arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening

ToDo: diffs FF108-FF109 #1623

Closed earthlng closed 1 year ago

earthlng commented 1 year ago

FF109 is scheduled for release Jan. 17th

FF109 release notes FF109 for developers FF109 security advisories


72 diffs ( 40 new, 11 gone, 21 different )

new in v109.0:

changed in v109.0:


ignore

click me for details

==NEW
```js
pref("browser.migrate.content-modal.enabled", false);
pref("browser.migrate.opera-gx.enabled", false);
pref("browser.migrate.vivaldi.enabled", false);
pref("browser.places.snapshots.relevancy.timeOfDayIntervalSeconds", 3600);
pref("browser.places.snapshots.score.CurrentSession", 1);
pref("browser.places.snapshots.score.IsUserPersisted", 1);
pref("browser.places.snapshots.score.IsUserRemoved", -10);
pref("browser.places.snapshots.score.Visit", 1);
pref("browser.places.snapshots.source.CommonReferrer", 3);
pref("browser.places.snapshots.source.Overlapping", 3);
pref("browser.places.snapshots.source.TimeOfDay", 3);
pref("browser.urlbar.contextualSearch.enabled", false);
pref("browser.urlbar.resultMenu", false);
pref("browser.urlbar.searchEngagementTelemetry.enabled", false);
pref("dom.forms.always_allow_pointer_events.enabled", false);
pref("dom.mozTextStyle.enabled", true);
pref("dom.range_element.magnet_effect_threshold", "10.0");
pref("extensions.install_origins.enabled", false);
pref("extensions.webapi.testing", false);
pref("extensions.webapi.testing.http", false);
pref("gfx.canvas.accelerated.aa-stroke.enabled", true);
pref("gfx.canvas.accelerated.gpu-path-complexity", 4000);
pref("gfx.canvas.accelerated.stroke-to-fill-path", false);
pref("gfx.direct2d.target-independent-rasterization.disabled", false);
pref("gfx.webrender.dcomp-use-virtual-surfaces", true);
pref("javascript.options.mem.gc_parallel_marking", false);
pref("layout.css.allow-mixed-page-sizes", false);
pref("layout.css.content-visibility-relevant-content-margin", "50.0");
pref("layout.css.mod-rem.enabled", false);
pref("media.wmf.dxva.d3d9.amd-pre-uvd4.disabled", true);
pref("network.cookie.sameSite.laxByDefault.allowBoomerangRedirect", true);
pref("network.webtransport.datagrams.enabled", false);
pref("network.webtransport.enabled", false);
pref("security.sandbox.rdd.acg.enabled", true);
pref("security.sandbox.utility-wmf.acg.enabled", true);
pref("svg.nearestAndFarthestViewportElement.enabled", true);
pref("toolkit.telemetry.dap_task1_enabled", false);
pref("toolkit.telemetry.shutdownPingSender.backgroundtask.enabled", false);
pref("widget.windows.messages_to_log", 6);
```
==REMOVED, RENAMED or HIDDEN
```js
pref("browser.migrate.showBookmarksToolbarAfterMigration", true);
pref("browser.snapshots.relevancy.timeOfDayIntervalSeconds", 3600);
pref("browser.snapshots.score.CurrentSession", 1);
pref("browser.snapshots.score.IsUserPersisted", 1);
pref("browser.snapshots.score.IsUserRemoved", -10);
