ToDo: diffs FF59-FF60

[earthlng]

• FF60 Release Notes
• FF60 for Developers
• FF60 Site Compatibilty

---

new in v59 ^{stuff we forgot}

• layout.css.moz-document.content.enabled=false
  • changed in FF61 with an exception to avoid breakage
  • dom.registerContentHandler.enabled
  • will be changed in FF62

scratchpad scripts

• [x] being an ESR major release, we can redo our scratchpad scripts up to ESR60

---

new in v60.0:

• [x] Normandy / Shield 1436113 - https://github.com/ghacksuserjs/ghacks-user.js/commit/04f14490035d12c059f4a07a124681be1c843c68 https://github.com/ghacksuserjs/ghacks-user.js/commit/bc17b4e450ca4de944f89817e1f5fc6f07bb57eb
  • pref("app.normandy.api_url", "https://normandy.cdn.mozilla.net/api/v1");
  • pref("app.normandy.enabled", true);
  • pref("app.shield.optoutstudies.enabled", true);
• [x] pref("browser.cache.offline.insecure.enable", true); 1354175 - https://github.com/ghacksuserjs/ghacks-user.js/commit/d04ff8457e49877ed8e5f50fffde57a9af3e1e3d
• [x] Browser Error Reporter 1426482 - https://github.com/ghacksuserjs/ghacks-user.js/commit/6309822d336011a05ba454d544abcfdbf35176bb
  • pref("browser.chrome.errorReporter.enabled", false);
  • pref("browser.chrome.errorReporter.submitUrl", "https://sentry.prod.mozaws.net/api/339/store/");
• [x] pref("extensions.screenshots.upload-disabled", false); 1432694 - https://github.com/ghacksuserjs/ghacks-user.js/commit/75534b4e6c6b4dfad135710fcf0b01cb6d6e7118
• [x] pref("extensions.webextensions.restrictedDomains", "accounts-static.cdn.mozilla.net,accounts.firefox.com,addons.cdn.mozilla.net,addons.mozilla.org,api.accounts.firefox.com,content.cdn.mozilla.net,content.cdn.mozilla.net,discovery.addons.mozilla.org,input.mozilla.org,install.mozilla.org,oauth.accounts.firefox.com,profile.accounts.firefox.com,support.mozilla.org,sync.services.mozilla.com,testpilot.firefox.com"); 1415644: Access Denied - https://github.com/ghacksuserjs/ghacks-user.js/commit/cd322f39a4f0212d53fb935b6c31eb179f989d2c
• [x] pref("network.cookie.same-site.enabled", true); 795346 - https://github.com/ghacksuserjs/ghacks-user.js/commit/40db113d07733df58872d54b269505f571a9243d
• [x] pref("network.ftp.enabled", true); - https://github.com/ghacksuserjs/ghacks-user.js/commit/b880c9da61ce97eabd00d7599f69352737ccfda8
• [x] TRR (Trusted Recursive Resolver) 1434852 - see #410 - https://github.com/ghacksuserjs/ghacks-user.js/commit/b89e24726345014d3c8e64a609a82f0549d394c5
  • pref("network.trr.mode", 0);
  • pref("network.trr.bootstrapAddress", "");
  • pref("network.trr.uri", "");
• [x] security.insecure_connection_text* - 1335970 - https://github.com/ghacksuserjs/ghacks-user.js/commit/e373a0f6e10b5727368d6d2b5f5ce9117f5dffb7
  • pref("security.insecure_connection_text.enabled", false);
  • pref("security.insecure_connection_text.pbmode.enabled", false);
• pref("identity.fxaccounts.enabled", true); 5000
• NOT added to the user.js but leaving here for visibility:
  • pref("security.pki.distrust_ca_policy", 1);
    • Symantec certificates issued before June 2016 are now distrusted
  • pref("dom.registerProtocolHandler.insecure.enabled", true);
    • will be changed in FF62

removed, renamed or hidden in v60.0:

ALL DONE - https://github.com/ghacksuserjs/ghacks-user.js/commit/d10c8598f7f150672b9cabd539db0ff5bb000455 & https://github.com/ghacksuserjs/ghacks-user.js/commit/8f2b674910e646780c0fca2e01281f6c9618df99 & https://github.com/ghacksuserjs/ghacks-user.js/commit/c5a1a038d2dc1051ce4510faad54210234d83c17

• [x] pref("browser.newtabpage.activity-stream.enabled", true); 1433324
• [x] pref("browser.newtabpage.directory.source", "https://tiles.services.mozilla.com/..."); 1370930
• [x] pref("browser.newtabpage.enhanced", true); 1433133
• [x] pref("browser.newtabpage.introShown", false); 1433133
• [x] pref("dom.workers.enabled", true); 1434934
• [x] pref("view_source.tab", true); 1418403
• [x] pref("extensions.shield-recipe-client.enabled", true); 1436113
• [x] pref("extensions.shield-recipe-client.api_url", "https://normandy.cdn.mozilla.net/api/v1"); 1436113

changed in v60.0:

• [x] the parrot needs some love - article, 107264, 440908, 1423840 - https://github.com/ghacksuserjs/ghacks-user.js/commit/67360332abd2f6bf8b56b5640eb95c71c44d7214
  • [x] fix wiki stuff about the parrot
• [x] privacy.resistFingerprinting.block_mozAddonManager (4503) -> active - https://github.com/ghacksuserjs/ghacks-user.js/commit/7d65d8c17369793aa338a4afc6c5fc0daca4d33a
  • this is due to the new pref extensions.webextensions.restrictedDomains
• pref("security.tls.version.max", 4); // prev: 3 1202

redundant in 60 due to RFP ^{privacy.resistFingerprinting}

• [x] webgl.enable-debug-renderer-info 2011 1337157 - https://github.com/ghacksuserjs/ghacks-user.js/commit/c4a1583e99355364a6b1c831aee9b4a2a03503f1

