1
0
Commit Graph

1416 Commits

Author SHA1 Message Date
Thorin-Oakenpants
8860c90abf
make service workers inactive
currently 3rd party service workers are blocked in FF95 when dFPI is enabled (which this version has should anyone update to 96-alpha)
   - but I get an error even on first party - https://arkenfox.github.io/TZP/tzp.html#storage
   - I get : service worker | test : enabled | failed: SecurityError
in FF96+ service workers they are covered by dFPI
  - see https://bugzilla.mozilla.org/show_bug.cgi?id=1731999
2021-12-09 14:31:41 +00:00
Thorin-Oakenpants
4d5abd6cc3
tweak 8000 title
lets not encourage non-RFP users to see this as a sign to use them
2021-12-09 14:18:25 +00:00
Thorin-Oakenpants
de28689e76
flip from FPI to dFPI
I will tidy and expand 2700 entries later
2021-12-09 14:13:39 +00:00
Thorin-Oakenpants
5d508e4242
move LSNG to don't touch 2021-12-09 14:05:47 +00:00
Thorin-Oakenpants
1fc43574d6
move "cookie" permission info into 2801 2021-12-09 14:00:21 +00:00
Thorin-Oakenpants
0634a568ef
remove redundant site data prefs
we've never used these
- service workers are disabled (or soon to be covered by dFPI when enabled) and sanitizing is already done (or will be done via enhanced cookie cleaning)
- storage API, storage access API: we sanitize on close, and sites are isolated by eTLD+1
2021-12-09 13:45:46 +00:00
Thorin-Oakenpants
f7bba92c71
cleanout FPI section
farewell parrot
2021-12-09 12:28:45 +00:00
Thorin-Oakenpants
fe75baa79f
move DNT to DON'T BOTHER 2021-12-09 11:44:51 +00:00
Thorin-Oakenpants
72cc4d176e
0706: network.proxy.allow_bypass, closes #1292 2021-12-09 11:41:18 +00:00
Thorin-Oakenpants
7e1b92567c
95 final 2021-12-08 12:13:47 +00:00
Thorin-Oakenpants
fec5168203
95 deprecated 2021-12-08 04:28:47 +00:00
Thorin-Oakenpants
b60a888da3
update WebRTC, closes #1282 2021-12-06 14:45:47 +00:00
Thorin-Oakenpants
ec595c3b95
fixup duplicate line 2021-12-05 19:59:33 +00:00
Thorin-Oakenpants
9d61992c8c
don't clear offlineApps on shutdown, #1291
- in v94 we switched to cookies lifetime as session, so users could use site exceptions to retain selected cookies (to stay logged in one assumes)
- that mean not deleting all cookies on shutdown
- but some login methods/types require more than cookies and also need the "site data" part of "cookies + site data" - that's the offlineApps part
- note: all site data (and cookies) is still cleared on close except site exceptions
2021-12-05 19:49:32 +00:00
Thorin-Oakenpants
fd860e6c69
flip RFP newwin max values, closes #1286 2021-12-04 10:23:59 +00:00
Thorin-Oakenpants
cf0102f71e
fixup: from being flogged to death by overseers
thanks @dngray, also save some precious bytes .. polar bears know about scarce resources
2021-12-02 09:34:34 +00:00
Thorin-Oakenpants
4dc5372257
0603: network.predictor.enable-prefetch
make active for Nighty users - see https://bugzilla.mozilla.org/show_bug.cgi?id=1506194
2021-11-30 13:29:19 +00:00
Thorin-Oakenpants
47de4f520b
tidy 5505 2021-11-28 09:01:39 +00:00
Thorin-Oakenpants
27977a16ad
2652: browser.download.alwaysOpenPanel
FYI: https://bugzilla.mozilla.org/1738372

There is a small privacy issue with shoulder surfers, but in reality, this just needs to happen IMO
- we already prompt where to save, but even if we didn't, we also know we clicked or initiated a download
   - unless it's a drive by or user-gesture trickery - which is why we prompt
- the download icon is shown (if hidden) and the throbber/accent color go to work
