sticky: items to investigate keep an eye on

[Thorin-Oakenpants]

Locked sticky issue for tracking of old stuff and reminders of new stuff etc

changelog at end of this issue

KEEP AN EYE ON

• :small_red_triangle_down: FF65
  • dom.storage_access.enabled - revisit to see if they have stopped this
  • network.trr.custom_uri
• :small_red_triangle_down: FF64
  • network.security.esni.enabled 1473736
• :small_red_triangle_down: FF57
  • security.all_resource_uri_content_accessible - see resource URI 863246
• :small_red_triangle_down: FF53
  • webauth.webauthn* (FF53+): https://www.w3.org/TR/webauthn/#use-cases
• :small_red_triangle_down: FF52
  • security.pki.certificate_transparency.mode (FF52+)
• :small_red_triangle_down: other
  • plugin.disable_full_page_plugin_for_types

DONE

click to expland

* [x] disable passive TrackingProtection - https://github.com/ghacksuserjs/ghacks-user.js/commit/595eaf540cf02b7d2b5c2896149a139c37e21450 * pref("privacy.trackingprotection.annotate_channels", false); * pref("privacy.trackingprotection.lower_network_priority", false); * [x] browser.crashReports.unsubmittedCheck.* - https://github.com/ghacksuserjs/ghacks-user.js/commit/bc70023b54c6bbf9831a41b4c335856e0963dc00 * [x] privacy.userContext.* (Containers) - see #91 * [x] dom.maxHardwareConcurrency - see #127 * [x] security.data_uri.block_toplevel_data_uri_navigations - https://github.com/ghacksuserjs/ghacks-user.js/commit/0912b03f625bea673516969c5b96bf2389c251df * [x] `javascript.options.shared_memory`

WONTFIX

click to expland

* `datareporting.policy.firstRunURL` (FF51+) - default blank so far 51-53 * If set, a browser tab will be opened on first run instead of the infobar * will pick up on diffs if it changes, also it should never trigger due to master switches * `network.http.enablePerElementReferrer` - see #59 * will get removed in FF55 (see https://hg.mozilla.org/mozilla-central/rev/0041706d6e43) * `extensions.hideSystemAddons` - does not exist (yet, if ever) * https://bugzilla.mozilla.org/show_bug.cgi?id=1231202 * update: RESOLVED INVALID * `extensions.systemAddon*` - we will pick up from release diffs * `browser.newtabpage.remote*` - we will pick up from release diffs (currently off) * looks like they are legacy/deprecated #87 (FF53->54 diffs) * `javascript.options.mem.high_water_mark` * Garbage collector releases memory back to the system. Default 128 * RAM is good, default 128mb is minuscule * `browser.safebrowsing.provider.google.lists` and `browser.safebrowsing.provider.mozilla.lists` * the URL is gone, that's enough for future-proofing. I know that's not what this was proposed for, but the speed gain by blanking them is practically zero * deprecated (at least in FF53+; not on DXR) * `browser.search.redirectWindowsSearch` * `config.trim_on_minimize` * `content.interrupt.parsing` * `toolkit.crashreporter.enabled` * timer intervals - not playing with these since we know allow update checks, otherwise master switches eg for search updates or experiments, will do (365 days in seconds = 31536000) * user_pref("app.update.interval", 31536000); // default = 43200 = 12hrs * user_pref("browser.search.update.interval", 31536000); // default = 21600 = 6hrs * user_pref("experiments.manifest.fetchIntervalSeconds", 31536000); // default = 86400 = 24 hrs * user_pref("extensions.update.interval", 31536000); // default = 86400 = 24 hrs * nine prefs `urlclassifier.*Table` - no need to blank these IMO * `browser.download.manager.scanWhenDone` - [removed in 55](https://bugzilla.mozilla.org/show_bug.cgi?id=1254558) * `pdfium.enabled` - mortar pdf is [dead](https://wiki.mozilla.org/Mortar_Project) * `devtools.webide.widget.autoinstall` - [removed in FF55](https://hg.mozilla.org/releases/mozilla-beta/rev/03cfa568b940#l11.28) - `devtools.webide.adaptersAddonURL` - [removed in 57, 1393497](https://hg.mozilla.org/mozilla-central/rev/9815926c3bc1) - `devtools.webide.addonsURL` - [removed in 57, 1398061](https://hg.mozilla.org/releases/mozilla-beta/rev/3cdddb3af232) - `devtools.webide.simulatorAddonsURL` - [removed in 57, 1398061](https://hg.mozilla.org/releases/mozilla-beta/rev/3cdddb3af232) - `browser.search.isUS` - [removed in 62](https://bugzilla.mozilla.org/show_bug.cgi?id=1462010) - `devtools.telemetry.tools.opened.version` - [removed in 62](https://hg.mozilla.org/mozilla-central/rev/f755fe79a51b)

