ghacks user.js monster diff #208

Closed
pyllyukko opened this issue Feb 20, 2017 · 33 comments

@pyllyukko
Owner

pyllyukko commented Feb 20, 2017

Based on @Roman-Nopantski's diff: https://gist.github.com/pyllyukko/f5184fbb51b5e340f5637adee582c4d9

STARTUP

  • 0101: disable "slow startup" options
    • WONTFIX: Doesn't seem that relevant
  • 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)

GEOLOCATION

  • 0201: disable location-aware browsing
    • Should be covered by geo.enabled
    • Also, Mozilla bugs 689252 & 692927 say that geo.wifi.* settings are not used anymore.
  • 0202: disable GeoIP-based search results
  • 0203: disable using OS locale, force APP locale
  • 0204: set APP locale
  • 0206: disable geographically specific results/search engines eg: "browser.search.*.US"
  • 0207: set language to match
  • 0208: enforce US English locale regardless of the system locale

QUIET FOX [PART 1]

  • 0301: disable browser auto update
    • WONTFIX: Updates are good for you :)
  • 0305: disable add-ons auto update
    • WONTFIX: Updates are good for you :)
  • 0307: disable auto updating of personas (themes)
  • 0309: disable sending Flash crash reports
  • 0310: disable sending the URL of the website where a plugin crashed
    • Need more info on dom.ipc.plugins.reportCrashURL
  • 0320: disable extension discovery (featured extensions)
    • WONTFIX
  • 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
    • WONTFIX: Telemetry is already disabled
  • 0331: remove url of server telemetry pings are sent to
    • WONTFIX: Telemetry is already disabled
  • 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
  • 0333a: disable health report
  • 0333b: disable about:healthreport page (which connects to Mozilla for locale/css+js+json)
    • WONTFIX
  • 0335: remove a telemetry clientID
    • WONTFIX: Telemetry is already disabled
  • 0336: disable "Heartbeat" (Mozilla user rating telemetry)
  • 0340: disable experiments
  • 0341: disable Mozilla permission to silently opt you into tests
  • 0350: disable crash reports
  • 0351: disable sending of crash reports (FF44+)
  • 0360: disable new tab tile ads & preload & marketing junk
    • WONTFIX: Tiles are already disabled
  • 0373: pocket
  • 0374: disable "social" integration
  • 0375: disable "Reader View"
    • No reason to disable AFAIK
  • 0376: disable FlyWeb, a set of APIs for advertising and discovering local-area web servers
  • 0380: disable sync

QUIET FOX [PART 2]

  • 0401: .....sanitize blocklist url
  • 0402: disable/enable various Kinto blocklist updates (FF50+)
  • 0410: disable safe browsing
    • Safe browsing stays enabled
    • fd6cf46
  • 0410a: disable "Block dangerous and deceptive content" This setting is under Options>Security
  • 0410b: disable "Block dangerous downloads" This setting is under Options>Security
  • 0410c: disable Google safebrowsing downloads, updates
    • WONTFIX: Safe browsing stays enabled
  • 0410d: disable mozilla safebrowsing downloads, updates
    • WONTFIX: Safe browsing stays enabled
  • 0410e: disable binaries NOT in local lists being checked by Google (real-time checking)
    • WONTFIX: browser.safebrowsing.downloads.remote.enabled is already disabled
  • 0410f: disable reporting URLs
  • 0410g: show=true or hide=false the 'ignore this warning' on Safe Browsing warnings which
    • Commented out in the ghacks version
  • 0421: enable more Tracking Protection choices under Options>Privacy>Use Tracking Protection
  • 0430: disable SSL Error Reporting - PRIVACY
  • 0440: disable Mozilla's blocklist for known Flash tracking/fingerprinting (48+)
    • WONTFIX

BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]

  • 0603a: disable more Necko/Captive Portal
  • 0607: stop links launching Windows Store on Windows 8/8.1/10
  • 0608: disable predictor / prefetching (FF48+)
    • WONTFIX: Should be handled by the network.predictor.enabled master switch

LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc

PASSWORDS

  • 0904: how often in minutes Mozilla should ask for the master password (see pref above)
  • 0906: ignore websites' autocomplete="off" (FF30+)
  • 0907: force warnings for logins on non-secure (non HTTPS) pages
  • 0908: When attempting to fix an entered URL, do not fix an entered password along with it
  • 0909: disabling for now (FF51+)

CACHE

  • 1001: disable disk cache
  • 1006: disable pages being stored in memory. This is not the same as memory cache.
  • 1007: disable the Session Restore service completely
  • 1008: IF you use session restore (see 1007 above), increasing the minimal interval between
  • 1009: DNS cache and expiration time (default 400 and 60 - same as TBB)
  • 1010: disable randomized FF HTTP cache decay experiments
  • 1011: disable permissions manager from writing to disk (requires restart)
  • 1012: disable resuming session from crash

SSL / OCSP / CERTS / ENCRYPTION / HSTS/HPKP/HTTPS

  • 1215: disable Microsoft Family Safety cert (Windows 8.1)
  • 1218: disable HSTS Priming (FF51+)
  • 1220: disable intermediate certificate caching (fingerprinting attack vector)

FONTS

  • 1402: allow icon fonts (glyphs) (FF41+)
  • 1404: use more legible default fonts
  • 1405: disable woff2
  • 1406: disable CSS Font Loading API
  • 1407: remove special underline handling for a few fonts which you will probably never use.
  • 1408: disable graphite which FF49 turned back on by default

HEADERS / REFERERS

PLUGINS

  • 1801: set default plugin state (i.e new plugins on discovery) to never activate
  • 1802: enable click to play and set to 0 minutes
    • WONTFIX: We'll stick with the default of 60m
  • 1805: disable scanning for plugins
  • 1806: Acrobat, Quicktime, WMP are handled separately from 1805 above.
  • 1807: disable auto-play of HTML5 media
  • 1808: disable audio auto-play in non-active tabs (FF51+)
  • 1820: disable all GMP (Gecko Media Plugins)
  • 1825: disable widevine CDM
  • 1830: disable all DRM content (EME: Encryption Media Extension)
  • 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
  • 1850: disable the Adobe EME "Primetime CDM" (Content Decryption Module)

MEDIA / CAMERA / MIKE

  • 2001: disable WebRTC
    • WONTFIX: Disabled via media.peerconnection.enabled master switch
  • 2010: disable WebGL, force bare minimum feature set if used & disable WebGL extensions
  • 2012: two more webgl preferences (FF51+)
  • 2021: disable speech recognition
  • 2022: disable screensharing
    • Screensharing disabled via media.getusermedia.screensharing.enabled master switch
    • bdd9b15
  • 2024: enable/disable MSE (Media Source Extensions)
  • 2025: enable/disable various media types - end user personal choice
  • 2026: disable canvas capture stream
  • 2027: disable camera image capture
  • 2028: disable offscreen canvas

UI MEDDLING

  • 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows
  • 2203: POPUP windows - prevent or allow javascript UI meddling
  • 2204: disable links opening in a new window

SERVICE WORKERS

DOM & JAVASCRIPT

  • 2403: disable clipboard commands (cut/copy) from "non-privileged" content
  • 2410: disable User Timing API
  • 2411: disable resource/navigation timing
  • 2414: disable shaking the screen
  • 2415: max popups from a single non-click event - default is 20!
  • 2415b: limit events that can cause a popup
  • 2416: disable idle observation
  • 2418: disable full-screen API
    • WONTFIX
  • 2421: in addition to 2420, these settings will help harden JS against exploits such as CVE-2015-0817
  • 2425: disable ArchiveAPI i.e reading content of archives, such as zip files, directly
  • 2450: force FF to tell you if a website asks to store data for offline use

HARDWARE FINGERPRINTING

  • 2504: disable virtual reality devices
    • WONTFIX: Should be handled by the dom.vr.enabled master switch
  • 2507: disable keyboard fingerprinting (FF38+) (physical keyboards)
  • 2509: disable touch events
  • 2511: disable MediaDevices change detection (FF51+) (enabled by default starting FF52+)

MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY

  • 2605: don't integrate activity into windows recent documents
  • 2606: disable hiding mime types (Options>Applications) not associated with a plugin
  • 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
  • 2614: disable SPDY as it can contain identifiers
  • 2615: disable http2 for now as well
  • 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
    • WONTFIX: Don't think we need to change this
  • 2620: disable middle mouse click opening links from clipboard
  • 2621: disable IPv6 (included for knowledge ONLY - not recommended)
  • 2622: ensure you have a security delay when installing add-ons (milliseconds)
  • 2626: strip optional user agent token, default is false, included for completeness
    • Doesn't seem to do anything
  • 2627: Spoof default UA & relevant (navigator) parts (also see 0204 for UA language)
  • 2628: disable UITour backend so there is no chance that a remote page can use it
  • 2629: disable remote JAR files being opened, regardless of content type
  • 2650: start the browser in e10s mode (48+)
  • 2651: control e10s number of container processes
  • 2652: enable console shim warnings for extensions that don't have the flag
  • 2660: enforce separate content process for file://URLs (FF53+?)
  • 2662: disable "open with" in download dialog (FF50+)
  • 2663: disable MathML (FF51+)
  • 2664: disable DeviceStorage API
  • 2665: sanitize webchannel whitelist
  • 2666: disable HTTP Alternative Services
  • 2668: lock down allowed extension directories
  • 2669: strip paths when sending URLs to PAC scripts (FF51+)
  • 2670: close bypassing of CSP via image mime types (FF51+)
  • 2671: disable SVG (FF53+)
    • WONTFIX

FIRST PARTY ISOLATION (PFI)

These are commented out in the ghacks version

  • 2698a: enable first party isolation pref and OriginAttribute (FF51+)
  • 2698b: this also isolates OCSP requests by first party domain

COOKIES & DOM STORAGE

  • 2704: set cookie lifetime in days (see above pref) - default is 90 days
  • 2706: disable Storage API (FF51+) which gives sites' code the ability to find out how much space
  • 2707: clear localStorage and UUID when a WebExtension is uninstalled

SHUTDOWN

  • 2803a: include all open windows/tabs when you shutdown
  • 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del
  • 2804a: include all open windows/tabs when you run clear recent history
  • 2805: reset default 'Time range to clear' for 'clear recent history' (see 2804 above)

PERSONAL SETTINGS

26.2.2017: Disabled the rest of these as these are just personal preferences and have no security/privacy impact

  • 3001: disable annoying warnings
  • 3001a: disable warning when a domain requests full screen
  • 3002: disable closing browser with last tab
  • 3004: disable backspace (0 = previous page, 1 = scroll up, 2 = do nothing)
    • WONTFIX
  • 3007: open new windows in a new tab instead
  • 3008: disable "Do you really want to leave this site?" popups
  • 3009: turn on APZ (Async Pan/Zoom) - requires e10s
  • 3010: enable ctrl-tab previews
  • 3011: don't open "page/selection source" in a tab. The window used instead is cleaner
  • 3012: spellchecking: 0=none, 1-multi-line controls, 2=multi-line & single-line controls
    • WONTFIX: User can enable/disable this from preferences if needed.
  • 3015: disable tab animation, speed things up a little
    • WONTFIX as cosmetic effect only
  • 3016: disable fullscreen animation. Test using F11.
    • WONTFIX as cosmetic effect only
  • 3017: submenu in milliseconds. 0=instant while a small number allows
  • 3018: maximum number of daily bookmark backups to keep (default is 15)
  • 3020: FYI: urlbar click behaviour (with defaults)
  • 3021: FYI: tab behaviours (with defaults)
  • 3022: hide recently bookmarked items (you still have the original bookmarks) (FF49+)
  • 3023: disable automigrate, current default is false but may change (FF49+)

Deprecated

Not checking...

  • 2607: (23+) disable page thumbnails, it was around v23, not 100% sure when
  • 2408: (31+) disable network API - fingerprinting vector
  • 2620: (35+) disable WebSockets
  • 2023: (37+) disable camera autofocus callback (was in 36, not in 37)
  • 1804: (41+) disable plugin enumeration
  • 0420: (42+) disable tracking protection
  • 2803: (42+) what to clear on shutdown
  • 0411: (43+) disable safebrowsing urls & download
  • 0420: (43+) disable tracking protection. FF43+ URLs are now part of safebrowsing
  • 1803: (43+) remove plugin finder service
  • 2403: (43+) disable scripts changing images - test link below
  • 2615: (43+) disable http2 for now as well
  • 3001a: (43+) disable warning when a domain requests full screen
  • 3003: (43+) disable new search panel UI [Classic Theme Restorer can restore the old search]
  • 1201: (44+) block rc4 whitelist
  • 2417: (44+) disable SharedWorkers, which allow the exchange of data between iFrames that
  • 1005: (45+) disable deferred level of storing extra session data 0=all 1=http-only 2=none
  • 0334b: (46+) disable FHR (Firefox Health Report) v2 data being sent to Mozilla servers
  • 0410e: (46+) safebrowsing
  • 0333b: (47+) disable about:healthreport page UNIFIED
  • 0807: (47+) disable history manipulation
  • 0806: (48+) disable 'unified complete': 'Search with [default search engine]'
  • 2202: (49+) ONE of the new window UI prefs
  • 2431: (49+) disable ONE of the push notification prefs
  • 1809: (50+) remove Mozilla's plugin update URL
  • 1851: (51+) delay play of videos until they're visible
  • 2504: (51+) disable virtual reality devices
  • 2614: (51+) disable SPDY
@Thorin-Oakenpants

I know it's a list of each numbered item, but quite a few are inactive for a reason (I hope people don't get the impression these are all on!). You could probably tick or look at those off straight away (I only have them in mine for completeness and to deter people turning them on from bad advice, or they don't fit our purpose yet). Then again .. it's like a Lolly Scramble, isn't it (the link: I mean the NZ/Aussie game, not that slang definition which sounds painful)

here's two I quickly spotted

  • 1006: no need to disable rendered pages in memory (achieves nothing AFAIK)
  • 2621: disable IPv6 (which is a bad idea)

Here's mine: arkenfox/user.js#10 (comment) :) I'm 8 done out of 18. How are you doing :) have fun

@pyllyukko
Owner Author

Just indent with two more spaces below, e.g.:

* [x] Issue
  * Note

pyllyukko referenced this issue Feb 20, 2017
This is the default value
@publicarray
Contributor

@pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.

@pyllyukko
Owner Author

@pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.

I know :/ It's because I created a new subkey with ED25519 curves, and it's only supported by the very latest versions of GnuPG. Last time I tried, GitHub refused to update the key with that particular subkey. Need to try it again.

@pyllyukko
Owner Author

pyllyukko commented Feb 21, 2017

Small update on the PGP issue. So in here it even states "EdDSA, except Ed25519". I queried GitHub on the issue and they said: "Ed25519 keys are likely to be supported in the future, but we don't have a timeline of when that may be."

In the meanwhile, you can check my signatures from the command line with recent enough GnuPG:

$ git log --show-signature
commit e6592f9b8c304eead1595b978f7663fcfa373532 (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Tue 21 Feb 2017 12:17:27 AM EET
gpg:                using EDDSA key 6760F995F5DD2C1A5805744C8043380FC109A370
gpg: Good signature from "pyllyukko <[email protected]>" [ultimate]
Primary key fingerprint: B284 21D6 03DE 0A1D 17AE  4415 78C2 DF2D 1A17 0CC6
     Subkey fingerprint: 6760 F995 F5DD 2C1A 5805  744C 8043 380F C109 A370
Author: pyllyukko <[email protected]>
Date:   Tue Feb 21 00:17:11 2017 +0200

    security.dialog_enable_delay -> 1000
    
    This is the default value
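
A scripted form of the local check above, as an added example that is not part of the original comment or the project: it rejects commits that are unsigned, cannot be checked, or are signed under a primary key other than the pinned one. The function names are hypothetical, the sample log is constructed (only the first commit id and the primary key fingerprint come from the output above), and `%G?` / `%GP` are git's signature-status and primary-key-fingerprint format placeholders.

```shell
#!/bin/sh
# Added example. Reads lines of the form "<commit> <status> <primary-fpr>",
# as produced by:  git log --format='%H %G? %GP'
# Status letters are git's %G? values: G good, U good with unknown validity,
# B bad, X/Y expired, R revoked key, E cannot be checked, N no signature.

# audit_signatures PINNED_PRIMARY_FPR   (log lines on stdin)
# Prints one REJECT line per failing commit; returns 1 if any commit failed.
audit_signatures() {
    pinned=$1
    bad=0
    while read -r commit status fpr; do
        case $status in
            G|U)
                # A good signature only counts if it chains to the pinned
                # primary key, whatever the local trust database says.
                if [ "$fpr" = "$pinned" ]; then
                    continue
                fi
                echo "REJECT $commit signed by unexpected key ${fpr:-none}"
                ;;
            N)  echo "REJECT $commit unsigned" ;;
            E)  echo "REJECT $commit signature cannot be checked (e.g. missing key)" ;;
            *)  echo "REJECT $commit signature status $status" ;;
        esac
        bad=1
    done
    return $bad
}

# Constructed sample log: one commit signed under the pinned key, one
# unsigned, one signed by a different (placeholder) key, one uncheckable.
sample_log() {
    cat <<'EOF'
e6592f9b8c304eead1595b978f7663fcfa373532 G B28421D603DE0A1D17AE441578C2DF2D1A170CC6
1111111111111111111111111111111111111111 N
2222222222222222222222222222222222222222 G AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
3333333333333333333333333333333333333333 E
EOF
}

# Stand-alone demo on the constructed log.
if sample_log | audit_signatures B28421D603DE0A1D17AE441578C2DF2D1A170CC6; then
    echo "all commits signed by the pinned key"
else
    echo "some commits failed the signature policy"
fi
```

In a real clone, replace `sample_log` with `git log --format='%H %G? %GP'`; `%GP` needs a git version that supports it.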

@Thorin-Oakenpants

Thorin-Oakenpants commented Feb 27, 2017

nvm, no one listens to me anyway

@pyllyukko
Owner Author

pyllyukko commented Feb 27, 2017

I see you're dragging the chain on the monster diff :)

Where's the rush?

pref("browser.aboutHomeSnippets.updateUrl", ""); // ghacks: "https://127.0.0.1"
    pyllyukko should match .. use HTTPS re MiTM re as per TBB and discussions there over this in tor tickets

? I don't get it.

And you are inconsistent with data plain text thingie - see comment arkenfox/user.js#18 (comment) - I just matched TBB. I don't think it's all that important

True.

but I think they were used as a null/zero-length string causes issues in linux? IDK

Not that I know of.

@pyllyukko
Owner Author

@nodiscc: I tried to mark everything from #255 as done. It would be good to double check, that I didn't miss anything.

@nodiscc
Contributor

nodiscc commented Apr 4, 2017

0340: disable experiments can also be marked as done. Other than that, everything looks fine. thanks

@Thorin-Oakenpants

It's the line 7805 of the test output: Deprecated : browser.urlbar.maxRichResults.

Ahh .. had to fiddle with NS, uBo & uMatrix to get that part to load (I just looked at the commit listed at the top)

I assume this is your internal list of items to ignore, because clearly there are many items marked as "deprecated" that aren't, including ones in your js. I'm just pointing out that browser.urlbar.maxRichResults is actually deprecated so you can correct your js, not to ignore it (although I am not sure if it is still in ESR). At least you now know for the future.

@nodiscc
Contributor

nodiscc commented Apr 4, 2017

What does that commit have to do with maxRichResults? ;)
I assume this is your internal list of items to ignore

Sorry, linking directly to line 7805 of the travis log did not work. The build script compares prefs found in user.js against prefs present in Firefox source. In latest firefox revisions this pref is no longer present (hence on line 7805 of https://travis-ci.org/pyllyukko/user.js#L7805 the script outputs Deprecated : browser.urlbar.maxRichResults)

clearly there are many items marked as "deprecated" that aren't, including ones in your js

Are there? Which ones? Note that this is an automated comparison of user.js with the latest known Firefox source code revision (unreleased FF version), so they might still be present in a specific version. These are the URLs we use to compare against. You can set SOURCEVERSION to something else (tag names found at https://hg.mozilla.org/mozilla-central/tags) to compare with a fixed version (eg. FIREFOX_AURORA_50_BASE for Firefox 50). Maybe we are missing a Firefox source file to compare against?

@nodiscc
Contributor

nodiscc commented Apr 4, 2017

browser.urlbar.suggest.openpage = true

  • I'd rather set it to false as per policy to enforce the most hardened settings (in this case against shoulder surfing), but with a NOTICE: breaks tab switching from the URL bar. Then it will be easier to spot/change when wanting to tweak things for convenience. (Question/discussion: relaxed settings variant/branch #231)

@Thorin-Oakenpants

Are there? Which ones?

Deprecated : browser.crashReports.unsubmittedCheck.enabled
Deprecated : privacy.clearOnShutdown.cache
Deprecated : privacy.clearOnShutdown.cookies
Deprecated : privacy.clearOnShutdown.downloads
Deprecated : privacy.clearOnShutdown.formdata
Deprecated : privacy.clearOnShutdown.history
Deprecated : privacy.clearOnShutdown.offlineApps
Deprecated : privacy.clearOnShutdown.passwords
Deprecated : privacy.clearOnShutdown.sessions
Deprecated : privacy.cpd.cache
Deprecated : privacy.cpd.cookies
Deprecated : privacy.cpd.downloads
Deprecated : privacy.cpd.formdata
Deprecated : privacy.cpd.history
Deprecated : privacy.cpd.offlineApps
Deprecated : privacy.cpd.sessions
Deprecated : privacy.resistFingerprinting
Deprecated : privacy.sanitize.sanitizeOnShutdown
Deprecated : privacy.sanitize.timeSpan

Do I need to list more? Something is clearly wrong if these are marked as actually deprecated by your script

ALSO: you are not taking into account hidden prefs which are not listed in these js files

@nodiscc
Contributor

nodiscc commented Apr 4, 2017

Something is clearly wrong if these are marked as actually deprecated by your script

Thanks, it appears we are missing https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/firefox.js where these prefs are located.

  • add https://hg.mozilla.org/mozilla-central/raw-file/$$SOURCEVERSION/browser/app/profile/firefox.js to list of source files.

you are not taking into account hidden prefs which are not listed in these js files

Yes, some prefs are created at runtime by Firefox itself. Fortunately most of these are covered in Mozilla unit tests prefs files, which the script also considers; but it's possible we are still missing some of them. Do you have an example of a missing preference?

@Thorin-Oakenpants

Thorin-Oakenpants commented Apr 4, 2017

I don't know of any hidden prefs that aren't in tests - all the hidden ones we're using are marked as "(hidden pref)" in the ghacks js, so you could scrape that

EDIT: 29 of them (1 in the deprecated section)

PS: this also doesn't account for legacy code: eg, yup, I'll say it again :) .. browser.urlbar.maxRichResults because it's still in the js :) .. seriously, test it (FF52+, not sure about earlier). It has no effect on the dropdown whatsoever.

@nodiscc
Contributor

nodiscc commented Apr 4, 2017

Indeed preferences that are marked (hidden pref) in ghacks user.js can not be found in our copies of Firefox source files:

$ make downloadffprefs 
2017-04-04 21:54:28 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/toolkit/components/telemetry/datareporting-prefs.js [717/717] -> "-" [1]
2017-04-04 21:54:30 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/toolkit/components/telemetry/healthreport-prefs.js [547/547] -> "-" [1]
2017-04-04 21:54:32 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/security-prefs.js [5802/5802] -> "-" [1]
2017-04-04 21:54:38 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/modules/libpref/init/all.js [245079/245079] -> "-" [1]
2017-04-04 21:54:42 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/testing/profiles/prefs_general.js [19377/19377] -> "-" [1]
2017-04-04 21:54:46 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-preferences.js [6579/6579] -> "-" [1]
2017-04-04 21:54:48 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/js/src/tests/user.js [1912/1912] -> "-" [1]
2017-04-04 21:54:53 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/firefox.js [77214/77214] -> "-" [1]


$ curl --silent 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js' | grep 'hidden pref' | awk -F'"' '{print $2}' > ghacks-hidden.js

$ for line in $(cat ghacks-hidden.js); do grep "$line" sourceprefs.js >/dev/null || echo "hidden pref $line not found in Firefox source"; done

hidden pref browser.search.region not found in Firefox source
hidden pref javascript.use_us_english_locale not found in Firefox source
hidden pref toolkit.telemetry.unifiedIsOptIn not found in Firefox source
hidden pref datareporting.healthreport.service.enabled not found in Firefox source
hidden pref browser.selfsupport.enabled not found in Firefox source
hidden pref social.enabled not found in Firefox source
hidden pref services.sync.enabled not found in Firefox source
hidden pref network.dns.disablePrefetchFromHTTPS not found in Firefox source
hidden pref permissions.memory_only not found in Firefox source
hidden pref security.ssl.disable_session_identifiers not found in Firefox source
hidden pref security.nocertdb not found in Firefox source
hidden pref font.system.whitelist not found in Firefox source
hidden pref media.gmp-gmpopenh264.enabled not found in Firefox source
hidden pref dom.allow_cut_copy not found in Firefox source
hidden pref browser.tabs.remote.force-enable not found in Firefox source
hidden pref general.useragent.override not found in Firefox source
hidden pref general.buildID.override not found in Firefox source
hidden pref general.appname.override not found in Firefox source
hidden pref general.appversion.override not found in Firefox source
hidden pref general.platform.override not found in Firefox source
hidden pref general.oscpu.override not found in Firefox source
hidden pref ui.submenuDelay not found in Firefox source
hidden pref privacy.donottrackheader.value not found in Firefox source
  • identify where in Firefox source these preferences are created, whether they are still in use, and adapt the Makefile to detect them
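
The comparison discussed in the comments above, as an added example (not the project's Makefile or build script): it extracts active pref names from a user.js, checks them against a set of reference files, and shows how a missing reference file produces a false "Deprecated" while an allowlist covers runtime-only (hidden) prefs. The function names, the `hidden.txt` allowlist and all file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example. All file contents below are constructed sample data.

# Print the pref names set in the given .js files, one per line.
# Lines starting with // (inactive prefs) do not match and are skipped.
extract_prefs() {
    sed -nE 's/^[[:space:]]*(user_pref|pref|sticky_pref|lockPref)\("([^"]+)".*/\2/p' "$@" | sort -u
}

# classify USERJS HIDDEN_LIST SOURCE_FILE...
# Reports each active pref in USERJS as OK (found in a source file),
# Hidden (only on the allowlist) or Deprecated (found nowhere).
classify() {
    userjs=$1
    hidden=$2
    shift 2
    known=$(mktemp) || return 1
    extract_prefs "$@" > "$known"
    extract_prefs "$userjs" | while IFS= read -r name; do
        # -x -F: whole-line, fixed-string match, so "." is not a regex
        # wildcard and a longer pref name cannot satisfy a shorter one.
        if grep -qxF -- "$name" "$known"; then
            echo "OK : $name"
        elif grep -qxF -- "$name" "$hidden"; then
            echo "Hidden : $name"
        else
            echo "Deprecated : $name"
        fi
    done
    rm -f "$known"
}

# Write the constructed sample files into directory $1.
make_sample() {
    cat > "$1/user.js" <<'EOF'
// constructed sample, not the project's user.js
user_pref("geo.enabled", false);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("general.oscpu.override", "Windows NT 6.1");
user_pref("browser.urlbar.maxRichResults", 0);
// user_pref("network.dns.disableIPv6", true);
EOF
    cat > "$1/all.js" <<'EOF'
pref("geo.enabled", true);
pref("network.dns.disableIPv6", false);
EOF
    cat > "$1/firefox.js" <<'EOF'
pref("privacy.clearOnShutdown.cache", true);
EOF
    # Prefs known to be read at runtime without a default in any prefs file.
    cat > "$1/hidden.txt" <<'EOF'
general.oscpu.override
EOF
}

# Stand-alone demo: the same user.js against two sets of reference files.
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "== reference: all.js only =="
classify "$demo_dir/user.js" "$demo_dir/hidden.txt" "$demo_dir/all.js"
echo "== reference: all.js + firefox.js =="
classify "$demo_dir/user.js" "$demo_dir/hidden.txt" "$demo_dir/all.js" "$demo_dir/firefox.js"
rm -rf "$demo_dir"
```

With only `all.js` as reference, `privacy.clearOnShutdown.cache` is reported as Deprecated; adding `firefox.js` turns it into OK, which is the false positive identified earlier in the thread.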

@Thorin-Oakenpants

So I guess I'm not useless after all :) You owe me a 🍺

That last one hidden pref privacy.donottrackheader.value not found in Firefox source is legacy. Francois told me.

@nodiscc
Contributor

nodiscc commented Apr 4, 2017

Regarding privacy.donottrackheader.value: Searching for this string on DXR reveals that:

// Deprecated Do Not Track setting, Firefox <36, https://hg.mozilla.org/mozilla-central/rev/9a16137bc7b4
"privacy.donottrackheader.value"

So I guess I'm not useless after all :) You owe me a 🍺

Never said you were (I think? Sorry if I sounded rude in any way, English is not my native language). Have some. 🍺🍺🍺☕🍺🍺🍺☕🍺🍺🍺☕🍺🍺


Same investigation method can be applied to other prefs if needed. Eg. https://dxr.mozilla.org/mozilla-central/search?q=browser.search.region&redirect=false... There are definitely some prefs that are created/checked randomly through the code (eg https://dxr.mozilla.org/mozilla-central/source/dom/base/Navigator.cpp?q=general.oscpu.override&redirect_type=single#479). We can move this to a new issue. -> Moved #261

Edit: (Note that you can run make checknotcovered to see all detected Firefox prefs that are not covered by user.js. Outdated log for reference)

@nodiscc
Contributor

nodiscc commented Apr 4, 2017

Re: browser.urlbar.maxRichResults, it seems we are also missing many prefs files in https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/ and https://dxr.mozilla.org/mozilla-central/source/browser/app/profile. Thanks!

add
  • https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/debugger.js
  • https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/devtools.js
  • https://dxr.mozilla.org/mozilla-central/source/browser/branding/unofficial/pref/firefox-branding.js
  • https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/firefox-l10n.js
  • https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/firefox.js
  • https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/webide-prefs.js
  • https://dxr.mozilla.org/mozilla-central/source/browser/app/profile/channel-prefs.js

those files are generated from:

@nodiscc
Contributor

nodiscc commented Apr 5, 2017

pyllyukko added a commit that referenced this issue Apr 9, 2017
Makefile: downloadffprefs: add Firefox source reference files from #208
pyllyukko added a commit that referenced this issue May 21, 2017
As discussed in #208

The URL suggestion is controlled by browser.urlbar.autocomplete.enabled
pyllyukko added a commit that referenced this issue May 21, 2017
This is already disabled by default

Relates to #208
pyllyukko added a commit that referenced this issue May 21, 2017
As discussed in #208

The URL suggestion is controlled by browser.urlbar.autocomplete.enabled
pyllyukko added a commit that referenced this issue May 21, 2017
This is already disabled by default

Relates to #208
pyllyukko added a commit that referenced this issue May 26, 2017
TODO: offline-apps.allow_by_default

Relates to #208
@pyllyukko
Owner Author

@pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.

FYI: It's working again.

@nodiscc nodiscc mentioned this issue Dec 18, 2017
7 tasks
@claustromaniac

claustromaniac commented Jun 30, 2018

I don't mean to go off-topic, but I want to share with the folks here this tool I made for comparing user.js files, before [insert random asshole's name here] plagiarises it.

That's all. Keep up the good fight 👍

@pyllyukko
Owner Author

I don't mean to go off-topic, but I want to share with the folks here this tool I made for comparing user.js files

Thanks!

ranisalt pushed a commit to ranisalt/user.js that referenced this issue Jul 18, 2018
As discussed in pyllyukko#208

The URL suggestion is controlled by browser.urlbar.autocomplete.enabled
ranisalt pushed a commit to ranisalt/user.js that referenced this issue Jul 18, 2018
As discussed in pyllyukko#208

The URL suggestion is controlled by browser.urlbar.autocomplete.enabled
ranisalt pushed a commit to ranisalt/user.js that referenced this issue Jan 21, 2019
As discussed in pyllyukko#208

The URL suggestion is controlled by browser.urlbar.autocomplete.enabled
@Gitoffthelawn
Contributor

Gitoffthelawn commented Oct 17, 2022

In the event that the link that @claustromaniac provided becomes invalid, here is the new official link to their Compare-UserJS tool:
https://github.com/claustromaniac/Compare-UserJS