- users can always click the icon to show entries (and open folder etc)
- this maintains the current behavior in FF94
2021-11-25 06:49:38 +00:00
Thorin-Oakenpants
4b393b9b12
start 95-alpha 2021-11-24 01:09:10 +00:00
Thorin-Oakenpants
6027aaa45d
fixup warnOnQuitShortcut 2021-11-23 12:02:50 +00:00
Thorin-Oakenpants
cbfb8abf15
94 final 2021-11-23 07:11:43 +00:00
Thorin-Oakenpants
58d0161b67
add warnOnQuitShortcut, closes #1270 2021-11-23 07:05:01 +00:00
Thorin-Oakenpants
6b351a9458
fixup trade-offs
anti-fingerprinting doesn't fit here: it's not a major component or priority of this user.js, and only a few prefs outside RFP (as a robust built-in browser solution that defeats naive scripts) have anything to do with it
2021-11-22 18:15:53 +00:00
Thorin-Oakenpants
c9e4cac618
tweak webRTC
webRTC will be overhauled... but not today... in the meantime
- remove dead link before @dngray has a hernia
- correctly refer to the type of IP leak
2021-11-22 18:08:07 +00:00
Thorin-Oakenpants
34bd3c5a04
consolidate/simplify sanitizing, fixes #1256
move all sanitizing on exit prefs into 2800

switch to cookie lifetime as session
- now users can utilize exceptions (as allow)
- session cookies still block service workers (which we disable anyway)
- we still block 3rd party cookies (until we move to dFPI)
- we still have defense in depth for 3rd party cookies with 2803
- we still bulk sanitize offlineApps on exit: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
   - i.e you get to keep the cookies only IF you add an exception

add `privacy.clearsitedata.cache.enabled`
2021-11-22 05:40:49 +00:00
Thorin-Oakenpants
2f88ca2e40
misc
- move DoH so it has room to grow
- tidy privacy.clearOnShutdown, privacy.cpd
2021-11-18 01:28:21 +00:00
Thorin-Oakenpants
e2e7f9c647
font vis changes (#1275) 2021-11-16 11:56:20 +00:00
Thorin-Oakenpants
f8932dced1
remove ambiguous line
The point was that google have said (stated in policy, but fuck knows where that is located these days) that it is anonymized and not used for tracking. It's an API used by **_4 billion devices_** - the API has privacy policies for use. If a whistleblower or someone else found out that google was using this to enhance their user profiling, then all hell would break loose. And they don't even need this to fuel their ad revenue. It is provided, gratis, to the web to help ensure security - they wouldn't dare taint it and get it caught up in a privacy scandal involving **+4 billion devices_**. And in all this time (since 2007), there has been no such whistleblower or proof it is used to track or announcements by google of changes to the contrary.

Anyway, a quick search brings up
- Here is their policy - https://www.google.com/intl/en_us/privacy/browsing.html - it's empty and points to
- https://www.google.com/intl/en/chrome/privacy/
   - and if you scroll down to "Safe Browsing practices" it doesn't say anything about privacy policies for the API itself (or the owner of the API) - it just spells out what happens in chrome
- I'm not going to bother to look any further and find a history of policy changes

Anyway, this is Firefox and hashes are part hashes bundled with other real hashes - and we turned off real time binary checks. So this line can fuck the fuck off. It was meant to reassure those who want the security of real-time binary checks, that privacy "shouldn't" be an issue, but I'm not going to expand on it
2021-11-07 06:48:45 +00:00
Thorin-Oakenpants
17beb468f1
tweak 1510 default info 2021-11-04 22:44:23 +00:00
Thorin-Oakenpants
