ghacks user.js monster diff #208

Open
pyllyukko opened this Issue Feb 20, 2017 · 32 comments

pyllyukko commented Feb 20, 2017

Based on @Roman-Nopantski's diff: https://gist.github.com/pyllyukko/f5184fbb51b5e340f5637adee582c4d9

STARTUP

  • 0101: disable "slow startup" options
    • WONTFIX: Doesn't seem that relevant
  • 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
    • Commented out in the ghacks version
    • Some aspects considered in #218

GEOLOCATION

  • 0201: disable location-aware browsing
    • Should be covered by geo.enabled
    • Also Mozilla bugs 689252 & 692927 say that geo.wifi.* settings are not used anymore.
  • 0202: disable GeoIP-based search results
  • 0203: disable using OS locale, force APP locale
  • 0204: set APP locale
  • 0206: disable geographically specific results/search engines eg: "browser.search.*.US"
  • 0207: set language to match
  • 0208: enforce US English locale regardless of the system locale

QUIET FOX [PART 1]

  • 0301: disable browser auto update
    • WONTFIX: Updates are good for you :)
  • 0305: disable add-ons auto update
    • WONTFIX: Updates are good for you :)
  • 0307: disable auto updating of personas (themes)
  • 0309: disable sending Flash crash reports
  • 0310: disable sending the URL of the website where a plugin crashed
    • Need more info on dom.ipc.plugins.reportCrashURL
  • 0320: disable extension discovery (featured extensions)
    • WONTFIX
  • 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
    • WONTFIX: Telemetry is already disabled
  • 0331: remove url of server telemetry pings are sent to
    • WONTFIX: Telemetry is already disabled
  • 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
  • 0333a: disable health report
  • 0333b: disable about:healthreport page (which connects to Mozilla for locale/css+js+json)
    • WONTFIX
  • 0335: remove a telemetry clientID
    • WONTFIX: Telemetry is already disabled
  • 0336: disable "Heartbeat" (Mozilla user rating telemetry)
  • 0340: disable experiments
  • 0341: disable Mozilla permission to silently opt you into tests
  • 0350: disable crash reports
  • 0351: disable sending of crash reports (FF44+)
  • 0360: disable new tab tile ads & preload & marketing junk
    • WONTFIX: Tiles are already disabled
  • 0373: pocket
    • Handled by "master switches" browser.pocket.enabled & extensions.pocket.enabled
    • #143
  • 0374: disable "social" integration
  • 0375: disable "Reader View"
    • No reason to disable AFAIK
  • 0376: disable FlyWeb, a set of APIs for advertising and discovering local-area web servers
  • 0380: disable sync

QUIET FOX [PART 2]

  • 0401: .....sanitize blocklist url
  • 0402: disable/enable various Kinto blocklist updates (FF50+)
  • 0410: disable safe browsing
    • Safe browsing stays enabled
    • fd6cf46
  • 0410a: disable "Block dangerous and deceptive content" This setting is under Options>Security
  • 0410b: disable "Block dangerous downloads" This setting is under Options>Security
  • 0410c: disable Google safebrowsing downloads, updates
    • WONTFIX: Safe browsing stays enabled
  • 0410d: disable mozilla safebrowsing downloads, updates
    • WONTFIX: Safe browsing stays enabled
  • 0410e: disable binaries NOT in local lists being checked by Google (real-time checking)
    • WONTFIX: browser.safebrowsing.downloads.remote.enabled is already disabled
  • 0410f: disable reporting URLs
  • 0410g: show=true or hide=false the 'ignore this warning' on Safe Browsing warnings which
    • Commented out in the ghacks version
  • 0421: enable more Tracking Protection choices under Options>Privacy>Use Tracking Protection
  • 0430: disable SSL Error Reporting - PRIVACY
  • 0440: disable Mozilla's blocklist for known Flash tracking/fingerprinting (48+)
    • WONTFIX

BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]

  • 0603a: disable more Necko/Captive Portal
  • 0607: stop links launching Windows Store on Windows 8/8.1/10
  • 0608: disable predictor / prefetching (FF48+)
    • WONTFIX: Should be handled by the network.predictor.enabled master switch

LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc

PASSWORDS

  • 0904: how often in minutes Mozilla should ask for the master password (see pref above)
  • 0906: ignore websites' autocomplete="off" (FF30+)
  • 0907: force warnings for logins on non-secure (non HTTPS) pages
  • 0908: When attempting to fix an entered URL, do not fix an entered password along with it
  • 0909: disabling for now (FF51+)

CACHE

  • 1001: disable disk cache
  • 1006: disable pages being stored in memory. This is not the same as memory cache.
  • 1007: disable the Session Restore service completely
  • 1008: IF you use session restore (see 1007 above), increasing the minimal interval between
  • 1009: DNS cache and expiration time (default 400 and 60 - same as TBB)
  • 1010: disable randomized FF HTTP cache decay experiments
  • 1011: disable permissions manager from writing to disk (requires restart)
  • 1012: disable resuming session from crash

SSL / OCSP / CERTS / ENCRYPTION / HSTS/HPKP/HTTPS

  • 1215: disable Microsoft Family Safety cert (Windows 8.1)
  • 1218: disable HSTS Priming (FF51+)
  • 1220: disable intermediate certificate caching (fingerprinting attack vector)
    • Commented out in the ghacks version
    • WONTFIX: This is the single most important feature to keep the internets working, because people don't know how to configure their servers with proper certificate chains :(
    • #219

FONTS

  • 1402: allow icon fonts (glyphs) (FF41+)
  • 1404: use more legible default fonts
  • 1405: disable woff2
  • 1406: disable CSS Font Loading API
  • 1407: remove special underline handling for a few fonts which you will probably never use.
  • 1408: disable graphite which FF49 turned back on by default

HEADERS / REFERERS

  • 1601: disable referer from an SSL Website
  • 1602: DNT HTTP header - essentially USELESS - default is off. I recommend off.
    • Commented out in the ghacks version
  • 1605: referer, HOW to handle cross origins
    • Commented out in the ghacks version
  • 1606: referer, WHAT to send (limit the information)
    • Commented out in the ghacks version

PLUGINS

  • 1801: set default plugin state (i.e. new plugins on discovery) to never activate
  • 1802: enable click to play and set to 0 minutes
    • WONTFIX: We'll stick with the default of 60m
  • 1805: disable scanning for plugins
  • 1806: Acrobat, Quicktime, WMP are handled separately from 1805 above.
  • 1807: disable auto-play of HTML5 media
  • 1808: disable audio auto-play in non-active tabs (FF51+)
  • 1820: disable all GMP (Gecko Media Plugins)
  • 1825: disable widevine CDM
  • 1830: disable all DRM content (EME: Encryption Media Extension)
  • 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
  • 1850: disable the Adobe EME "Primetime CDM" (Content Decryption Module)

MEDIA / CAMERA / MIKE

  • 2001: disable WebRTC
    • WONTFIX: Disabled via media.peerconnection.enabled master switch
  • 2010: disable WebGL, force bare minimum feature set if used & disable WebGL extensions
  • 2012: two more webgl preferences (FF51+)
  • 2021: disable speech recognition
  • 2022: disable screensharing
    • Screensharing disabled via media.getusermedia.screensharing.enabled master switch
    • bdd9b15
  • 2024: enable/disable MSE (Media Source Extensions)
  • 2025: enable/disable various media types - end user personal choice
  • 2026: disable canvas capture stream
  • 2027: disable camera image capture
  • 2028: disable offscreen canvas

UI MEDDLING

  • 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows
  • 2203: POPUP windows - prevent or allow javascript UI meddling
  • 2204: disable links opening in a new window

SERVICE WORKERS

  • 2301: disable workers API and service workers API
  • 2302: disable service workers cache and cache storage
  • 2303: disable push notifications (FF44+) [requires serviceWorkers to be enabled]
  • 2304: disable web/push notifications

DOM & JAVASCRIPT

  • 2403: disable clipboard commands (cut/copy) from "non-privileged" content
  • 2410: disable User Timing API
  • 2411: disable resource/navigation timing
  • 2414: disable shaking the screen
  • 2415: max popups from a single non-click event - default is 20!
  • 2415b: limit events that can cause a popup
  • 2416: disable idle observation
  • 2418: disable full-screen API
    • WONTFIX
  • 2421: in addition to 2420, these settings will help harden JS against exploits such as CVE-2015-0817
  • 2425: disable ArchiveAPI i.e. reading content of archives, such as zip files, directly
  • 2450: force FF to tell you if a website asks to store data for offline use

HARDWARE FINGERPRINTING

  • 2504: disable virtual reality devices
    • WONTFIX: Should be handled by the dom.vr.enabled master switch
  • 2507: disable keyboard fingerprinting (FF38+) (physical keyboards)
  • 2509: disable touch events
  • 2511: disable MediaDevices change detection (FF51+) (enabled by default starting FF52+)

MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY

  • 2605: don't integrate activity into windows recent documents
  • 2606: disable hiding mime types (Options>Applications) not associated with a plugin
  • 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
  • 2614: disable SPDY as it can contain identifiers
  • 2615: disable http2 for now as well
  • 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
    • WONTFIX: Don't think we need to change this
  • 2620: disable middle mouse click opening links from clipboard
  • 2621: disable IPv6 (included for knowledge ONLY - not recommended)
  • 2622: ensure you have a security delay when installing add-ons (milliseconds)
  • 2626: strip optional user agent token, default is false, included for completeness
    • Doesn't seem to do anything
  • 2627: Spoof default UA & relevant (navigator) parts (also see 0204 for UA language)
  • 2628: disable UITour backend so there is no chance that a remote page can use it
  • 2629: disable remote JAR files being opened, regardless of content type
  • 2650: start the browser in e10s mode (48+)
    • Commented out in the ghacks version
    • #172
  • 2651: control e10s number of container processes
    • Commented out in the ghacks version
    • #172
  • 2652: enable console shim warnings for extensions that don't have the flag
  • 2660: enforce separate content process for file://URLs (FF53+?)
  • 2662: disable "open with" in download dialog (FF50+)
  • 2663: disable MathML (FF51+)
  • 2664: disable DeviceStorage API
  • 2665: sanitize webchannel whitelist
  • 2666: disable HTTP Alternative Services
  • 2668: lock down allowed extension directories
  • 2669: strip paths when sending URLs to PAC scripts (FF51+)
  • 2670: close bypassing of CSP via image mime types (FF51+)
  • 2671: disable SVG (FF53+)
    • WONTFIX

FIRST PARTY ISOLATION (FPI)

These are commented out in the ghacks version

  • 2698a: enable first party isolation pref and OriginAttribute (FF51+)
  • 2698b: this also isolates OCSP requests by first party domain

COOKIES & DOM STORAGE

  • 2704: set cookie lifetime in days (see above pref) - default is 90 days
  • 2706: disable Storage API (FF51+) which gives sites' code the ability to find out how much space
  • 2707: clear localStorage and UUID when a WebExtension is uninstalled

SHUTDOWN

  • 2803a: include all open windows/tabs when you shutdown
  • 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del
  • 2804a: include all open windows/tabs when you run clear recent history
  • 2805: reset default 'Time range to clear' for 'clear recent history' (see 2804 above)

PERSONAL SETTINGS

26.2.2017: Disabled the rest of these as these are just personal preferences and have no security/privacy impact

  • 3001: disable annoying warnings
  • 3001a: disable warning when a domain requests full screen
  • 3002: disable closing browser with last tab
  • 3004: disable backspace (0 = previous page, 1 = scroll up, 2 = do nothing)
    • WONTFIX
  • 3007: open new windows in a new tab instead
  • 3008: disable "Do you really want to leave this site?" popups
  • 3009: turn on APZ (Async Pan/Zoom) - requires e10s
  • 3010: enable ctrl-tab previews
  • 3011: don't open "page/selection source" in a tab. The window used instead is cleaner
  • 3012: spellchecking: 0=none, 1-multi-line controls, 2=multi-line & single-line controls
    • WONTFIX: User can enable/disable this from preferences if needed.
  • 3015: disable tab animation, speed things up a little
    • WONTFIX as cosmetic effect only
  • 3016: disable fullscreen animation. Test using F11.
    • WONTFIX as cosmetic effect only
  • 3017: submenu in milliseconds. 0=instant while a small number allows
  • 3018: maximum number of daily bookmark backups to keep (default is 15)
  • 3020: FYI: urlbar click behaviour (with defaults)
  • 3021: FYI: tab behaviours (with defaults)
  • 3022: hide recently bookmarked items (you still have the original bookmarks) (FF49+)
  • 3023: disable automigrate, current default is false but may change (FF49+)

Deprecated

Not checking...

  • 2607: (23+) disable page thumbnails, it was around v23, not 100% sure when
  • 2408: (31+) disable network API - fingerprinting vector
  • 2620: (35+) disable WebSockets
  • 2023: (37+) disable camera autofocus callback (was in 36, not in 37)
  • 1804: (41+) disable plugin enumeration
  • 0420: (42+) disable tracking protection
  • 2803: (42+) what to clear on shutdown
  • 0411: (43+) disable safebrowsing urls & download
  • 0420: (43+) disable tracking protection. FF43+ URLs are now part of safebrowsing
  • 1803: (43+) remove plugin finder service
  • 2403: (43+) disable scripts changing images - test link below
  • 2615: (43+) disable http2 for now as well
  • 3001a: (43+) disable warning when a domain requests full screen
  • 3003: (43+) disable new search panel UI [Classic Theme Restorer can restore the old search]
  • 1201: (44+) block rc4 whitelist
  • 2417: (44+) disable SharedWorkers, which allow the exchange of data between iFrames that
  • 1005: (45+) disable deferred level of storing extra session data 0=all 1=http-only 2=none
  • 0334b: (46+) disable FHR (Firefox Health Report) v2 data being sent to Mozilla servers
  • 0410e: (46+) safebrowsing
  • 0333b: (47+) disable about:healthreport page UNIFIED
  • 0807: (47+) disable history manipulation
  • 0806: (48+) disable 'unified complete': 'Search with [default search engine]'
  • 2202: (49+) ONE of the new window UI prefs
  • 2431: (49+) disable ONE of the push notification prefs
  • 1809: (50+) remove Mozilla's plugin update URL
  • 1851: (51+) delay play of videos until they're visible
  • 2504: (51+) disable virtual reality devices
  • 2614: (51+) disable SPDY

Thorin-Oakenpants commented Feb 20, 2017

I know it's a list of each numbered item, but quite a few are inactive for a reason (I hope people don't get the impression these are all on!). You could probably tick or look at those off straight away (I only have them in mine for completeness and to deter people turning them on from bad advice, or they don't fit our purpose yet). Then again .. it's like a Lolly Scramble, isn't it (the link: I mean the NZ/Aussie game, not that slang definition which sounds painful)

here's two I quickly spotted

  • 1006: no need to disable rendered pages in memory (achieves nothing AFAIK)
  • 2621: disable IPv6 (which is a bad idea)

Here's mine: ghacksuserjs/ghacks-user.js#10 (comment) :) I'm 8 done out of 18. How are you doing :) have fun

pyllyukko referenced this issue Feb 20, 2017

dom.enable_user_timing -> false
Hopefully this would also mitigate against ASLR^Cache (AnC)

See: http://www.cs.vu.nl//~herbertb/download/papers/anc_ndss17.pdf
Owner

pyllyukko commented Feb 20, 2017

Just indent with two more spaces below, e.g.:

* [x] Issue
  * Note

pyllyukko referenced this issue Feb 20, 2017

security.dialog_enable_delay -> 1000
This is the default value
Contributor

publicarray commented Feb 20, 2017

@pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.

Owner

pyllyukko commented Feb 21, 2017

@pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.

I know :/ It's because I created a new subkey with ED25519 curves, and it's only supported by the very latest versions of GnuPG. Last time I tried, GitHub refused to update the key with that particular subkey. Need to try it again.

Owner

pyllyukko commented Feb 21, 2017

Small update on the PGP issue. So in here it even states "EdDSA, except Ed25519". I queried GitHub on the issue and they said: "Ed25519 keys are likely to be supported in the future, but we don't have a timeline of when that may be."

In the meanwhile, you can check my signatures from the command line with recent enough GnuPG:

$ git log --show-signature
commit e6592f9b8c304eead1595b978f7663fcfa373532 (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Tue 21 Feb 2017 12:17:27 AM EET
gpg:                using EDDSA key 6760F995F5DD2C1A5805744C8043380FC109A370
gpg: Good signature from "pyllyukko <pyllyukko@maimed.org>" [ultimate]
Primary key fingerprint: B284 21D6 03DE 0A1D 17AE  4415 78C2 DF2D 1A17 0CC6
     Subkey fingerprint: 6760 F995 F5DD 2C1A 5805  744C 8043 380F C109 A370
Author: pyllyukko <pyllyukko@maimed.org>
Date:   Tue Feb 21 00:17:11 2017 +0200

    security.dialog_enable_delay -> 1000
    
    This is the default value

pyllyukko referenced this issue Feb 21, 2017

pyllyukko referenced this issue Feb 22, 2017

pyllyukko referenced this issue Feb 22, 2017

pyllyukko referenced this issue Feb 23, 2017

pyllyukko referenced this issue Feb 23, 2017

nodiscc added a commit to nodiscc/user.js that referenced this issue Feb 25, 2017

Disable speech synthesis
Add additional documentation links
Fixes item 2021 of pyllyukko#208

pyllyukko added a commit that referenced this issue Feb 25, 2017

Disable speech synthesis
Add additional documentation links
Fixes item 2021 of #208

pyllyukko referenced this issue Feb 26, 2017

pyllyukko referenced this issue Feb 26, 2017

Thorin-Oakenpants commented Feb 27, 2017

nvm, no one listens to me anyway

Owner

pyllyukko commented Feb 27, 2017

I see you're dragging the chain on the monster diff :)

Where's the rush?

pref("browser.aboutHomeSnippets.updateUrl", ""); // ghacks: "https://127.0.0.1"
    pyllyukko should match .. use HTTPS re MiTM re as per TBB and discussions there over this in tor tickets

? I don't get it.

And you are inconsistent with data plain text thingie - see comment ghacksuserjs/ghacks-user.js#18 (comment) - I just matched TBB. I don't think it's all that important

True.

but I think they were used as a null/zero-length string causes issues in linux? IDK

Not that I know of.

nodiscc referenced this issue Feb 28, 2017: Move the wiki to user.js comments or README #220 (Closed, 17 of 17 tasks complete)

nodiscc added a commit to nodiscc/user.js that referenced this issue Mar 9, 2017

issue 208 item 401 (extensions.blocklist), improve OCSP docn enable O…
…CSP must-staple

 * Add extensions.blocklist.url pref, Fixes item 0401 Sanitize blocklist url of pyllyukko#208
 * improve documentation on extensions.blocklist.enabled
 * add services.blocklist.update_enabled = true
 * improve documentation on OCSP
 * enable OCSP must-staple extension

Contributor

nodiscc commented Apr 4, 2017

browser.urlbar.suggest.openpage = true

  • I'd rather set it to false as per policy to enforce the most hardened settings (in this case against shoulder surfing), but with a NOTICE: breaks tab switching from the URL bar. Then it will be easier to spot/change when wanting to tweak things for convenience. (#231)

Thorin-Oakenpants commented Apr 4, 2017

Are there? Which ones?

Deprecated : browser.crashReports.unsubmittedCheck.enabled
Deprecated : privacy.clearOnShutdown.cache
Deprecated : privacy.clearOnShutdown.cookies
Deprecated : privacy.clearOnShutdown.downloads
Deprecated : privacy.clearOnShutdown.formdata
Deprecated : privacy.clearOnShutdown.history
Deprecated : privacy.clearOnShutdown.offlineApps
Deprecated : privacy.clearOnShutdown.passwords
Deprecated : privacy.clearOnShutdown.sessions
Deprecated : privacy.cpd.cache
Deprecated : privacy.cpd.cookies
Deprecated : privacy.cpd.downloads
Deprecated : privacy.cpd.formdata
Deprecated : privacy.cpd.history
Deprecated : privacy.cpd.offlineApps
Deprecated : privacy.cpd.sessions
Deprecated : privacy.resistFingerprinting
Deprecated : privacy.sanitize.sanitizeOnShutdown
Deprecated : privacy.sanitize.timeSpan

Do I need to list more? Something is clearly wrong if these are marked as actually deprecated by your script

ALSO: you are not taking into account hidden prefs which are not listed in these js files

Contributor

nodiscc commented Apr 4, 2017

Something is clearly wrong if these are marked as actually deprecated by your script

Thanks, it appears we are missing https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/firefox.js where these prefs are located.

  • add https://hg.mozilla.org/mozilla-central/raw-file/$$SOURCEVERSION/browser/app/profile/firefox.js to list of source files.

you are not taking into account hidden prefs which are not listed in these js files

Yes, some prefs are created at runtime by Firefox itself. Fortunately most of these are covered in Mozilla unit tests prefs files, which the script also considers; but it's possible we are still missing some of them. Do you have an example of a missing preference?

Thorin-Oakenpants commented Apr 4, 2017

I don't know of any hidden prefs that aren't in tests - all the hidden ones we're using are marked as "(hidden pref)" in the ghacks js, so you could scrape that

EDIT: 29 of them (1 in the deprecated section)

PS: this also doesn't account for legacy code: eg, yup, I'll say it again :) .. browser.urlbar.maxRichResults because it's still in the js :) .. seriously, test it (FF52+, not sure about earlier). It has no effect on the dropdown whatsoever.

Contributor

nodiscc commented Apr 4, 2017
Indeed, preferences that are marked (hidden pref) in ghacks user.js cannot be found in our copies of Firefox source files:

$ make downloadffprefs 
2017-04-04 21:54:28 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/toolkit/components/telemetry/datareporting-prefs.js [717/717] -> "-" [1]
2017-04-04 21:54:30 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/toolkit/components/telemetry/healthreport-prefs.js [547/547] -> "-" [1]
2017-04-04 21:54:32 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/security-prefs.js [5802/5802] -> "-" [1]
2017-04-04 21:54:38 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/modules/libpref/init/all.js [245079/245079] -> "-" [1]
2017-04-04 21:54:42 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/testing/profiles/prefs_general.js [19377/19377] -> "-" [1]
2017-04-04 21:54:46 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-preferences.js [6579/6579] -> "-" [1]
2017-04-04 21:54:48 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/js/src/tests/user.js [1912/1912] -> "-" [1]
2017-04-04 21:54:53 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/firefox.js [77214/77214] -> "-" [1]


$ curl --silent 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js' | grep 'hidden pref' | awk -F'"' '{print $2}' > ghacks-hidden.js

$ for line in $(cat ghacks-hidden.js); do grep "$line" sourceprefs.js >/dev/null || echo "hidden pref $line not found in Firefox source"; done

hidden pref browser.search.region not found in Firefox source
hidden pref javascript.use_us_english_locale not found in Firefox source
hidden pref toolkit.telemetry.unifiedIsOptIn not found in Firefox source
hidden pref datareporting.healthreport.service.enabled not found in Firefox source
hidden pref browser.selfsupport.enabled not found in Firefox source
hidden pref social.enabled not found in Firefox source
hidden pref services.sync.enabled not found in Firefox source
hidden pref network.dns.disablePrefetchFromHTTPS not found in Firefox source
hidden pref permissions.memory_only not found in Firefox source
hidden pref security.ssl.disable_session_identifiers not found in Firefox source
hidden pref security.nocertdb not found in Firefox source
hidden pref font.system.whitelist not found in Firefox source
hidden pref media.gmp-gmpopenh264.enabled not found in Firefox source
hidden pref dom.allow_cut_copy not found in Firefox source
hidden pref browser.tabs.remote.force-enable not found in Firefox source
hidden pref general.useragent.override not found in Firefox source
hidden pref general.buildID.override not found in Firefox source
hidden pref general.appname.override not found in Firefox source
hidden pref general.appversion.override not found in Firefox source
hidden pref general.platform.override not found in Firefox source
hidden pref general.oscpu.override not found in Firefox source
hidden pref ui.submenuDelay not found in Firefox source
hidden pref privacy.donottrackheader.value not found in Firefox source
  • identify where in Firefox source these preferences are created, whether they are still in use, and adapt the Makefile to detect them
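A more careful version of the check above, added here as an example and not part of the project's Makefile or the comment's one-liner: it matches each pref name as a quoted fixed string, so the dots are not regex wildcards and a short name is not counted as "found" inside a longer one, and it checks every pref the user.js sets rather than only the "(hidden pref)" ones. Both input files are constructed stand-ins.

```shell
#!/bin/sh
# Added example, not the project's Makefile or the one-liner from the comment:
# report which preferences a user.js sets that are never mentioned in a
# Firefox default-prefs file. Unlike grep "$line", the name is matched as a
# quoted fixed string, so the dots in it are not regex wildcards and a shorter
# name such as social.enabled is not "found" inside browser.social.enabled.
# The two input files below are constructed stand-ins for the real ones.

WORK="${TMPDIR:-/tmp}/prefcheck.$$"
mkdir -p "$WORK"

# Constructed stand-in for the concatenated Firefox source prefs (sourceprefs.js).
cat > "$WORK/sourceprefs.js" <<'EOF'
pref("geo.enabled", true);
pref("browser.social.enabled", true);
pref("privacy.donottrackheader.enabled", false);
// "network.dns.disablePrefetch" is also referenced from a comment here
pref("network.dns.disablePrefetch", false);
EOF

# Constructed stand-in for a user.js carrying a few "(hidden pref)" entries.
cat > "$WORK/user.js" <<'EOF'
user_pref("geo.enabled", false);
user_pref("social.enabled", false); // (hidden pref)
user_pref("privacy.donottrackheader.value", 1); // (hidden pref)
user_pref("network.dns.disablePrefetch", true);
EOF

# Print every pref name set in a user.js, one per line.
list_user_prefs() {
  sed -n 's/^[[:space:]]*user_pref("\([^"]*\)".*/\1/p' "$1"
}

# Print the names from user.js $1 that do not occur, as a quoted string,
# anywhere in source file $2. -F: literal match; the surrounding quotes make
# it a whole-name match rather than a substring match.
missing_prefs() {
  list_user_prefs "$1" | while IFS= read -r name; do
    grep -Fq -- "\"$name\"" "$2" || printf '%s\n' "$name"
  done
}

missing_prefs "$WORK/user.js" "$WORK/sourceprefs.js"
```

Running it prints social.enabled and privacy.donottrackheader.value; the constructed files are left under $WORK for inspection.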
Thorin-Oakenpants Apr 4, 2017

So I guess I'm not useless after all :) You owe me a 🍺

That last one hidden pref privacy.donottrackheader.value not found in Firefox source is legacy. Francois told me.

nodiscc Apr 4, 2017

Contributor

Regarding privacy.donottrackheader.value: Searching for this string on DXR reveals that:

// Deprecated Do Not Track setting, Firefox <36, https://hg.mozilla.org/mozilla-central/rev/9a16137bc7b4
"privacy.donottrackheader.value"

So I guess I'm not useless after all :) You owe me a 🍺

Never said you were (I think? Sorry if I sounded rude in any way, English is not my native language). Have some. 🍺🍺🍺☕️🍺🍺🍺☕️🍺🍺🍺☕️🍺🍺


Same investigation method can be applied to other prefs if needed. Eg. https://dxr.mozilla.org/mozilla-central/search?q=browser.search.region&redirect=false... There are definitely some prefs that are created/checked randomly through the code (eg https://dxr.mozilla.org/mozilla-central/source/dom/base/Navigator.cpp?q=general.oscpu.override&redirect_type=single#479). We can move this to a new issue. -> Moved #261

Edit: (Note that you can run make checknotcovered to see all detected Firefox prefs that are not covered by user.js. Outdated log for reference)

nodiscc Apr 4, 2017

Contributor

Re: browser.urlbar.maxRichResults, it seems we are also missing many prefs files in https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/ and https://dxr.mozilla.org/mozilla-central/source/browser/app/profile. Thanks!

add https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/debugger.js https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/devtools.js https://dxr.mozilla.org/mozilla-central/source/browser/branding/unofficial/pref/firefox-branding.js https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/firefox-l10n.js https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/firefox.js https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/webide-prefs.js https://dxr.mozilla.org/mozilla-central/source/browser/app/profile/channel-prefs.js those files are generated from:

nodiscc Apr 5, 2017

Contributor
  • More possibly "hidden" prefs sources to consider (requires some more research, move to other issue) -> Moved to #261
pyllyukko added a commit that referenced this issue Apr 9, 2017

Merge pull request #257 from nodiscc/more-sourceprefs
Makefile: downloadffprefs: add Firefox source reference files from #208

nodiscc added a commit to nodiscc/user.js that referenced this issue Apr 24, 2017

add WONTFIX items from pyllyukko#208 to ignore.list, up to HARDWARE FINGERPRINTING section;

move extra VR API preferences to ignore.list since VR is globally disabled
move New Tab Page/Tiles prefs next to each other

nodiscc added a commit to nodiscc/user.js that referenced this issue Apr 24, 2017

ignore network.http.redirection-limit, disable in-content SVG rendering
item 2671 of pyllyukko#208 states this pref should not be altered for convenience purposes:
disable SVG support anyway and add a clear notice about breaking functionality
this setting should be removed in "relaxed" variants; ref pyllyukko#231

nodiscc added a commit to nodiscc/user.js that referenced this issue Apr 24, 2017

pyllyukko added a commit that referenced this issue May 21, 2017

Removed browser.urlbar.maxRichResults
As discussed in #208

The URL suggestion is controlled by browser.urlbar.autocomplete.enabled

pyllyukko added a commit that referenced this issue May 21, 2017

Disable Archive API
This is already disabled by default

Relates to #208

pyllyukko added a commit that referenced this issue May 26, 2017

browser.offline-apps.notify -> true
TODO: offline-apps.allow_by_default

Relates to #208

pyllyukko referenced this issue Jun 27, 2017

pyllyukko Oct 8, 2017

Owner

@pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.

FYI: It's working again.

@nodiscc nodiscc referenced this issue Dec 18, 2017

Improve the makefile #256 (Open, 2 of 7 tasks complete)
claustromaniac Jun 30, 2018

I don't mean to go off-topic, but I want to share with the folks here this tool I made for comparing user.js files, before [insert random asshole's name here] plagiarises it.

That's all. Keep up the good fight 👍

pyllyukko Jun 30, 2018

Owner

I don't mean to go off-topic, but I want to share with the folks here this tool I made for comparing user.js files

Thanks!

ranisalt added a commit to ranisalt/user.js that referenced this issue Jul 18, 2018

Removed browser.urlbar.maxRichResults
As discussed in pyllyukko#208

The URL suggestion is controlled by browser.urlbar.autocomplete.enabled