pref("browser.snapshots.score.Visit", 1);
pref("browser.snapshots.source.CommonReferrer", 3);
pref("browser.snapshots.source.Overlapping", 3);
pref("browser.snapshots.source.TimeOfDay", 3);
pref("dom.security.credentialmanagement.identity.wait_for_timeout", true);
pref("print.print_via_parent", true);
```
==CHANGED
```js
pref("apz.scrollend-event.content.enabled", true); // prev: false
pref("browser.newtabpage.activity-stream.asrouter.providers.cfr", "{\"id\":\"cfr\",\"enabled\":true,\"type\":\"remote-settings\",\"collection\":\"cfr\",\"updateCycleInMs\":3600000}"); // prev: "{\"id\":\"cfr\",\"enabled\":true,\"type\":\"remote-settings\",\"bucket\":\"cfr\",\"updateCycleInMs\":3600000}"
pref("browser.newtabpage.activity-stream.asrouter.providers.message-groups", "{\"id\":\"message-groups\",\"enabled\":true,\"type\":\"remote-settings\",\"collection\":\"message-groups\",\"updateCycleInMs\":3600000}"); // prev: "{\"id\":\"message-groups\",\"enabled\":true,\"type\":\"remote-settings\",\"bucket\":\"message-groups\",\"updateCycleInMs\":3600000}"
pref("browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel", "{\"id\":\"whats-new-panel\",\"enabled\":true,\"type\":\"remote-settings\",\"collection\":\"whats-new-panel\",\"updateCycleInMs\":3600000}"); // prev: "{\"id\":\"whats-new-panel\",\"enabled\":true,\"type\":\"remote-settings\",\"bucket\":\"whats-new-panel\",\"updateCycleInMs\":3600000}"
pref("browser.opaqueResponseBlocking.syntheticBrowsingContext", true); // prev: false
pref("browser.opaqueResponseBlocking.syntheticBrowsingContext.filter", true); // prev: false
pref("browser.pdfjs.feature-tour", "{\"screen\":\"\",\"complete\":false}"); // prev: "{\"screen\":\"FEATURE_CALLOUT_1\",\"complete\":false}"
pref("devtools.remote.adb.extensionURL", "https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi"); // prev: "https://ftp.mozilla.org/pub/mozilla.org/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi"
pref("dom.webidl.crosscontext_hasinstance.enabled", false); // prev: true
pref("extensions.manifestV3.enabled", true); // prev: false
pref("extensions.unifiedExtensions.enabled", true); // prev: false
pref("extensions.webextensions.default-content-security-policy.v3", "script-src 'self'; upgrade-insecure-requests;"); // prev: "script-src 'self';"
pref("javascript.options.mem.gc_small_heap_incremental_limit", 150); // prev: 140
pref("media.seamless-looping-video", true); // prev: false
pref("network.cache.shutdown_purge_in_background_task", true); // prev: false
pref("network.ssl_tokens_cache_use_only_once", true); // prev: false
pref("security.csp.unsafe-hashes.enabled", true); // prev: false
pref("toolkit.telemetry.dap_helper", "https://helper1.dap.cloudflareresearch.com/v02"); // prev: "https://helper1.dap.cloudflareresearch.com/v01"
pref("toolkit.telemetry.dap_leader", "https://dap-02.api.divviup.org"); // prev: "https://interop-00.api.divviup.org"
```

