intika / librefox Goto Github PK

https://github.com/intika/Librefox#about

Yesterday I said I don't mind being listed in there, but today I noticed that you accept donations, so I take that back. I'm glad that my work helps you and your project, and I'm grateful for your support ❤️, but so far I've never made a contribution to this project specifically, and I don't accept donations for my work.

If I ever do contribute (I'm not discarding that possibility!), then I won't mind being in that list.

Thanks in advance.

Choice over a settings page:

• No fingerprint protection
• Use Tor fingerprint (1)
• Randomize fingerprint (1)

(1) In both of those cases easy accessible whitelist needs to be available

Also check https://addons.palemoon.org/addon/eclipsedmoon/

Hello is it possible to have the developer edition for librefox?

Based on comment from article about Firefox price tracking feature:

user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.enabled", false);
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);

At the very top of the about:license page, one can read the following statement:

"Binaries of this product have been made available to you by the Mozilla Project under the Mozilla Public License 2.0 (MPL). Know your rights."

We need to change the ”Mozilla Project" part to "Librefox Project" or similar, whatever intika has in mind here should be applied. Furthermore, as long as there is no Librefox website, I think the link leading to the Mozilla homepage should be replaced with this GitHub page.

Furthermore, I noticed that the Waterfox project has a sentence in the "About Waterfox" version info / update checking window which states the following:

"Waterfox is not associated with Mozilla."

It is at the bottom of the window, see here: https://www.ghacks.net/wp-content/uploads/2018/05/waterfox-56.2.0.png

I think we should include this sentence as well, just replacing "Waterfox" with "Librefox" here.

The "Know your rights" part leads to the about:rights page. There it states:

Mozilla Firefox is free and open source software, built by a community of thousands from all over the world. There are a few things you should know:

We need to replace "Firefox" with "Librefox" here. Not sure what to do with the "community of thousands all over the world". Technically this is true, as thousands of people have contributed to the Firefox code upon which Librefox is built, but then, this statement might be a bit gross in relation to the Librefox project if we let it stand as is.

Firefox is made available to you under the terms of the Mozilla Public License. This means you may use, copy and distribute Firefox to others. You are also welcome to modify the source code of Firefox as you want to meet your needs. The Mozilla Public License also gives you the right to distribute your modified versions.

We need to replace "Firefox" with "Librefox" throughout this paragraph, I think the rest is true still.

You are not granted any trademark rights or licenses to the trademarks of the Mozilla Foundation or any party, including without limitation the Firefox name or logo. Additional information on trademarks may be found here.

Again, we need to replace "Firefox" with "Librefox" here. Additionally, we need to replace "Mozilla Foundation" with "Librefox Project" or similar here. The "here" word has a link attached to it leading to a Mozilla page. As that info is applicable to Firefox and was not released by us, I think we shouldn't keep the last sentence at all.

Some features in Firefox, such as the Crash Reporter, give you the option to provide feedback to Mozilla. By choosing to submit feedback, you give Mozilla permission to use the feedback to improve its products, to publish the feedback on its websites, and to distribute the feedback.

This can be deleted completely.

How we use your personal information and feedback submitted to Mozilla through Firefox is described in the Firefox Privacy Policy.

This does not seem to be applicable to the Librefox project at all, as almost all telemetry is gutted. However, once (if ever) Librefox introduces a working updater, the operating system and version of the browser must be submitted to the Librefox Project at least, as there is no other way to deliver the correct data. That being said, the Waterfox project has set up a privay notice that could inspire such a page for the Librefox project. See here: https://www.waterfoxproject.org/en-US/privacy/waterfox/ Some snippets of this are applicable to use, some are not (due to the gHacks-user.js being very strict in terms of the connections it allows).

Some Firefox features make use of web-based information services, however, we cannot guarantee they are 100% accurate or error-free. More details, including information on how to disable the features that use these services, can be found in the service terms.

I leave it to developer to decide what to make of this. I have no idea, really. Especially the about:rights#webservices page should be reviewed and modified for ourpurposes.