bd59131d3e
default changes, missed one 2021-11-04 22:38:16 +00:00
Thorin-Oakenpants
0f8217ad60
cleanup sanitizing-on-close prefs 2021-11-04 16:18:35 +00:00
Thorin-Oakenpants
1515897449
default changes 2021-11-02 16:07:42 +00:00
Thorin-Oakenpants
ba92918d38
don't disable system addon updates, closes #1251 2021-10-26 10:16:42 +00:00
Thorin-Oakenpants
094356e073
0706: add reference 2021-10-25 20:56:18 +00:00
Thorin-Oakenpants
7d68a32971
start 94-alpha
- and remove obsolete ESR78 notations
- note: we leave the deprecated ESR78.x section and item 6050 until v95 so users upgrading to ESR91 can easily reset those prefs with prefsCleaner
2021-10-25 17:41:16 +00:00
Thorin-Oakenpants
85438d00e4
v93 deprecated 2021-10-12 08:23:46 +00:00
Thorin-Oakenpants
a764149520
v92 2021-10-11 13:56:38 +00:00
Thorin-Oakenpants
412c8f9f94
0807 urlbar contextual suggestions, #1257 2021-10-09 07:14:20 +00:00
Thorin-Oakenpants
380a88ee57
oophs 2021-10-05 11:14:16 +00:00
Thorin-Oakenpants
8404e8a59c
tidy, closes #1260 2021-10-05 03:04:14 +00:00
Thorin-Oakenpants
b37df0bcfe
embiggen 4500, #1218 2021-09-25 02:32:48 +00:00
Thorin-Oakenpants
044e3e76e8
make 0706 more cromulent 2021-09-25 01:47:54 +00:00
Thorin-Oakenpants
1c6d633144
more nits 2021-09-11 05:35:39 +00:00
Thorin-Oakenpants
278336196c
nit 2021-09-11 05:31:21 +00:00
Thorin-Oakenpants
76c1aad4be
grammar 2021-09-10 13:07:04 +00:00
Thorin-Oakenpants
e5c128804c
remove locale in link 2021-09-10 05:09:05 +00:00
Thorin-Oakenpants
c9956d85b1
92-alpha 2021-09-10 04:32:09 +00:00
Thorin-Oakenpants
524823fd05
proxy direct failover (#1247) 2021-09-07 13:35:32 +00:00
Thorin-Oakenpants
283bfd744a
fixup missing 1022 reference 2021-08-29 14:32:37 +00:00
Thorin-Oakenpants
a1b4aa6000
add DoH rollout pref, closes #1027 2021-08-29 07:42:24 +00:00
Thorin-Oakenpants
a308878b11
finish removal of 500s and cleanup of 300s 2021-08-29 04:50:36 +00:00
Thorin-Oakenpants
453fcd32cb
remove 2003, fixes #1245 2021-08-29 04:10:48 +00:00
Thorin-Oakenpants
7e80231ac5
was 6005: remove mixed active 2021-08-28 08:38:31 +00:00
Thorin-Oakenpants
6df03e1a74
add removed from arkenfox section
- this helps mitigate the need for scratchpad for those who use prefsCleaner
- in future, if anything was active during the ESR cycle, then it goes in here when removed
- similar to deprecated items: clean out after ESR EOL
2021-08-28 08:30:12 +00:00
Thorin-Oakenpants
4b437771fa
oophs, thanks @eleius
fixup 3b52557143
2021-08-28 07:11:44 +00:00
Thorin-Oakenpants
4043467ad9
tidy 2021-08-28 06:03:13 +00:00
Thorin-Oakenpants
5ac8fd8f70
0906: tweak, #1243 2021-08-28 05:57:19 +00:00
Thorin-Oakenpants
2cf20c56a7
standardize cross origin/domain 2021-08-28 05:48:54 +00:00
Thorin-Oakenpants
3b52557143
start removal of section 0500s
- I am no longer short one parrot
- move inactive screenshots to personal
- move FORM autofill to `0800... FORMS` - can't find it now, but this is slated to cease being a system addon and instead be "built-in"
- the rest will get swallowed into a revamped, split QUIETER FOX
2021-08-28 05:19:13 +00:00
Thorin-Oakenpants
08395de188
1273: remove inactive pref 2021-08-27 10:37:54 +00:00
Thorin-Oakenpants
4ac17eaf78
tidy last commit 2021-08-26 06:50:46 +00:00
Thorin-Oakenpants
b5a3b54d3f
clipboard to don't bother 2021-08-26 06:43:28 +00:00
Thorin-Oakenpants
80f69a6f3d
2406: remove
This doesn't achieve anything. AFAICT, it's an old gecko only API, not used on the web: superseded by the Clipboard API (added in FF21+)
2021-08-26 06:26:41 +00:00