---

ignore

click me for details

==NEW ```js pref("app.normandy.dev_mode", false); pref("app.normandy.first_run", true); pref("app.normandy.logging.level", 50); pref("app.normandy.run_interval_seconds", 86400); pref("app.normandy.shieldLearnMoreUrl", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield"); pref("browser.chrome.errorReporter.infoURL", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/nightly-error-collection"); pref("browser.chrome.errorReporter.logLevel", "Error"); pref("browser.chrome.errorReporter.projectId", "339"); pref("browser.chrome.errorReporter.publicKey", "c709cb7a2c0b4f0882fcc84a5af161ec"); pref("browser.chrome.errorReporter.sampleRate", "0.001"); pref("browser.newtabpage.activity-stream.enableWideLayout", true); pref("browser.newtabpage.activity-stream.section.highlights.includePocket", true); pref("browser.newtabpage.activity-stream.sectionOrder", "topsites,topstories,highlights"); pref("browser.newtabpage.activity-stream.telemetry.ut.events", false); pref("browser.newtabpage.activity-stream.topSitesRows", 1); pref("browser.startup.blankWindow", false); pref("browser.urlbar.openintab", false); pref("device.sensors.ambientLight.enabled", true); pref("device.sensors.motion.enabled", true); pref("device.sensors.orientation.enabled", true); pref("device.sensors.proximity.enabled", true); pref("devtools.browserconsole.filter.css", false); pref("devtools.browserconsole.filter.debug", true); pref("devtools.browserconsole.filter.net", false); pref("devtools.browserconsole.new-frontend-enabled", false); pref("devtools.browserconsole.ui.filterbar", false); pref("devtools.debugger.features.replay", false); pref("devtools.policy.disabled", false); pref("devtools.responsive.reloadConditions.touchSimulation", false); pref("devtools.responsive.reloadConditions.userAgent", false); pref("devtools.responsive.reloadNotification.enabled", true); pref("dom.keyboardevent.keypress.dispatch_non_printable_keys_only_system_group_in_content", false); pref("dom.push.alwaysConnect", false); pref("dom.serviceWorkers.update_delay", 1000); pref("dom.webdriver.enabled", true); pref("dom.webmidi.enabled", false); pref("extensions.getAddons.compatOverides.url", "https://services.addons.mozilla.org/api/v3/addons/compat-override/?guid=%IDS%&lang=%LOCALE%"); pref("extensions.langpacks.signatures.required", false); pref("general.document_open_conversion_depth_limit", 20); pref("identity.fxaccounts.remote.root", "https://accounts.firefox.com/"); pref("image.animated.decode-on-demand.batch-size", 6); pref("image.animated.decode-on-demand.threshold-kb", 4194303); pref("image.mem.animated.use_heap", false); pref("image.mem.volatile.min_threshold_kb", -1); pref("image.multithreaded_decoding.idle_timeout", 600000); pref("intl.tsf.hack.japanist10.do_not_return_no_layout_error_of_composition_string", true); pref("javascript.options.array_prototype_values", true); pref("javascript.options.spectre.jit_to_C++_calls", true); pref("javascript.options.spectre.object_mitigations.barriers", true); pref("javascript.options.spectre.object_mitigations.misc", true); pref("javascript.options.spectre.string_mitigations", true); pref("javascript.options.spectre.value_masking", true); pref("layers.omtp.dump-capture", false); pref("layout.css.individual-transform.enabled", false); pref("layout.css.paint-order.enabled", true); pref("layout.word_select.stop_at_underscore", false); pref("marionette.debugging.clicktostart", false); pref("marionette.enabled", false); pref("media.cubeb.sandbox", false); pref("media.getusermedia.camera.off_while_disabled.delay_ms", 3000); pref("media.getusermedia.camera.off_while_disabled.enabled", true); pref("media.getusermedia.microphone.off_while_disabled.delay_ms", 3000); pref("media.getusermedia.microphone.off_while_disabled.enabled", true); pref("network.dns.native-is-localhost", false); pref("network.trr.allow-rfc1918", false); pref("network.trr.blacklist-duration", 259200); pref("network.trr.confirmationNS", "example.com"); pref("network.trr.credentials", ""); pref("network.trr.early-AAAA", false); pref("network.trr.request-timeout", 3000); pref("network.trr.useGET", false); pref("network.trr.wait-for-portal", true); pref("pdfjs.textLayerMode", 1); pref("privacy.resistFingerprinting.reduceTimerPrecision.jitter", true); pref("security.mixed_content.upgrade_display_content", false); pref("services.sync.engine.bookmarks.buffer", false); pref("services.sync.engine.passwords.validation.interval", 86400); pref("services.sync.engine.passwords.validation.maxRecords", 1000); pref("services.sync.engine.passwords.validation.percentageChance", 10); pref("services.sync.prefs.sync.browser.urlbar.matchBuckets", true); pref("services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter", true); ``` ==REMOVED or HIDDEN ```js pref("browser.newtabpage.activity-stream.aboutHome.enabled", true); pref("browser.newtabpage.activity-stream.topSitesCount", 6); pref("browser.newtabpage.columns", 5); pref("browser.newtabpage.compact", false); pref("browser.newtabpage.rows", 3); pref("browser.newtabpage.thumbnailPlaceholder", false); pref("browser.places.useAsyncTransactions", true); pref("devtools.highlighter.writingModeAdjust", false); pref("devtools.webide.monitorWebSocketURL", "ws://localhost:9000"); pref("dom.secureelement.enabled", false); pref("extensions.alwaysUnpack", false); pref("extensions.getAddons.getWithPerformance.url", "https://services.addons.mozilla.org/%LOCALE%/firefox/api/%API_VERSION%/search/guid:%IDS%?src=firefox&appOS=%OS%&appVersion=%VERSION%&tMain=%TIME_MAIN%&tFirstPaint=%TIME_FIRST_PAINT%&tSessionRestored=%TIME_SESSION_RESTORED%"); pref("extensions.hotfix.cert.checkAttributes", true); pref("extensions.hotfix.certs.1.sha1Fingerprint", "91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA"); pref("extensions.hotfix.certs.2.sha1Fingerprint", "39:E7:2B:7A:5B:CF:37:78:F9:5D:4A:E0:53:2D:2F:3D:68:53:C5:60"); pref("extensions.hotfix.id", "firefox-hotfix@mozilla.org"); pref("extensions.interposition.enabled", true); pref("extensions.interposition.prefetching", true); pref("extensions.shield-recipe-client.dev_mode", false); pref("extensions.shield-recipe-client.first_run", true); pref("extensions.shield-recipe-client.logging.level", 50); pref("extensions.shield-recipe-client.run_interval_seconds", 86400); pref("extensions.shield-recipe-client.shieldLearnMoreUrl", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield"); pref("extensions.shield-recipe-client.startup_delay_seconds", 300); pref("extensions.shield-recipe-client.user_id", ""); pref("gfx.font_loader.families_per_slice", 3); pref("identity.fxaccounts.remote.connectdevice.uri", "https://accounts.firefox.com/connect_another_device?service=sync&context=fx_desktop_v3"); pref("identity.fxaccounts.remote.email.uri", "https://accounts.firefox.com/?service=sync&context=fx_desktop_v3&action=email"); pref("identity.fxaccounts.remote.force_auth.uri", "https://accounts.firefox.com/force_auth?service=sync&context=fx_desktop_v3"); pref("identity.fxaccounts.remote.signin.uri", "https://accounts.firefox.com/signin?service=sync&context=fx_desktop_v3"); pref("identity.fxaccounts.remote.signup.uri", "https://accounts.firefox.com/signup?service=sync&context=fx_desktop_v3"); pref("identity.fxaccounts.remote.webchannel.uri", "https://accounts.firefox.com/"); pref("identity.fxaccounts.settings.devices.uri", "https://accounts.firefox.com/settings/clients?service=sync&context=fx_desktop_v3"); pref("identity.fxaccounts.settings.uri", "https://accounts.firefox.com/settings?service=sync&context=fx_desktop_v3"); pref("layout.css.stylo-blocklist.blocked_domains", ""); pref("layout.css.stylo-blocklist.enabled", false); pref("pdfjs.disableTextLayer", false); pref("pdfjs.enableHandToolOnLoad", false); pref("pdfjs.enhanceTextSelection", false); pref("security.xcto_nosniff_block_images", false); pref("services.sync.errorhandler.networkFailureReportTimeout", 1209600); pref("services.sync.prefs.sync.browser.newtabpage.enhanced", true); pref("services.sync.scheduler.eolInterval", 604800); pref("signed.applets.codebase_principal_support", false); pref("svg.paint-order.enabled", true); ``` ==CHANGED ```js pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_description\":\"pocket_description\",\"provider_icon\":\"pocket\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off\",\"stories_referrer\":\"https://getpocket.com/recommendations\",\"privacy_notice_link\":\"https://www.mozilla.org/privacy/firefox/#suggest-relevant-content\",\"disclaimer_link\":\"https://getpocket.com/firefox/new_tab_learn_more\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false,\"personalized\":true}"); // prev: "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_header\":\"pocket_feedback_header\",\"provider_description\":\"pocket_description\",\"provider_icon\":\"pocket\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"stories_referrer\":\"http://getpocket.com/recommendations\",\"info_link\":\"https://www.mozilla.org/privacy/firefox/#pocketstories\",\"disclaimer_link\":\"https://getpocket.com/firefox/new_tab_learn_more.php\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false,\"personalized\":true}" pref("browser.safebrowsing.provider.mozilla.lists", "long-string"); // prev: "long-string" pref("browser.schedulePressure.timeoutMs", 300); // prev: 1000 pref("devtools.debugger.features.root", true); // prev: false pref("dom.ipc.useNativeEventProcessing.content", false); // prev: true pref("editor.use_div_for_default_newlines", true); // prev: false pref("extensions.getAddons.get.url", "https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE%"); // prev: "https://services.addons.mozilla.org/%LOCALE%/firefox/api/%API_VERSION%/search/guid:%IDS%?src=firefox&appOS=%OS%&appVersion=%VERSION%" pref("font.name-list.sans-serif.ko", "Malgun Gothic, Gulim"); // prev: "Gulim, Malgun Gothic" pref("gfx.webrender.blob-images", 1); // prev: 2 pref("gfx.webrender.hit-test", true); // prev: false pref("layout.css.servo.chrome.enabled", true); // prev: false pref("dom.moduleScripts.enabled", true); // prev: false pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 1000); // prev: 2000 pref("security.sandbox.content.level", 5); // prev: 4 pref("security.webauth.webauthn", true); // prev: false pref("urlclassifier.disallow_completions", "long-string"); // prev: "long-string" ```