In order to play back certain types of video content, Firefox downloads certain content decryption modules from third parties.

This can be deleted completely.

The Firefox Account feature is disabled, could you explain why?

Is it possible to make portable versions for Windows?

Hello
Can I know why do you say in your README: "unrecommended https-everywhere"?
You should instead recommend it, no?
Thank you

• Introduce more customization options in the Librefox, possibly via a cooperation with CustomCSSforFx (Classic Theme Restorer).

• Something similar to chrome://flags or equivalent

• Enterprise policies (similar to enterprise-policy-generator)

• Also have a look at https://github.com/allo-/firefox-profilemaker this could be helpful

• mozilla.cfg and policy over a setting page

• Include https://ffprofile.com/ ?

• Include #39

• Include #53

• Develop an easy to use firewall system for extensions (button/hosts/allow/deny/per-addon)

• Take in consideration advanced users that want to have a hardened browser by default

Add on suggestions [and other privacy related suggestions] mentioned at the following websites for consideration/integration:

Prism Break: https://prism-break.org/en/categories/windows/#web-browser-addons

• Cookie AutoDelete
• Decentraleyes
• HTTPS Everywhere
• Mailvelope
• NoScript
• Privacy Badger
• uBlock Origin

Privacy Tools: https://www.privacytools.io/#addons

• Privacy Badger
• uBlock
• Cookie AutoDelete
• HTTPS Everywhere
• Decentraleyes
• uMatrix
• NoScript Security Suite

Someday we will see the Android version of Librefox?

Following #34 many settings have to be defaulted to a different value while leaving the choice for the user... Here are some pro developer feedback for Librefox

Eloston

What do you think made ungoogled-chromium successful ?

"Success" is a pretty broad term. I will assume you define "success" based on the number of users, what users say about the project, and the kinds of bug reports this project receives. In that case, there are several points I can note (in no particular order of importance):

• Continual desire to improve the project and oneself. I think this is the most important point. I mainly gather ideas based on feedback, experiences from this and past software projects, and experimenting with software in general. I also gather ideas by reading code and docs from Google, reading technical blog posts about software, and reading about new developments in software engineering.

• Dedicating a lot of time to the project. Especially in the following areas:

• Consistent attention to overall quality of documentation, code, and user experience (building the browser, using the browser, downloading pre-built binaries, reading documentation, etc.)

  • Responding to feedback on GitHub.
  • Considering all aspects of a bug, enhancement, request, question, etc.
  • Leaving a good impression on anyone who comes by. This happens in a number of ways, but a lot of this happened via the points I made above.
  • Contributors keep the momentum going. Particularly in updating Chromium versions.
  • The Chrome/Chromium userbase is large. The number of people concerned about privacy/security and Google's role in privacy is also decently large. Having a number of people interested in a project like this helps a lot.
  • In the beginning (some time before the first spike of users), I went to a few different places to advertise this project. Then, I let other people spread the word. This works because of the number of interested users.

Also one thing, a lot of people asked me about mozilla trademark (Firefox) while i was disturbing a patched version it's curious that uc did not face this problem, i guess google folks are more permissive.

This project is not widely known, and people aren't confusing it with the trademarked Chrome and Chromium. If it becomes an issue, then I'll be fine with changing it.

Do you have any advice/comments regarding the direction of my project ?

I don't know much about Firefox, so I can't give you any specific advice. Hopefully my comments on what made this project successful will help you too. Regardless, I am glad that my project has inspired you to create Librefox. I wish you luck with it!

