cleanup of the about:config section [continued] #1430
Reference: privacyguides/privacytools.io#1430
carrying on from #1212 ... I'll keep editing this first comment as the checklist.
PS: FYI, you generally have to @ me (I rarely watch anything to limit the noise), but I'll stay subscribed to this issue
PPS: mods feel free to fixup all the labels :)
💩 Part 1: Finish Cleanup
Remove (from the last issue)
browser.sessionstore.max_tabs_undo
see this comment and the subsequent reply
Also remove
🚑 Part 2a: Easy Quick Additions
Add these [just plonk it anywhere, we'll deal with the order/sectioning later]. These are all zero breakage
enabled: probably makes prefetch redundant but no time or inclination to dig into this
zero breakage pref details:
beacon
prefetch
dns prefetching
predictor & pre-fetching
sb remote checks [edit: here is the source of that description, but I personally would just link the URL without the anchor]
🚑 Part 2b: Add Sanitizing on close info
I'll dump a draft in a subsequent comment: but this is a way better method to emulate session control of persistent local web data (a la PB mode)
🎱 Part 3: ETP/cookies and sanitize on close
dom.event.clipboardevents.enabled (see https://github.com/privacytoolsIO/privacytools.io/issues/1430#issuecomment-609794486)
Part 4: Sectionize
🍺 Part 5: Get Wrecked
...
Just a heads up: I am incentivized to get to Part 5 🍺 so lets get this done or I'll lose interest / time to do it
Hey thorin, thanks for starting out the work, shall we open up a pull request to work on this?
go for it: all the info is already in the first post for parts 1 and 2a
e.g.
becomes
beacon.enabled = false
disable sending additional analytics to web servers. Source
@blacklight447-ptio Any news about this? I am assigning myself too in case I would end up looking at this sometime when looking at issues assigned to me while this doesn't seem too difficult PR as Thorin-Oakenpants has already done most of the thinking, but I guess I should finish #1580 first.
Take notes:
Breaking the Nextcloud text editor, pasting text on Twitter Web UI and a lot of things.
I found it breaking the "animate" feature on windy.com.
Breaking the Live Streaming on Youtube. And it is unnecessary, Firefox will ask you for Camera and Microphone permission.
Was this ever finished? It probably should be before we progress onto https://github.com/privacytoolsIO/privacytools.io/issues/1328 and https://github.com/privacytoolsIO/privacytools.io/issues/1257
I am afraid not
A piece of string walks into a bar and walks up to the counter.
The bartender says, "Sorry mate, we don't serve pieces of string in here, get lost."
Upset, the piece of string walks out the door. A sudden thought strikes him. He tangles himself all up and messes his hair up.
He walks back into the bar and approaches the counter. The bartender says, "Oi, aren't you that piece of string from before...?"
"No," says the piece of string, "I'm a frayed knot."
So part2b and part3 are much the same: with a backtrack on 2b being added to the list (instead I think it should be treated same as ETP: i.e part3)
Sanitizing on close, and ETP have a UI. There's no need to list
ETP's fingerprinters and cryptominers are enabled by default anyway. And setting custom settings from user.js can result in them not being applied - see 1607249
I would create a new section above the about:config, and tell users to use the UI - that's what it's there for. That's for both ETP and sanitizing on close. I think there's already a page with some pretty pictures about ETP?
Not sure about the other two issues, but I'm assuming that the FPing gets its own page, and extensions get their own page? IDK. I have no idea how you want to structure it
https://old.reddit.com/r/privacytoolsIO/comments/fvue9m/firefox_issues_after_aboutconfig_adjustments/
I actually think you should also remove
dom.event.clipboardevents.enabled
- I honestly believe this is one of those paranoid settings that everyone promotes across the web due to the name without actually understanding it
I've added it to the list in OP
question, if i copy my password from my password manager, and accidently go to a tab which is not the site where i want to log in, will this site be able to read my clipboard and therefore my password?
If clipboard contents could just be grabbed by websites, then we'd all be in the shit - just clicking on a tab (which is part of the chrome), the answer would be no. I've tried to get to the bottom of clipboard several times over the years, and can't seem to find any clear-cut answers: the good news is that I can't really find exploits either.
I'm only focusing on the clipboard read aspect, I don't care about write.
It's also a bit confusing (for me at least)
But I've yet to see any permissions in the UI
If someone pastes their password into the wrong form (AFAIK a password field cannot be read by clipboard), and on the wrong site - then that's an OpSec error. The pref mentioned here is old (way older than FF63), but it does still have an effect when toggled. How that ties into the new API I'm not sure.
Hope my non-answer helped :)
Edit:
re: permission: you get a dialog to allow or cancel: it's not a "site" permission
Has the about:config list on the website been updated to some extent yet? If not, when will this be finished? I've been wanting to start using them but was unsure if they were outdated or not, since most of this issue is completed.
I think this one might have stalled.
We should decide what other important switches need to be changed. I'm not keen on reproducing the whole work of ghacks-user.js though.
@Thorin-Oakenpants:
You might have noticed I asked for your help in https://github.com/privacytools/privacytools.io/pull/2005#issuecomment-704015427 I'm thinking of getting this cleaned up. We're thinking of not listing umatrix (unmaintained) / decentraleyes (virtually unmaintained), and updating the about:config options to be a bit more up to date.
The issue we have now is that they don't really apply to Fenix builds. Do you plan to have a separate branch for that? Do you even use a browser on your phone? I remember seeing on your wiki that the user.js can't really be used with the Android version of Firefox anymore.
Can you edit the about:config on Fenix? Last I remembered you can't.
decentraleyes, localCDN, cookie cleaners ... are all gimmicks - always have been. The proper solution is first party isolation, period. End of story. One assumes you're masking your IP.
decentraleyes has literally been useless for a year - see https://github.com/arkenfox/user.js/issues/948
For those who don't want to use FPI (or dFPI), then those gimmicks may help: but it's not something I'm interested in. Use FPI/dFPI or f-off is my motto (yeah, I get the cross-domain login issues: adapt or die: use another profile/browser for those sites: or wait for dFPI).
Same with FPing (all those anti-FPing extensions can basically be bypassed: you just cannot expect web ext APIs to do what FF can do internally)
Fenix: use FPI and RFP: that's all you need. I use nightly, but also have a release build for testing. about:config is not available in release as it exposes all prefs: many of which can easily break GeckoView leaving end users with no option but to wipe everything and reinstall the browser = a PR nightmare and a waste of support resources
I don't generally care about android browsers. RFP still has a few gaps: so on my nightly I also disable webRTC and webGL. The other would be web audio, but I leave mine on for testing (I do not for a second believe the entropy on audio is very high, at all: it's not hardware dependent)
FYI: my phone has FF release, FF Nightly (main one) with above 4 pref changes), TB for Android release. Chrome browser is pre-installed and never used. I don't use my phone for much: and browsing is limited to tests, a handful of news/techblogs/sports-news sites - zero logins. Banking is via apps. I prefer doing real web browsing in my dual kick ass super high res monitors :)
No. I have never supported an android user.js: it just happened that FF68 and lower was 95% the same. With GeckoView it's radically different (hence I changed the wiki entry). The user.js readme says arkenfox is for desktop only, as does the user.js itself
uMatrix: it hardly ever gets any updates anyway. I'm going to keep using for at least the next six months to a year and see if some features can get added to uBO (such as scope switches like workers and CSP reports) - and meanwhile I've slowly relaxed my hardened-nightmare uM settings and so far everything is already covered by uBO (default block all third party) - remember, I have FPI so third party connections are not an issue
how you handle that on PTIO recommendations, IDK.
I have to admit, my use case is much the same. Curious to know what are those 4 pref changes?
Yup, which is why I've never been a fan of them. I'm not really a fan of too many extensions because it always causes issues when various things are upgraded and nowadays they never truly work as you've said.
@lynn-stephenson had this to say on the matter:
Maybe we will leave uMatrix as is for now, we've got a warning about it being unmaintained. Someone might pick it up. Myself I'm just using uBlock in advanced mode/hard mode.
Obviously it doesn't work on Fenix builds either anymore and that's unlikely to change.
So we're thinking of doing 3 things with this:
told ya already :) FPI, RFP, WebGL, WebRTC
My bad, my mind is in a couple of places at once 😀
@Thorin-Oakenpants I think it might be a good idea to make a user.js devel branch/repo for Android. I know what you said about not supporting it, but I think we could put some basic settings in there that do apply to GeckoView based browsers. It's not like the demand is ever going to go away, nor the questions.
You could mention that it isn't a main priority of the arkenfox project if you want. I rather like the comment formatting that you do in your main user.js.
It would also give something for us to cross-link to in worth-mentioning section.
with four prefs in it. not worth it mate :)
For the moment, but of course that could change in the future 😀.
I'm thinking the best way would actually be a separate repo, where discussion can take place about what works or is relevant to Fenix.
Interesting I found this worked with the F-Droid build of Fenix. I wonder if it's only the Google Play release that is the case.
I've started on part 3. I really like the sections arkenfox/user.js uses so I somewhat copied those.
I thought about re-ordering the sections in the same order, but thought maybe we should keep it in order of importance (like I believe it is currently). See https://github.com/privacytools/privacytools.io/pull/2081
I was curious, did you mean all of these? https://github.com/arkenfox/user.js/blob/master/user.js#L1310
As for part 4 do you think any of the sources we currently recommend as references could be better?
I can't visualize that PR very well - i need to "see" things. As far as order goes, there is no such thing as importance IMO: that's subjective (even if you and I know that RFP + RFP do some massive lifting),
For your audience, it's going to be about tolerance: so in my head I was thinking you go
ETP / COOKIES: here's an article (link to page or blog or whatever) about setting your "cookies+data", cue ETP pics, maybe add a cookie pref in that article like making 3rd party cookies session-only by default. ETP and cookies are tied together
SANITIZING: here's an article (linked etc) on what persistent local data you can clear, cue pictures of customizing history from the preferences UI, and setting up ctrl-shift-del
That there removes a lot of about:config entries: and users hate long lists: and it's daunting
So, something like this
🔻 EASY AS FUCK
🔻 ABOUT:CONFIG
firstparty.isolate = true
privacy.resistFingerprinting = true
privacy.resistFingerprinting.letterboxing = true
🔻 ADVANCED
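A checker for the user.js form of the prefs laid out above, added here as an example (it is not code from this thread or from arkenfox/user.js): it parses `user_pref()` lines and reports which recommended prefs are missing or mis-set and which dropped prefs are still present. The recommended/dropped tables and the sample file are constructed; the pref names are the ones discussed in this issue.

```javascript
// Added example (not from the issue or arkenfox/user.js): parse user_pref() lines of a Firefox
// user.js and audit them against the prefs this thread keeps and dropped. Sample input is constructed.

// The "easy" about:config layer from the thread, plus the zero-breakage beacon pref.
const RECOMMENDED = {
  "privacy.firstparty.isolate": true,
  "privacy.resistFingerprinting": true,
  "privacy.resistFingerprinting.letterboxing": true,
  "beacon.enabled": false,
};
// Prefs the thread removed from its list (Part 1 of the checklist).
const DROPPED = ["browser.sessionstore.max_tabs_undo", "dom.event.clipboardevents.enabled"];

// user.js values are JS literals: booleans, integers or double-quoted strings.
function parseValue(raw) {
  if (raw === "true") return true;
  if (raw === "false") return false;
  if (/^-?\d+$/.test(raw)) return Number(raw);
  if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) return raw.slice(1, -1);
  throw new Error(`unsupported pref value: ${raw}`);
}

// Map of pref name -> value; a later user_pref() for the same name wins, as in Firefox.
function parseUserJs(text) {
  const prefs = new Map();
  // Drop /* */ blocks first so a commented-out user_pref() inside one is not counted;
  // lines starting with // never match, and a trailing // comment after ';' is ignored.
  const code = text.replace(/\/\*[\s\S]*?\*\//g, "");
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  for (const line of code.split("\n")) {
    const m = re.exec(line);
    if (m) prefs.set(m[1], parseValue(m[2]));
  }
  return prefs;
}

// Findings: missing or mis-set recommended prefs, and dropped prefs still present.
function audit(prefs) {
  const findings = [];
  for (const [name, want] of Object.entries(RECOMMENDED)) {
    if (!prefs.has(name)) findings.push(`missing: ${name} (expected ${want})`);
    else if (prefs.get(name) !== want) findings.push(`wrong value: ${name} is ${prefs.get(name)}, expected ${want}`);
  }
  for (const name of DROPPED) if (prefs.has(name)) findings.push(`dropped pref still set: ${name}`);
  return findings;
}

// Constructed sample: a wrong value, a duplicate, a dropped pref, a URL value, a commented-out pref.
const SAMPLE_USER_JS = `
user_pref("privacy.firstparty.isolate", true);
user_pref("privacy.resistFingerprinting", true); // RFP
user_pref("privacy.resistFingerprinting.letterboxing", false);
user_pref("beacon.enabled", true);
user_pref("beacon.enabled", false); // later line wins
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("browser.startup.homepage", "https://example.org/");
/* not yet: user_pref("privacy.trackingprotection.enabled", true); */
`;
console.log(audit(parseUserJs(SAMPLE_USER_JS)).join("\n"));
```

Run it against a real user.js by replacing `SAMPLE_USER_JS` with the file contents; a value that is not a boolean, integer or quoted string makes `parseValue` throw, so the line gets looked at rather than silently skipped.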
Oh, you know there's a live-preview mode: https://deploy-preview-2081--privacytools-io.netlify.app/browsers/#about_config
It shows the page as it would exactly appear.
I do like your ordering actually for No breakage, some breakage, more breakage.
Ah, yes, these are exposed through the user interface, so I should use screenshots. Is that what you mean?
@dngray I think it'd be a good idea to show screenshots, at least for the easy stuff.
I don't understand. I was using the markup in github comments to emulate some sort of layout. My point was that the bits about using the UI would be elsewhere, because they're a bit long: and they're not about:config entries (to the end user). Isn't there already a blog post somewhere about ETP? Anyway I think they need a pic or two and deserve their own page(s) ... but if you think you can do without pictures and keep it short.. up to you
and then we can get into about config. So A) simple UI tweaks B) some simple about:config tweaks c) check out some extensions d) advanced (see Pants)
This is what I wasn't so sure about. I honestly don't remember where/if there was. I do know I didn't write it.
We could put a link in there to https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/ and https://blog.mozilla.org/blog/2020/08/04/latest-firefox-rolls-out-enhanced-tracking-protection-2-0-blocking-redirect-trackers-by-default/
I'm thinking this might be a good way to go. Thinking we might split the "Firefox Tweaks" into two pages "Easy Tweaks" and "Advanced Tweaks", the advanced page will contain the about:config stuff and the link to arkenfox/user.js
maybe I was thinking of https://blog.privacytools.io/firefox-privacy-an-introduction-to-safe/ (scroll down to ETP) .. IDK, I seem to remember a smaller entry - but that's almost exactly what you need. It even has a section on sanitizing further down - except it's using the Cookies + Site Data section whereas we are talking about the "remember history" section - as it gives you more granular control
Right, well I might work on including that part into the page without the other stuff that isn't relevant. I'm hesitant to link to the blog article as it is a bit outdated, ie the bit mentioning decentraleyes or other unrelated stuff to do with VPNs etc, ghackjs/user.js etc.
I get your point though.
@Thorin-Oakenpants
I noticed this setting isn't enabled in user.js. By default it is set to false. When set to false "Tracking content" is "Only in Private Windows". I would have thought this was recommended "In all windows".
Wouldn't we want it to be in all windows?
Ie:
It's not even in the user.js
Are you sure?
privacy.trackingprotection.enabled is default false in about:config in my main FF. I am in a normal window. I have a shield icon in the urlbar, which when clicked shows that it is ON
When I go to facebook.com, the shield turns blue, indicating something was blocked. It's a bit hard to test shit in my main FF as so much stuff is already blocked via other means: but go ahead in a new profile and tell me ETP wasn't turned on by default for all users about a year ago
make that 19 months
stupid date formats .. so yeah a year ago : https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/
I can't believe it's been almost an entire year since I had a beer. You guys are killing me (not really: I got naked and drunk last weekend.. pics to follow)
I just created a new profile in archlinux with firefox 81.0.2. By default ETP is set to Standard with privacy.trackingprotection.enabled set to false. If I then select "Custom" it is still off.
Only "Strict" enables that. Standard, Strict and Custom default to "Cross-site and social media trackers", ie option 4 of network.cookie.cookieBehavior. I was pretty sure 1 ie "All third-party cookies (may cause websites to break)" was desired. I don't use social logins and am yet to see a breakage.
Option 1 seems to be the route Apple wants to take too: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/
Sounds like how I am always, but then who ever heard of a polar bear wearing pants 🤪
I don't need to see pictures, unless you too are a polar bear.
We don't even have the pref in the user.js so it's not like I care about it (it's not something we need to control: they would flip it on when it was ready: and our user base most likely has uBO) ... What I am saying is that it's on by default for all users/windows. Mozilla said so: I can see it
https://www.huffpost.com/ has trackers
using FF beta (nightly might have some dFPI experiments going on etc)
privacy.trackingprotection.enabled = false (default)
mama (polar) bear
poppa (polar) bear
baby (polar) bear
big bad wolf
Convince me otherwise
I think you just proved what I said above. Only Strict turns on
privacy.trackingprotection.enabled from the user interface, unless you select "In all Windows" in custom mode.
My question was, perhaps we should instruct people to set that like so https://github.com/privacytools/privacytools.io/issues/1430#issuecomment-711155163 for the ETP instructions. That is how I have mine set up. I guess it's not necessary as you said if a user has ublock.
Current preview: https://deploy-preview-2081--privacytools-io.netlify.app/browsers/#easy_tweaks
We're working on making a figure there that looks like the screenshot. We don't want to use the raster image screenshot because those look bad on HiDPI screens, make the site slow, don't work with a11y like screen readers.
sorry, I have so much other stuff going on. The pics show that by default, in standard mode, ETP is enabled and working. I do not understand what you're talking about. And now I see you're talking about the sub-item "Tracking" vs "Cross-site tracking cookies". Sheesh Louise: I need a break. Like I said, ETP is not something I really care about :)
Sure, if it's that important, then add that as an option for your users. But please tell me exactly what it is that "Tracking" protects you from: I'm interested. Because to me it sounds like some 1st party extras. It certainly can't hurt but it may produce more breakage and require exceptions depending on each user's mileage
Saw this today (related to cdn caching)
https://wicki.io/posts/2020-11-goodbye-google-fonts/
https://developers.google.com/web/updates/2020/10/http-cache-partitioning