sticky: items to investigate keep an eye on

[Thorin-Oakenpants]

Locked sticky issue for tracking of old stuff and reminders of new stuff etc

changelog at end of this issue

KEEP AN EYE ON

• 🔻 FF65
  • dom.storage_access.enabled - revisit to see if they have stopped this
  • network.trr.custom_uri
• 🔻 FF64
  • network.security.esni.enabled 1473736
• 🔻 FF57
  • security.all_resource_uri_content_accessible - see resource URI 863246
• 🔻 FF53
  • webauth.webauthn* (FF53+): https://www.w3.org/TR/webauthn/#use-cases
• 🔻 FF52
  • security.pki.certificate_transparency.mode (FF52+)
• 🔻 other
  • plugin.disable_full_page_plugin_for_types

DONE

click to expland

• disable passive TrackingProtection - 595eaf5
  • pref("privacy.trackingprotection.annotate_channels", false);
  • pref("privacy.trackingprotection.lower_network_priority", false);
• browser.crashReports.unsubmittedCheck.* - bc70023
• privacy.userContext.* (Containers) - see discussion: create containers section #91
• dom.maxHardwareConcurrency - see dom.maxHardwareConcurrency #127
• security.data_uri.block_toplevel_data_uri_navigations - 0912b03
• javascript.options.shared_memory

WONTFIX

click to expland

• datareporting.policy.firstRunURL (FF51+) - default blank so far 51-53
  • If set, a browser tab will be opened on first run instead of the infobar
  • will pick up on diffs if it changes, also it should never trigger due to master switches
• network.http.enablePerElementReferrer - see What about network.http.enablePerElementReferrer ? #59
  • will get removed in FF55 (see https://hg.mozilla.org/mozilla-central/rev/0041706d6e43)
• extensions.hideSystemAddons - does not exist (yet, if ever)
  • https://bugzilla.mozilla.org/show_bug.cgi?id=1231202
  • update: RESOLVED INVALID
• extensions.systemAddon* - we will pick up from release diffs
• browser.newtabpage.remote* - we will pick up from release diffs (currently off)
  • looks like they are legacy/deprecated ToDo: diffs FF53-FF54 #87 (FF53->54 diffs)
• javascript.options.mem.high_water_mark
  • Garbage collector releases memory back to the system. Default 128
  • RAM is good, default 128mb is minuscule
• browser.safebrowsing.provider.google.lists and browser.safebrowsing.provider.mozilla.lists
  • the URL is gone, that's enough for future-proofing. I know that's not what this was proposed for, but the speed gain by blanking them is practically zero
• deprecated (at least in FF53+; not on DXR)
  • browser.search.redirectWindowsSearch
  • config.trim_on_minimize
  • content.interrupt.parsing
  • toolkit.crashreporter.enabled
• timer intervals - not playing with these since we know allow update checks, otherwise master switches eg for search updates or experiments, will do (365 days in seconds = 31536000)
  • user_pref("app.update.interval", 31536000); // default = 43200 = 12hrs
  • user_pref("browser.search.update.interval", 31536000); // default = 21600 = 6hrs
  • user_pref("experiments.manifest.fetchIntervalSeconds", 31536000); // default = 86400 = 24 hrs
  • user_pref("extensions.update.interval", 31536000); // default = 86400 = 24 hrs
• nine prefs urlclassifier.*Table - no need to blank these IMO
• browser.download.manager.scanWhenDone - removed in 55
• pdfium.enabled - mortar pdf is dead
• devtools.webide.widget.autoinstall - removed in FF55

• devtools.webide.adaptersAddonURL - removed in 57, 1393497
• devtools.webide.addonsURL - removed in 57, 1398061
• devtools.webide.simulatorAddonsURL - removed in 57, 1398061
• browser.search.isUS - removed in 62
• devtools.telemetry.tools.opened.version - removed in 62

LEFTOVERS [from 18 months of ghacks comments]

click to expland

// earthling other
// prevent handlerService overwrites, see chrome://browser-region/locale/region.properties
user_pref("gecko.handlerService.defaultHandlersVersion", "999");

// disable mailto handler
  // there's actually a ton of network.protocol-handler.external* prefs
  // we already block the ms-windows-store this way
user_pref("network.protocol-handler.external.mailto", false);

/*** from earthling Sept 2016 ***/
// (FF49+) enable sites to use much higher max-age values for HPKP (HTTP Public Key Pinning)
   // [sites set this in the header]
   // default value in FF49: 5184000 (60 days) -> 31536000 = 365 days in seconds
   // WARNING: can block domains for 1 year after last visit if the domain-owners mess things up or get hacked
   // !! this is only a 'max-age' maximum, not enforcing it to one year, only allowing it to be that long if
   // sites choose to use such a long max-age
   // -> also see: https://dxr.mozilla.org/mozilla-central/source/netwerk/base/security-prefs.js#100
   // https://tools.ietf.org/html/rfc7469#section-4.1
   // https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html
   // HPKP can be problematic for domain-owners but is a great privacy/security feature for users of those domains.
   // If some admins want to set max-age to 1 year f.e., it shows that they are confident in being able to provide
   // and maintain a secure domain-access for that long and are willing to risk huge damages to their companies if
   // they fail in doing so. Therefore limiting the usefulness of HPKP for end-users by setting a lower max max-age
   // is not in the interest of more advanced users who know what they are doing and who would like to get the most
   // out of HPKP.
user_pref("security.cert_pinning.max_max_age_seconds", 31536000);

/*** from various ***/
user_pref("mousewheel.system_scroll_override_on_root_content.enabled", false);
user_pref("browser.cache.check_doc_frequency", 1);
user_pref("devtools.cache.disabled", true);
user_pref("devtools.remote.wifi.scan", false);
user_pref("devtools.remote.wifi.visible", false);
user_pref("devtools.webide.adbAddonURL", "");
user_pref("security.warn_viewing_mixed", true); // also see bug 616712 android?
user_pref("browser.display.auto_quality_min_font_size", 0);

// from ainatar nov 10 2016
user_pref("full-screen-api.allow-trusted-requests-only", true);
user_pref("full-screen-api.pointer-lock.enabled", true);
user_pref("layers.async-video.enabled", true);
user_pref("layout.css.prefixes.webkit", true);

// not in user.js, listed 19-Feb-2017
user_pref("browser.cache.compression_level", 1); // default = 0
user_pref("media.cache_size", 0); // default = 51200
user_pref("media.hardware-video-decoding.enabled", false); // default=true

// personal stuff?
user_pref("layout.word_select.eat_space_to_next_word", false);
user_pref("layout.word_select.stop_at_punctuation", true);
user_pref("alerts.disableSlidingEffect", true);
user_pref("nglayout.enable_drag_images", false);
user_pref("browser.link.open_newwindow.override.external", 3);

CHANGELOG:

2019

• 7-May: cleared changelog
• 13-Oct: cleaned up, added some wontfix sources

...

[Thorin-Oakenpants]

closing this locked topic - it's only used by myself, and I don't need it anymore