
ToDo: diffs FF52-FF53 (user.js issue, CLOSED, 11 comments)

earthlng commented on July 16, 2024
ToDo: diffs FF52-FF53

from user.js.

Comments (11)

earthlng commented on July 16, 2024

services.blocklist.pinning.enabled doesn't fully disable the feature. It still sends out update requests to the following URLs (as seen by uMatrix, so the last URL in the list was requested first), but services.blocklist.pinning.checked remained 0, i.e. it didn't get updated.

https://content-signature.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-20170510.prod.chain
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins
https://firefox.settings.services.mozilla.com/v1/
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins/records?_sort=id
https://firefox.settings.services.mozilla.com/v1/
https://content-signature.cdn.mozilla.net/chains/pinning-preload.content-signature.mozilla.org-20170510.prod.chain
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins
https://firefox.settings.services.mozilla.com/v1/
https://firefox.settings.services.mozilla.com/v1/buckets/pinning/collections/pins/records?_sort=-last_modified
https://firefox.settings.services.mozilla.com/v1/

Curiously, it sent the requests twice, once with records?_sort=-last_modified and then with records?_sort=id. If we want to disable the pinning list update between releases we need to also clear services.blocklist.pinning.collection.
Not unexpectedly, there's no data at the moment, and I personally will disable the feature because I can wait the 6 weeks between releases for the updates.


earthlng commented on July 16, 2024

Passive TrackingProtection

Lower priority of HTTP requests for resources on the Tracking Protection list ( RESOLVED FIXED in FF53 )

We could add a new pref here like "privacy.trackingprotection.annotate_channels" or something like that. If it's off, then we won't update the list or annotate the channels and so none of the perf features will do anything.

Part 1: Enable to update TP list if TP is disabled
Part 2: Lower the priority of channel loading tracking resource

// Annotate channels based on the tracking protection list in all modes
pref("privacy.trackingprotection.annotate_channels",  false);

Add a passive (detection only) mode for Tracking Protection ( RESOLVED FIXED in FF53 )

Part 1: Split out a new pref from privacy.trackingprotection.annotate_channels to explicitly control whether the channel priority is adjusted

// Lower the priority of network loads for resources on the tracking protection list.
// Note that this requires the privacy.trackingprotection.annotate_channels pref to be on in order to have any effect.
pref("privacy.trackingprotection.lower_network_priority",  false);


earthlng commented on July 16, 2024

services.blocklist.pinning.*

Create a services client for augmenting the PKP preload list between releases

The services blocklist client provides a mechanism we can use to get public key pin preloads to the browser between releases.

https://bugzilla.mozilla.org/show_bug.cgi?id=1306470#c12 :

It's a little awkward - we're actively reaching into people's profiles and removing a security state the website set for them. So it moves this service from 'Could be used to DOS people by preloading them with invalid pins' to 'Could be used to actively attack them'. So we should be cognizant of that fact and consider how we secure the update mechanism.

pref("services.blocklist.pinning.enabled", true);
pref("services.blocklist.pinning.bucket", "pinning");
pref("services.blocklist.pinning.collection", "pins");
pref("services.blocklist.pinning.checked", 0);


earthlng commented on July 16, 2024

javascript.options.shared_memory - that link mentions 2 new "objects", SharedArrayBuffer + Atomics.

From those pages:

The Atomics object provides atomic operations as static methods. They are used with SharedArrayBuffer objects.

APIs accepting SharedArrayBuffer objects:

  • WebGLRenderingContext.bufferData()
  • WebGLRenderingContext.bufferSubData()
  • WebGL2RenderingContext.getBufferSubData()

It seems to be only used by WebGL, and we can safely ignore this pref IMO.


earthlng commented on July 16, 2024
  • browser.urlbar.decodeURLsOnCopy - 1320061 - this seems interesting. It could be useful in some cases and terribly annoying in others. I'd like to add it in the Personal section
  • privacy.userContext.longPressBehavior - also seems nice. There are likely more prefs to come for Containers so we could create a special section or sub-section for those.
    This only works when Containers are enabled:
    https://hg.mozilla.org/mozilla-central/rev/f248d089469d#l2.72
    => 0 disables long press, 1 when clicked, the menu is shown, 2 the menu is shown after X milliseconds
  • privacy.permissionPrompts.showCloseButton - this is probably only for testing purposes and will likely get removed again. IMO we don't need this. I'll add the /* don't need */ for now.
  • privacy.trackingprotection.annotate_channels + privacy.trackingprotection.lower_network_priority - seems interesting and we should add them. Since we disable TP we should definitely disable the annotate_channels.
    The lower_network_priority can either be force-disabled or commented out
  • privacy.history.custom - is a fix for the UI and handled by FF internally https://bugzilla.mozilla.org/show_bug.cgi?id=552434 - we should not touch this
  • browser.tabs.remote.separateFileUriProcess - we have it as 2660 but I suspect this requires e10s, and FF53 sets it to false while we currently enforce true - we should comment it out


earthlng commented on July 16, 2024
  • I moved the following to ignore because the main pref seems to be services.blocklist.pinning.enabled
    • pref("services.blocklist.pinning.bucket", "pinning");
    • pref("services.blocklist.pinning.collection", "pins");
  • svg.disabled - I think we need to comment this out because it breaks youtube player controls.
  • browser.storageManager.enabled - from here:

In the last couple of cycles, some strings landed in pref for managing Site Data. To see this section in Preferences (at the bottom of Advanced -> Network), you need to enable (set to “true”) both these keys in about:config
browser.storageManager.enabled
dom.storageManager.enabled
Functionality is still hard to test, since there are no websites using this feature available for testing.

=> add this to 2706

  • plugins.navigator.hidden_ctp_plugin - 1294341 - something to do with Click2Play and Flash not being detected
    From here:

// This only supports one hidden ctp plugin, edit nsPluginArray.cpp if adding a second
pref("plugins.navigator.hidden_ctp_plugin", "Shockwave Flash");

=> the default empty string seems fine since we strongly recommend not to use Flash. IMO we can ignore this pref. If we care about Flash now, we probably also need to look at plugins.flashBlock.enabled

  • devtools.jsonview.enabled - Why do you think we need to deal with this one, Pants? Seems good to me, and we usually ignore devtools.* prefs anyway.

  • privacy.temporary_permission_expire_time_ms - 1206232 - seems fine to me. IMO we can ignore this. Why would we want to change or enforce this? If changing it, what would you want to set it to?

  • webextensions.storage.sync.enabled - I don't mind setting this to false. There's also webextensions.storage.sync.serverURL


earthlng commented on July 16, 2024

dom.IntersectionObserver.enabled

https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API

https://bugzilla.mozilla.org/show_bug.cgi?id=1243846

We're adding a new API and it will help developers move ad viewability checks from Flash to JavaScript.

We're talking to some ad network partners about obtaining any tests they might have.

https://bugzilla.mozilla.org/show_bug.cgi?id=1321865

Given the history of this new API -- it's been the top cause of crashes in Nightly on three different occasions now

By my count, this is now the 4th time this has landed and been backed out for stability issues

https://wicg.github.io/IntersectionObserver/

A notable non-goal is pixel-accurate information about what was actually displayed


earthlng commented on July 16, 2024
/* 2426: disable Intersection Observer API (FF53+)
 * [1] https://developer.mozilla.org/en-US/docs/Web/API/Intersection_Observer_API
 * [2] https://wicg.github.io/IntersectionObserver/
 * [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1243846 ***/
user_pref("dom.IntersectionObserver.enabled", false);

or

/* 2426: disable Intersection Observer API (FF53+)
 * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/47#issuecomment-293303172 ***/
user_pref("dom.IntersectionObserver.enabled", false);

Maybe add a note about this allowing for pixel-accurate information about what was actually displayed
and being mostly used by Ad Networks for Ad viewability checks.
But since that's already all quoted in my comment, I think we can just link to my comment and the item is short and sweet. (and we "force" users to visit this gh page ;)


/* 3027: decode URLs on copy from the URL bar (FF53+)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1320061 ***/
user_pref("browser.urlbar.decodeURLsOnCopy", true);

/* 0403: disable augmenting the PKP preload list between releases (FF53+)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1306470#c12 ***/
   // user_pref("services.blocklist.pinning.enabled", false);

=> commented out or active, idc - you decide


/* 0422: disable passive TrackingProtection (FF53+)
 * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/47#issuecomment-285638216 ***/
user_pref("privacy.trackingprotection.annotate_channels", false);
user_pref("privacy.trackingprotection.lower_network_priority", false);

-> maybe add a note that this requires that some URL prefs (0410d ??) are left intact?

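As an added example (not code from this issue or from the ghacks-user.js project), a small JavaScript checker that parses user_pref() lines from a user.js text and flags the two dependency pitfalls raised in this thread: lower_network_priority set without annotate_channels, and pinning.enabled=false without clearing the collection pref. The function names and the sample fragment are constructed for the example.

```javascript
// Added example, not code from the ghacks-user.js project: a checker for the
// FF53 prefs discussed in this thread. Lines commented out with "//" count as inactive.

function parseUserJs(text) {
  const prefs = {};
  const re = /^\s*(\/\/\s*)?user_pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const [, commented, name, raw] = m;
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (/^-?\d+$/.test(raw)) value = Number(raw);
    else if (/^".*"$/.test(raw)) value = raw.slice(1, -1);
    else continue; // unrecognised literal, skip it
    prefs[name] = { value, active: !commented }; // later lines win, as in Firefox
  }
  return prefs;
}

function activeValue(prefs, name) { // value of an uncommented pref, else undefined
  const p = prefs[name];
  return p && p.active ? p.value : undefined;
}

function lintFf53(prefs) {
  const warnings = [];
  // lower_network_priority only has an effect when annotate_channels is on
  // (Firefox source comment quoted in the thread).
  if (activeValue(prefs, "privacy.trackingprotection.lower_network_priority") === true &&
      activeValue(prefs, "privacy.trackingprotection.annotate_channels") !== true) {
    warnings.push("lower_network_priority is on but annotate_channels is not: no effect");
  }
  // Per earthlng's observation above, pinning.enabled=false alone still sends
  // update requests unless the collection pref is cleared too.
  if (activeValue(prefs, "services.blocklist.pinning.enabled") === false &&
      activeValue(prefs, "services.blocklist.pinning.collection") !== "") {
    warnings.push("pinning.enabled=false but services.blocklist.pinning.collection not cleared");
  }
  return warnings;
}

// Constructed sample user.js fragment with both pitfalls present.
const SAMPLE_USER_JS = `
user_pref("privacy.trackingprotection.annotate_channels", false);
user_pref("privacy.trackingprotection.lower_network_priority", true);
   // user_pref("services.blocklist.pinning.enabled", false);
user_pref("services.blocklist.pinning.enabled", false);
`;
console.log(lintFf53(parseUserJs(SAMPLE_USER_JS)));
```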

earthlng commented on July 16, 2024

changes between FF53 beta9 and FF53.0 stable

not changed anymore in stable:

changed in stable:


earthlng commented on July 16, 2024

A1 - mozilla - kinto? yes
A2 - we are not. How come I know your baby better than you dude? :)
A3 - installdir/browser/blocklist.xml got updated, but idk if the kinto lists are shipped with the setup, maybe in omni.ja, idk
A4 - yes, blocklist (old) + addons + certs + now maybe pinning
A5 - nothing is strictly necessary


earthlng commented on July 16, 2024

The feature of getting pinning updates between FF releases is totally independent of the remaining kinto updates. To kill the whole thing you could just clear the URL pref and all the collection prefs and services.blocklist.update_enabled or set the interval to a gazillion years or something. And then there's also extensions.blocklist.enabled. Currently (and I suspect it will stay that way) the pinning data update list is empty. But it does 10 additional requests every 24 hours (11 if you count the ocsp request), basically for no reason because there's nothing to update. (Quiet fox etc)
6 weeks between releases is really not that long and idk what would warrant an update in between.
They wanted to have a way to update it and kinto makes this very easy but I think it's very possible that this will never be used. Maybe they'll eventually get rid of the hardcoded preload list and use the kinto list instead but they never mentioned anything to that effect in the ticket.
Since we already have the other kinto prefs in the user.js I thought we should also include these new ones.