earthlng commented 1 year ago
some bugzilla tickets

* apz.scrollend-event.content.enabled Bug [1803435](https://bugzilla.mozilla.org/show_bug.cgi?id=1803435) - Enable scrollend for content by default. Bug [1785105](https://bugzilla.mozilla.org/show_bug.cgi?id=1785105) - Fire scrollend events.
* browser.migrate.content-modal.enabled Bug [1795334](https://bugzilla.mozilla.org/show_bug.cgi?id=1795334) - Add a pref that opens the existing migration.xhtml document in a tab dialog box modal.
* browser.migrate.opera-gx.enabled Bug [1795462](https://bugzilla.mozilla.org/show_bug.cgi?id=1795462) - Importing data from OperaGX.
* browser.migrate.showBookmarksToolbarAfterMigration Bug [1673047](https://bugzilla.mozilla.org/show_bug.cgi?id=1673047) - Remove browser.migrate.showBookmarksToolbarAfterMigration pref and set the default behavior to the 'true' branch.
* browser.migrate.vivaldi.enabled Bug [1795739](https://bugzilla.mozilla.org/show_bug.cgi?id=1795739) - Make it possible to import data from Vivaldi.
* browser.newtabpage.activity-stream.asrouter.providers.cfr Bug [1800087](https://bugzilla.mozilla.org/show_bug.cgi?id=1800087) - Fix ASRouter references to RS collections.
* browser.newtabpage.activity-stream.asrouter.providers.message-groups Bug [1800087](https://bugzilla.mozilla.org/show_bug.cgi?id=1800087) - Fix ASRouter references to RS collections.
* browser.newtabpage.activity-stream.asrouter.providers.whats-new-panel Bug [1800087](https://bugzilla.mozilla.org/show_bug.cgi?id=1800087) - Fix ASRouter references to RS collections.
* browser.opaqueResponseBlocking.syntheticBrowsingContext Bug [1801664](https://bugzilla.mozilla.org/show_bug.cgi?id=1801664) - Make <object> and <embed> behave like <iframe>.
* browser.opaqueResponseBlocking.syntheticBrowsingContext.filter Bug [1801664](https://bugzilla.mozilla.org/show_bug.cgi?id=1801664) - Make <object> and <embed> behave like <iframe>.
* browser.pdfjs.feature-tour Bug [1804309](https://bugzilla.mozilla.org/show_bug.cgi?id=1804309) - [Cleanup] Set default value of browser.pdfjs.feature-tour to have a message id of empty string Bug [1793657](https://bugzilla.mozilla.org/show_bug.cgi?id=1793657) - Created messages for Feature Callout tour in pdf.js Bug [1793655](https://bugzilla.mozilla.org/show_bug.cgi?id=1793655) - Add progress and device syncing prefs for pdf.js feature callout tour
* browser.places.snapshots.relevancy.timeOfDayIntervalSeconds Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.places.snapshots.score.CurrentSession Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.places.snapshots.score.IsUserPersisted Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.places.snapshots.score.IsUserRemoved Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.places.snapshots.score.Visit Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.places.snapshots.source.CommonReferrer Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.places.snapshots.source.Overlapping Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.places.snapshots.source.TimeOfDay Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.snapshots.relevancy.timeOfDayIntervalSeconds Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting. Bug [1768164](https://bugzilla.mozilla.org/show_bug.cgi?id=1768164) - MR2-1400 - Initial Time of Day heuristic for Snapshots.
* browser.snapshots.score.CurrentSession Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.snapshots.score.IsUserPersisted Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.snapshots.score.IsUserRemoved Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting. Bug [1778663](https://bugzilla.mozilla.org/show_bug.cgi?id=1778663): Correct isUsedRemoved typo in snapshot scorer.
* browser.snapshots.score.Visit Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.
* browser.snapshots.source.CommonReferrer Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting. Bug [1761932](https://bugzilla.mozilla.org/show_bug.cgi?id=1761932): Call recommendation sources in parallel and apply source-specific weights.
* browser.snapshots.source.Overlapping Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting. Bug [1761932](https://bugzilla.mozilla.org/show_bug.cgi?id=1761932): Call recommendation sources in parallel and apply source-specific weights.
* browser.snapshots.source.TimeOfDay Bug [1804223](https://bugzilla.mozilla.org/show_bug.cgi?id=1804223): Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting. Bug [1768164](https://bugzilla.mozilla.org/show_bug.cgi?id=1768164) - MR2-1400 - Initial Time of Day heuristic for Snapshots.