Moonchild

• Block third-party cookies: Can block some sites (Add it as a choice)
• Completely disable the password manager how does this improve privacy, exactly, by forcing users to type their credentials every time? ( ... )
• Completely disables IPv6 support. ( ... )
• Completely disables all parts of the blocklist, including known broken gfx driver issues. This will expose users to many issues with known graphics driver problems ( ... )
• Completely disables integration with the add-ons site. (addon can still be installed its just that there is no integration - add it as a choice ?)
• Completely disables extension updates (Add it as a choice)
• Completely disables Windows jumplists, because.... ( ... )
• Completely disables pre-loading of known HSTS domains; this opens the user up to first-time-visit spoofing. HSTS preloading is harmless, blocked because it's supplied by Mozilla? ( ... )
• Completely disables OCSP, but enables OCSP stapling, which won't work with disabled OCSP. ( ... )
• Conflicting prefs with result that at best a CRL fallback is used, and at worst no checking is performed at all and revoked certs are accepted as secure. Well done Librefox, you broke https authentication checks. ( ... )
• Not forced but default; WebGL and layers acceleration is force-enabled. This will break the browser on many more systems because of GFX issues (especially hybrid and mobile chips), especially if blocklist entries aren't checked or used. ( ... )
• Completely disables webgl2 and forces webgl minimum-capability mode. This pretty much makes webgl useless. No reason to do this, since the (already enforced) fingerprinting protection already mitigates any potential webgl leaks. Fingerprinting protection doesn't enforce minimum capability mode for a reason. ( ... )
• Disables clipboard events, breaking many sites that use JS to place data on the clipboard... ( ... copy button still works)
• Done with lockPref (Add it as a choice)
• Considering there are plenty of duplicate entries in there you may find it frustrating that it doesn't take unless you hunt down all copies of a setting ( ... There is no duplicate but related settings).
• IMHO it's just another example of copy-pasta of insane configurations ( ... Settings have been tested but any way)
• It's not even a rebuild, it's just reconfigured ( ... )
• Check wolfbeast reply

Pants

• Extensions update notice
• Warn and provide a checklist (because of insane niche settings)
• Provide the support for users to make changes and understand wtf just happened
• Librefox is breaking shit left right and center - it's too much mate! It's a shell of a browser and it's kinda dangerous.
• The project needs to be differentiated (Currently it's reinventing the wheel)
• The "Dangerousness" of some settings
• Added prefs from god knows where (We don't add everything for a reason, so you'll need to look at that as well)
• There's the lock pref stuff
• Stripping important things out like Safe Browsing
• Dropping recommending extensions
• New users may be put at risk.
• People can achieve what you're done with a user.js - sure, I haven't exactly followed what core FF changes you have done, but they aren't needed IMO.
• You have to assume that anyone who uses your product has no knowledge or skills :)
• Wiki full of things like important stuff to check when first getting it. recommended extensions.
• You have a lot of work in front of you, and I can't help but feel you had no idea that this will suck the life out of you, and consume all your time. I don't want you to die intika , I like ya. kiss
• Don't listen to some of the rabid commentators on your repo. Just because that's how they like it, doesn't mean it's a good default (I have read some ludicrous ideas from some of them already).

Also, already looked at, but need to re review for new version

/* ALREADY COVERED: by master pref extensions.pocket.enabled ***/
    extensions.pocket.api                                                ""
    extensions.pocket.oAuthConsumerKey                                   ""
    extensions.pocket.site                                               ""
/* INFO URLS ETC: require user interaction (e.g Help>Submit Feedback) ***/
    app.feedback.baseURL                                                 ""
    app.releaseNotesURL                                                  ""
    browser.contentblocking.reportBreakage.url                           ""
    datareporting.healthreport.infoURL                                   ""
    toolkit.crashreporter.infoURL                                        ""
    toolkit.telemetry.infoURL                                            ""
    privacy.trackingprotection.introURL                                  ""
/* DEFAULT IS SAME
   this is generally a bad idea: if FF disables something due to a security concern, the
   end user who doesn't keep up to date with changes 
   (IF you do them) is now fucked over) ***/
    browser.offline-apps.notify                                          true
    browser.safebrowsing.passwords.enabled                               false
    html5.offmainthread                                                  true
    security.sri.enable                                                  true
    security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256                         true
    security.ssl3.ecdhe_ecdsa_aes_256_sha                                true
    security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256                   true
    security.ssl3.ecdhe_rsa_aes_128_gcm_sha256                           true
    security.ssl3.ecdhe_rsa_aes_256_sha                                  true
    security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256                     true
/* NOT PRIVACY etc related ***/
[i] browser.download.animateNotifications                                false
    browser.tabs.closeTabByDblclick                                      true
/* covered by dom.enable_performance (& also RFP) ***/
    dom.enable_performance_navigation_timing                             false
/* is only exposed to chrome 
   ( https://trac.torproject.org/projects/tor/ticket/27268#comment:2 ) ***/
    dom.mozTCPSocket.enabled                                             false
/* only used in a single test ***/
    browser.formfill.expire_days                                         0
/* specifically removed because people don't understand it 
   (and we don't want to encourage Tor over FF) ***/
[i] network.dns.blockDotOnion                                            true