[earthlng]

bugzilla tickets

* app.normandy.api_url Bug [1436113](https://bugzilla.mozilla.org/show_bug.cgi?id=1436113) - Part 2: Refactor "shield-recipe-client" to "normandy" * app.normandy.dev_mode Bug [1436113](https://bugzilla.mozilla.org/show_bug.cgi?id=1436113) - Part 2: Refactor "shield-recipe-client" to "normandy" * app.normandy.enabled Bug [1436113](https://bugzilla.mozilla.org/show_bug.cgi?id=1436113) - Part 2: Refactor "shield-recipe-client" to "normandy" * app.normandy.logging.level Bug [1436113](https://bugzilla.mozilla.org/show_bug.cgi?id=1436113) - Part 2: Refactor "shield-recipe-client" to "normandy" * app.normandy.run_interval_seconds Bug [1436113](https://bugzilla.mozilla.org/show_bug.cgi?id=1436113) - Part 2: Refactor "shield-recipe-client" to "normandy" * app.normandy.shieldLearnMoreUrl Bug [1436113](https://bugzilla.mozilla.org/show_bug.cgi?id=1436113) - Part 2: Refactor "shield-recipe-client" to "normandy" * app.shield.optoutstudies.enabled Bug [1436113](https://bugzilla.mozilla.org/show_bug.cgi?id=1436113) - Part 2: Refactor "shield-recipe-client" to "normandy" * browser.cache.offline.insecure.enable Bug [1354175](https://bugzilla.mozilla.org/show_bug.cgi?id=1354175) - Disable AppCache in insecure contexts. * browser.chrome.errorReporter.enabled Bug [1426482](https://bugzilla.mozilla.org/show_bug.cgi?id=1426482) Report browser errors in Nightly to Mozilla. * browser.chrome.errorReporter.infoURL Bug [1426482](https://bugzilla.mozilla.org/show_bug.cgi?id=1426482) Report browser errors in Nightly to Mozilla. * browser.chrome.errorReporter.logLevel Bug [1426482](https://bugzilla.mozilla.org/show_bug.cgi?id=1426482) Report browser errors in Nightly to Mozilla. * browser.chrome.errorReporter.projectId Bug [1426482](https://bugzilla.mozilla.org/show_bug.cgi?id=1426482) Report browser errors in Nightly to Mozilla. * browser.chrome.errorReporter.publicKey Bug [1426482](https://bugzilla.mozilla.org/show_bug.cgi?id=1426482) Report browser errors in Nightly to Mozilla. * browser.chrome.errorReporter.sampleRate Bug [1426482](https://bugzilla.mozilla.org/show_bug.cgi?id=1426482) Report browser errors in Nightly to Mozilla. * browser.chrome.errorReporter.submitUrl Bug [1426482](https://bugzilla.mozilla.org/show_bug.cgi?id=1426482) Report browser errors in Nightly to Mozilla. * browser.newtabpage.activity-stream.aboutHome.enabled Bug [1433324](https://bugzilla.mozilla.org/show_bug.cgi?id=1433324) - Part 1. Assume true for browser.newtabpage.activity-stream.aboutHome.enabled. Bug [1396274](https://bugzilla.mozilla.org/show_bug.cgi?id=1396274) - Disable Activity Stream about:home in browser_aboutHome.js Bug [1392324](https://bugzilla.mozilla.org/show_bug.cgi?id=1392324) - Add pref to enable Activity Stream on about:home. * browser.newtabpage.activity-stream.enabled Bug [1433324](https://bugzilla.mozilla.org/show_bug.cgi?id=1433324) - Part 3. Assume true for browser.newtabpage.activity-stream.enabled * browser.newtabpage.columns Bug [1433133](https://bugzilla.mozilla.org/show_bug.cgi?id=1433133) - remove unused prefs and exported bits from NewTabUtils.jsm, * browser.newtabpage.compact Bug [1433133](https://bugzilla.mozilla.org/show_bug.cgi?id=1433133) - remove unused prefs and exported bits from NewTabUtils.jsm, * browser.newtabpage.directory.source Bug [1370930](https://bugzilla.mozilla.org/show_bug.cgi?id=1370930) - remove DirectoryLinksProvider, * browser.newtabpage.enhanced Bug [1433133](https://bugzilla.mozilla.org/show_bug.cgi?id=1433133) - remove unused prefs and exported bits from NewTabUtils.jsm, * browser.newtabpage.introShown Bug [1433133](https://bugzilla.mozilla.org/show_bug.cgi?id=1433133) - remove unused prefs and exported bits from NewTabUtils.jsm, * browser.newtabpage.rows Bug [1433133](https://bugzilla.mozilla.org/show_bug.cgi?id=1433133) - remove unused prefs and exported bits from NewTabUtils.jsm, * browser.newtabpage.thumbnailPlaceholder Bug [1433133](https://bugzilla.mozilla.org/show_bug.cgi?id=1433133) - remove unused prefs and exported bits from NewTabUtils.jsm, * browser.places.useAsyncTransactions Bug [1131491](https://bugzilla.mozilla.org/show_bug.cgi?id=1131491) - Remove browser.places.useAsyncTransactions preference - async transactions are now the only version. * browser.policies.enabled Bug [1442759](https://bugzilla.mozilla.org/show_bug.cgi?id=1442759) - Enable the policy engine by default on Nightly and early Betas. * browser.safebrowsing.provider.mozilla.lists Bug [1423229](https://bugzilla.mozilla.org/show_bug.cgi?id=1423229) - [4.0] Add support for category-based tracking lists. * browser.schedulePressure.timeoutMs Bug [1436423](https://bugzilla.mozilla.org/show_bug.cgi?id=1436423) - Reduce the schedule pressure limit closer to the values that users are reporting. Bug [1406414](https://bugzilla.mozilla.org/show_bug.cgi?id=1406414) - Switch to an APNG loading indicator when the browser is under schedule pressure. * browser.startup.blankWindow Bug [1336227](https://bugzilla.mozilla.org/show_bug.cgi?id=1336227) - Show about:blank as soon as possible during startup (pref'ed off), * browser.urlbar.openintab Bug [1394304](https://bugzilla.mozilla.org/show_bug.cgi?id=1394304): Part 1 - Use pref to control whether to open url bar results in a new tab. * device.sensors.ambientLight.enabled Bug [1359076](https://bugzilla.mozilla.org/show_bug.cgi?id=1359076): Disable all Device Sensor APIs except orientation by default * device.sensors.motion.enabled Bug [1359076](https://bugzilla.mozilla.org/show_bug.cgi?id=1359076): Disable all Device Sensor APIs except orientation by default * device.sensors.orientation.enabled Bug [1359076](https://bugzilla.mozilla.org/show_bug.cgi?id=1359076): Disable all Device Sensor APIs except orientation by default * device.sensors.proximity.enabled Bug [1359076](https://bugzilla.mozilla.org/show_bug.cgi?id=1359076): Disable all Device Sensor APIs except orientation by default * devtools.browserconsole.filter.css Bug [1435092](https://bugzilla.mozilla.org/show_bug.cgi?id=1435092) - Add a util object to manage preferences; Bug [1204808](https://bugzilla.mozilla.org/show_bug.cgi?id=1204808) - Move devtools prefs to its own file in /devtools folder. * devtools.browserconsole.filter.debug Bug [1435092](https://bugzilla.mozilla.org/show_bug.cgi?id=1435092) - Add a util object to manage preferences; * devtools.browserconsole.filter.net Bug [1435092](https://bugzilla.mozilla.org/show_bug.cgi?id=1435092) - Add a util object to manage preferences; Bug [1204808](https://bugzilla.mozilla.org/show_bug.cgi?id=1204808) - Move devtools prefs to its own file in /devtools folder. * devtools.browserconsole.new-frontend-enabled Bug [1435084](https://bugzilla.mozilla.org/show_bug.cgi?id=1435084) - Create a pref to enable the new console UI in the browser console;r=nchevobbe * devtools.browserconsole.ui.filterbar Bug [1435092](https://bugzilla.mozilla.org/show_bug.cgi?id=1435092) - Add a util object to manage preferences; * devtools.devedition.promo.enabled Bug [1204808](https://bugzilla.mozilla.org/show_bug.cgi?id=1204808) - Move devtools prefs to its own file in /devtools folder. * devtools.highlighter.writingModeAdjust Bug [1430919](https://bugzilla.mozilla.org/show_bug.cgi?id=1430919) - Enable grid highlighter writing mode support. Bug [1303171](https://bugzilla.mozilla.org/show_bug.cgi?id=1303171) - Adjust highlighters to account for writing mode and text dir. * devtools.responsive.reloadConditions.touchSimulation Bug [1428816](https://bugzilla.mozilla.org/show_bug.cgi?id=1428816) - Add RDM UI to control whether we reload. * devtools.responsive.reloadConditions.userAgent Bug [1428816](https://bugzilla.mozilla.org/show_bug.cgi?id=1428816) - Add RDM UI to control whether we reload. * devtools.responsive.reloadNotification.enabled Bug [1428816](https://bugzilla.mozilla.org/show_bug.cgi?id=1428816) - Show reload help on first RDM open. * dom.ipc.useNativeEventProcessing.content Bug [1430744](https://bugzilla.mozilla.org/show_bug.cgi?id=1430744): Stop processing native events in the content process on Windows in Nightly. * dom.keyboardevent.keypress.dispatch_non_printable_keys_only_system_group_in_content Bug [1443117](https://bugzilla.mozilla.org/show_bug.cgi?id=1443117) - Restart to dispatch "keypress" event for non-printable keys and key combinations on Nightly and early-Beta until Google fixes related bugs of their web apps Bug [1440189](https://bugzilla.mozilla.org/show_bug.cgi?id=1440189) - part 1: Stop dispatching keypress event to the default event group in web content (only Nightly and early Beta) Bug [1433101](https://bugzilla.mozilla.org/show_bug.cgi?id=1433101) - part 1: Add new pref which disables keypress event for non-printable keys only for the default event group in web content * dom.moduleScripts.enabled Bug [1438139](https://bugzilla.mozilla.org/show_bug.cgi?id=1438139) - Enable <script type="module"> by default Bug [1428685](https://bugzilla.mozilla.org/show_bug.cgi?id=1428685) - Use dom.webcomponents.shadowdom.enabled pref for Shadow DOM. * dom.push.alwaysConnect Bug [1440467](https://bugzilla.mozilla.org/show_bug.cgi?id=1440467) - Add a pref to always connect to the Push server without existing subscriptions. * dom.registerContentHandler.enabled Bug [1398169](https://bugzilla.mozilla.org/show_bug.cgi?id=1398169) - Use pref to disable registerContentHandler in non stable builds. * dom.registerProtocolHandler.insecure.enabled Bug [1429732](https://bugzilla.mozilla.org/show_bug.cgi?id=1429732) - Use a pref to disable registerProtocolHandler in insecure contexts. * dom.secureelement.enabled Bug [1353329](https://bugzilla.mozilla.org/show_bug.cgi?id=1353329) - Remove remains of SecureElement API. * dom.serviceWorkers.update_delay Bug [1432846](https://bugzilla.mozilla.org/show_bug.cgi?id=1432846) - Delay update runnables from service workers that don't control any clients. * dom.webdriver.enabled Bug [1169290](https://bugzilla.mozilla.org/show_bug.cgi?id=1169290) - Guard navigator.webdriver behind dom.webdriver.enabled pref. * dom.webmidi.enabled Bug [1201590](https://bugzilla.mozilla.org/show_bug.cgi?id=1201590) - WebMIDI Utility classes; * dom.workers.enabled Bug [1434934](https://bugzilla.mozilla.org/show_bug.cgi?id=1434934) - Remove dom.workers.enabled pref, * editor.use_div_for_default_newlines Bug [1430551](https://bugzilla.mozilla.org/show_bug.cgi?id=1430551) - Make editor use <div> as defaultParagraphSeparator even in release channel * extensions.alwaysUnpack Bug [1444502](https://bugzilla.mozilla.org/show_bug.cgi?id=1444502): Remove support for installing unpacked extensions. * extensions.getAddons.compatOverides.url Bug [1402064](https://bugzilla.mozilla.org/show_bug.cgi?id=1402064) Switch to modern AMO metadata API * extensions.getAddons.get.url Bug [1402064](https://bugzilla.mozilla.org/show_bug.cgi?id=1402064) Switch to modern AMO metadata API * extensions.getAddons.getWithPerformance.url Bug [1402064](https://bugzilla.mozilla.org/show_bug.cgi?id=1402064) Switch to modern AMO metadata API * extensions.hotfix.cert.checkAttributes Bug [1356331](https://bugzilla.mozilla.org/show_bug.cgi?id=1356331) Remove hotfix code from addons manager and related tests * extensions.hotfix.certs.1.sha1Fingerprint Bug [1356331](https://bugzilla.mozilla.org/show_bug.cgi?id=1356331) Remove hotfix code from addons manager and related tests * extensions.hotfix.certs.2.sha1Fingerprint Bug [1356331](https://bugzilla.mozilla.org/show_bug.cgi?id=1356331) Remove hotfix code from addons manager and related tests * extensions.hotfix.id Bug [1356331](https://bugzilla.mozilla.org/show_bug.cgi?id=1356331) Remove hotfix code from addons manager and related tests * extensions.interposition.enabled Bug [1443983](https://bugzilla.mozilla.org/show_bug.cgi?id=1443983): Part 2 - Remove remaining interpositions. Bug [1412456](https://bugzilla.mozilla.org/show_bug.cgi?id=1412456) - Disable add-on interposition * extensions.interposition.prefetching Bug [1443983](https://bugzilla.mozilla.org/show_bug.cgi?id=1443983): Part 2 - Remove remaining interpositions. * extensions.langpacks.signatures.required Bug [1444487](https://bugzilla.mozilla.org/show_bug.cgi?id=1444487) Add preference for langpack signing. * extensions.screenshots.upload-disabled Bug [1432694](https://bugzilla.mozilla.org/show_bug.cgi?id=1432694) - Add a default value for the Screenshots upload-disabled pref; * extensions.webextensions.restrictedDomains Bug [1415644](https://bugzilla.mozilla.org/show_bug.cgi?id=1415644): Create a list of restricted domains. * font.name-list.sans-serif.ko Bug [1431570](https://bugzilla.mozilla.org/show_bug.cgi?id=1431570) - Use Malgun Gothic as default font of Korean on release channel. * general.document_open_conversion_depth_limit Bug [1440663](https://bugzilla.mozilla.org/show_bug.cgi?id=1440663) - Add a preference to limit document opening data conversion recursion depth to nsDocumentOpenInfo, * gfx.font_loader.families_per_slice Bug [1440411](https://bugzilla.mozilla.org/show_bug.cgi?id=1440411) - Remove the obsolete