented Mar 17, 2019

Hmm, seems I need permission:

You don’t have the permission to create repositories on ghacksuserjs

@dngray

dngray commented Mar 18, 2019

I would create the repo and then give you permissions for that repo, not the whole organization.

That's cool. I wasn't sure what was involved.

Just hang tight - I need to think about this - i.e having the repo under the ghacksuser.js org - it would need to follow the same high standards and format etc,

@tya99 and I believe this is also very important and we love what you've done with the Firefox version. We have maintained the documentation and formatting that previously existed and added our own where necessary. https://github.com/dngray/ghacks-thunderbird-user.js

and it may just be easier to create your own repo ... will think some MOAR

I would have liked it under ghacksuser.js as it will give it more exposure. Particularly for pull/issues etc. It also means that @tya99 and I can maintain it more openly.

Perhaps you could create the repo and I could commit to it?

@dngray

dngray commented Mar 18, 2019

Edit: the readme needs some changes: e.g removing all the stuff about the firefox user.js and sticking you two in as the perps behind it etc

That's cool. If you could make a PR I will accept.

@dngray

dngray commented Mar 18, 2019

the user.js also needs some love: e.g replace "Firefox" with "Thunderbird" etc, versioning of FF* etc - and it seems massively long for what was meant to be a small simple bunch of items - then again, it's meant to be comprehensive I spose.

Thunderbird is based off Firefox ESR code. Thunderbird releases tend to come out a month after a new Firefox ESR is released. This being said I think it's better to leave the FF versioning in there as it makes more sense because there is no "non ESR" version of Thunderbird.

Thunderbird target is much slower than even ESR of Firefox, so we won't be seeing Thunderbird 66 for some time. When Thunderbird 66 is released I'll do the investigation to see what new config options are available and in use.

Give me a few days, and see if you can clean up your readme and user.js a bit. I still need to look the whole thing over

That's cool. I just figured it would be easier to make the changes as you go, rather than type them all in the comments box and have me look/replace/act on them 😀.

@dngray

dngray commented Mar 18, 2019

Why am I doing it? You can edit your repo before I get around to looking at it :)

Done, I don't think I missed anything.

@dngray

dngray commented Mar 18, 2019

I'm trying to not be picky here. And please, no offense meant. I'm a bit of a perfectionist.

None taken, and I will get to work so anything else you can think of...

Part of the problem (and again no offense), the two of you have no track record on github - well tya99 has a tiny bit. So I'm finding it very hard to judge this and if I even want it to go ahead - i.e in this organization.

In regard to that he had been maintaining it. I know him IRL and we live together, so I had as much to do with it as he did.

@dngray

dngray commented Mar 18, 2019

Sweet. Good to know you're level headed, and I can talk bluntly :)

Don't worry I won't get my feels in a knot. 😀

@dngray

dngray commented Mar 19, 2019

You have 🔶 we will take 🔷. I have decided that we will clone what articles are relevant from your wiki and rework what needs reworking. Some does not apply, some needs changing, you are 100% right.

@dngray

dngray commented Apr 5, 2019

I just want to say I have not forgotten about this. I have been busy the last couple of weeks but intend to re-write the wiki stuff where necessary to be more contextually appropriate to Thunderbird.

@atomGit

atomGit commented Apr 15, 2019

haven't done a lot of work with TB, but here's what i use

@dngray

dngray commented May 11, 2019

I have taken the advice you suggested in #646 (comment).

The wiki has been ported https://github.com/dngray/ghacks-thunderbird-user.js/wiki and new articles have been written by me where appropriate. Where I could use the old ones (with changes) I did.

@atomGit

atomGit commented May 28, 2019

... I'll re-open so I don;t ...

that's interesting - i do the same thing a lot - ; instead of '

@overdodactyl @earthlng @ema-pe, @claustromaniac ...

if you fellas are interested, i reworked the updater.sh script so it will work with both t-bird and FF - i did this originally to suit my purposes to update the user.js for t-bird on the @dngray repo

someone would need to go through and check it since scripting isn't my area of expertise ... come to think of it, i don;t have an area of expertise

@dngray

dngray commented Aug 21, 2019

At this point I am waiting for Thunderbird 68.0 which should be around the corner.

I do expect to give it a further cleanup and review what exists in source.

I am also waiting for the 68-beta: Knock on Pants release to go final.

@dngray

dngray commented Oct 1, 2019

Just to let those know who are subscribed to this issue. I am still working on this and I plan to incorporate some of the other changes from Torbirdy.js. Further updates will be over at https://github.com/dngray/thunderbird-user.js

@atomGit

atomGit commented Oct 1, 2019

thanks for the update :)

@dngray

dngray commented Oct 27, 2019

Change in plans. This is now unmaintained for these reasons:

  1. Able to use a proper text editor when writing emails which is useful for re-formatting badly formatted incoming email: eg:
    • Replying to Gmail messages where quoted text occurs.
    • Blue 'quoted text' cannot simply be copied to a text editor and then back into Thunderbird
  2. Far less memory resources, which can be used for useful computing such as local VMs.
  3. Easily able to edit headers, e.g. :set edit_headers, useful for replying to email on mailing lists where I do not have References:, In-Reply-To: and MessageID set (this keeps conversation threading). There was an extension but it is now unmaintained and messing with about:config settings is annoying.
  4. Extensible and flexible
  5. I don't use the RSS support, I use newsboat instead. I rarely use Lightning and am going to use Calcurse instead.
  6. Enigmail is going away in Thunderbird 78 so none of those options are going to be relevant. It also seems that the PGP used will not use GnuPG's keyring, therefore requiring import/export between two keyring storage systems.
  7. Text config files can be committed to a dotfiles repository
  8. Multi platform
  9. Can be used remotely over SSH.
  10. Allows for offline storage and synchronization with mbsync in Maildir format. I prefer this to Mbox as I can easily make cold-storage backups with rsync, i.e. rsync -av --delete ~/.local/share/mail {{ backup location }}. I am aware of the experimental Maildir support in Thunderbird; however, the above issues are not solved.

For new users I suggest mutt-wizard.
Videos demonstrating its abilities: 1, 2

Also I am keeping an eye on Aerc and Meli.

@sergeevabc

So we're back to square one… especially Windows users of Thunderbird. Aggrrhh!

@dngray

dngray commented Nov 17, 2019

So we're back to square one… especially Windows users of Thunderbird. Aggrrhh!

I don't have time right now to maintain something I don't use. On Windows I just open a ssh session to my server.

Though if you're interested in maintaining this, (it's not that hard, just a bit time consuming):

What is required is that someone:

  • Checks out 68.0 of the user.js from ghacks and compares with what is implemented in Thunderbird.
    • This can be done by checking to see if the key exists in about:config (ie Edit → Preferences → Advanced → Config Editor).
    • Some of the keys do exist but don't actually do anything, ie the rss.display options so one would need to check the source to see if there's actually any code corresponding to the config option.
  • Checks the source of comm-release and possibly comm-central; if you get any hits for the keys that relate to source, then you know that it does something.
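One way to automate the source check described above, as an added example that is not part of the thread or the project's code: it separates prefs that only have a default declaration (visible in about:config, as the rss.display options are said to be) from prefs that other code mentions. The user.js lines, the two-file source tree and the `example.*` keys are constructed, and `classify_prefs` is a name chosen here; a literal search misses pref names assembled at run time, so "declared-only" means "review by hand".

```python
import re
import tempfile
from pathlib import Path

USER_PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"', re.MULTILINE)

def classify_prefs(user_js_text, source_root, suffixes=(".js", ".jsm", ".cpp", ".h")):
    """Classify each active user_pref() key by how the source tree mentions it:
    absent (no mention), declared-only (only pref("key", ...) defaults), or
    referenced (at least one mention that is not a default declaration)."""
    keys = list(dict.fromkeys(USER_PREF_RE.findall(user_js_text)))
    patterns = {}
    for key in keys:
        quoted = r'["\']' + re.escape(key) + r'["\']'
        # A default declaration is pref("key", ...); user_pref( and getBoolPref( do not match.
        patterns[key] = (re.compile(quoted),
                         re.compile(r'(?<![A-Za-z0-9_])pref\(\s*' + quoted))
    mentions = dict.fromkeys(keys, 0)
    declarations = dict.fromkeys(keys, 0)
    for path in Path(source_root).rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for key, (any_mention, declaration) in patterns.items():
            mentions[key] += len(any_mention.findall(text))
            declarations[key] += len(declaration.findall(text))
    return {key: "absent" if mentions[key] == 0
            else "declared-only" if mentions[key] == declarations[key]
            else "referenced" for key in keys}

def demo():
    """Classify a constructed user.js against a constructed two-file source tree."""
    user_js = ('user_pref("rss.display.prefer_plaintext", true);\n'
               'user_pref("mailnews.display.prefer_plaintext", true);\n'
               '// user_pref("example.commented.out", true);\n'
               'user_pref("example.not.in.tree", false);\n')
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "defaults").mkdir()
        (root / "defaults" / "prefs.js").write_text(
            'pref("rss.display.prefer_plaintext", false);\n'
            'pref("mailnews.display.prefer_plaintext", false);\n')
        (root / "viewer.cpp").write_text(
            'prefs->GetBoolPref("mailnews.display.prefer_plaintext", &plain);\n')
        return classify_prefs(user_js, root)

if __name__ == "__main__":
    print(demo())
```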

@HorlogeSkynet

Hi everyone.

Daniel, I think I may be able to take over this.
Would you mind transferring me the repository's ownership, or should I fork and detach-with-the-help-of-the-GitHub-support it ?

I don't know whether someone has already done it or not, but a quick GitHub search seems to invalidate this possibility.

'waiting for your feedback.
Cheers 👋

@dngray

dngray commented Nov 24, 2019

Daniel, I think I may be able to take over this.
Would you mind transferring me the repository's ownership, or should I fork and detach-with-the-help-of-the-GitHub-support it ?

I can transfer it :-) I have put in the request so you should be able to get it now.

I don't know whether someone has already done it or not, but a quick GitHub search seems to invalidate this possibility.

Nobody has opted to do it. Everybody wants to use it but nobody wants to put in the work, I guess.

@HorlogeSkynet

Thanks Daniel, that has been fast !
You all may find it there now : https://github.com/HorlogeSkynet/thunderbird-user.js.

I've started to work on the v68 (locally), you can expect it to be drafted out within some hours/days.

Bye 👋 🙇

PS : I'm counting on the community to watch out for changes, and the project will stay open for internal (@tya99 and @dngray of course) and external (yours, young reader !) contributions anyway.

PS 2 : [@ghacksuserjs] If they exist, could you update the links to point to the new repository location ?

@dngray

dngray commented Nov 24, 2019

PS 2 : [@ghacksuserjs] If they exist, could you update the links to point to the new repository location ?

I don't think there are any as @Thorin-Oakenpants never decided on making it official. That is why i named it thunderbird-user.js and not ghacks-thunderbird-user.js because it was never part of the official project.
