[RFC] clean up actually used settings

[boredsquirrel]

I am going through the file and wonder if many even apply, often because Thunderbird doesnt have those features or doesnt even interact with websites apart addons.thunderbird.net

user_pref("browser.fixup.alternate.enabled", false); // [DEFAULT: false FF104+]
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.formfill.enable", false);
user_pref("layout.css.visited_links_enabled", false);
user_pref("signon.autofillForms", false);
user_pref("signon.formlessCapture.enabled", false);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+user_pref("media.gmp-provider.enabled", false);]
user_pref("media.memory_cache_max_size", 65536);
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("security.family_safety.mode", 0);
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
user_pref("media.peerconnection.ice.default_address_only", true);
user_pref("media.peerconnection.ice.no_host", true);
user_pref("media.gmp-provider.enabled", false);
user_pref("dom.disable_window_move_resize", true);
user_pref("accessibility.force_disabled", 1); // ????? Why? If those are enabled they should, if not they will not try I suppose
user_pref("permissions.delegation.enabled", false);
user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+] // instead disable them if not by default
user_pref("privacy.sanitize.sanitizeOnShutdown", true); // does nothing on Thunderbird?
user_pref("privacy.clearOnShutdown.cache", true);     // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.formdata", true);  // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.history", true);   // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.sessions", true);  // [DEFAULT: true] // same?
user_pref("privacy.clearOnShutdown.cookies", true); // Cookies
user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data // same, TB only has "accept cookies" and "remember websites"
user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS]
everything with autofill and passwords
user_pref("full-screen-api.enabled", false);

Maybe I missed something, or maybe Thunderbird can indeed open more than one website.

It probably doesnt harm to set these not even applying settings, but they should be removed anyways.

[HorlogeSkynet]

Some things to note here :

• additionally to Web pages "purposely" opened by TB, I mostly value malicious Web pages included as URLs in e-mail bodies, that would end up somehow being opened by TB built-in browser and exploiting the attack surface from there ;
• if a setting is actually not being used (now), worst case scenario it does... nothing and only pollutes (mostly) maintainers' eyes. If it is actually used it (let's hope so) helps reducing the attack surface of the built-in browser ;
• I intend to keep the template clean with only effective settings, but :
  • it is very time-consuming and at the moment I only try to leverage them when back-porting upstream patches ;
  • sometimes a setting appears unused whereas it actually is but it is hidden ;
  • platform-specific settings are a PITA 'cause it hardens searches.

Let's only remove settings for which we are absolutely sure they are not used (as done in last release for very old encoding-related settings).

[boredsquirrel]

agree. if it is possible to completely block thunderbird from opening other websites, this would be the way. Similar to just disabling javascript and wasm

[HorlogeSkynet]

I'm closing this one, but be sure that I keep in mind cleaning up the template (version bumps are my milestones to work on it).