* browser.urlbar.contextualSearch.enabled Bug [1794823](https://bugzilla.mozilla.org/show_bug.cgi?id=1794823) - port site specific search from pine to central
* browser.urlbar.resultMenu Bug [1790019](https://bugzilla.mozilla.org/show_bug.cgi?id=1790019) - Implement placeholder urlbar result menu button and popup.
* browser.urlbar.searchEngagementTelemetry.enabled Bug [1797265](https://bugzilla.mozilla.org/show_bug.cgi?id=1797265): Implement the engagement event.
* devtools.remote.adb.extensionURL Bug [1800985](https://bugzilla.mozilla.org/show_bug.cgi?id=1800985) - [devtools] Update adb extension URL to new location
* dom.forms.always_allow_pointer_events.enabled Bug [1799565](https://bugzilla.mozilla.org/show_bug.cgi?id=1799565) - Allow pointer events on disabled form elements on Nightly
* dom.mozTextStyle.enabled Bug [1799319](https://bugzilla.mozilla.org/show_bug.cgi?id=1799319) - Disable mozTextStyle in early beta.
* dom.range_element.magnet_effect_threshold Bug [1803118](https://bugzilla.mozilla.org/show_bug.cgi?id=1803118) - Snap mouse to <input type=range> tick marks
* dom.security.credentialmanagement.identity.wait_for_timeout Bug [1803171](https://bugzilla.mozilla.org/show_bug.cgi?id=1803171) - FedCM Promise rejections on timeout cause tab crashes, Bug [1782085](https://bugzilla.mozilla.org/show_bug.cgi?id=1782085), part 3 - Add tests for partial FedCM API,
* dom.webidl.crosscontext_hasinstance.enabled Bug [1769620](https://bugzilla.mozilla.org/show_bug.cgi?id=1769620) - Disable dom.webidl.crosscontext_hasinstance.enabled by default
* extensions.install_origins.enabled Bug [1800703](https://bugzilla.mozilla.org/show_bug.cgi?id=1800703) - Disable `extensions.install_origins.enabled` pref everywhere.
* extensions.manifestV3.enabled Bug [1801291](https://bugzilla.mozilla.org/show_bug.cgi?id=1801291) - Enable MV3 by default. Bug [1789796](https://bugzilla.mozilla.org/show_bug.cgi?id=1789796) - Enable Manifest V3 on Nightly and early Beta. Bug [1765316](https://bugzilla.mozilla.org/show_bug.cgi?id=1765316) - Explicitly set 'extensions.manifestV3.enabled' and 'extensions.eventPages.enabled' to false at toolkit level.
* extensions.unifiedExtensions.enabled Bug [1801129](https://bugzilla.mozilla.org/show_bug.cgi?id=1801129) - Enable unified extensions UI in all channels. Bug [1793626](https://bugzilla.mozilla.org/show_bug.cgi?id=1793626) - Enable unified extensions pref by default on Nightly. Bug [1777481](https://bugzilla.mozilla.org/show_bug.cgi?id=1777481) - Introduce a new extension button on the toolbar.
* extensions.webapi.testing Bug [1443925](https://bugzilla.mozilla.org/show_bug.cgi?id=1443925) - Part 7: Make AddonManagerWebAPI::IsValidSite threadsafe,
* extensions.webapi.testing.http Bug [1443925](https://bugzilla.mozilla.org/show_bug.cgi?id=1443925) - Part 7: Make AddonManagerWebAPI::IsValidSite threadsafe,
* extensions.webextensions.default-content-security-policy.v3 Bug [1797086](https://bugzilla.mozilla.org/show_bug.cgi?id=1797086) add upgrade-insecure-requests to the base csp for MV3 Bug [1766881](https://bugzilla.mozilla.org/show_bug.cgi?id=1766881) - Drop object-src requirement from extension CSP Bug [1740263](https://bugzilla.mozilla.org/show_bug.cgi?id=1740263) - Continue to allow WASM by default in Webextensions v2.
* gfx.canvas.accelerated.aa-stroke.enabled Bug [1803604](https://bugzilla.mozilla.org/show_bug.cgi?id=1803604) - Use aa-stroke to accelerate stroked paths in Canvas2D.
* gfx.canvas.accelerated.gpu-path-complexity Bug [1801446](https://bugzilla.mozilla.org/show_bug.cgi?id=1801446) - Limit the maximum complexity of paths used with wpf-gpu-raster.
* gfx.canvas.accelerated.stroke-to-fill-path Bug [1803604](https://bugzilla.mozilla.org/show_bug.cgi?id=1803604) - Use aa-stroke to accelerate stroked paths in Canvas2D.
* gfx.direct2d.target-independent-rasterization.disabled Bug [1800930](https://bugzilla.mozilla.org/show_bug.cgi?id=1800930) - Add a pref to disable target independent rasterization with D2D.
* gfx.webrender.dcomp-use-virtual-surfaces Bug [1773596](https://bugzilla.mozilla.org/show_bug.cgi?id=1773596) - Reimplement non-virtual surface rendering
* javascript.options.mem.gc_parallel_marking Bug [1802897](https://bugzilla.mozilla.org/show_bug.cgi?id=1802897) - Part 1: Add a pref for parallel marking, disabled by default
* javascript.options.mem.gc_small_heap_incremental_limit Bug [1801076](https://bugzilla.mozilla.org/show_bug.cgi?id=1801076) - Increase small heap incremental limit