gfx.font_loader.families_per_slice pref (no longer used by any code). * gfx.webrender.blob-images Bug [1362115](https://bugzilla.mozilla.org/show_bug.cgi?id=1362115) - turn on blob-images by default with webrender. Bug [1425260](https://bugzilla.mozilla.org/show_bug.cgi?id=1425260): gfx.webrender.all turns on all preferences that are needed for webrender. * gfx.webrender.hit-test Bug [1421380](https://bugzilla.mozilla.org/show_bug.cgi?id=1421380) - Enable gfx.webrender.hit-test by default. Bug [1423982](https://bugzilla.mozilla.org/show_bug.cgi?id=1423982) - Only do the WR-based hit-test if WR is enabled. * identity.fxaccounts.enabled Bug [1434706](https://bugzilla.mozilla.org/show_bug.cgi?id=1434706) - Add identity.fxaccounts.enabled pref to disable Sync and FxA. * identity.fxaccounts.remote.connectdevice.uri Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. Bug [1418466](https://bugzilla.mozilla.org/show_bug.cgi?id=1418466) - Add Connect Another Device button to relevant Sync UI. * identity.fxaccounts.remote.email.uri Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. Bug [1411714](https://bugzilla.mozilla.org/show_bug.cgi?id=1411714) - Handle action=email in about:accounts. * identity.fxaccounts.remote.force_auth.uri Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. * identity.fxaccounts.remote.root Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. * identity.fxaccounts.remote.signin.uri Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. * identity.fxaccounts.remote.signup.uri Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. * identity.fxaccounts.remote.webchannel.uri Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. * identity.fxaccounts.settings.devices.uri Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. * identity.fxaccounts.settings.uri Bug [1427674](https://bugzilla.mozilla.org/show_bug.cgi?id=1427674) - Unify FxA content server URL preferences. * image.animated.decode-on-demand.batch-size Bug [523950](https://bugzilla.mozilla.org/show_bug.cgi?id=523950) - Part 3. Add preferences to control animated image decoding behaviour. * image.animated.decode-on-demand.threshold-kb Bug [523950](https://bugzilla.mozilla.org/show_bug.cgi?id=523950) - Part 3. Add preferences to control animated image decoding behaviour. * image.mem.animated.use_heap Bug [1427639](https://bugzilla.mozilla.org/show_bug.cgi?id=1427639) - Part 1. Add preferences to control image frame allocations in volatile memory or the heap. * image.mem.volatile.min_threshold_kb Bug [1427639](https://bugzilla.mozilla.org/show_bug.cgi?id=1427639) - Part 1. Add preferences to control image frame allocations in volatile memory or the heap. * image.multithreaded_decoding.idle_timeout Bug [1436247](https://bugzilla.mozilla.org/show_bug.cgi?id=1436247) - Part 2. Shutdown idle image decoder threads after the configured timeout. * intl.tsf.hack.japanist10.do_not_return_no_layout_error_of_composition_string Bug [1435730](https://bugzilla.mozilla.org/show_bug.cgi?id=1435730) - part 1: Make TSFTextStore::GetTextExt() not return TS_E_NOLAYOUT error to Japanist 10 when the range is in composition string * javascript.options.array_prototype_values Bug [1420101](https://bugzilla.mozilla.org/show_bug.cgi?id=1420101) - Add default enabled pref for Array.prototype.values. * javascript.options.spectre.jit_to_C++_calls Bug [1438886](https://bugzilla.mozilla.org/show_bug.cgi?id=1438886) - Prevent speculative execution after returning from GC-capable C++ code. * javascript.options.spectre.object_mitigations.barriers Bug [1437483](https://bugzilla.mozilla.org/show_bug.cgi?id=1437483) part 3 - Enable Ion object type barrier mitigations by default. Bug [1437483](https://bugzilla.mozilla.org/show_bug.cgi?id=1437483) part 1 - Add pref for Spectre mitigations for Ion object type barriers. * javascript.options.spectre.object_mitigations.misc Bug [1442561](https://bugzilla.mozilla.org/show_bug.cgi?id=1442561) part 3 - Flip the pref. Bug [1442561](https://bugzilla.mozilla.org/show_bug.cgi?id=1442561) part 1 - Add browser pref for misc Spectre object type mitigations. * javascript.options.spectre.string_mitigations Bug [1434230](https://bugzilla.mozilla.org/show_bug.cgi?id=1434230) part 4 - Enable Spectre string mitigations by default. Bug [1434230](https://bugzilla.mozilla.org/show_bug.cgi?id=1434230) part 1 - Some Spectre mitigations for loadStringChars. * javascript.options.spectre.value_masking Bug [1433111](https://bugzilla.mozilla.org/show_bug.cgi?id=1433111) - Add JS Shell and about:config switch for Value masking. * layers.omtp.dump-capture Add 'layers.omtp.dump-capture' for logging DrawTargetCapture (bug [1435938](https://bugzilla.mozilla.org/show_bug.cgi?id=1435938), * layout.css.individual-transform.enabled Bug [1207734](https://bugzilla.mozilla.org/show_bug.cgi?id=1207734) - Part 2. Add a preference to enable/disable individual transform. * layout.css.paint-order.enabled Bug [1435684](https://bugzilla.mozilla.org/show_bug.cgi?id=1435684) - Enable the paint-order property for HTML text. Bug [1426146](https://bugzilla.mozilla.org/show_bug.cgi?id=1426146) - patch 2 - Support the paint-order property for HTML text (in addition to SVG); currently preffed-off by default. * layout.css.servo.chrome.enabled Bug [1417138](https://bugzilla.mozilla.org/show_bug.cgi?id=1417138) part 2 - Enable stylo-chrome by default. Bug [1430014](https://bugzilla.mozilla.org/show_bug.cgi?id=1430014) - Part 1: Add --enable-stylo=only configure option and MOZ_OLD_STYLE define. * layout.css.stylo-blocklist.blocked_domains Bug [1426223](https://bugzilla.mozilla.org/show_bug.cgi?id=1426223) - remove Stylo domain blocklist mechanism. * layout.css.stylo-blocklist.enabled Bug [1426223](https://bugzilla.mozilla.org/show_bug.cgi?id=1426223) - remove Stylo domain blocklist mechanism. * layout.display-list.retain Bug [1413546](https://bugzilla.mozilla.org/show_bug.cgi?id=1413546) - Add pref to allow retained display lists within the parent process. * layout.word_select.stop_at_underscore Bug [1431672](https://bugzilla.mozilla.org/show_bug.cgi?id=1431672) - Add a pref to control whether underscore is treated as a word-forming character. * media.cubeb.sandbox Bug [1434156](https://bugzilla.mozilla.org/show_bug.cgi?id=1434156) - Remove nightly gate from AudioIPC for Linux. Bug [1425788](https://bugzilla.mozilla.org/show_bug.cgi?id=1425788) - Disable AudioIPC on macOS while investigating fallout. * media.getusermedia.camera.off_while_disabled.delay_ms Bug [1299515](https://bugzilla.mozilla.org/show_bug.cgi?id=1299515) - Disable turning off camera while disabled by default on android. * media.getusermedia.camera.off_while_disabled.enabled Bug [1299515](https://bugzilla.mozilla.org/show_bug.cgi?id=1299515) - Disable turning off camera while disabled by default on android. * media.getusermedia.microphone.off_while_disabled.delay_ms Bug [1436352](https://bugzilla.mozilla.org/show_bug.cgi?id=1436352) - Enable turning microphone off on track-disable by default. * media.getusermedia.microphone.off_while_disabled.enabled Bug [1436352](https://bugzilla.mozilla.org/show_bug.cgi?id=1436352) - Enable turning microphone off on track-disable by default. * network.dns.native-is-localhost bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.ftp.enabled Bug [1374114](https://bugzilla.mozilla.org/show_bug.cgi?id=1374114) - Add a pref to disable ftp. * network.tcp.tcp_fastopen_enable Bug [1431738](https://bugzilla.mozilla.org/show_bug.cgi?id=1431738) - We will disable TFO on late beta and release. Bug [1426367](https://bugzilla.mozilla.org/show_bug.cgi?id=1426367) - Turn on TFO for Windows. * network.trr.allow-rfc1918 bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.blacklist-duration bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.bootstrapAddress bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.confirmationNS bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.credentials bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.early-AAAA bug [1443489](https://bugzilla.mozilla.org/show_bug.cgi?id=1443489) - TRR: require a pref set to allow early AAAA responses * network.trr.mode bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.request-timeout bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.uri bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.useGET bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * network.trr.wait-for-portal bug [1434852](https://bugzilla.mozilla.org/show_bug.cgi?id=1434852) - introducing TRR (DOH); * privacy.resistFingerprinting.reduceTimerPrecision.jitter Bug [1425462](https://bugzilla.mozilla.org/show_bug.cgi?id=1425462) Turn jitter on by default. Bug [1425462](https://bugzilla.mozilla.org/show_bug.cgi?id=1425462) When reducing the precision of timestamps, also apply fuzzytime to them * security.insecure_connection_text.enabled Bug [1335970](https://bugzilla.mozilla.org/show_bug.cgi?id=1335970) - Add prefs to add "Not Secure" text to insecure pages. * security.insecure_connection_text.pbmode.enabled Bug [1335970](https://bugzilla.mozilla.org/show_bug.cgi?id=1335970) - Add prefs to add "Not Secure" text to insecure pages. * security.mixed_content.upgrade_display_content Bug [1440709](https://bugzilla.mozilla.org/show_bug.cgi?id=1440709) - Disabling mixed content upgrading for now. Bug [1435733](https://bugzilla.mozilla.org/show_bug.cgi?id=1435733) - Upgrade mixed display content pref. * security.pki.distrust_ca_policy Bug [1442075](https://bugzilla.mozilla.org/show_bug.cgi?id=1442075) - Enforce Symantec distrust in Firefox 60 Bug [1437754](https://bugzilla.mozilla.org/show_bug.cgi?id=1437754) - Add a pref and disable the Symantec distrust algorithm * security.sandbox.content.level Bug [1441824](https://bugzilla.mozilla.org/show_bug.cgi?id=1441824): Let level 5 (Alternate Desktop) for the Windows content sandbox ride the trains. Bug [1126437](https://bugzilla.mozilla.org/show_bug.cgi?id=1126437) - Add Linux content sandbox level 4 for blocking socket APIs. Bug [1417959](https://bugzilla.mozilla.org/show_bug.cgi?id=1417959): Bump Alternate Desktop to Level 5 and make that the Default on Nightly. Bug [1417959](https://bugzilla.mozilla.org/show_bug.cgi?id=1417959) - Bump Alternate Desktop to Level 5 and make that the Default on Nightly. Bug [1415250](https://bugzilla.mozilla.org/show_bug.cgi?id=1415250) Part 2: Make level 4 the default for the Windows content process sandbox. Bug [1402351](https://bugzilla.mozilla.org/show_bug.cgi?id=1402351) - Make the Linux level 3 / read sandbox ride the trains. Bug [1402340](https://bugzilla.mozilla.org/show_bug.cgi?id=1402340) - On non-Nightly revert back to Windows content process sandbox level 3 to fix suspected top crashes. Bug [1229829](https://bugzilla.mozilla.org/show_bug.cgi?id=1229829) - Part 2 - Use an alternate desktop on the local winstation for content processes; Bug [1388046](https://bugzilla.mozilla.org/show_bug.cgi?id=1388046) - Disable sandbox read restrictions (level 3) on beta/release. * security.webauth.webauthn Bug [1432542](https://bugzilla.mozilla.org/show_bug.cgi?id=1432542) - Enable Web Authentication Bug [1428918](https://bugzilla.mozilla.org/show_bug.cgi?id=1428918) - Enable Web Authentication in Nightly Bug [1399959](https://bugzilla.mozilla.org/show_bug.cgi?id=1399959) - Prefer hardware instead of software U2F tokens * security.xcto_nosniff_block_images Bug [1397740](https://bugzilla.mozilla.org/show_bug.cgi?id=1397740) - Removed security.xcto_nosniff_block_images from about:config * services.sync.prefs.sync.browser.newtabpage.enhanced Bug [1433133](https://bugzilla.mozilla.org/show_bug.cgi?id=1433133) - remove unused prefs and exported bits from NewTabUtils.jsm, * services.sync.prefs.sync.browser.urlbar.matchBuckets Bug [1430994](https://bugzilla.mozilla.org/show_bug.cgi?id=1430994) - Sync the browser.urlbar.matchBuckets pref. * services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter Bug [1425462](https://bugzilla.mozilla.org/show_bug.cgi?id=1425462) When reducing the precision of timestamps, also apply fuzzytime to them * signed.applets.codebase_principal_support Bug [1434952](https://bugzilla.mozilla.org/show_bug.cgi?id=1434952) - Remove signed.applets.codebase_principal_support pref. * svg.paint-order.enabled Bug [1437267](https://bugzilla.mozilla.org/show_bug.cgi?id=1437267) - Remove the svg.paint-order.enabled pref. Bug [1362115](https://bugzilla.mozilla.org/show_bug.cgi?id=1362115) - turn on blob-images by default with webrender. * urlclassifier.disallow_completions Bug [1423229](https://bugzilla.mozilla.org/show_bug.cgi?id=1423229) - [4.0] Add support for category-based tracking lists. Bug [1407879](https://bugzilla.mozilla.org/show_bug.cgi?id=1407879) - Check password field url against the local whitelist. Bug [1385484](https://bugzilla.mozilla.org/show_bug.cgi?id=1385484) - Cleanup Safe Browsing prefs and sync the download protection setting. * view_source.tab Bug [1418403](https://bugzilla.mozilla.org/show_bug.cgi?id=1418403) - Remove viewing source in a standalone window.

