proposed pref changes

[atomGit]

several of the changes i'm proposing are because we aren't using TB as a web browser

/* 1211: control when to use OCSP fetching (to confirm current validity of certificates)

• 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
• OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
• It's a trade-off between security (checking) and privacy (leaking info to the CA)
• [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
• [1] https://en.wikipedia.org/wiki/Ocsp ***/ user_pref("security.OCSP.enabled", 0); ? change to 1

/* 1403: disable icon fonts (glyphs) and local fallback rendering

• [1] https://bugzilla.mozilla.org/789788
• [2] https://trac.torproject.org/projects/tor/ticket/8455 ***/ // user_pref("gfx.downloadable_fonts.enabled", false); // [FF41+] // user_pref("gfx.downloadable_fonts.fallback_delay", -1); ? uncomment

/* 1405: disable WOFF2 (Web Open Font Format) [FF35+] ***/ // user_pref("gfx.downloadable_fonts.woff2.enabled", false); ? uncomment

/* 1601: ALL: control when images/links send a referer

• 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/ // user_pref("network.http.sendRefererHeader", 2); // [DEFAULT: 2] ? uncomment, set 0

/* 1606: ALL: set the default Referrer Policy [FF59+]

• 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
• [NOTE] This is only a default, it can be overridden by a site-controlled Referrer Policy
• [1] https://www.w3.org/TR/referrer-policy/
• [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
• [3] https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/ ***/ // user_pref("network.http.referer.defaultPolicy", 3); // [DEFAULT: 3] // user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2] ? uncomment, set 0

/* 2212: limit events that can cause a popup [SETUP-WEB]

• default is "change click dblclick auxclick mouseup pointerup notificationclick reset submit touchend contextmenu"
• [1] http://kb.mozillazine.org/Dom.popup_allowed_events ***/ user_pref("dom.popup_allowed_events", "click dblclick"); ? set ""

/ [SECTION 2500]: HARDWARE FINGERPRINTING / ? enable all these prefs

/* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) [FF60+]

• [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/ // user_pref("extensions.webextensions.restrictedDomains", ""); ? uncomment

2701: disable 3rd-party cookies and site-data [SETUP-WEB] ? "3rd-party" should be removed

/* 2710: disable DOM (Document Object Model) Storage

• [WARNING] This will break a LOT of sites' functionality AND extensions!
• You are better off using an extension for more granular control ***/ // user_pref("dom.storage.enabled", false); ? uncomment

/* 2750: disable Storage API [FF51+]

• The API gives sites the ability to find out how much space they can use, how much
• they are already using, and even control whether or not they need to be alerted
• before the user agent disposes of site data in order to make room for other things.
• [1] https://developer.mozilla.org/docs/Web/API/StorageManager
• [2] https://developer.mozilla.org/docs/Web/API/Storage_API
• [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/ // user_pref("dom.storageManager.enabled", false); ? uncomment

/* 6206: Disable calendar integration ***/ user_pref("mail.calendar-integration.opt-out", false); ? what does this do exactly? disable cal integration, or enable/disable a prompt for integration? see: https://bugzilla.mozilla.org/show_bug.cgi?id=1130852

[HorlogeSkynet]

Hey ! Are you sure all of them are effectively being used in TB internals ? (@dngray's last advice about that : https://github.com/ghacksuserjs/ghacks-user.js/issues/646#issuecomment-554701353)

Once clarified, could we expect a PR from you (easier and quicker to comment and improve :ok_hand:) ?

[atomGit]

Are you sure all of them are effectively being used in TB internals ?

heck no, but all of them exist in TB - i checked using about:config and resetting each one to its default value so i assume they are used, else why would they exist? and even if a pref that's related to some functionality isn't used, how do we know it won't be in the future?

if there's some other verification that needs to be done, let me know

[HorlogeSkynet]

heck no, but all of them exist in TB - i checked using about:config and resetting each one to its default value so i assume they are used, else why would they exist? and even if a pref that's related to some functionality isn't used, how do we know it won't be in the future?

I personally don't know. Maybe 'cause FF & TB share the same core, but without really using each existing pref on their side. We can go really safe from there and disabling them anyhow :man_shrugging:

[atomGit]

i agree - i don't have the technical ability to verify that every pref is actually connected to functionality or whether it's just a leftover from FF, and i'm not a coder, nor am i familiar with the inner workings of TB - that said, i'm not aware of any other option than the one you suggest which is to assume they are active - plus i would suspect that assuming a pref is used when it actually isn't wouldn't cause anything to explode