* layout.css.allow-mixed-page-sizes Bug [1802238](https://bugzilla.mozilla.org/show_bug.cgi?id=1802238) - Don't allow using mixed page sizes when printing unless layout.css.allow-mixed-page-sizes is set
* layout.css.content-visibility-relevant-content-margin Bug [1791759](https://bugzilla.mozilla.org/show_bug.cgi?id=1791759) - Add support for `content-visibility: auto`
* layout.css.mod-rem.enabled Bug [1785117](https://bugzilla.mozilla.org/show_bug.cgi?id=1785117) - Implement CSS mod() and rem() functions.
* media.seamless-looping-video Bug [1799205](https://bugzilla.mozilla.org/show_bug.cgi?id=1799205) - enable video seamless looping. Bug [1262276](https://bugzilla.mozilla.org/show_bug.cgi?id=1262276) - part18 : add a pref to control video seamless looping.
* media.wmf.dxva.d3d9.amd-pre-uvd4.disabled Bug [1798052](https://bugzilla.mozilla.org/show_bug.cgi?id=1798052) - Disable D3D9DXVA2Manager on AMD pre UVD4
* network.cache.shutdown_purge_in_background_task Bug [1786256](https://bugzilla.mozilla.org/show_bug.cgi?id=1786256) - Let network.cache.shutdown_purge_in_background_task=true ride the trains
* network.cookie.sameSite.laxByDefault.allowBoomerangRedirect Bug [1774857](https://bugzilla.mozilla.org/show_bug.cgi?id=1774857) - Send (only) laxByDefault cookies on boomerang-redirects.
* network.ssl_tokens_cache_use_only_once Bug [1800751](https://bugzilla.mozilla.org/show_bug.cgi?id=1800751) - Enable network.ssl_tokens_cache_use_only_once, Bug [1720601](https://bugzilla.mozilla.org/show_bug.cgi?id=1720601) - Allow token cache to store more than one token per key,
* network.webtransport.datagrams.enabled Bug [1790676](https://bugzilla.mozilla.org/show_bug.cgi?id=1790676): WebTransport DOM API initial framework
* network.webtransport.enabled Bug [1790676](https://bugzilla.mozilla.org/show_bug.cgi?id=1790676): WebTransport DOM API initial framework
* print.print_via_parent Bug [1800684](https://bugzilla.mozilla.org/show_bug.cgi?id=1800684) - Remove print_via_parent.
* privacy.partition.always_partition_third_party_non_cookie_storage Bug [1800960](https://bugzilla.mozilla.org/show_bug.cgi?id=1800960) - Enable Always Partitioning Storage beyond nightly and without sessionStorage carveout,
* privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage Bug [1800960](https://bugzilla.mozilla.org/show_bug.cgi?id=1800960) - Enable Always Partitioning Storage beyond nightly and without sessionStorage carveout,
* privacy.resistFingerprinting.block_mozAddonManager Bug [1443925](https://bugzilla.mozilla.org/show_bug.cgi?id=1443925) - Part 7: Make AddonManagerWebAPI::IsValidSite threadsafe,
* security.csp.unsafe-hashes.enabled Bug [1343950](https://bugzilla.mozilla.org/show_bug.cgi?id=1343950) - CSP: Enable the 'unsafe-hashes' keyword by default. Bug [1797070](https://bugzilla.mozilla.org/show_bug.cgi?id=1797070) - CSP: Add a basic implementation of unsafe-hashes behind a flag.
* security.sandbox.rdd.acg.enabled Bug [1800933](https://bugzilla.mozilla.org/show_bug.cgi?id=1800933) - Let ACG in RDD and WMF ride the trains.
* security.sandbox.utility-wmf.acg.enabled Bug [1800933](https://bugzilla.mozilla.org/show_bug.cgi?id=1800933) - Let ACG in RDD and WMF ride the trains.
* svg.nearestAndFarthestViewportElement.enabled Bug [1133174](https://bugzilla.mozilla.org/show_bug.cgi?id=1133174) - Disable SVGGraphicsElement.{nearest,farthest}ViewportElement in early beta
* toolkit.telemetry.dap_helper Bug [1804413](https://bugzilla.mozilla.org/show_bug.cgi?id=1804413): Update remote server prefs for new version. Improve error handling. Bug [1791394](https://bugzilla.mozilla.org/show_bug.cgi?id=1791394) - Add DAP frontend which handles sending/receiving of data.
* toolkit.telemetry.dap_leader Bug [1804413](https://bugzilla.mozilla.org/show_bug.cgi?id=1804413): Update remote server prefs for new version. Improve error handling. Bug [1791394](https://bugzilla.mozilla.org/show_bug.cgi?id=1791394) - Add DAP frontend which handles sending/receiving of data.
* toolkit.telemetry.dap_task1_enabled Bug [1802204](https://bugzilla.mozilla.org/show_bug.cgi?id=1802204) - Add feature for DAP telemetry -
* toolkit.telemetry.shutdownPingSender.backgroundtask.enabled Bug [1746983](https://bugzilla.mozilla.org/show_bug.cgi?id=1746983) - Add Nimbus feature (and Gecko preference) enabling pingsender background task.
* widget.windows.messages_to_log Bug [1793834](https://bugzilla.mozilla.org/show_bug.cgi?id=1793834) - part 8: add preference for number of messages to keep

Thorin-Oakenpants commented 1 year ago

Thanks E ... at the time of writing I see I am the only one to give you some love .. here's an additional mooncake 🥮