Use GPG signatures with sha256 / blake instead.

How do you feel about creation a Privafox edition based on the current Firefox ESR version? In this case, you can even use Tor Browser as a base of your set.

Also add install instruction for linux (ubuntu)... windows etc.

in privafox "privacy.sanitize.sanitizeOnShutdown" is defaulted to true...

when the config file is used normally with pref("privacy.sanitize.sanitizeOnShutdown", true); the setting is not applied

when used with mozilla.cfg the setting is enforced BUT its value is string type even if it's set true without quotes... (but the setting work even if its a wrong var)

to be able to default this settings the used value is string so pref("privacy.sanitize.sanitizeOnShutdown", "true"); it works but the side effect is this option can not be disabled in the ffox settings anymore and the gui show a wrong value.

in short this seems to be a ffox bug where this value is incorrectly set to string instead of bool.

This could affect ghacks too where the setting is just ignored... when set without quotes which is the case.

Any way temporary solution is set with quotes

Appimage for Linux and portable for Windows (paf format ?)

I noticed that all releases can only work on 64-bit platforms, but sometimes we may have to run firefox on 32-bit ones. It would be prefect if Librefox can run on 32-bit OSes!

This is more of a general concept than about a specific fingerprinting method.

The TOR browser and many privacy focused addons attempt to limit the fingerprinting potential by reducing the amount of unique information. however that information in itself can be used for fingerprinting as well and the same is true for a browser with a relatively small user base. this gets even worse if users make custom changes. so there appears to be an upper bound for privacy.

however this does necessarily not have to be the case. instead of limiting information and advising users to not make any changes do the opposite: spew out randomized fake information. this is even more effective as adversaries think they got valuable information and populate their databases with it. this is theoretically possible to do with every bit of information that does not inevitably affect usability but that is already the case with common anti fingerprint methods.

there are some obstacles though. inconsistencies between different bits of information could theoretically be detected. however this requires extra effort and is only viable if enough information is being collected in the first place. in the worst case though an adversary would still only know you are faking data and thus use a browser that does this which is as good as the best case for classical methods. to counteract this you need a logic that keeps consistency that immitates common browsers in varying configurations and keeps the decoy over the lifetime of a website session.

it is more challanging overall becuase it requires dynamic changes instead of just static ones but is best to lay the foundations early on.

Add android version (main firefox)

Various secondary to-do:

• Update all settings descriptions (http://kb.mozillazine.org/About:config_entries and @Atavic reply)
• Complete bench tests on all 0 values
• Check the mozilla perf addon https://perf-html.io/
• Update build instructions
• Reddit videos playback
• Youtube hd videos hanging (with indexedDB disabled and other...)
• Review un-reviewed addons code
• Remove sites from start page (like fb etc...)
• #96 Addons install compatibility because of RFP and Zero-Comm
• #99 Addons manual update
• arkenfox/user.js#492 & reddit url color integrated with css ?
• #67 remove url bar spacing by default
• Librefox developer edition #24 ?
• Check Librefox with different language pack and "add button" on addons site (for language pack) #103
• ESNI #106
• Check "undefined" wrong word #113
• Check closed issues with "way-too-soon" tag
• Update the additional wiki page ? #111

Addons code to check:

• https://addons.mozilla.org/en-US/firefox/addon/dont-track-me-google1/
• https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
• https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
• https://addons.mozilla.org/en-US/firefox/addon/temporary-containers/
• https://addons.mozilla.org/en-US/firefox/addon/switch-container/
• https://addons.mozilla.org/en-US/firefox/addon/smart-referer/

Please consider incorporating Ubuntu's global menubar patch for better integration with desktop environments that support global menus, such as KDE Plasma and MATE or XFCE with the appmenu extension.