Thorin-Oakenpants
498a25c759
0806: remove confusing line 2021-08-26 06:04:57 +00:00
Thorin-Oakenpants
64e8dfad0a
1004: remove setup tag
IDK if this is true: no one has ever complained, and I'm not interested in maintaining/testing it
2021-08-26 05:55:11 +00:00
Thorin-Oakenpants
5ec4fef4ed
dedupe 0808 2021-08-26 05:40:59 +00:00
Thorin-Oakenpants
881a2d22eb
cleanup tags
- there was only one perf left
- warning is down to 5: two in section headers, 3 on inactive prefs: no need to mention it, people will see them if they read each item/section
2021-08-25 16:14:59 +00:00
Thorin-Oakenpants
76c8ecd10d
tidy 2021-08-25 15:56:57 +00:00
Thorin-Oakenpants
677b81765f
tidy webgl 2021-08-25 15:36:15 +00:00
Thorin-Oakenpants
9f43d48a32
targetBlankNoOpener -> don't touch 2021-08-25 14:09:39 +00:00
Thorin-Oakenpants
6077d09b9f
window.name -> don't touch
Also FPI FF65+ patch is not part of FPI, it is part of 4002 which is a separate pref
2021-08-25 14:04:50 +00:00
Thorin-Oakenpants
7144f8b7f8
cleanup continued, #1239
More minor tweaks to come. This isn't final
- 0102: ambiguous that the clearing was related to PB mode
- 0900s:
   - get rid of 0901, it has no pref, stick link in header
   - 0905: values on multi-lines use spaces = more readable
- 1000s:
   - rename as disk avoidance and remove sub-section headers
   - remove the outdated section header
- 4001: it will never be perfected, it's doing it's job
- 5500s: optional hardening
   - legit security measures, but commonality in caveats, so I made them a separate section
   - this flips graphite, asm.js and wasm from active to inactive: these are overkill: exhibit A: hundreds of millions of Firefox users
   - e.g. graphite and wasm are enabled on Tor Browser
   - new CVE keyword links
- 7000s: don't bother - two more items added
- 5000s: optional opsec and cleanout 0800s header
- re-number
   - 0900s, 1000s, 1400s, 2400s

PS: I need a new parrot: "9000 syntax error: I ran out of parrots"
2021-08-24 22:51:48 +00:00
Thorin-Oakenpants
778421cad4
#1241 2021-08-24 08:59:11 +00:00
Thorin-Oakenpants
35ccaff58e
calrify password prompt, #1241 2021-08-24 08:52:12 +00:00
Thorin-Oakenpants
69132b588f
7000s: mathml, svg, #1235 2021-08-24 05:43:38 +00:00
Thorin-Oakenpants
51748ea25a
leverage cve keyword 2021-08-24 03:09:33 +00:00
Thorin-Oakenpants
269cf965bd
renumber 1700s 2021-08-23 10:03:13 +00:00
Thorin-Oakenpants
b177c73f0d
typo
technically it's "or" - FPI overrides network partitioning
2021-08-23 09:47:34 +00:00
Thorin-Oakenpants
613e55ae8c
7000s: add MOAR; renumber 0700s, #1235 2021-08-23 09:42:21 +00:00
Thorin-Oakenpants
3697bd8d3a
1603 -> inactive
Yes it's pretty much useless. Yes it's fingerprintable, and what that entropy is, who knows. Since it's sent regardless with ETP, which we enable in all windows, then who cares. And if you don't use ETP in all windows, then I don't care either - just saying
2021-08-23 06:26:45 +00:00
Thorin-Oakenpants
9f08c7c0f4
7000s: referer policy #1235
and re-number 1600s
2021-08-23 06:04:19 +00:00
Thorin-Oakenpants
05b7d61735
7000s: non cross origin referers 2021-08-23 04:54:49 +00:00
Thorin-Oakenpants
e31a6876e6
section 6000 2021-08-23 04:40:29 +00:00
Thorin-Oakenpants
47be7ba42f
1203 is a reset not enforce 2021-08-23 04:08:49 +00:00
Thorin-Oakenpants
033977fe10
move personal to last
probably more professional to keep it at the end since it isn't strictly project related. It also opens up space for `DON'T TOUCH` and `OPTIONAL OPSEC`
2021-08-23 03:39:15 +00:00
Thorin-Oakenpants