[crssi]

^^I have asked/pointed the CSS Exfill author to your question.

Cheers

[mlgualtieri]

Hi all, I'm the author of CSS Exfil Protection. To answer Thorin's question, no I don't believe this removal would make the plugin obsolete as the plugin guards against several other methods that could be used to exfil data (background-image, list-style, cursor, & content).

Actually, the plugin as it stands today does not block anything related to the -moz-document selector. Today is the first I've heard of this selector, although it sounds like it's getting phased out so it's likely I won't need to add protection.

(PS - I would love for a day when my plugin becomes completely obsolete. Although it's fun hacking away at it, I'd rather see the protection offered by default in major browsers.)

[Atavic]

Bug 1446470: Make the moz-document-in-content pref false by default.

See here.

The @document at-rule has been limited to use only in user and UA sheets (bug 1035091)

See here.

While @mlgualtieri plugin works by pre-processing the CSS which is loaded onto a web page.

Inspection and sanitization of each CSSRule is done through the browser's native CSSStyleSheet JavaScript API. If a CSSRule.selectorText is detected that: 1) Parses the value attribute of an element, and 2) If the corresponding CSSRule.cssText includes a call to a remote URL, a new rule is created to override the call to the remote URL.

See Defense for Web Users.

[earthlng]

certain syntax errors stop the parsing and the debug pref is still useful in those cases. We just need to change the last one to something less definite.

[earthlng]

60b9 changes since 60b5

new

pref("browser.cache.offline.insecure.enable", true); // 60b5: false pref("browser.policies.enabled", true); pref("device.sensors.ambientLight.enabled", true); // 60b5: false pref("device.sensors.proximity.enabled", true); // 60b5: false pref("services.sync.engine.bookmarks.validation.enabled", true); pref("services.sync.engine.passwords.validation.enabled", true);

removed, renamed or hidden

pref("geo.provider.ms-windows-location", false);

changed

pref("dom.registerContentHandler.enabled", false); // prev: true pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // prev: "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%" pref("layout.css.moz-document.content.enabled", false); // prev: true pref("network.tcp.tcp_fastopen_enable", true); // prev: false pref("security.mixed_content.block_object_subrequest", true); // prev: false

EDIT: updated 1st post

[earthlng]

WTF! where did all our sticky issues go??

[earthlng]

Pants is gone too???!!!! https://github.com/Thorin-Oakenpants

[claustromaniac]

It seems all of Pants' issues are gone, not just the sticky ones. They must have been banned, or hacked, or this is their way of saying "fuck it".

Can anyone contact them?

Thorin - Someone has vindictively flagged my account (100 points if you can guess who). Shame on you for thinking I was hacked. Edit: WTF are you referring to me in plural?

[earthlng]

Indeed, all his issues are gone.

from https://help.github.com/articles/deleting-your-user-account/ :

Deleting your user account removes all repositories, forks of private repositories, wikis, issues, pull requests, and pages owned by your account. Issues and pull requests you've created and comments you've made in repositories owned by other users will not be deleted

but the wiki is still here, no idea how that is possible. and

If you’re the only owner of an organization, you must transfer ownership to another person or delete the organization before you can delete your user account.

Pants is/was the only owner of the organization and the repo but he apparently was able to delete his account without transferring ownership to me or someone else. Maybe his account was banned? IDK

really shitty way to say fuck it if that's the case. He could've just abandoned his account or at least say something first so that I could have copied the stickies, etc. All the infos he's collected over months in the stickies is now just totally gone.

I've written him an email asking what's going on.

Thorin - woah! I would never do anything like that. This is a community based project, and I would never do anything as shitty as that, besides, I'm an adult, not some vindictive baby (and I'm big/wise/old enough to know that any differences over minor aspects are just that, minor). Anyway, I have zero issues with anyone here. I suspect that CK laid a complaint, and my account has been flagged - that guy needs help. I haven't given him a second thought for months, but to him, it eats away at his brain. I have contacted GitHub support to get to the bottom of it. Everything is still here, just hidden.

[grauenwolfe]

Whoa! Did I miss something over the weekend like an argument or something or is this from out of nowhere?

really shitty way to say fuck it if that's the case.

Why would he? Was there talk of this before? I typically don't ready through every single Issue or Commit so again I'm not sure if I've missed something.

They must have been banned, or hacked, or this is their way of saying "fuck it".

Can anyone contact them?

How many Pants' are there?

