changelog: v67-beta #732

Closed
earthlng opened this issue May 28, 2019 · 19 comments

@earthlng
Member

commented May 28, 2019

  • date: 28-May-2019
  • foreword: These are all the changes since the last changelog (v66-beta).
  • spoiler alert: Pants has officially fucking lost it! Thanks /r/firefox, hackernews and wherever else he's reading all those negative comments, hope you're all happy now

FF67 Release notes
FF67 for developers
FF67 compatibility
FF67 security advisories


⭐️ foreword from 👖 ⭐️

the biggest change / surprise in FF67+ is the pref privacy.resistFingerprinting.letterboxing (4504). This affects everyone: including those who disabled RFP (4501) because it is currently independent of RFP (but expected to get tied into it at some stage after testing).

So if you were wondering what the white borders around the web content in your browser window were, this is the pref (4504). If you're serious about anti-fingerprinting, then this fixes a lot of screen/window measurement shortcomings, and we recommend you use it and get used to it. If you're not using RFP, override it.


changelog: [all changes]

  • all user.js updates for Firefox v67 are detailed in the ToDo: diffs FF66-FF67 issue
    • includes links to the commits made for each pref, links to bugzilla tickets, our discussions etc.
  • for all the rest of the fucking shitshow that is the ghacks-user.js v67+, see the full list of pref changes below

all pref changes:

  • new in 67beta but commented out by default:
//user_pref("browser.aboutConfig.showWarning", false);
//user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
//user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
  • changed values:
user_pref("extensions.enabledScopes", 5); // 66beta: 1
  • commented out:
//user_pref("browser.display.use_document_fonts", 0);
//user_pref("browser.download.folderList", 2);
//user_pref("browser.download.forbid_open_with", true);
//user_pref("dom.caches.enabled", false);
//user_pref("dom.push.connection.enabled", false);
//user_pref("dom.push.enabled", false);
//user_pref("dom.push.serverURL", "");
//user_pref("dom.push.userAgentID", "");
//user_pref("dom.webnotifications.enabled", false);
//user_pref("dom.webnotifications.serviceworker.enabled", false);
//user_pref("extensions.update.autoUpdateDefault", false);
//user_pref("gfx.downloadable_fonts.woff2.enabled", false);
//user_pref("intl.locale.requested", "en-US");
//user_pref("layers.acceleration.disabled", true);
//user_pref("mathml.disabled", true);
//user_pref("media.gmp-provider.enabled", false);
//user_pref("network.http.referer.defaultPolicy", 3);
//user_pref("network.http.referer.defaultPolicy.pbmode", 2);
//user_pref("network.http.referer.spoofSource", false);
//user_pref("network.http.referer.trimmingPolicy", 0);
//user_pref("network.http.sendRefererHeader", 2);
//user_pref("network.http.spdy.enabled", false);
//user_pref("network.http.spdy.enabled.deps", false);
//user_pref("network.http.spdy.enabled.http2", false);
//user_pref("network.http.spdy.websockets", false);
//user_pref("security.tls.version.max", 4);
  • removed from the user.js:
user_pref("app.update.service.enabled", false);
user_pref("app.update.silent", false);
user_pref("app.update.staging.enabled", false);
user_pref("browser.cache.disk.capacity", 0);
user_pref("browser.cache.disk.smart_size.enabled", false);
user_pref("browser.cache.disk.smart_size.first_run", false);
user_pref("browser.cache.offline.insecure.enable", false);
//user_pref("browser.safebrowsing.blockedURIs.enabled", false);
//user_pref("browser.safebrowsing.downloads.enabled", false);
//user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
//user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);
//user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
//user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");
//user_pref("browser.safebrowsing.malware.enabled", false);
//user_pref("browser.safebrowsing.phishing.enabled", false);
//user_pref("browser.safebrowsing.provider.google.gethashURL", "");
user_pref("browser.safebrowsing.provider.google.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.provider.google.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.provider.google.reportURL", "");
//user_pref("browser.safebrowsing.provider.google.updateURL", "");
user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
//user_pref("browser.safebrowsing.provider.google4.gethashURL", "");
user_pref("browser.safebrowsing.provider.google4.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", "");
//user_pref("browser.safebrowsing.provider.google4.updateURL", "");
//user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
//user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
//user_pref("browser.sessionhistory.max_total_viewers", 0);
user_pref("browser.urlbar.filter.javascript", true);
user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true);
user_pref("canvas.capturestream.enabled", false);
user_pref("dom.imagecapture.enabled", false);
user_pref("dom.popup_maximum", 3);
user_pref("gfx.offscreencanvas.enabled", false);
user_pref("javascript.options.shared_memory", false);
user_pref("media.gmp.trial-create.enabled", false);
user_pref("media.gmp-gmpopenh264.autoupdate", false);
user_pref("media.gmp-gmpopenh264.enabled", false);
user_pref("media.gmp-manager.updateEnabled", false);
user_pref("media.gmp-manager.url", "data:text/plain,");
user_pref("media.gmp-manager.url.override", "data:text/plain,");
user_pref("media.gmp-widevinecdm.autoupdate", false);
user_pref("network.cookie.leave-secure-alone", true);
//user_pref("network.cookie.same-site.enabled", true);
//user_pref("network.dnsCacheEntries", 400);
//user_pref("network.dnsCacheExpiration", 60);
user_pref("network.proxy.autoconfig_url.include_path", false);
user_pref("pdfjs.enableWebGL", false);
user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);
user_pref("plugin.scan.plid.all", false);
//user_pref("privacy.trackingprotection.annotate_channels", false);
//user_pref("privacy.trackingprotection.enabled", true);
//user_pref("privacy.trackingprotection.lower_network_priority", false);
//user_pref("privacy.trackingprotection.pbmode.enabled", true);
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
user_pref("security.insecure_field_warning.contextual.enabled", true);
user_pref("security.insecure_password.ui.enabled", true);
//user_pref("services.blocklist.addons.collection", "");
//user_pref("services.blocklist.gfx.collection", "");
//user_pref("services.blocklist.onecrl.collection", "");
//user_pref("services.blocklist.plugins.collection", "");
user_pref("signon.autofillForms.http", false);
user_pref("signon.storeWhenAutocompleteOff", true);
//user_pref("urlclassifier.trackingTable", "test-track-simple,base-track-digest256");
user_pref("xpinstall.whitelist.required", true);
  • moved to 4600: RFP ALTERNATIVES:
user_pref("ui.use_standins_for_native_colors", true);
  • moved to 9999: DEPRECATED / REMOVED:
//user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
user_pref("dom.event.highrestimestamp.enabled", true);

Any and all help, suggestions, recommendations, links, tips and tricks, questions, thank you's or what have you are welcome - signup/login and start typing - thanks

@earthlng earthlng added the changelog label May 28, 2019
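
The categories in the changelog above (new but commented out, changed values, commented out, removed) can be derived mechanically from two versions of a user.js. The following is an added example, not part of the original issue and not the tool the maintainers use; `parseUserJs`, `classify` and both sample files are constructed for illustration, reusing pref names from the list above.

```javascript
// Added example. OLD_JS / NEW_JS are constructed samples, not the real v66 / v67 files.
const PREF_RE = /^\s*(\/\/)?\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

function parseUserJs(text) {
  const prefs = new Map(); // name -> { active, value }
  let inBlock = false;     // inside a /* ... */ comment
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (m) {
      const entry = { active: !inBlock && !m[1], value: m[3] };
      const prev = prefs.get(m[2]);
      // An active line beats a commented duplicate; otherwise the last line wins.
      if (entry.active || !prev || !prev.active) prefs.set(m[2], entry);
      if (!inBlock) continue; // values such as "*/*" must not toggle comment state
    }
    if (inBlock) {
      if (line.includes("*/")) inBlock = false;
    } else {
      const open = line.indexOf("/*");
      if (open !== -1 && line.indexOf("*/", open + 2) === -1) inBlock = true;
    }
  }
  return prefs;
}

function classify(oldText, newText) {
  const before = parseUserJs(oldText), after = parseUserJs(newText);
  const out = { addedActive: [], addedInactive: [], changed: [],
                deactivated: [], activated: [], removed: [] };
  for (const [name, n] of after) {
    const o = before.get(name);
    if (!o) out[n.active ? "addedActive" : "addedInactive"].push(name);
    else if (o.active && !n.active) out.deactivated.push(name);
    else if (!o.active && n.active) out.activated.push(name);
    else if (n.active && o.value !== n.value) out.changed.push(`${name}: ${o.value} -> ${n.value}`);
  }
  for (const name of before.keys()) if (!after.has(name)) out.removed.push(name);
  for (const list of Object.values(out)) list.sort();
  return out;
}

const OLD_JS = `
user_pref("extensions.update.autoUpdateDefault", false);
user_pref("extensions.enabledScopes", 1);
user_pref("network.http.spdy.enabled", false);
user_pref("dom.popup_maximum", 3);
   // user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("ui.use_standins_for_native_colors", true);
`;
const NEW_JS = `
   // user_pref("browser.aboutConfig.showWarning", false);
//user_pref("extensions.update.autoUpdateDefault", false);
user_pref("extensions.enabledScopes", 5); // 66beta: 1
//user_pref("network.http.spdy.enabled", false);
/* constructed block comment: everything inside is inactive
user_pref("ui.use_standins_for_native_colors", true);
***/
`;
console.log(classify(OLD_JS, NEW_JS));
```

Prefs reported as `deactivated` or `removed` are the ones to review: a value written to the profile by an earlier user.js stays in effect until it is reset, for example in about:config.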

@Thorin-Oakenpants

Member

commented May 28, 2019

No, I haven't officially lost it. The vast bulk of the changes have no effect. But there were some items flipped etc.. a small part of the equation also was that this is a template, and some of these changes just strike a better balance. The risk factor is also lacking - you're going to get 90% of your "protection" from 50% of the prefs - the others are a law of diminishing returns. Remember, you're free to use overrides.

🔻 Removed Items

  • They were either at default (since at least ESR60), or inactive, or covered by other prefs, or require user interaction. As for the Safe Browsing prefs removed: I refuse to document it any more - you have three clicks in the UI to achieve that. Note that we still have some SB prefs in the user.js.

🔻 made inactive: these are the changes you should look at

  • 0302b extensions auto update - more responsible as an opt-out
  • 0702: HTTP2: it no longer makes sense, read the warning. TB don't disable this now.
  • 1401: document fonts : your font FP is pretty much screwed until RFP deals with it.
  • 1405: WOFF2 fonts: control your third parties with an extension. You have FPI, and you should know how to anonymize yourself (VPN) etc. TB don't disable this.
  • 2508: hardware acceleration : becoming more of a performance. Given that WebGL and timing attacks are well controlled, I do not see enabling HWA as a risk at all. TB don't disable it.
  • 2609: mathml - TB don't disable it, and it just breaks math for those who see it.
  • 2650 + 2654: these are chrome/workflow settings and probably just annoy people. I know E questioned one about 6 months ago.

🔻 made inactive: a fixup

  • 0205: "intl.locale.requested" - this doesn't do anything (tested to death), at least not anymore, except control your interface: it's not a web content thing. This must have happened around FF59

🔻 made inactive: they are not needed

  • web notifications, push, service worker cache: all controlled by the SW pref which hasn't changed
  • media.gmp-provider.enabled is covered by something else
  • a bunch of referer prefs: all at default
  • security.tls.version.max : was at default

That's about it. If you have any specific question about why something was removed or made inactive, ask away.

@Thorin-Oakenpants

Member

commented May 28, 2019

PS: The other 800 changes were removing the deprecated pre current ESR to the sticky, and cleaning up and correcting descriptions, and applying all the [setup and warning tags. It should be a breeze to troubleshoot now - only three or four items left to revisit. That took me mega hours. So I hope you find it a better product and more accessible.

@claustromaniac

Contributor

commented May 29, 2019

> for all the rest of the fucking shitshow that is the ghacks-user.js v67+, see the full list of pref changes below

It seems I'm partly to blame for that. I gotta admit your reaction kinda took me by surprise though. I recall comments of yours where you were clearly against keeping some FYI kind of stuff, and I'm pretty sure you at least once said you considered the number of prefs excessive. Then again, maybe those memories are from before previous cleanups...

@Thorin-Oakenpants

Member

commented May 29, 2019

No one is to blame for anything. No-one, myself included, did anything wrong.

The changes look excessive but they're not. All I've done is remove a lot of dead wood, simplify troubleshooting, make corrections and consistencies, and flip 3 major things (HWA, HTTP2, and some font shit). You're all big girls now, who know how to use overrides.

It's certainly nothing like a fucking shitshow, and no offense, but if anyone was paying attention over the last 6 weeks (i.e they were here), they would have seen the 100+ tiny incremental changes and had input (as some of you did).

Anything changed can be put back. It's a living document. Calm down and chill out and all that 💋

@Aeriem

Contributor

commented May 29, 2019

Just popping in to give my two cents.
I really appreciate the work you put into this spring cleaning.
All that dead wood cluttered the .js and I was actually working on my own to suggest some of the changes you made (like the removal of prefs at default values, or those relating to master switches that were already disabled), but you beat me to it, you're that fast hehe.
This project really improved usability from many perspectives, like troubleshooting, monitoring, research, pref-switching and overrides. The updated descriptions, tags and links as well as the overall user.js refactoring add a super clean and professional feeling to it.
I'm grateful for everything you did to ensure removed prefs indeed became irrelevant, and for constantly listening to user input during the lengthy process that was this spring cleaning.

On a side note, I really hope I'm misinterpreting because I feel like some tension arose on this issue and it saddens me. stalker mode: on The lurker I am follows this repo as closely as I follow some of my favorite TV shows. stalker mode: off
I really hope everything will sort itself out.

I know I'm no expert, but I read every commit and issue, and I really think the level of protection offered by the .js did not weaken at all. Removed prefs were useless and commented out prefs are still listed for anyone to add to their overrides. I made my own research when something felt off, and I always ended up agreeing to the changes.
Lastly, like Pants said, everything's revertible, so in case something's amiss, all of you can still change it. :)
Thanks again for this awesome repo, stay woke.

@Thorin-Oakenpants

Member

commented May 30, 2019

> I really hope I'm misinterpreting because I feel like some tension arose on this issue

No. That's just me being insecure and getting all defensive. I highly value E's input, and would have thought everything I did was backed up by practicality and solid logic.

@Aeriem

Contributor

commented May 31, 2019

Okay then, have a hug.
And if you're not a hug person, have some fluffy cuteness.

@Okamoi

commented Jun 1, 2019

Hi,

Thanks for all the work you've done! I noticed that the pref differential, which I always use first before checking in here, hasn't been updated for Firefox 67. Is it abandoned for good ?

I can see that the issue we're posting in right now uses a pref differential, but I really liked the presentation of Earthlng's repo. If it is to be dropped, would you mind making public the tool used to build the diffs, with maybe a short explanation on how to use it ?

@Thorin-Oakenpants

Member

commented Jun 1, 2019

Earthlng makes them for us to use in the diffs issues. Maybe he forgot to add the last one to his repo. I would go badger, poke, prod, and name him to get his attention. Say you're from the Save the Polar Bear Movement, and when he opens his door, pounce on him.

@Okamoi

commented Jun 2, 2019

I went to my bathroom, turned off the lights and said Earthlng's name twice in front of the mirror. After taking in some water to clean up the blood from the mouthful, I'm ready. Don't blame me as we all die in the most twisted and excruciatingly painful way.

@earthlng !

Would you mind updating your pref differential repo, or maybe sharing the diff-making tool if you can't be bothered with this repo any more ?

@earthlng

Member Author

commented Jun 2, 2019

Hi, my pref differential repo is not abandoned, I just forgot to update it. Must have been the shock of seeing 70 prefs removed from the user.js, I guess ;)

Here you go: https://github.com/earthlng/FFprefs-diffs/blob/master/diffs/6x/diff-v66.0-vs-v67.0.log.js

@Okamoi

commented Jun 2, 2019

No death whatsoever, not even a polar bear ? Neat.

155 diffs ( 94 new, 37 gone, 24 different )

Shit that's a big one. Gonna take a while. I have dreaded memories of 62 --> 63 with its 199 diffs ( 122 new, 56 gone, 21 different ), but gotta do it.

Thanks for the update :)

I ALWAYS end up updating Firefox within 0-10 days from the release, by which point this repo is done with the work. I should somehow find a sweet spot where I can contribute back.

@claustromaniac

Contributor

commented Jun 9, 2019

Would I seem any weirder of a person flerkin if I said that I kinda miss the good ol' days of annoying earthlng (and every other watcher of this repo) with my frequent PRs?

Maybe I should drop my current privileges and start doing that again...

@Thorin-Oakenpants

Member

commented Jun 9, 2019

I know what you get up to

@claustromaniac

Contributor

commented Jun 9, 2019

Damn NSA cats...

@broski93

commented Jun 26, 2019

About the removed safe browsing prefs, I'm not going to complain about them or anything else being removed or changed, but I'd like to know if the same results can be fully achieved in the UI or if I should copy the entries and re-add them on my personal user.js. I don't follow reddit or any other of the mentioned places you guys supposedly had issues with, I don't really know what happened and I don't want to stir up any trouble, but I just don't want anything google related on my browser unless google is what I'm using as a search engine.
Thanks for all your work by the way, I really appreciate it.

@claustromaniac

Contributor

commented Jun 27, 2019

> I'd like to know if the same results can be fully achieved in the UI

Technically, no, because you can't blank out all those URL prefs via GUI (if that's what you're referring to), but those were there only as fallbacks, I guess. In practice, blanking those out is not necessary to disable SB, so they are redundant.

> I don't really know what happened and I don't want to stir up any trouble, but I just don't want anything google related on my browser unless google is what I'm using as a search engine.

Pants simply removed a bunch of redundant (unnecessary) prefs. Nothing else happened. There were other unrelated changes but nothing major Edit: well... I still can't fully get over HTTP/2, so I guess that one was pretty major.

I hope that helps.

@broski93

commented Jun 27, 2019

> URL prefs

I don't care much about those if they're just fallbacks, I just wanted to be sure the GUI settings were effectively and completely disabling the "feature" on their own. Thanks.

> other unrelated changes

That's never been an issue for me, especially if they are single entries about different things, I always compare and edit my user.js according to new releases, changes, things I find out to be breaking stuff and so on.

@Thorin-Oakenpants

Member

commented Jun 27, 2019

items I removed in 67-beta are our scratchpad, or of course you can just grab an older version and get what you want. The URL prefs are a defense-in-depth and not really needed. The three checkboxes in the UI are sufficient (under about:preferences#privacy > Security) .. but there is also the real-time binary check pref still in the user.js (0403)

PS: the reason I removed it was twofold threefold: 1 there's a UI with three checkboxes, we don't need to document it. 2 the prefs were inactive. 3. I do not want to feed the trolls/idiots who can do nothing but scream spyware at people and only see the world in black and white

However, I may put them back in (the 3 SB prefs): I need to talk to @earthlng privately

Truck on :)