ab42deb541
Four more items to 7000s, #1235 2021-08-23 02:55:36 +00:00
icpantsparti
8a22a90804
colon insertion (#1238) 2021-08-22 16:23:51 +00:00
Thorin-Oakenpants
cf379bcce0
typos 2021-08-22 05:45:08 +00:00
Thorin-Oakenpants
2b26cd4f41
7000s: ciphers, #1235
- merged 3DES cipher to bottom: it is still the same order of [1]
- 3DES pref will be deprecated: pref name changes, and the cipher slated to be unavailable unless you downgrade to < TLS1.2 - see https://bugzilla.mozilla.org/show_bug.cgi?id=1724072
   - FYI: we reset TLS downgrades to session only by resetting the pref currently in 1203
- "Minimal/non-existent threat of downgrade attacks"
   - FYI: these old ciphers are about 1-2% of traffic (from memory) - but that's still significant breakage
   - So the only reason to do this would be to harden against downgrade attacks (and inadvertently use weak sites = breakage): but that doesn't fit most user's threat model: and is probably never going to happen for them. Not sure if I can word that much better and just as succinct
2021-08-22 05:18:54 +00:00
Thorin-Oakenpants
04d648d55b
remove 2508
- inactive in user.js since
   - v55: gfx.direct2d.disabled
   - v67: layers.acceleration.disabled
- the way to counter hardware fingerprinting is within each API that may expose it
- this may have made some sense way back in the day, when there were less options/protections, but not any more
- [are we web render yet](https://arewewebrenderyet.com/) - yes, 100% - there is no need to cripple your browser's perf
2021-08-22 01:53:01 +00:00
Thorin-Oakenpants
aded0707a4
misc
- renumber 0200s, 2500s
- remove 2414: doesn't apply to desktop, and I think it has been neutered in android
2021-08-21 04:39:08 +00:00
Thorin-Oakenpants
213467d91b
remove 2517
- inactive since we added it in v63
- this is not how you defeat fingerprinting (unless done in an enforced set)
- for the record: not even tor browser disable this
- fingerprinting this is not cheap in gecko (for now)
- from [2]
   - decoding/encoding capabilities: "it is expected that the entropy ... isn’t going to be significant"
   - HDR detection: "... has the potential to add significant entropy .. however .. but ... thus minimizing effective entropy" - it is what it is
   - note that RFP has some mitigations in FF82+ 1461454
2021-08-21 03:21:32 +00:00
Thorin-Oakenpants
27ce48f319
trim fluff 2021-08-21 02:00:43 +00:00
Thorin-Oakenpants
37ded2a519
remove redundant warning 2021-08-20 14:10:09 +00:00
Thorin-Oakenpants
c9bdceb8d6
1244: fix no upgrade test 2021-08-20 13:23:59 +00:00
Thorin-Oakenpants
95136382e1
improve 1244, closes #1047 again 2021-08-20 13:18:43 +00:00
Thorin-Oakenpants
78d953bfda
remove 1032
dead wood: marked as default false since at least v68, inactive since at least v78, and web notifications are controlled in 2300s
2021-08-20 03:16:25 +00:00
Thorin-Oakenpants
cef08b63f1
4520 -> personal 2021-08-20 02:52:55 +00:00
Thorin-Oakenpants
a8e95e7310
dexter would be proud #1235
- just to be clear, this section is not supported: not interested in references or explanations or  FF version numbers or default info etc
- "do more harm than good" - ambiguous, not interested in explaining why exactly: but FYI
  - some leak
  - most break shit
  - almost all are easily fingerprinted and the combo of them would make you really stand out
- removed the duplicate `ui.prefersReducedMotion` - this should move to personal as well
- moved `ui.systemUsesDarkTheme` to personal
2021-08-20 02:13:53 +00:00