Is there an about:config setting that affects this?

Hi

Every browser except Librefox can access my Jellyfin (fork of Emby) no problem, but librefox shows me a constant loading circle when I try to open the Jellyfin web page :( The page load seems to take forever and never reaches to the landing page of Jellyfin

I am using LF on Win 10 x64

thanks

This include changing the logo, trademarking and using Librefox own user profile etc.

It seems that "Apply Librefox Manually" section is a duplicate of "Building And Packaging".

• Change the Mozilla trademark to Librefox in next release
• This include changing the logo
• And using Librefox own user profile

Hello,

I try to logon onto https://web.whatsapp.com/, but QR code doesn't appear.

https://forum.palemoon.org/viewtopic.php?f=4&t=21123&sid=75f9612f87b1ee17fa26e4a237c8c696#p158485

The palemoon creator took his time to list a couple of problematic things about this project.

IMHO it's just another example of copy-pasta of insane configurations, and it's not something new or better or different than any of the other similar things I've seen out there. It's not even a rebuild, it's just reconfigured, and questionably so.

I agree with this criticism 100% and I suggest a general discussion about of where the project should be going.

There's only one niche where Librefox can be successful: Create an up-to-date Firefox-copy that does essentially the same; simply with less Mozilla, less Google and more customization, flexibility and control.

There isn't a demand for a locked-up hardcore user.js that makes browsing a pain.

Question: Which files do I need to execute to install/run?
(sorry for noobish-ness)

Design a Librefox logo to replace the temporary one on this page

I've just scanned the latest version and Virus Total presented these issues - https://www.virustotal.com/en-gb/file/0028f58b9498659884f173d995bdbda15c02b91564c8954de321db16f31d688d/analysis/1545598643/

Should we be concerned? If not why not?

Thanks

Hi there! I'm a member of privacytools.io, and today I've created a discussion on https://github.com/privacytoolsIO/privacytools.io/issues/698. I think it would be quite beneficial to join the forces, review and merge existing tweaks from both projects (our recommended settings are listed here: https://www.privacytools.io/#about_config, and add-ons are available here: https://www.privacytools.io/#addons), and eventually refer you guys there. Feel free to comment here and there in the project and let us know what you think! Cheers!

Hello,

Google Translate doesn't work on RU domain (https://translate.google.ru), but work without any problem on COM domain (https://translate.google.com). Maybe issue can appear on other domains.

https://cat-in-136.github.io/

This makes project unappealing for new users. Just saying 😄

Hello intika,

I found that you have developed this browser which includes the gHacks-user.js. And that's great! We definitely need more browsers respecting user privacy by default. I am currently using this browser along with Ungoogled-Chromium.

Previously, I have used (and contributed some small code snippets to) Waterfox as well, but it seems to be stuck at the Firefox 56 base for too long. Not sure why, as Mozilla has removed all legacy add-ons from AMO anyway. Therefore, even as support for them is nice, most users have no way to download them as it stands. Anyway... I wanted a newer code base, and this project is what I have searched for. Thank you very much for your efforts.

Now, I think this project can be improved in some ways. I have a few ideas, and would like to present them to the dev for consideration and to the community for discussion.

I believe that Mozilla, as it stands, introduces more and more unwanted changes into Firefox. Some things I personally consider annoying and / or redundant are as follows:

• Pocket integration
• Activity Stream in the new tab page (I prefer to see the most viewed pages there only)
• Add-on recommendations
• Removal of the option to never update the browser (I know that this is not recommended anyway, but the CHOICE should be there at least)
• Firefox experiments like Cliqz and Mr. Robot / Firefox experiments in general are enabled.
  etc. etc. etc.

