Comments (11)
services.blocklist.pinning.enabled doesn't fully disable the feature. It still sends out update requests to the following urls (as seen by uMatrix, so last url in the list was requested first) but services.blocklist.pinning.checked remained 0, i.e. it didn't get updated.
https://content-signature.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-20170510.prod.chain
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins
https://firefox.settings.services.mozilla.com/v1/
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins/records?_sort=id
https://firefox.settings.services.mozilla.com/v1/
https://content-signature.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-20170510.prod.chain
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins
https://firefox.settings.services.mozilla.com/v1/
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins/records?_sort=-last_modified
https://firefox.settings.services.mozilla.com/v1/
curiously it sent the requests twice, once with records?_sort=-last_modified and then with records?_sort=id. If we want to disable the pinning list update between releases we need to also clear services.blocklist.pinning.collection
Not unexpected there's no data at the moment and I personally will disable the feature because I can wait the 6 weeks between releases for the updates.
from user.js.
Passive TrackingProtection
Lower priority of HTTP requests for resources on the Tracking Protection list ( RESOLVED FIXED in FF53 )
We could add a new pref here like "privacy.trackingprotection.annotate_channels" or something like that. If it's off, then we won't update the list or annotate the channels and so none of the perf features will do anything.
Part 1: Enable to update TP list if TP is disabled
Part 2: Lower the priority of channel loading tracking resource
// Annotate channels based on the tracking protection list in all modes
pref("privacy.trackingprotection.annotate_channels", false);
Add a passive (detection only) mode for Tracking Protection ( RESOLVED FIXED in FF53 )
// Lower the priority of network loads for resources on the tracking protection list.
// Note that this requires the privacy.trackingprotection.annotate_channels pref to be on in order to have any effect.
pref("privacy.trackingprotection.lower_network_priority", false);
from user.js.
services.blocklist.pinning.*
Create a services client for augmenting the PKP preload list between releases
The services blocklist client provides a mechanism we can use to get public key pin preloads to the browser between releases.
https://bugzilla.mozilla.org/show_bug.cgi?id=1306470#c12 :
It's a little awkward - we're actively reaching into people's profiles and removing a security state the website set for them. So it moves this service from 'Could be used to DOS people by preloading them with invalid pins' to 'Could be used to actively attack them'. So we should be cognizant of that fact and consider how we secure the update mechanism.
pref("services.blocklist.pinning.enabled", true);
pref("services.blocklist.pinning.bucket", "pinning");
pref("services.blocklist.pinning.collection", "pins");
pref("services.blocklist.pinning.checked", 0);
from user.js.
javascript.options.shared_memory
that link mentions 2 new "objects", SharedArrayBuffer + Atomics
from those pages:
The Atomics object provides atomic operations as static methods. They are used with SharedArrayBuffer objects.
APIs accepting SharedArrayBuffer objects:
- WebGLRenderingContext.bufferData()
- WebGLRenderingContext.bufferSubData()
- WebGL2RenderingContext.getBufferSubData()
it seems to be only used by WebGL and we can safely ignore this pref IMO.
from user.js.
- browser.urlbar.decodeURLsOnCopy - 1320061 - this seems interesting. It could be useful in some cases and terribly annoying in others. I'd like to add it in the Personal section
- privacy.userContext.longPressBehavior - also seems nice. There are likely more prefs to come for Containers so we could create a special section or sub-section for those.
This only works when Containers are enabled:
https://hg.mozilla.org/mozilla-central/rev/f248d089469d#l2.72
=> 0 disables long press, 1 when clicked, the menu is shown, 2 the menu is shown after X milliseconds
- privacy.permissionPrompts.showCloseButton - this is probably only for testing purposes and will likely get removed again. IMO we don't need this. I'll add the /* don't need */ for now.
- privacy.trackingprotection.annotate_channels + privacy.trackingprotection.lower_network_priority - seems interesting and we should add them. Since we disable TP we should definitely disable the annotate_channels. The lower_network_priority can either be force-disabled or commented out
- privacy.history.custom - is a fix for the UI and handled by FF internally https://bugzilla.mozilla.org/show_bug.cgi?id=552434 - we should not touch this
- browser.tabs.remote.separateFileUriProcess - we have it as 2660 but I suspect this requires e10s, and FF53 sets it to false while we currently enforce true - we should comment it out
from user.js.
- I moved the following to ignore because the main pref seems to be services.blocklist.pinning.enabled
- pref("services.blocklist.pinning.bucket", "pinning");
- pref("services.blocklist.pinning.collection", "pins");
- svg.disabled - I think we need to comment this out because it breaks youtube player controls.
- browser.storageManager.enabled - from here:
In the last couple of cycles, some strings landed in pref for managing Site Data. To see this section in Preferences (at the bottom of Advanced -> Network), you need to enable (set to “true”) both these keys in about:config
browser.storageManager.enabled
dom.storageManager.enabled
Functionality is still hard to test, since there are no websites using this feature available for testing.
=> add this to 2706
- plugins.navigator.hidden_ctp_plugin - 1294341 - something to do with Click2Play and Flash not being detected
From here:
// This only supports one hidden ctp plugin, edit nsPluginArray.cpp if adding a second
pref("plugins.navigator.hidden_ctp_plugin", "Shockwave Flash");
=> the default empty string seems fine since we strongly recommend not to use Flash. IMO we can ignore this pref. If we care about Flash now, we probably also need to look at plugins.flashBlock.enabled
- devtools.jsonview.enabled - Why do you think we need to deal with this one, Pants? seems good to me and we usually ignore devtools.* prefs anyway.
- privacy.temporary_permission_expire_time_ms - 1206232 - seems fine to me. IMO we can ignore this. Why would we want to change or enforce this? If changing it, what would you want to set it to?
- webextensions.storage.sync.enabled - I don't mind setting this to false. There's also webextensions.storage.sync.serverURL
from user.js.
dom.IntersectionObserver.enabled
https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
https://bugzilla.mozilla.org/show_bug.cgi?id=1243846
We're adding a new API and it will help developers move ad viewability checks from Flash to JavaScript.
We're talking to some ad network partners about obtaining any tests they might have.
https://bugzilla.mozilla.org/show_bug.cgi?id=1321865
Given the history of this new API -- it's been the top cause of crashes in Nightly on three different occasions now
By my count, this is now the 4th time this has landed and been backed out for stability issues
https://wicg.github.io/IntersectionObserver/
A notable non-goal is pixel-accurate information about what was actually displayed
from user.js.
/* 2426: disable Intersection Observer API (FF53+)
* [1] https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
* [2] https://wicg.github.io/IntersectionObserver/
* [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1243846 ***/
user_pref("dom.IntersectionObserver.enabled", false);
or
/* 2426: disable Intersection Observer API (FF53+)
* [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/47#issuecomment-293303172 ***/
user_pref("dom.IntersectionObserver.enabled", false);
Maybe add a note about this allowing for pixel-accurate information about what was actually displayed
and being mostly used by Ad Networks for Ad viewability checks.
But since that's already all quoted in my comment, I think we can just link to my comment and the item is short and sweet. (and we "force" users to visit this gh page ;)
/* 3027: decode URLs on copy from the URL bar (FF53+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320061 ***/
user_pref("browser.urlbar.decodeURLsOnCopy", true);
/* 0403: disable augmenting the PKP preload list between releases (FF53+)
* [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1306470#c12 ***/
// user_pref("services.blocklist.pinning.enabled", false);
=> commented out or active, idc - you decide
/* 0422: disable passive TrackingProtection (FF53+)
* [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/47#issuecomment-285638216 ***/
user_pref("privacy.trackingprotection.annotate_channels", false);
user_pref("privacy.trackingprotection.lower_network_priority", false);
-> maybe add a note that this requires some URL prefs (0410d ??) are left intact ?
from user.js.
changes between FF53 beta9 and FF53.0 stable
not changed anymore in stable:
- pref("devtools.devedition.promo.enabled", true); // prev: false
=> still false in FF53.0 (mozilla-release)
- pref("javascript.options.shared_memory", true); // prev: false
=> still false in FF53.0 (mozilla-release)
- pref("security.tls.version.max", 4); // prev: 3
=> still 3 in FF53.0 (mozilla-release) - (Disable TLS 1.3 for Firefox 53 release)
changed in stable:
- pref("security.pki.certificate_transparency.mode", 0); // prev: 1
=> https://dxr.mozilla.org/mozilla-release/source/netwerk/base/security-prefs.js#91
certificate transparency signature verifications negatively impact TLS handshake performance
from user.js.
A1 - mozilla - kinto? yes
A2 - we are not. How come I know your baby better than you dude? :)
A3 - installdir/browser/blocklist.xml got updated, but idk if the kinto lists are shipped with the setup, maybe in omni.ja, idk
A4 - yes, blocklist (old) + addons + certs + now maybe pinning
A5 - nothing is strictly necessary
from user.js.
The feature of getting pinning updates between FF releases is totally independent of the remaining kinto updates. To kill the whole thing you could just clear the URL pref and all the collection prefs and services.blocklist.update_enabled or set the interval to a gazillion years or something. And then there's also extensions.blocklist.enabled. Currently (and I suspect it will stay that way) the pinning data update list is empty. But it does 10 additional requests every 24 hours (11 if you count the ocsp request), basically for no reason because there's nothing to update. (Quiet fox etc)
6 weeks between releases is really not that long and idk what would warrant an update in between.
They wanted to have a way to update it and kinto makes this very easy but I think it's very possible that this will never be used. Maybe they'll eventually get rid of the hardcoded preload list and use the kinto list instead but they never mentioned anything to that effect in the ticket.
Since we already have the other kinto prefs in the user.js I thought we should also include these new ones.
from user.js.
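A check for the point raised in this thread, that setting services.blocklist.pinning.enabled to false was observed not to stop the update requests unless services.blocklist.pinning.collection is cleared too. This is an added example, not code from the thread or from the ghacks-user.js project; the function names and the sample input are constructed for illustration, and the parser assumes the ghacks comment layout.

```javascript
// Added example, not project code. Assumes the ghacks-style layout: block
// comments open at the start of a line; "// user_pref(...)" means inactive.
const PREF_RE = /^user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
const P = "services.blocklist.pinning.";

// Map of prefs Firefox would actually apply (a later line overrides an earlier one).
function parseUserJs(text) {
  const active = new Map();
  let inBlock = false;
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (inBlock) {
      if (line.includes("*/")) inBlock = false;
      continue;
    }
    if (line.startsWith("/*")) {
      inBlock = !line.includes("*/");
      continue;
    }
    const m = PREF_RE.exec(line); // a "// user_pref" line does not match
    if (!m) continue;
    let value = m[2];
    try { value = JSON.parse(m[2]); } catch (e) { /* keep the raw token */ }
    active.set(m[1], value);
  }
  return active;
}

// Findings follow the thread: enabled=false alone was observed to leave the
// update requests in place, so the collection pref has to be cleared as well.
function auditPinning(text) {
  const prefs = parseUserJs(text);
  if (prefs.get(P + "enabled") !== false) {
    return [P + "enabled is not actively set to false"];
  }
  if (prefs.get(P + "collection") !== "") {
    return [P + "collection is not cleared (thread: requests were still sent)"];
  }
  return [];
}

// Constructed sample: item 0403 with the pref left commented out.
const SAMPLE = [
  "/* 0403: disable augmenting the PKP preload list between releases (FF53+)",
  " * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1306470#c12 ***/",
  '// user_pref("services.blocklist.pinning.enabled", false);',
].join("\n");

console.log(auditPinning(SAMPLE));
```

A commented-out pref counts as unset, so the sample reports that the feature is still on by default.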