LEFTOVERS [from 18 months of ghacks comments]

click to expland

```js // earthling other // prevent handlerService overwrites, see chrome://browser-region/locale/region.properties user_pref("gecko.handlerService.defaultHandlersVersion", "999"); // disable mailto handler // there's actually a ton of network.protocol-handler.external* prefs // we already block the ms-windows-store this way user_pref("network.protocol-handler.external.mailto", false); /*** from earthling Sept 2016 ***/ // (FF49+) enable sites to use much higher max-age values for HPKP (HTTP Public Key Pinning) // [sites set this in the header] // default value in FF49: 5184000 (60 days) -> 31536000 = 365 days in seconds // WARNING: can block domains for 1 year after last visit if the domain-owners mess things up or get hacked // !! this is only a 'max-age' maximum, not enforcing it to one year, only allowing it to be that long if // sites choose to use such a long max-age // -> also see: https://dxr.mozilla.org/mozilla-central/source/netwerk/base/security-prefs.js#100 // https://tools.ietf.org/html/rfc7469#section-4.1 // https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html // HPKP can be problematic for domain-owners but is a great privacy/security feature for users of those domains. // If some admins want to set max-age to 1 year f.e., it shows that they are confident in being able to provide // and maintain a secure domain-access for that long and are willing to risk huge damages to their companies if // they fail in doing so. Therefore limiting the usefulness of HPKP for end-users by setting a lower max max-age // is not in the interest of more advanced users who know what they are doing and who would like to get the most // out of HPKP. user_pref("security.cert_pinning.max_max_age_seconds", 31536000); /*** from various ***/ user_pref("mousewheel.system_scroll_override_on_root_content.enabled", false); user_pref("browser.cache.check_doc_frequency", 1); user_pref("devtools.cache.disabled", true); user_pref("devtools.remote.wifi.scan", false); user_pref("devtools.remote.wifi.visible", false); user_pref("devtools.webide.adbAddonURL", ""); user_pref("security.warn_viewing_mixed", true); // also see bug 616712 android? user_pref("browser.display.auto_quality_min_font_size", 0); // from ainatar nov 10 2016 user_pref("full-screen-api.allow-trusted-requests-only", true); user_pref("full-screen-api.pointer-lock.enabled", true); user_pref("layers.async-video.enabled", true); user_pref("layout.css.prefixes.webkit", true); // not in user.js, listed 19-Feb-2017 user_pref("browser.cache.compression_level", 1); // default = 0 user_pref("media.cache_size", 0); // default = 51200 user_pref("media.hardware-video-decoding.enabled", false); // default=true // personal stuff? user_pref("layout.word_select.eat_space_to_next_word", false); user_pref("layout.word_select.stop_at_punctuation", true); user_pref("alerts.disableSlidingEffect", true); user_pref("nglayout.enable_drag_images", false); user_pref("browser.link.open_newwindow.override.external", 3); ```

CHANGELOG:

2019

• 7-May: cleared changelog
• 13-Oct: cleaned up, added some wontfix sources

...

[ghost]

I'm wondering about four about:config settings available on all Firefox versions and related to:

// 2404: disable JS storing data permanently
user_pref("dom.indexedDB.enabled", false);

If, when dom.indexedDB.enabled is set to true there are four related settings:

user_pref("dom.indexedDB.experimental", false); // Default=false 
user_pref("dom.indexedDB.logging.details", false); // Default=true
user_pref("dom.indexedDB.logging.enabled", false); // Default=true
user_pref("dom.indexedDB.logging.profiler-marks", false); // Default=false

As you see I've set second and third to false when their default is true

What do you think of these two default values? When set to true (default) does it mean that, given dom.indexedDB.enabled is set to true, given a site uses dom.indexedDB it would be possible for that site to keep the user's login credentials in his dedicated storage folder? If so, do you believe it is pertinent to set these settings to false as I do or is this insignificant?

[Atavic]

@earthlng https://github.com/pyllyukko/user.js/issues/263#issuecomment-302173998

[earthlng]

Firefox currently continues the connection

then why am I getting a hard fail? Can you test this yourself please

[Atavic]

OCSP Expect-Staple is @ScottHelme own proposal.

Security vs Privacy: https://github.com/schomery/privacy-settings/issues/40#issuecomment-212036350

[ScottHelme]

You can still set hard fail revocation checking in Firefox, have you perhaps configured this at any point? Go to about:config and check security.OCSP.require is set to false.

Depending on your build the OCSP request will currently timeout after 3s or 1s and load the page without completing the revocation check.

[ScottHelme]

In honesty I think we could probably get a long way there with sites supporting stapling. The OCSP response is valid for 7 days so a site only needs to refresh it every 24 hours and they can weather a 6 day outage of the responder.

On top of that, almost no CA actually runs their own responders without fronting them with a CDN. The OCSP request is just a HTTP GET and large providers like Akamai will front up OCSP responders and serve cached responses on behalf of the CA. I could understand historic concerns where the CA didn't have CDN support but it's 2017, I think we should be able to do OCSP properly.