Moreover, I feel like the customization options in Firefox Quantum are pretty limited due to the removal of legacy add-ons. While I don't miss many legacy add-ons, I feel like Firefox should offer more UI customization options, much like Vivaldi does.

How does all this relate to Librefox? Well, I think Librefox does a great job of disabling a great deal of the unwanted features above. However, some things like the option to never download browser updates cannot be restored via the gHacks-user.js. This would require deeper changes. I have read somewhere that Firefox allegedly still supports the option do disable updates entirely in the enterprise policy editor.
Furthermore, I don't think offering a more privacy-oriented Firefox is enough to attract a wider scope of potential users. Vivaldi's success is built upon its many customization features, for example. I strongly believe that this project should include CustomCSSforFx by default. CustomCSSforFx is a set of userChrome.css code that can alter the entire Firefox appearance, much like it has been possible with Classic Theme Restorer historically. The developer is the very same person.
I would like to see those customization options introduced in the regular "Customize..." menu of the browser. I want to check a box and the change in appearance should occur. As it stands, I have to tackle things in userChrome.css quite a bit, involving restarts of the browser to make the changes apparent. This is not user-friendly at all. A browser introducing those options by default would be a dream come true.

Somewhat connected to this, I'd like to see a those customization options in Librefox ESR only. The code base, including UI code, changes too much across major versions for those changes to be reasonably maintainable for each major Firefox release. Therefore, I'd limit those customization options to Librefox ESR.

TL;DR:

• Introduce more customization options in the Librefox ESR builds, possibly via a cooperation with CustomCSSforFx.
• Make settings which are only available in the Enterprise policies of Firefox accessible in the normal settings dialog.

Thanks again for your great effort, intika. Thanks to all for their attention.

Below are some my analysis inside HA and VT.

Hybrid Analysis - HERE
VirusTotal - HERE

But there is 2 file detected as malicious

Check it out for file intergrity

I think it's a good idea to recommend EME-free builds for Windows and macOS instead regular ones.

They can be found here, for example: https://ftp.mozilla.org/pub/firefox/releases/64.0/

Test/Fix compatibility on those sites:

• https://github.com/jellyfin/
• https://developer.mozilla.org/en-US/docs/Web/Demos_of_open_web_technologies
• Videos pause when adjusting volume (youtube, twitter, etc.)
• https://translate.google.ru
• https://web.whatsapp.com (qr code)
• https://directory.shoutcast.com/ (play content)
• https://www.pixiv.net (gallery #68)
• https://www.verkkokauppa.com/ (#83)
• https://www.w3schools.com/tags/tryit.asp?filename=tryhtml_iframe

1 . I extracted the Librefox-2.1-Firefox-Win-64.0.0-x64.zip to a folder in D drive .

2 . Then I clicked on the setup.exe .

3 . It told me to close my firefox . I knew at this moment it gonna use default firefox profile . So I created two firefox profile . Unhecked " Use the selected profile without asking at start up.

4 . Again clicked on the setup.exe . When installed finished , firefox showed me the profile manager .

5 . I created a new profile called librefox . Tested some websites & played with it. So there are now 3 profiles.

6 . But when I closed firefox & opened my default profile .Everything was changed .

7 . Unable to access passwords. It is greyed out. History is gone . That is my default firefox profile.

I want to know what I did wrong . Why & how did it change my default profile when I created a new profile to begin with ? Also , I want to know how to install , use librefox with default firefox side by side. .

Hello,

I can't open legal site like https://flow.polar.com/ and can't change options security.ssl.require_safe_negotiation to false. How I can use my favorite site?

STR:

1. install Librefox HTTP Watcher and navigate to an HTTP site.
2. use Ctrl & F to toggle the search box.

Actual Result:
the search box is now colorized as well as the address box.

This is simply my thank you for making this happen. I've seen Firefox getting worse and worse over time and while I always had to do stuff manually, you provided a fully built and ready-to-go version with so much more than I could ever have done.

Thank you for caring about privacy.

Add new contributors