ToDo: diffs FF54-FF55 #144

Closed
24 tasks done
earthlng opened this issue Jun 15, 2017 · 50 comments
earthlng commented Jun 15, 2017

v54.0 vs v55.0

432 diffs ( 207 new, 66 gone, 159 different )

new in v55.0:

  • pref("browser.onboarding.enabled", true); 4e36051
  • pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", true); - 1343184 , 1351358 - 911a98c
  • pref("dom.ipc.processCount.file", 1); - 1352359 - cda46d8
  • extensions.formautofill.* - 8081967
    • pref("extensions.formautofill.heuristics.enabled", true);
    • pref("extensions.formautofill.addresses.enabled", true); 1364334
    • pref("extensions.formautofill.experimental", false); 1364334
  • pref("extensions.screenshots.disabled", false); 16499e9
  • pref("media.eme.chromium-api.enabled", true); - ebcf5be
  • pref("network.auth.subresource-img-cross-origin-http-auth-allow", true); - 31b1f66
  • pref("privacy.resistFingerprinting", false); 2699 - no longer hidden - 1345322, 6ef86fb
  • pref("toolkit.cosmeticAnimations.enabled", true); 1352069 - bc58c10
  • toolkit.telemetry* - 4397bc9
    • pref("toolkit.telemetry.newProfilePing.enabled", true); 1364068
    • pref("toolkit.telemetry.shutdownPingSender.enabled", true); 1336360
  • pref("browser.uidensity", 0); 1365912
    • leaving up here for easy spotting, but no need to add to the user.js. Maybe in the future for the personal section
  • pref("security.data_uri.unique_opaque_origin", false); - added to items to watch sticky
  • pref("pdfium.enabled", false); - added to items to watch sticky
  • pref("dom.allow_named_properties_object_for_xrays", 1); - 1353150
    • leaving up here for easy reference but no action taken regards user.js

removed, renamed or hidden in v55.0:

All DONE - see 48511d1

  • pref("browser.formautofill.enabled", false); 1364334
  • pref("browser.formfill.saveHttpsForms", true); 1361220
  • pref("browser.fullscreen.animate", true); 1352069
  • pref("browser.newtabpage.directory.ping", "blah blah"); 1241390
  • pref("browser.selfsupport.url", "blah blah"); 1361578
    • also removes browser.selfsupport.enabled
  • pref("browser.tabs.animate", true); 1352069
  • pref("dom.enable_user_timing", true); 1344669
  • pref("dom.keyboardevent.code.enabled", true); 1352949
  • pref("geo.security.allowinsecure", true); 1072859

changed in v55.0:

  • pref("browser.tabs.remote.separateFileUriProcess", true); // prev: false - 1104
  • pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // prev: "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%" - 0201
    • NOTE: this was not changed in the end in FF55, but we blanked the value and moved the Mozilla API key info to a comment - 29ce831 & 98698c8
  • pref("media.wmf.vp9.enabled", true); // prev: false ea713ab
  • pref("privacy.trackingprotection.annotate_channels", true); // prev: false - 595eaf5
  • pref("security.tls.enable_0rtt_data", true); // prev: false - (FF51+) - e95d2af
  • pref("app.update.staging.enabled", false); // prev: true - 0304
  • pref("browser.safebrowsing.provider.google4.updateURL", "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGLE_API_KEY%&$httpMethod=POST"); // prev: "https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGLE_API_KEY%" - 0413
  • pref("browser.urlbar.oneOffSearches", true); // prev: false - 0850e
  • pref("browser.urlbar.suggest.searches", true); // prev: false - 0808
  • pref("dom.IntersectionObserver.enabled", true); // prev: false - 2426
  • pref("dom.popup_allowed_events", "change click dblclick mouseup pointerup notificationclick reset submit touchend"); // prev: "change click dblclick mouseup notificationclick reset submit touchend" - 2415b
  • pref("dom.vr.enabled", true); // prev: false - 2504
  • pref("network.jar.block-remote-files", true); // prev: false - 2629
  • pref("network.predictor.enable-prefetch", true); // prev: false - 0608

ignore

==NEW

53 font.name* prefs

pref("font.name.cursive.ja", "");
pref("font.name.cursive.x-armn", "");
pref("font.name.cursive.x-beng", "");
pref("font.name.cursive.x-cans", "");
pref("font.name.cursive.x-devanagari", "");
pref("font.name.cursive.x-geor", "");
pref("font.name.cursive.x-gujr", "");
pref("font.name.cursive.x-guru", "");
pref("font.name.cursive.x-khmr", "");
pref("font.name.cursive.x-knda", "");
pref("font.name.cursive.x-mlym", "");
pref("font.name.cursive.x-orya", "");
pref("font.name.cursive.x-sinh", "");
pref("font.name.cursive.x-tamil", "");
pref("font.name.cursive.x-telu", "");
pref("font.name.cursive.x-tibt", "");
pref("font.name-list.cursive.ar", "Comic Sans MS");
pref("font.name-list.cursive.el", "Comic Sans MS");
pref("font.name-list.cursive.th", "Tahoma");
pref("font.name-list.cursive.x-cyrillic", "Comic Sans MS");
pref("font.name-list.cursive.x-ethi", "Visual Geez Unicode Title");
pref("font.name-list.cursive.x-math", "Comic Sans MS");
pref("font.name-list.cursive.x-unicode", "Comic Sans MS");
pref("font.name-list.cursive.x-western", "Comic Sans MS");
pref("font.name-list.cursive.zh-HK", "DFKai-SB");
pref("font.name-list.cursive.zh-TW", "DFKai-SB");
pref("font.name-list.monospace.ar", "Courier New");
pref("font.name-list.monospace.el", "Courier New");
pref("font.name-list.monospace.th", "Tahoma");
pref("font.name-list.monospace.x-cyrillic", "Courier New");
pref("font.name-list.monospace.x-math", "Courier New");
pref("font.name-list.monospace.x-unicode", "Courier New");
pref("font.name-list.monospace.x-western", "Courier New");
pref("font.name-list.sans-serif.el", "Arial");
pref("font.name-list.sans-serif.he", "Arial");
pref("font.name-list.sans-serif.th", "Tahoma");
pref("font.name-list.sans-serif.x-armn", "Arial AMU");
pref("font.name-list.sans-serif.x-cans", "Aboriginal Sans");
pref("font.name-list.sans-serif.x-cyrillic", "Arial");
pref("font.name-list.sans-serif.x-ethi", "GF Zemen Unicode");
pref("font.name-list.sans-serif.x-geor", "BPG Classic 99U");
pref("font.name-list.sans-serif.x-gujr", "Shruti");
pref("font.name-list.sans-serif.x-guru", "");
pref("font.name-list.sans-serif.x-khmr", "Khmer OS");
pref("font.name-list.sans-serif.x-math", "Arial");
pref("font.name-list.sans-serif.x-unicode", "Arial");
pref("font.name-list.sans-serif.x-western", "Arial");
pref("font.name-list.serif.ar", "Times New Roman");
pref("font.name-list.serif.el", "Times New Roman");
pref("font.name-list.serif.th", "Tahoma");
pref("font.name-list.serif.x-cyrillic", "Times New Roman");
pref("font.name-list.serif.x-unicode", "Times New Roman");
pref("font.name-list.serif.x-western", "Times New Roman");

pref("app.releaseNotesURL", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=whatsnew");
pref("app.update.doorhanger", true);
pref("app.update.download.promptMaxAttempts", 2);
pref("app.update.elevation.promptMaxAttempts", 2);
pref("app.update.link.updateAvailableWhatsNew", "update-available-whats-new");
pref("app.update.link.updateManualWhatsNew", "update-manual-whats-new");
pref("apz.drag.initial.enabled", true);
pref("apz.one_touch_pinch.enabled", false);
pref("browser.migrate.automigrate.inpage.ui.enabled", false);
pref("browser.photon.structure.enabled", false);
pref("browser.preferences.defaultPerformanceSettings.enabled", true);
pref("browser.preferences.offlineGroup.enabled", true);
pref("browser.preferences.search", false);
pref("browser.preferences.useOldOrganization", true);
pref("browser.shell.didSkipDefaultBrowserCheckOnFirstRun", false);
pref("browser.search.widget.inNavBar", true);
  // ^^ https://dxr.mozilla.org/mozilla-central/source/browser/components/customizableui/test/browser_694291_searchbar_preference.js
pref("browser.sessionstore.dom_storage_limit", 2048);
pref("browser.sessionstore.idleDelay", 180000);
pref("browser.sessionstore.interval.idle", 3600000);
pref("browser.sessionstore.restore_tabs_lazily", true);
pref("browser.suppress_first_window_animation", true);
   // ^^ https://bugzilla.mozilla.org/show_bug.cgi?id=1362103
pref("browser.urlbar.timesBeforeHidingSuggestionsHint", 4);
pref("devtools.computed.boxmodel.opened", true);
pref("devtools.debugger.expressions", "[]");
pref("devtools.debugger.file-search-case-sensitive", true);
pref("devtools.debugger.file-search-regex-match", false);
pref("devtools.debugger.file-search-whole-word", false );
pref("devtools.debugger.pending-breakpoints", "[]");
pref("devtools.debugger.prefs-schema-version", "1.0.0");
pref("devtools.debugger.ui.framework-grouping-on", true);
pref("devtools.gridinspector.showGridAreas", false);
pref("devtools.layout.boxmodel.opened", true);
pref("devtools.layout.grid.opened", true);
pref("devtools.netmonitor.hiddenColumns", "[\"cookies\",\"duration\",\"endTime\",\"latency\",\"protocol\",\"remoteip\",\"responseTime\",\"scheme\",\"setCookies\",\"startTime\"]");
pref("devtools.source-map.client-service.enabled", true);
pref("dom.forms.datetime.others", false);
pref("dom.input.skip_cursor_move_for_same_value_set", true);
pref("dom.ipc.processPrelaunch.enabled", false);
pref("dom.min_tracking_background_timeout_value", 10000);
pref("dom.min_tracking_timeout_value", 4);
  // ^^ https://caniuse.com/payment-request
  // ^^ https://bugzilla.mozilla.org/show_bug.cgi?id=1345361
pref("dom.payments.request.enabled", false);
pref("dom.promise_rejection_events.enabled", false);
pref("dom.script_loader.bytecode_cache.enabled", false);
pref("dom.script_loader.bytecode_cache.strategy", 0);
pref("dom.storageManager.prompt.testing", false);
pref("dom.storageManager.prompt.testing.allow", false);
  // ^^ https://bugzilla.mozilla.org/show_bug.cgi?id=1286717
pref("dom.timeout.max_consecutive_callbacks_ms", 4);
pref("dom.timeout.tracking_throttling_delay", 30000);
pref("dom.vr.autoactivate.enabled", false);
pref("dom.vr.controller_trigger_threshold", "0.1");
pref("dom.vr.navigation.timeout", 5000);
pref("dom.vr.oculus.present.timeout", 10000);
pref("dom.vr.oculus.quit.timeout", 30000);
pref("dom.vr.puppet.submitframe", 0);
pref("dom.vr.require-gesture", true);
pref("dom.w3c_pointer_events.dispatch_by_pointer_messages", false);
pref("dom.xhr.lowercase_header.enabled", false);
pref("editor.use_div_for_default_newlines", false);
pref("extensions.allow-non-mpc-extensions", true);
pref("extensions.formautofill.loglevel", "Warn");
pref("extensions.geckoProfiler.acceptedExtensionIds", "geckoprofiler@mozilla.com,quantum-foxfooding@mozilla.com");
pref("extensions.geckoProfiler.getSymbolRules", "localBreakpad,remoteBreakpad");
pref("extensions.geckoProfiler.symbols.url", "http://symbols.mozilla.org/");
pref("extensions.legacy.enabled", true);
pref("extensions.legacy.exceptions", "{972ce4c6-7e08-4474-a285-3208198ce6fd},testpilot@cliqz.com,@testpilot-containers,jid1-NeEaf3sAHdKHPA@jetpack,@activity-streams,pulse@mozilla.com,@testpilot-addon,@min-vid,tabcentertest1@mozilla.com,snoozetabs@mozilla.com,speaktome@mozilla.com,hoverpad@mozilla.com");
pref("extensions.startupScanScopes", 0);
  // ^^ https://bugzilla.mozilla.org/show_bug.cgi?id=1356826
pref("extensions.webextensions.themes.icons.buttons", "back,forward,reload,stop,bookmark_star,bookmark_menu,downloads,home,app_menu,cut,copy,paste,new_window,new_private_window,save_page,print,history,full_screen,find,options,addons,developer,synced_tabs,open_file,sidebars,share_page,subscribe,text_encoding,email_link,forget,pocket");
pref("extensions.webextensions.themes.icons.enabled", false);
pref("extensions.webextOptionalPermissionPrompts", true);
pref("extensions.webextPermissionPrompts", true);
pref("font.size.systemFontScale", 100);
pref("gfx.webrender.force-angle", true);
pref("gfx.webrender.profiler.enabled", false);
pref("gfx.webrendest.enabled", false);
pref("layers.advanced.background-color", 2);
pref("layers.advanced.background-image", 2);
pref("layers.advanced.boxshadow-inset-layers", 2);
pref("layers.advanced.boxshadow-outer-layers", 2);
pref("layers.advanced.bullet-layers", 2);
pref("layers.advanced.button-foreground-layers", 2);
pref("layers.advanced.canvas-background-color", 2);
pref("layers.advanced.columnRule-layers", 2);
pref("layers.advanced.displaybuttonborder-layers", 2);
pref("layers.advanced.filter-layers", 2);
pref("layers.advanced.image-layers", 2);
pref("layers.advanced.outline-layers", 2);
pref("layers.advanced.solid-color", 2);
pref("layers.advanced.table", 2);
pref("layers.advanced.text-layers", 2);
pref("layers.geometry.d3d11.enabled", true);
pref("layers.gpu-process.max_restarts", 3);
pref("layers.popups.compositing.enabled", false);
pref("layout.css.column-span.enabled", false);
pref("layout.css.frames-timing.enabled", false);
pref("layout.css.scoped-style.enabled", false);
pref("layout.css.servo.enabled", false);
pref("layout.css.style-attr-with-xml-base.disabled", true);
pref("media.cache.resource-index", 8192);
pref("media.decoder-doctor.decode-errors-allowed", "NS_ERROR_DOM_MEDIA_DEMUXER_ERR, NS_ERROR_DOM_MEDIA_METADATA_ERR");
pref("media.decoder-doctor.decode-warnings-allowed", "NS_ERROR_DOM_MEDIA_DEMUXER_ERR, NS_ERROR_DOM_MEDIA_METADATA_ERR");
pref("media.decoder-doctor.new-issue-endpoint", "https://webcompat.com/issues/new");
pref("media.eme.chromium-api.video-shmems", 4);
pref("media.playback.warnings-as-errors", false);
pref("media.throttle-factor", 2);
pref("media.throttle-regardless-of-download-rate", false);
pref("media.webvtt.pseudo.enabled", true);
pref("network.dns.forceResolve", "");
pref("network.http.focused_window_transaction_ratio", "0.9");
pref("network.http.max-urgent-start-excessive-connections-per-host", 3);
pref("network.http.originextension", false);
// RCWN = Race Cache With Network: https://bugzilla.mozilla.org/show_bug.cgi?id=1366224
pref("network.http.rcwn.cache_queue_normal_threshold", 8);
pref("network.http.rcwn.cache_queue_priority_threshold", 2);
pref("network.http.rcwn.enabled", false);
pref("network.http.rcwn.small_resource_size_kb", 256);
pref("network.http.throttle.enable", false);
pref("network.http.throttle.resume-background-in", 1000);
pref("network.http.throttle.resume-for", 100);
pref("network.http.throttle.suspend-for", 900);
// TCP Fast Open: https://bugzilla.mozilla.org/show_bug.cgi?id=1188435
pref("network.tcp.tcp_fastopen_consecutive_failure_limit", 5);
pref("network.tcp.tcp_fastopen_enable", false);
pref("plugins.http_https_only", true);
pref("plugins.remember_infobar_dismissal", true);
pref("plugins.show_infobar", false);
pref("security.allow_chrome_frames_inside_content", false);
// ^^ https://hg.mozilla.org/mozilla-central/rev/09ee763947c3
pref("security.insecure_field_warning.ignore_local_ip_address", true);
pref("security.OCSP.timeoutMilliseconds.hard", 10000);
pref("security.OCSP.timeoutMilliseconds.soft", 2000);
pref("security.sandbox.gpu.level", 0);
pref("services.sync.maxResyncs", 5);
pref("sidebar.position_start", true);
  // ^^ https://dxr.mozilla.org/mozilla-central/source/browser/base/content/browser-sidebar.js
pref("svg.context-properties.content.enabled", false);
pref("toolkit.dump.emit", false);
pref("urlclassifier.flashInfobarTable", "except-flashinfobar-digest256");
pref("urlclassifier.update.response_timeout_ms", 15000);
pref("urlclassifier.update.timeout_ms", 60000);
pref("webgl.force-index-validation", false);
pref("webrender.highlight-painted-layers", false);

==REMOVED or HIDDEN

pref("alerts.disableSlidingEffect", false);
pref("app.update.badge", false);
pref("apz.allow_with_webrender", false);
pref("browser.addon-watch.ignore", "[\"mochikit@mozilla.org\",\"special-powers@mozilla.org\",\"fxdevtools-adapters@mozilla.org\",\"fx-devtools\",\"webcompat-reporter@mozilla.org\"]");
pref("browser.addon-watch.interval", -1);
pref("browser.download.showPanelDropmarker", false);
pref("browser.formautofill.experimental", false);
pref("browser.formautofill.loglevel", "Warn");
pref("browser.reader.detectedFirstArticle", false);
pref("browser.shell.skipDefaultBrowserCheck", true);
pref("devtools.source-map.locations.enabled", false);
pref("devtools.webide.autosaveFiles", true);
pref("devtools.webide.showProjectEditor", true);
pref("devtools.webide.widget.autoinstall", true);
pref("devtools.webide.widget.enabled", false);
pref("devtools.webide.widget.inNavbarByDefault", false);
pref("dom.audiochannel.mutedByDefault", false);
pref("dom.forms.requestAutocomplete", false);
pref("dom.mms.defaultServiceId", 0);
pref("dom.mms.requestReadReport", true);
pref("dom.mms.requestStatusReport", true);
pref("dom.mms.retrieval_mode", "manual");
pref("dom.mms.retrievalRetryCount", 4);
pref("dom.mms.retrievalRetryIntervals", "60000,300000,600000,1800000");
pref("dom.mms.sendRetryCount", 3);
pref("dom.mms.sendRetryInterval", "10000,60000,180000");
pref("dom.mms.version", 19);
pref("dom.timeout.max_consecutive_callbacks", 5);
pref("dom.url.encode_decode_hash", true);
pref("dom.url.getters_decode_hash", false);
pref("extensions.dss.enabled", false);
pref("gfx.vr.openvr-runtime", "");
pref("identity.fxaccounts.profile_image.enabled", true);
pref("jsloader.reuseGlobal", false);
pref("layers.frame-counter", false);
pref("layout.accessiblecaret.timeout_ms", 0);
pref("layout.css.background-clip-text.enabled", true);
pref("layout.css.display-flow-root.enabled", true);
pref("layout.css.variables.enabled", true);
pref("layout.frame_rate.precise", false);
pref("marionette.enabled", false);
pref("marionette.forcelocal", true);
pref("media.directshow.enabled", true);
pref("mms.debugging.enabled", false);
pref("network.http.bypass-cachelock-threshold", 200000);
pref("network.http.enablePerElementReferrer", true);
pref("network.throttle.enable", true);
pref("network.throttle.resume-for", 2000);
pref("network.throttle.suspend-for", 2000);
pref("plugins.navigator_hide_disabled_flash", false);
pref("ril.numRadioInterfaces", 0);
pref("security.data_uri.inherit_security_context", true);
pref("services.sync.prefs.sync.javascript.enabled", true);
pref("social.sidebar.unload_timeout_ms", 10000);
pref("urlclassifier.max-complete-age", 2700);
pref("wap.UAProf.tagname", "x-wap-profile");
pref("wap.UAProf.url", "");

==CHANGED

114 font.name* prefs

pref("font.name.cursive.ar", ""); // prev: "Comic Sans MS"
pref("font.name.cursive.el", ""); // prev: "Comic Sans MS"
pref("font.name.cursive.he", ""); // prev: "Guttman Yad"
pref("font.name.cursive.ko", ""); // prev: "Gungsuh"
pref("font.name.cursive.th", ""); // prev: "Tahoma"
pref("font.name.cursive.x-cyrillic", ""); // prev: "Comic Sans MS"
pref("font.name.cursive.x-ethi", ""); // prev: "Visual Geez Unicode Title"
pref("font.name.cursive.x-math", ""); // prev: "Comic Sans MS"
pref("font.name.cursive.x-unicode", ""); // prev: "Comic Sans MS"
pref("font.name.cursive.x-western", ""); // prev: "Comic Sans MS"
pref("font.name.cursive.zh-CN", ""); // prev: "KaiTi"
pref("font.name.cursive.zh-HK", ""); // prev: "DFKai-SB"
pref("font.name.cursive.zh-TW", ""); // prev: "DFKai-SB"
pref("font.name.monospace.ar", ""); // prev: "Courier New"
pref("font.name.monospace.el", ""); // prev: "Courier New"
pref("font.name.monospace.he", ""); // prev: "Fixed Miriam Transparent"
pref("font.name.monospace.ja", ""); // prev: "MS Gothic"
pref("font.name.monospace.ko", ""); // prev: "GulimChe"
pref("font.name.monospace.th", ""); // prev: "Tahoma"
pref("font.name.monospace.x-armn", ""); // prev: "Arial AMU"
pref("font.name.monospace.x-beng", ""); // prev: "Mitra Mono"
pref("font.name.monospace.x-cans", ""); // prev: "Aboriginal Sans"
pref("font.name.monospace.x-cyrillic", ""); // prev: "Courier New"
pref("font.name.monospace.x-devanagari", ""); // prev: "Mangal"
pref("font.name.monospace.x-ethi", ""); // prev: "Ethiopia Jiret"
pref("font.name.monospace.x-geor", ""); // prev: "BPG Classic 99U"
pref("font.name.monospace.x-gujr", ""); // prev: "Shruti"
pref("font.name.monospace.x-guru", ""); // prev: "Raavi"
pref("font.name.monospace.x-khmr", ""); // prev: "Khmer OS"
pref("font.name.monospace.x-knda", ""); // prev: "Tunga"
pref("font.name.monospace.x-math", ""); // prev: "Courier New"
pref("font.name.monospace.x-mlym", ""); // prev: "Rachana_w01"
pref("font.name.monospace.x-orya", ""); // prev: "ori1Uni"
pref("font.name.monospace.x-sinh", ""); // prev: "Iskoola Pota"
pref("font.name.monospace.x-tamil", ""); // prev: "Latha"
pref("font.name.monospace.x-telu", ""); // prev: "Gautami"
pref("font.name.monospace.x-tibt", ""); // prev: "Tibetan Machine Uni"
pref("font.name.monospace.x-unicode", ""); // prev: "Courier New"
pref("font.name.monospace.x-western", ""); // prev: "Courier New"
pref("font.name.monospace.zh-CN", ""); // prev: "SimSun"
pref("font.name.monospace.zh-HK", ""); // prev: "MingLiu_HKSCS"
pref("font.name.monospace.zh-TW", ""); // prev: "MingLiU"
pref("font.name.sans-serif.ar", ""); // prev: "Segoe UI"
pref("font.name.sans-serif.el", ""); // prev: "Arial"
pref("font.name.sans-serif.he", ""); // prev: "Arial"
pref("font.name.sans-serif.ja", ""); // prev: "MS PGothic"
pref("font.name.sans-serif.ko", ""); // prev: "Gulim"
pref("font.name.sans-serif.th", ""); // prev: "Tahoma"
pref("font.name.sans-serif.x-armn", ""); // prev: "Arial AMU"
pref("font.name.sans-serif.x-beng", ""); // prev: "Vrinda"
pref("font.name.sans-serif.x-cans", ""); // prev: "Aboriginal Sans"
pref("font.name.sans-serif.x-cyrillic", ""); // prev: "Arial"
pref("font.name.sans-serif.x-devanagari", ""); // prev: "Nirmala UI"
pref("font.name.sans-serif.x-ethi", ""); // prev: "GF Zemen Unicode"
pref("font.name.sans-serif.x-geor", ""); // prev: "BPG Classic 99U"
pref("font.name.sans-serif.x-gujr", ""); // prev: "Shruti"
pref("font.name.sans-serif.x-khmr", ""); // prev: "Khmer OS"
pref("font.name.sans-serif.x-knda", ""); // prev: "Tunga"
pref("font.name.sans-serif.x-math", ""); // prev: "Arial"
pref("font.name.sans-serif.x-mlym", ""); // prev: "Rachana_w01"
pref("font.name.sans-serif.x-orya", ""); // prev: "ori1Uni"
pref("font.name.sans-serif.x-sinh", ""); // prev: "Iskoola Pota"
pref("font.name.sans-serif.x-telu", ""); // prev: "Gautami"
pref("font.name.sans-serif.x-tibt", ""); // prev: "Tibetan Machine Uni"
pref("font.name.sans-serif.x-unicode", ""); // prev: "Arial"
pref("font.name.sans-serif.x-western", ""); // prev: "Arial"
pref("font.name.sans-serif.zh-CN", ""); // prev: "Microsoft YaHei"
pref("font.name.sans-serif.zh-HK", ""); // prev: "Arial"
pref("font.name.sans-serif.zh-TW", ""); // prev: "Arial"
pref("font.name.serif.ar", ""); // prev: "Times New Roman"
pref("font.name.serif.el", ""); // prev: "Times New Roman"
pref("font.name.serif.he", ""); // prev: "Narkisim"
pref("font.name.serif.ja", ""); // prev: "MS PMincho"
pref("font.name.serif.ko", ""); // prev: "Batang"
pref("font.name.serif.th", ""); // prev: "Tahoma"
pref("font.name.serif.x-armn", ""); // prev: "Sylfaen"
pref("font.name.serif.x-beng", ""); // prev: "Vrinda"
pref("font.name.serif.x-cans", ""); // prev: "Aboriginal Serif"
pref("font.name.serif.x-cyrillic", ""); // prev: "Times New Roman"
pref("font.name.serif.x-devanagari", ""); // prev: "Kokila"
pref("font.name.serif.x-ethi", ""); // prev: "Visual Geez Unicode"
pref("font.name.serif.x-geor", ""); // prev: "Sylfaen"
pref("font.name.serif.x-gujr", ""); // prev: "Shruti"
pref("font.name.serif.x-guru", ""); // prev: "Raavi"
pref("font.name.serif.x-khmr", ""); // prev: "PhnomPenh OT"
pref("font.name.serif.x-knda", ""); // prev: "Tunga"
pref("font.name.serif.x-math", ""); // prev: "Latin Modern Math"
pref("font.name.serif.x-mlym", ""); // prev: "Rachana_w01"
pref("font.name.serif.x-orya", ""); // prev: "ori1Uni"
pref("font.name.serif.x-sinh", ""); // prev: "Iskoola Pota"
pref("font.name.serif.x-tamil", ""); // prev: "Latha"
pref("font.name.serif.x-telu", ""); // prev: "Gautami"
pref("font.name.serif.x-tibt", ""); // prev: "Tibetan Machine Uni"
pref("font.name.serif.x-unicode", ""); // prev: "Times New Roman"
pref("font.name.serif.x-western", ""); // prev: "Times New Roman"
pref("font.name.serif.zh-CN", ""); // prev: "SimSun"
pref("font.name.serif.zh-HK", ""); // prev: "Times New Roman"
pref("font.name.serif.zh-TW", ""); // prev: "Times New Roman"
pref("font.name-list.monospace.x-beng", "Mitra Mono, Likhan, Mukti Narrow"); // prev: "Likhan, Mukti Narrow"
pref("font.name-list.monospace.x-mlym", "Rachana_w01, AnjaliOldLipi, Kartika, ThoolikaUnicode"); // prev: "AnjaliOldLipi, Kartika, ThoolikaUnicode"
pref("font.name-list.monospace.x-orya", "ori1Uni, Kalinga"); // prev: "Kalinga, ori1Uni"
pref("font.name-list.monospace.zh-CN", "SimSun, MS Song, SimSun-ExtB"); // prev: "MS Song, SimSun, SimSun-ExtB"
pref("font.name-list.sans-serif.x-mlym", "Rachana_w01, AnjaliOldLipi, Kartika, ThoolikaUnicode"); // prev: "AnjaliOldLipi, Kartika, ThoolikaUnicode"
pref("font.name-list.sans-serif.x-orya", "ori1Uni, Kalinga"); // prev: "Kalinga, ori1Uni"
pref("font.name-list.sans-serif.zh-HK", "Arial, MingLiU_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB"); // prev: "MingLiU_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB"
pref("font.name-list.sans-serif.zh-TW", "Arial, PMingLiU, MingLiU, MingLiU-ExtB"); // prev: "PMingLiU, MingLiU, MingLiU-ExtB"
pref("font.name-list.serif.x-mlym", "Rachana_w01, AnjaliOldLipi, Kartika, ThoolikaUnicode"); // prev: "AnjaliOldLipi, Kartika, ThoolikaUnicode"
pref("font.name-list.serif.x-orya", "ori1Uni, Kalinga"); // prev: "Kalinga, ori1Uni"
pref("font.name-list.serif.zh-CN", "SimSun, MS Song, SimSun-ExtB"); // prev: "MS Song, SimSun, SimSun-ExtB"
pref("font.name-list.serif.zh-HK", "Times New Roman, MingLiu_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB"); // prev: "MingLiu_HKSCS, Ming(for ISO10646), MingLiU, MingLiU_HKSCS-ExtB"
pref("font.name-list.serif.zh-TW", "Times New Roman, PMingLiu, MingLiU, MingLiU-ExtB"); // prev: "PMingLiu, MingLiU, MingLiU-ExtB"

pref("app.update.badgeWaitTime", 345600); // prev: 0
pref("apz.drag.enabled", true); // prev: false
// ^^ part of onboarding for new profiles/installs which we have disabled
pref("browser.safebrowsing.provider.mozilla.lists", "base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,except-flashinfobar-digest256"); // prev: "base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256"
pref("browser.shell.skipDefaultBrowserCheckOnFirstRun", true); // prev: false
pref("browser.startup.firstrunSkipsHomepage", true); // prev: false
pref("datareporting.policy.firstRunURL", "https://www.mozilla.org/privacy/firefox/"); // prev: ""
pref("devtools.debugger.ignore-caught-exceptions", false); // prev: true
pref("devtools.inspector.mdnDocsTooltip.enabled", false); // prev: true
pref("devtools.storage.enabled", true); // prev: false
pref("dom.gamepad.extensions.enabled", true); // prev: false
pref("dom.ipc.cpows.allow-cpows-in-compat-addons", "<long-string>"); // prev: "<long-string>"
pref("dom.requestIdleCallback.enabled", true); // prev: false
pref("dom.vr.openvr.enabled", true); // prev: false
pref("dom.vr.poseprediction.enabled", true); // prev: false
pref("extensions.webextensions.themes.enabled", true); // prev: false
pref("gfx.webrender.enabled", false); // prev: true
pref("image.mem.animated.discardable", true); // prev: false
pref("intl.tsf.hack.ms_japanese_ime.do_not_associate_imc_on_win10", false); // prev: true
pref("javascript.options.mem.gc_incremental_slice_ms", 5); // prev: 10
pref("javascript.options.shared_memory", true); // prev: false
pref("layers.advanced.border-layers", 2); // prev: false
pref("layers.advanced.caret-layers", 2); // prev: false
pref("layout.css.float-logical-values.enabled", true); // prev: false
pref("layout.css.text-justify.enabled", true); // prev: false
pref("lightweightThemes.recommendedThemes", "<long-string>"); // prev: "<long-string>"
pref("media.cache_readahead_limit", 60); // prev: 999999
pref("media.cache_resume_threshold", 30); // prev: 999999
pref("media.wmf.disable-d3d11-for-dlls", "<long-string>"); // prev: "<long-string>"
pref("network.http.spdy.timeout", 170); // prev: 180
pref("plugins.favorfallback.mode", "follow-ctp"); // prev: "never"
pref("plugins.favorfallback.rules", "nosrc,video"); // prev: ""
pref("plugins.flashBlock.enabled", true); // prev: false
pref("print.use_simplify_page", true); // prev: false
pref("svg.transform-box.enabled", true); // prev: false
pref("urlclassifier.disallow_completions", "<long-string>"); // prev: "<long-string>"
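
The new / removed / changed split used in the post above can be reproduced from two default-pref dumps and then triaged against an ignore list. This is an added example, not part of the original thread or the project's own tooling; the function names, the sample dumps (constructed from a few prefs listed above) and the `font.name` ignore pattern are assumptions.

```javascript
'use strict';

// One `pref("name", value);` line. The value is kept as its literal source
// text (quoted string, boolean or integer) so the output matches the input.
const PREF_LINE =
  /^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/;

// Parse a prefs dump into Map(name -> literal value text).
// Comment lines, blank lines and anything unparseable are skipped.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_LINE.exec(line);
    if (m) prefs.set(m[1], m[2]);
  }
  return prefs;
}

// Classify every pref as added, removed or changed between two dumps.
function diffPrefs(oldText, newText) {
  const oldPrefs = parsePrefs(oldText);
  const newPrefs = parsePrefs(newText);
  const diff = { added: [], removed: [], changed: [] };
  for (const [name, value] of newPrefs) {
    if (!oldPrefs.has(name)) {
      diff.added.push({ name, value });
    } else if (oldPrefs.get(name) !== value) {
      // A type change (e.g. false -> 2) also lands here.
      diff.changed.push({ name, value, prev: oldPrefs.get(name) });
    }
  }
  for (const [name, value] of oldPrefs) {
    if (!newPrefs.has(name)) diff.removed.push({ name, value });
  }
  const byName = (a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0);
  for (const list of Object.values(diff)) list.sort(byName);
  return diff;
}

// Render an entry in the style used in this issue: `pref(...); // prev: ...`
function formatEntry(entry) {
  const line = `pref("${entry.name}", ${entry.value});`;
  return entry.prev === undefined ? line : `${line} // prev: ${entry.prev}`;
}

// Split a diff into entries that need a human decision and entries whose
// names match an ignore pattern (hypothetical list, e.g. the font.name* noise).
function triage(diff, ignorePatterns) {
  const out = { review: { added: [], removed: [], changed: [] }, ignored: 0 };
  for (const kind of Object.keys(diff)) {
    for (const entry of diff[kind]) {
      if (ignorePatterns.some((re) => re.test(entry.name))) out.ignored += 1;
      else out.review[kind].push(formatEntry(entry));
    }
  }
  return out;
}

// Constructed sample dumps, not real all.js output.
const SAMPLE_V54 = String.raw`
// constructed excerpt standing in for the v54 defaults
pref("security.tls.enable_0rtt_data", false);
pref("network.jar.block-remote-files", false);
pref("geo.security.allowinsecure", true);
pref("font.name.cursive.ar", "Comic Sans MS");
pref("javascript.enabled", true);
`;

const SAMPLE_V55 = String.raw`
// constructed excerpt standing in for the v55 defaults
pref("security.tls.enable_0rtt_data", true);
pref("network.jar.block-remote-files", true);
pref("privacy.resistFingerprinting", false);
pref("font.name.cursive.ar", "");
pref("font.name.cursive.ja", "");
pref("devtools.netmonitor.hiddenColumns", "[\"cookies\",\"duration\"]");
pref("javascript.enabled", true);
`;

const sampleTriage = triage(diffPrefs(SAMPLE_V54, SAMPLE_V55), [/^font\.name/]);
for (const kind of Object.keys(sampleTriage.review)) {
  console.log(`== ${kind}`);
  for (const line of sampleTriage.review[kind]) console.log(line);
}
console.log(`ignored: ${sampleTriage.ignored}`);
```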

@earthlng
Contributor Author

432 diffs!! man this is gonna suck!! I think I'm gonna be MIA until you and hopefully an army of contributors are done with this.
idea: changelog for 55alpha => "ignored 432 pref-changes for FF55" - there, done, easy peasy :)

Atavic commented Jun 15, 2017

new in v55.0b1:

pref("app.releaseNotesURL", "https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=whatsnew");

All the crap after ? is Urchin Google tracking, totally unneeded: https://www.mozilla.org/en-US/firefox/55.0beta/releasenotes/

earthlng commented Jun 16, 2017

toolkit.cosmeticAnimations.enabled - https://bugzilla.mozilla.org/show_bug.cgi?id=1352069

Introduce a pref that allows for disabling animations

This rolls browser.tabs.animate, browser.fullscreen.animate, and
alerts.disableSlidingEffect into a single pref; if any of these are disabled,
we'll disable the new pref too (toolkit.cosmeticAnimations.enabled). Most
future animations will also be subject to this pref.

earthlng commented Jun 21, 2017

and credited to Mozilla

... money, money, money. They realized they miss out on "credits" for "follow-on" searches.
If what they say is true then disabling telemetry will also never send out this kind of stuff. As long as it remains a system-addon that gets downloaded and installed, the fact that we have auto-install disabled will prevent this addon from ever seeing our hard discs.

We are ready to roll out to release as soon as blog is public

at least they are transparent about it

@earthlng
Contributor Author

/* 12xx: disable TLS1.3 0-RTT (round-trip time)
   [1] https://github.com/tlswg/tls13-spec/issues/1001
   [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
user_pref("security.tls.enable_0rtt_data", false); // false in FF51+, true in FF55+

@earthlng
Contributor Author

from new ...

pref("plugins.http_https_only", true);
pref("plugins.remember_infobar_dismissal", true);
pref("plugins.show_infobar", true);
pref("urlclassifier.flashInfobarTable", "except-flashinfobar-digest256");

IMO can all be ignored because it's Flash stuff

extensions.legacy.exceptions - looks like this could be used to prevent certain mozilla addons from being loaded, not that I think we should do that, it's more of an FYI

security.data_uri.unique_opaque_origin - is the renamed pref for security.data_uri.inherit_security_context - see #87 (comment) - no progress made in https://bugzilla.mozilla.org/show_bug.cgi?id=1324406 so this is still not ready to try IMO

earthlng commented Jun 27, 2017

browser.onboarding.enabled
https://dxr.mozilla.org/mozilla-central/source/browser/extensions/onboarding/README.md
great reviews: https://addons.mozilla.org/en-US/firefox/addon/firefox-onboarding-tour/reviews/
https://github.com/mozilla/onboard

edit: WTF! this shit even includes google-analytics! [ 💩 💩 💩 💩 💩 - edit, Thorin, 5-turd award]
mozilla/onboard@db4d6c8

@earthlng
Contributor Author

earthlng commented Jul 15, 2017

IMO...

  • extensions.startupScanScopes - is fine as is. It's done for faster startup and I don't see a problem with keeping FF's default value. Not even worth adding to the user.js
  • security.sandbox.gpu.level - we shouldn't mess with this. Can add to the list of "donotuse" prefs.
  • security.insecure_field_warning.ignore_local_ip_address - safe to ignore
  • pdfium.enabled;false - we can ignore this for now and look into it when they change it to true

@earthlng
Contributor Author

earthlng commented Aug 4, 2017

  • > pref("media.wmf.vp9.force.enabled", false); - add to 3025?
    • done, moved to ignore

When I installed nightly 56 I also created a quick diff and this pref showed up under removed, renamed or hidden in v56.0nightly. And it's "force enable", which will very likely never be set to true by mozilla anyway. IMO we can move it to the ignored list.

  • app.releaseNotesURL
    I agree, we can ignore it.
  • browser.preferences.*
    no need to include those either IMO.
  • plugins.*
    or those. Just stupid flash stuff
  • dom.vr.poseprediction.enabled
    probably covered by dom.vr.enabled. To get rid of some dead weight, I wouldn't mind removing all additional dom.vr.* prefs we already have in the user.js either, and only keep dom.vr.enabled. I don't have a VR device anyway, do you? PK's also only has the master switch pref. Should be enough. (Thorin - see c7cd524 )
  • media.eme.chromium-api.enabled (added to checklist - thorin)
    Idk if it's really necessary but just in case - let's include this. Simply adding it under 1830 is fine IMO; no need to explain anything or make it a new item
  • privacy.trackingprotection.annotate_channels (added to checklist - thorin)
    If I remember correctly, this will cause the TP lists to be downloaded/updated even if TP itself is disabled. For that reason alone we should include this somewhere for people who want to disable TP completely.

@earthlng
Contributor Author

earthlng commented Aug 5, 2017

Maybe we should put oculus back in?

nope, dom.vr.enabled state gets stored in VREnabled and it's always checked first and returns if it's false ( it's the same for OSVR, OpenVR, Puppet, Oculus - so basically everything because PosePrediction is part of Oculus and test is, well, just test xD)

@earthlng
Contributor Author

earthlng commented Aug 6, 2017

are the two prefs for privacy.window.maxInner* hidden?

DXR nightly - they are not in any of the default preferences files = hidden prefs for sure.

In 56nightly: 551x751 = 400x700, 549x749 = 400x700

https://dxr.mozilla.org/mozilla-central/source/dom/base/nsContentUtils.cpp#2447

400 = 551 - (551 % 200) = 551 - 151
700 = 751 - (751 % 100) = 751 - 51

@earthlng
Contributor Author

earthlng commented Aug 6, 2017

width needs to be a multiple of 200 (1x200,2x200,etc), height can be any round hundred. It just can't be higher than your real screen resolution's width/height. E.g. with a 1920x1080 screen resolution you can use width: 200,400,600,800,1000,1200,1400,1600,1800 together with any round hundred height between and including 100 to 1000. No 2:1 ratio at all as long as what you set fits on your screen

@earthlng earthlng changed the title ToDo: diffs FF54-FF55b1 ToDo: diffs FF54-FF55 Aug 7, 2017
@Okamoi

Okamoi commented Aug 8, 2017

What's up with dom.enable_user_timing being removed ?

Do you know how Tor Browser reacted to this ? It wouldn't make sense that nothing else happened because both Firefox and Tor teams are in sync for such things.

Like, is privacy.resistFingerprinting taking care of it now or something ?

@Okamoi

Okamoi commented Aug 8, 2017

Well the User Timing API now can't be disabled. The Tor team already added time wobble in their patches, and at the same time they disabled the API, so I'm not sure that this kind of imprecision reaching Firefox as opposed to just being a Tor patch is compensating anything regarding the loss of dom.enable_user_timing...

I'm kind of mixed on this, I'd be more open if not for Tor team's decision which I trust. I'm a little surprised that this sounds like a non event to you though :)

@Okamoi

Okamoi commented Aug 8, 2017

I'm sold for the time. But is it the name + scope thing mentioned here covered too ? Damn API provides more information than neat timestamps unfortunately.

I trust your pinky, it's actually the reason I'm asking this to you. For some reason you and earthlng appear to be better at searching Bugzilla and Firefox innards than I am, when things get obscure, which drives me crazy.

@earthlng
Contributor Author

earthlng commented Aug 9, 2017

  • browser.tabs.remote.allowLinkedWebInFileUriProcess - we can set this to false IMO. Most users will never load a file:// anyway. If we want to add this, I'd say as a xxxxB for whatever item browser.tabs.remote.separateFileUriProcess is. They want to remove "read" access for normal content processes, maybe other things as well. Having this pref set to true could allow web content to run under a less restrictive sandbox policy, but I think it's probably not that critical. We can also ignore it and wait for them to set it to false by default, or we add it as inactive with value false. IDC, I'm on ESR now xD
    • enforcing active at false - Thorin
  • dom.w3c_pointer_events.dispatch_by_pointer_messages - whatever this is, it doesn't matter because dom.w3c_pointer_events.enabled is default false
  • dom.storageManager.enabled + browser.storageManager.enabled are both still defaulting to false, right? the 2 dom.storageManager.prompt.* prefs can be ignored IMO

@arkenfox arkenfox deleted a comment from crssi Aug 9, 2017
@earthlng
Contributor Author

earthlng commented Aug 12, 2017

  • network.dns.forceResolve - 1361099 - moved to ignore
  • network.auth.subresource-img-cross-origin-http-auth-allow - 1357835

Sub-resources HTTP-authentication for cross-origin images:
true - it is allowed to present http auth. dialog for cross-origin images.
false - it is not allowed.
If network.auth.subresource-http-auth-allow has values 0 or 1 this pref does not have any effect.

there shouldn't be the capability whereas someone in control of "img src" can make a dialogue that sends credentials

but

Cross origin errors also have the following text: "WARNING: Your password will not be sent to the web site you are currently visiting!" making this attack far less likely.

we can add it as false and it shouldn't cause too much breakage IMO. Depending on what their new telemetry data will show, I expect they will change the pref to false (or even hardcode it to false and remove the pref again) but there's also talk of WONTFIX so IDK.

ESR doesn't have this pref yet and the only alternative there is to change network.auth.subresource-http-auth-allow to 1 (or 0 but I wouldn't recommend that, see comment 13) which restricts all cross-origin subresources from presenting that dialog and not just images.

@2glops

2glops commented Aug 13, 2017

  • pref("dom.ipc.processPrelaunch.enabled", false);
    Safe to ignore until FF56 lands IMO, related to e10s and still "false" in Nightly.
    1363601

@2glops

2glops commented Aug 14, 2017

  • pref("dom.xhr.lowercase_header.enabled", false);
    Safe to ignore until a couple of releases. Still false in Nightly.
    1370485

[Edit: Agreed, besides it totally looks like a spec/web-compat thing and has no privacy/tracking implications IMO - Thorin ]

@2glops

2glops commented Aug 14, 2017

  • pref("media.webvtt.pseudo.enabled", true);
    IMO, should be a fingerprintable figure, perhaps included later in resist.fingerprinting.
    For FF55, IMO, we could make the pref inactive:
    // pref("media.webvtt.pseudo.enabled", false);
    1318542
    • Thorin - dropped for now, i.e we will ignore it. Tor Uplift are looking into this

Security and Privacy Considerations section for WebVTT:
https://lists.w3.org/Archives/Public/public-texttracks/2016Nov/0005.html

@earthlng
Contributor Author

earthlng commented Aug 15, 2017

Thanks for your help here @2glops

👍 or nits

👎 - media.webvtt.pseudo.enabled only disables WebVTT pseudo element and class support. What good does disabling the styling of subtitles really do?

https://developer.mozilla.org/en-US/docs/Web/API/WebVTT_API#CSS_pseudo-classes

there's media.track.enabled as well which should eventually allow for multiple "tracks" but it's still disabled, so atm I guess FF always just uses the first track and therefore the "giving away your language or if you're hard of hearing" part probably doesn't apply.

IMO it's useless to include this pref. If you want to "disable"/block WebVTT there are other ways, fe with uBO: /\.vtt$/$media. [1] also mentions media.webvtt.enabled but that pref no longer exists.

@2glops

2glops commented Aug 15, 2017

Thanks for the invitation !

@2glops

2glops commented Aug 15, 2017

Edit: Yup, that seems pretty harmless - Thorin

@earthlng
Contributor Author

earthlng commented Aug 17, 2017

/* CHANGED: why do we need to disable this exactly? ***/
pref("security.tls.enable_0rtt_data", true); // (FF51+, turned on in 55+)

Because it's the one major flaw in TLS1.3

#144 (comment)

tlswg/tls13-spec#1001

... security review of the TLS 1.3 0-RTT section ...

The review focused on two known-issues: the absence of forward secrecy for all data, and the replayability of 0-RTT data. As it turns out, these issues can be worked around, and it is possible to provide 0RTT, Forward Secrecy and anti-replayability (save for the Gilmor downgrade attack case) at the same time.

However TLS1.3 0-RTT is insecure by default, and based on the current draft, it is likely that TLS implementations not using work arounds will create real-world vulnerabilities. I believe that the attacks enabled by these vulnerabilities are more practical, and more serious, than is generally appreciated.

Conclusion

TLS 1.3 0-RTT is not secure by default ...

They've since implemented some anti-replay mechanisms @ https://bugzilla.mozilla.org/show_bug.cgi?id=1295163 - no idea how effective that is though or when that landed.
IDK if they even tried to do something about the forward-secrecy problem.
IMHO the TLS1.3 guys should have just removed 0-rtt from the spec.

We can ignore this pref if we disable TLS1.3 again instead. Or not give a shit, idc tbh, I know what I will do.
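
The replay concern quoted above, modelled as an added example that is not part of the thread and is not TLS, NSS or Firefox code: a server that processes early data blindly next to one that accepts it at most once per session ticket inside a freshness window (single-use tickets plus a freshness check). The class and field names, the constructed flight and the 10-second window are assumptions.

```javascript
// Added example: model of a server-side 0-RTT early-data gate.
// Real TLS 1.3 authenticates the ticket identity and ticket age with the PSK
// binder; here they are plain fields of a constructed message.

class EarlyDataGate {
  constructor(windowMs) {
    this.windowMs = windowMs;
    this.seen = new Map(); // ticketId -> client send time of the accepted flight
  }

  // Decide whether early data may be processed.
  // A "reject-*" result only refuses the early data; the handshake would
  // continue as a normal 1-RTT handshake.
  check(flight, nowMs) {
    // Forget tickets whose flight can no longer pass the freshness check, so
    // the register stays bounded without reopening a replay window.
    for (const [id, sentAt] of this.seen) {
      if (nowMs - sentAt > this.windowMs) this.seen.delete(id);
    }
    if (Math.abs(nowMs - flight.sentAtMs) > this.windowMs) return "reject-stale";
    if (this.seen.has(flight.ticketId)) return "reject-replay";
    this.seen.set(flight.ticketId, flight.sentAtMs);
    return "accept";
  }
}

// Toy application server: every processed early-data request bumps a counter,
// standing in for a non-idempotent action.
function deliver(deliveries, gate) {
  let applied = 0;
  const decisions = [];
  for (const { flight, atMs } of deliveries) {
    const decision = gate ? gate.check(flight, atMs) : "accept";
    decisions.push(decision);
    if (decision === "accept") applied += 1;
  }
  return { applied, decisions };
}

// Constructed sample: one client flight that reaches the server three times.
const FLIGHT = {
  ticketId: "ticket-constructed-01",
  sentAtMs: 1000,
  earlyData: "POST /orders item=42",
};
const DELIVERIES = [
  { flight: FLIGHT, atMs: 1005 },  // original arrival
  { flight: FLIGHT, atMs: 1500 },  // identical copy inside the window
  { flight: FLIGHT, atMs: 20000 }, // identical copy long after
];

function runDemo() {
  return {
    noGate: deliver(DELIVERIES, null),
    gated: deliver(DELIVERIES, new EarlyDataGate(10000)),
  };
}

console.log(JSON.stringify(runDemo(), null, 2));
```

The gate covers replay only; it does nothing for the forward-secrecy concern raised in the same review.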

@2glops

2glops commented Aug 17, 2017

  • pref("dom.allow_named_properties_object_for_xrays", 1);
    From 1353150 my feeling is that we should ignore it.

Edit: Thorin - Yup, see my comment a few posts up with exploit link and bugzilla link. Was wondering what effect adding it and ramping up to 2 would have, but yeah, ignore for now. It is a good security fix though, so at least it's documented and can be easily found in the repo

@Theemim

Theemim commented Aug 18, 2017

Add a passive (detection only) mode for Tracking Protection
https://bugzilla.mozilla.org/show_bug.cgi?id=1170190

I'm planning to make the privacy.trackingprotection.annotate_channels pref only control whether channels are annotated as tracking or non-tracking, and add an API to nsIChannel to query that information. I'm going to create another pref (privacy.trackingprotection.lower_network_priority) to control the behavior in bug 1141814.

Lower priority of HTTP requests for resources on the Tracking Protection list
https://bugzilla.mozilla.org/show_bug.cgi?id=1141814

When Tracking Protection is disabled, we could still use the Tracking Protection list to lower the priority of those HTTP requests to nsISupportsPriority::PRIORITY_LOWEST. Patrick says: to the extent that TP resources are separate origins than other resources it wouldn't actually turn into much of a practical difference. Different origins are basically run in parallel right now and the prioritizations apply within the origin. There are some exceptions to this when different origins are carried on the same connection - and we will see more of that in the H2/CDN world. And generally doing more with priority information is an evolving area of interest, so marking TP channels as low priority at least creates the meta information to do the right thing when the rest of the stack has more creative things to do.

The network tab should flag resources on the tracking protection list
https://bugzilla.mozilla.org/show_bug.cgi?id=1333994

Now that bug 1170190 has landed (currently behind the privacy.trackingprotection.annotate_channels pref), we will start annotating channels with whether or not they are from a URL on the tracking protection list. We should flag these trackers in the network tab of the devtools to help developers know which resources might be blocked and avoid having their sites break when these resources are missing.

@fmarier

fmarier commented Aug 18, 2017

I still have no idea WTF this is. Might help if I knew what annotate meant (attributing sources? idk) and why this is even required and why we should list it (inactive to be sure).

The annotations themselves are a purely internal thing. It means every time we're about to load a URL, we check it against the TP list. If it's on the TP list, we mark that URL as a tracker. It's just a mark though: by itself, it doesn't do anything. Therefore, there's not really any point in disabling that.

The other pref, privacy.trackingprotection.lower_network_priority, will look at whether or not URLs are marked (or "annotated") as trackers and if they are (because annotations are turned on AND the URL is on the TP list) then they get a lower priority.

There's also another pref, I think it's dom.timeout.tracking_throttling_delay, that looks at URLs marked as trackers and limits the amount of time they can fire timeouts when they are in the background. If you disable annotations, then you don't get the timeout throttling or the lower network priorities.

@fmarier

fmarier commented Aug 18, 2017

Maybe one day u can explain this - just internals again?

That's adding an API to let extensions (e.g. Lightbeam) toggle TP on and off.

@Theemim

Theemim commented Aug 18, 2017

Even more reason to leave alone. And they have no privacy/security etc issues AFAIK.

Well, the existence of the annotation feature and its intended uses implies that turning TP off may not completely disable all tracking protection related mechanisms. So I quickly searched, and found this from a Francois Marier (@fmarier ?):

https://bugzilla.mozilla.org/show_bug.cgi?id=1345158#c7

> 2. Maybe this is a question for francois, does disabling tracking protection
> stop us from downloading the list of trackers?  If so, I think this really
> belongs in privacy.services

We also download the list of trackers if privacy.trackingprotection.annotate_channels is
enabled. If both are disabled, then the list is not downloaded.

If enabling the annotation feature will cause TP list related client<->server communications, we then have to determine what the risks of those are. Is it a pure download which never involves passing hashes, urls, identifiers, or other significant info to the server? Is the list a list and form that multiple people can download and easily compare to verify they are getting the same exact version? Or are we talking about a Safe Browsing protocol that isn't as clean as that?

Plus, there is another potential issue. Which is Firefox messing around with the priority of things which are on Mozilla's list. A list that may contain entries that users do NOT want deprioritized or whatever. Maybe not a problem unless someone does the "it has been enabled for a while, time to remove the prefs" thing.

@earthlng
Contributor Author

> Well, the existence of the annotation feature and its intended uses implies that turning TP off may not completely disable all tracking protection related mechanisms.

Exactly. That's why I suggested to include it in the user.js. IMO we should include the 2 "passive TP" prefs, active and both set to false. They are ignored anyway if "active" TP is enabled.

@earthlng
Contributor Author

earthlng commented Aug 18, 2017

But 0420 .. privacy.trackingprotection.enabled is OFF by default and the user.js does not change it.

Oh yeah, I didn't think about that. So I guess that means that once both of the passive TP prefs default to true then TP blocks requests in PB windows, and in normal windows the passive TP kicks in and lowers priority.

@earthlng
Contributor Author

earthlng commented Aug 18, 2017

network.auth.subresource-img-cross-origin-http-auth-allow - we can ignore this. One would have to be pretty stupid to fall for this attack...

Attempting to demonstrate a 401 prompt on "bugzilla.mozilla.org"

https://bug1357835.bmoattachments.org/attachment.cgi?id=8859667

Honestly, would any of you have entered your bugzilla account credentials into that prompt? 🤦‍♂️ xD

@crssi

crssi commented Aug 18, 2017

^^ Hmmm... my parents would fall to trickery. ;)

@crssi

crssi commented Aug 18, 2017

Apple doesn't fall far from tree. So you know now from where your beer-jar is filling up. :)
At least from that point of view the anonymity is a shit. Otherwise I would be happy to bank transfer you guys for a beer.

@earthlng
Contributor Author

earthlng commented Aug 18, 2017

> ^^ Hmmm... my parents would fall to trickery. ;)

Lol, yeah I guess that's a valid concern. Let's include it then. Where do we put it? 0900 Passwords? or 2600?

/* xxxx: prevent cross-origin images from triggering an HTTP-Authentication prompt (FF55+)
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1357835 ***/
user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);

IMO the bugzilla link is enough info

@earthlng
Contributor Author

network.auth.subresource-img-cross-origin-http-auth-allow - 31b1f66

@earthlng
Contributor Author

How about this for the passive TP?

/* 04xx: disable passive Tracking Protection
 * Passive TP annotates channels to lower the priority of network loads for resources on the tracking protection list
 * [NOTE] It has no effect if TP is enabled, but keep in mind that by default TP is only enabled in Private Windows 
 * This is included for people who want to completely disable Tracking Protection.
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1170190
 * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1141814 ***/
   // user_pref("privacy.trackingprotection.annotate_channels", false);
   // user_pref("privacy.trackingprotection.lower_network_priority", false);

@fmarier

fmarier commented Aug 18, 2017

> Is it a pure download which never involves passing hashes, urls, identifiers, or other significant info to the server? Is the list a list and form that multiple people can download and easily compare to verify they are getting the same exact version?

Yes to both of these. More details can be found here: https://feeding.cloud.geek.nz/posts/how-tracking-protection-works-in-firefox/

> Which is Firefox messing around with the priority of things which are on Mozilla's list. A list that may contain entries that users do NOT want deprioritized or whatever.

s/Mozilla's/Disconnect's/

Not sure why a user would want to avoid de-prioritizing trackers given that this feature doesn't break anything (otherwise it's considered a bug). This is purely a performance improvement.

@fmarier

fmarier commented Aug 18, 2017

> How about this for the passive TP?
> ...
> // user_pref("privacy.trackingprotection.lower_network_priority", false);

You don't need to disable that second one. If annotations are disabled, the network prioritization code will not do anything.

@earthlng
Contributor Author

earthlng commented Aug 18, 2017

> You don't need to disable that second one.

I put it in for informational purposes so that people know there's a 2nd pref that can be toggled independently. Later on the annotations will be used for other things as well and maybe someone wants those other things but not the network throttling for example. Or someone on FF55 wants to use the prioritization and doesn't realize that the 2nd pref is still defaulting to false.

Can you comment on this:

> once both of the passive TP prefs default to true then TP blocks requests in PB windows, and in normal windows the passive TP kicks in and lowers priority.

is that the desired effect and how it will work for the foreseeable future? Are you putting that into the release-notes or something because how else are "normal" people gonna know about this stuff otherwise?

@fmarier

fmarier commented Aug 19, 2017

> is that the desired effect and how it will work for the foreseeable future? Are you putting that into the release-notes or something because how else are "normal" people gonna know about this stuff otherwise?

I think it's scheduled to ship in 57, so I'd look for those release notes when it comes out.

@Theemim

Theemim commented Aug 19, 2017

Given the issue closure I'll keep this to a minimum. @fmarier:

How to stop Firefox from making automatic connections suggests that disabling tracking protection will stop the tracking protection list update connections. Will that page be updated to inform people that they also have to disable privacy.trackingprotection.annotate_channels?

@Theemim

Theemim commented Aug 19, 2017

@Atavic: I asked because of https://bugzilla.mozilla.org/show_bug.cgi?id=1345158#c7 and there is code in https://dxr.mozilla.org/mozilla-release/source/toolkit/components/url-classifier/SafeBrowsing.jsm which appears consistent with that (superficially):

// From lines 202 and 204
this.trackingEnabled = Services.prefs.getBoolPref("privacy.trackingprotection.enabled") || Services.prefs.getBoolPref("privacy.trackingprotection.pbmode.enabled");
this.trackingAnnotations = Services.prefs.getBoolPref("privacy.trackingprotection.annotate_channels");

// Beginning at line 351
for (let i = 0; i < this.trackingProtectionLists.length; ++i) {
  if (this.trackingEnabled || this.trackingAnnotations) {
    listManager.enableUpdate(this.trackingProtectionLists[i]);
  } else {
    listManager.disableUpdate(this.trackingProtectionLists[i]);
  }
}
for (let i = 0; i < this.trackingProtectionWhitelists.length; ++i) {
  if (this.trackingEnabled || this.trackingAnnotations) {
    listManager.enableUpdate(this.trackingProtectionWhitelists[i]);
  } else {
    listManager.disableUpdate(this.trackingProtectionWhitelists[i]);
  }
}

mozilla-central has the same.
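
The condition in the SafeBrowsing.jsm excerpt above, turned into a check that can be run against a user.js (an added example, not code from Firefox or from this repo): list updates stay enabled unless `privacy.trackingprotection.enabled`, `privacy.trackingprotection.pbmode.enabled` and `privacy.trackingprotection.annotate_channels` are all false. The function names, the constructed user.js samples and the default values passed in are assumptions; confirm the defaults in about:config for the Firefox version in use.

```javascript
// Added example, not Firefox code: does a user.js still leave
// tracking-protection list updates enabled, per the quoted condition
//   trackingEnabled || trackingAnnotations ?
const TP_ENABLED = "privacy.trackingprotection.enabled";
const TP_PBMODE = "privacy.trackingprotection.pbmode.enabled";
const TP_ANNOTATE = "privacy.trackingprotection.annotate_channels";

// Collect active user_pref("name", value); lines. Anything inside /* ... */
// or on a line starting with // is skipped, so "inactive" prefs do not count.
function parseUserJs(text) {
  const prefs = new Map();
  const withoutBlocks = text.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const raw of withoutBlocks.split(/\r?\n/)) {
    const m = raw.trim().match(/^user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/);
    if (!m) continue;
    let value = m[2];
    if (value === "true") value = true;
    else if (value === "false") value = false;
    else if (/^-?\d+$/.test(value)) value = Number(value);
    else value = value.replace(/^"|"$/g, "");
    prefs.set(m[1], value); // a later line overrides an earlier one
  }
  return prefs;
}

// defaults: the browser's built-in values for the three prefs (caller-supplied
// assumption). Returns whether list updates stay on and which prefs cause it.
function auditTrackingLists(userJsText, defaults) {
  const user = parseUserJs(userJsText);
  const effective = {};
  for (const name of [TP_ENABLED, TP_PBMODE, TP_ANNOTATE]) {
    effective[name] = user.has(name) ? user.get(name) : defaults[name];
  }
  const trackingEnabled = effective[TP_ENABLED] || effective[TP_PBMODE];
  const trackingAnnotations = effective[TP_ANNOTATE];
  return {
    listUpdatesEnabled: Boolean(trackingEnabled || trackingAnnotations),
    keptOnBy: Object.keys(effective).filter((n) => effective[n] === true),
    effective,
  };
}

// Assumed defaults for illustration only.
const ASSUMED_DEFAULTS = {
  [TP_ENABLED]: false,
  [TP_PBMODE]: true,
  [TP_ANNOTATE]: true,
};

// Constructed sample: TP and annotations are off, the private-window pref is
// only present as an inactive (commented-out) line.
const SAMPLE_PARTIAL = `
/* 04xx: disable passive Tracking Protection ***/
user_pref("privacy.trackingprotection.enabled", false);
user_pref("privacy.trackingprotection.annotate_channels", false);
   // user_pref("privacy.trackingprotection.pbmode.enabled", false);
`;
// Constructed sample: the same file with the third pref made active.
const SAMPLE_FULL = SAMPLE_PARTIAL +
  'user_pref("privacy.trackingprotection.pbmode.enabled", false);\n';

for (const [label, text] of [["partial", SAMPLE_PARTIAL], ["full", SAMPLE_FULL]]) {
  const r = auditTrackingLists(text, ASSUMED_DEFAULTS);
  console.log(label, r.listUpdatesEnabled, r.keptOnBy);
}
```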

@Atavic

Atavic commented Aug 19, 2017

> We also download the list of trackers if privacy.trackingprotection.annotate_channels is enabled.

After a glance, I see you are right.

@fmarier

fmarier commented Aug 19, 2017

> How to stop Firefox from making automatic connections suggests that disabling tracking protection will stop the tracking protection list update connections. Will that page be updated to inform people that they also have to disable privacy.trackingprotection.annotate_channels?

Yes, that needs to be updated. Feel free to submit a change there. It's a wiki that anybody can edit, though changes are reviewed to prevent spam.