[earthlng]

have you perhaps configured this at any point?

No, security.OCSP.require is and was set to false. I've tested 2 FF's, ESR52.2.1 + FF54.0.1, and I can't get your testsite to soft fail. I've also tried 2 different ways of blocking the OCSP server - HOSTS + uBlock Origin - same result. It's actually the same behavior when security.OCSP.enabled is set to 0 (=disabled) ie

A required TLS feature is missing. Error code: MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

... no soft fail. IDK why. Maybe FF just doesn't soft fail atm?

but it's 2017, I think we should be able to do OCSP properly.

Would be nice. ATM IMHO OCSP without stapling seems worse than useless because of the privacy concerns. I would just set security.OCSP.enabled to 0 but I fear that would also disable OCSP stapling.

[ScottHelme]

Ah... wait. I just had a thought and this is a serious derp. The certificate has the OCSP Must-Staple flag set and I'm not stapling to for an online OCSP check...

https://report-uri.io/home/certificate_analyser/https%3A%2F%2Frevoked.scotthelme.co.uk

Yeah... I'm going to go fix this now.

[ScottHelme]

Ok I renewed without the OCSP Must-Staple flag and revoked, we're good :)

[ScottHelme]

It'd be awesome if you could use the link to my site 👍

[earthlng]

Ok I renewed without the OCSP Must-Staple flag and revoked, we're good :)

Thanks, now it works as expected ie soft-fail

@Thorin-Oakenpants what do you think, should we enable hard-fail by setting OSCP.require=true? IMO yes

[earthlng]

security.pki.certificate_transparency.mode

This is the meta ticket for Certificate Transparency

Btw atm they disabled it again because certificate transparency signature verifications negatively impact TLS handshake performance

Re-enable Certificate Transparency telemetry collection - NEW Unassigned

[earthlng]

@Thorin-Oakenpants totally OT but holy shit, just in case you missed the details of this as I did until today: (and it kinda fits in this issue of "to investigate / keep an eye on")

https://www.lgraham.senate.gov/public/_cache/files/4766f54d-d433-4055-9f3d-c94f97eeb1c0/testimony-of-sean-edgett-acting-general-counsel-twitter.pdf

With respect to #DNCLeak, approximately 23,000 users posted around 140,000 unique Tweets with that hashtag in the relevant period. Of those Tweets, roughly 2% were from potentially Russian-linked accounts. As noted above, our automated systems at the time detected, labeled, and hid just under half (48%) of all the original Tweets with #DNCLeak. Of the total Tweets with the hashtag, 0.84% were hidden and also originated from accounts that met at least one of the criteria for a Russian-linked account.

TWITTER censored 48% of tweets with #DNCLeak and only 0.84% of those were from potentially Russian-linked accounts - WTF?! Thank god RT now needs to register as agents of a foreign country :man_facepalming: ... and the bitch still lost - oh the irony xD

oh and that's not all:

In the two months preceding the election, around 57,000 users posted approximately 426,000 unique Tweets containing variations of the #PodestaEmails hashtag. Approximately one quarter (25%) of those Tweets received internal tags from our automation detection systems that hid them from searches.

[earthlng]

I started working on a NoRedirect replacement but there's no good way to stop refreshes yet.

[Atavic]

If true, it gives a pop-up like this: This web page is being redirected to a new location. Would you like to resend the form data you have typed to the new location?

It's companion entry is: accessibility.blockautorefresh

[Atavic]

About

/* 2421: disable Ion and baseline JIT to help harden JS against exploits such as CVE-2015-0817

...there are more recent exploits, listed here.

Source follows: https://rh0dev.github.io/blog/2017/the-return-of-the-jit/

[Atavic]

This is bad:

Send telemetry events for each action on an extension

I posted in this issue, although I suggest to create a sticky for telemetry issues only.

[earthlng]

I suggest to create a sticky for telemetry issues only.

we have telemetry disabled in more ways than it's probably necessary so telemetry is really not an issue and we don't need a sticky for that.

[Atavic]

Regarding Certificates, there's a VPN Guide linked here where it says to remove the trust on the certificates you don't use.

[Atavic]

Entry:

plugin.disable_full_page_plugin_for_types

Value:

application/pdf,application/doc,application/xls,application/bat,application/ppt,application/mdb,application/mde,application/fdf,application/xfdf,application/lsl,application/lso,appliation/lss,application/iqy,application/rqy,application/xlk,application/pot,application/pps,application/dot,application/wbk,application/ps,application/eps,application/wch,application/wcm,application/wbi,application/wb1,application/wb3,application/rtf,application/wch,application/wcm,application/ad,application/adp,application/xlt,application/dos,application/wks

Source listed here

[earthlng]

nvm, I should have read the patch more carefully. The pref is still there and it's no longer hidden either. sorry about that

[Thorin-Oakenpants]

closing this locked topic - it's only used by myself, and I don't need it anymore