[claustromaniac]

I've written him an email asking what's going on.

Nice. Let's hope for the best... whatever the fuck that would be.

How many Pants' are there?

Billions.

If you expected a more serious answer, then read this. If it was just a rethorical question, well... sorry.

[grauenwolfe]

Billions.

If you expected a more serious answer, then read this. If it was just a rethorical question, well... sorry.

Ha, totally kidding. Thought about putting a smiley or something but figured it wasn't needed, glad you knew and good to see the Pants' are reaching such high population numbers.

[2glops]

When I saw most of issues were gone, I didn't understand. Thanks earthlng for giving some information.

[crssi]

@Pants I wish this will be sorted out fast and without a pain. About CK... if he is behind or not, I still cannot express my opinion about him and in the same time not to go in the ocean of bad words.

[Forsaked]

I hope @Thorin-Oakenpants finds his way back soon!

[earthlng]

WELCOME BACK MY FRIEND! you had me worried for a moment there! I'm glad everything got sorted out and is now back to normal, all your stickies and issues un-hidden, etc.

so the CHEF-KOCH got you banned, huh?! HOLY SHIT! WHAT A FUCKING CUNT!!

I'd love to know more about the conversations you had with github support to get your account un-banned.

[Thorin-Oakenpants]

Just to confirm, it was CHEF-KOCH... he must have spent ages pouring over the T&C finding something - it was a comment of mine that pointed readers to his "Say Thanks" asking you to say "Thanks" to him. Removed the comment, and now I am not flagged. Now you know who is a petty, vindictive, twisted individual who would rather the world burns than be constructive

[crssi]

Welcome back. :)

[2glops]

Welcome back Thorin !

[claustromaniac]

Ha, totally kidding. Thought about putting a smiley or something but figured it wasn't needed, glad you knew and good to see the Pants' are reaching such high population numbers.

Oh. But I didn't really know. I just bundled three different answers.

Shame on you for thinking I was hacked.

Shame? I just presented some of the less-complex possibilities I could think of. Besides, it just means I consider you sufficiently high-profile to be worth a hack, which should be kind of flattering! I could be exchanging words with terrorists and all sorts of lunatics here, for all I know. Or maybe your crazy asshole computer-genius nephew got ahold of your computer for a few minutes.

Sorry if it offends you. If you live in like a top security bunker and physically store your data in a Faraday cage, I have no fucking way to know, right?

Edit: WTF are you referring to me in plural?

Singular. They. Same argument as before: you could be an alien or some paranoid AI for all I know. You should be thankful I didn't use "it", instead.

What the hell, man. Isn't that shit supposed to be kinda common in english? It's a genuine question, this is not my native language.

On second thought, if you were an alien it probably wouldn't be your native language either. Unless you were a Hollywood alien, of course.

Anyway, I'm just glad you're back.

[claustromaniac]

BTW you could actually be several people for all I know... :zipper_mouth_face:

[earthlng]

IDK about that. If you don't trust your installed webextensions it might be a good idea. But if f.e a hacker manages to inject external JS into one of those domains, you'd normally see + block that with uMatrix. If uMatrix etc are locked out with that pref you won't notice anything.

[earthlng]

network.dns.native-is-localhost - For testing purposes! -> moved to ignore

[earthlng]

browser.chrome.errorReporter.* - only enabled in Nightly.

https://wiki.mozilla.org/Firefox/BrowserErrorCollection https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html

[earthlng]

extensions.getAddons.get.url - never used thanks to 0306 - moved to ignore

[earthlng]

/* xxxx: disable Browser Error Reporter (FF60+)
 * [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
 * [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html ***/
user_pref("browser.chrome.errorReporter.enabled", false);
user_pref("browser.chrome.errorReporter.submitUrl", "");

maybe 0380? or move the remaining 2 prefs in 0360 somewhere else because those 2 alone don't really "quiet fox" the new Activity-stream page anymore.

[earthlng]

So in FF60+ the 4503 pref is meaningless

not setting that pref gives them access to a special mozAddonManager API. Unnecessary API IMO.

But ME, I'm definitely editing out AMO from that pref

that won't work because the code to restrict webextension access checks both the new pref and 4503

[earthlng]

yeah let's NOT do that. You've seen the countless reddit posts asking why AMO detects their FFs as an older version. I assume, based on the mozAddonManager pref being an RFP sub-pref, the whole point of the mozAddonManager was to be able to detect the FF version despite RFP.

[earthlng]

I'd put it under 2600, something like this:

/* 26xx: disable webextension restrictions on certain mozilla domains (FF60+) ***/
   // user_pref("extensions.webextensions.restrictedDomains", "");

add notes and/or warnings as you see fit, f.e. that several mozilla domains use google analytics and noscript etc won't be able to block that.

[Atavic]

For 3rd party scripts only, starting from FF 43 until today:

The Web Storage API now respects the browser’s third-party cookies preference, so it will no longer work when the script is in a third-party context and the user has disabled third-party cookies. The IndexedDB API and the new Service Worker Cache API will also obey the same constraint.

...see link here.

[Atavic]

If the 1st party uses web workers, then it is able to use IndexedDB. I don't see it as an oversight, cliqz is partner with Mozilla.

[Atavic]

I totally agree! But it cannot be an oversight.

[earthlng]

60b16 changes since 60b9

new

pref("app.normandy.first_run", true); pref("image.animated.decode-on-demand.threshold-kb", 4194303); // 60b9: 20480 pref("network.cookie.same-site.enabled", true);

changed

pref("layout.display-list.retain", true); // prev: false pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 1000); // prev: 2000

EDIT: updated 1st post

[fmarier]

Here's the meta bug for same-site cookies: https://bugzilla.mozilla.org/show_bug.cgi?id=samesite-cookies

Probably no point in listing this pref in user.js since it's enabled by default and it restricts cookies further. The pref is only there in case we need to turn the feature off quickly due to unforeseen bugs/breakage.

[crssi]

Is this the same as uMatrix rule...

* * cookie block
* 1st-party cookie allow

...which reads as allow outbound 1st-party cookies and deny outbound 3rd-party cookies?

[fmarier]

SameSite=strict goes further than disabling third-party cookies. It also strips the first-party cookie if you follow a link from a different site. See http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ for a good explanation.

[crssi]

@fmarier thx If I understand correctly this behavior is server side controlled over header and not client side by preferences?

[earthlng]

I agree with @fmarier in that we don't need the pref in the user.js per se but I think it's a nice new feature and worth adding for the links alone. something like this:

/* 27xx: enable support for same-site cookies (FF60+)
 * [NOTE] support for same-site cookies is enabled by default but we don't enforce it
 * in case mozilla needs to turn it off quickly due to unforeseen bugs/breakage.
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=samesite-cookies
 * [2] https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
 * [3] https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ ***/
   // user_pref("network.cookie.same-site.enabled", true); // default: true

[earthlng]

AFAIK FPI only works on domain anyway ie secure.bank.com has access to cookies etc from bank.com and vice-versa.

same-site cookies makes it so that when you click a link to yourbank.com and you happen to be logged in to yourbank.com in another tab (or didn't logout) the cookie will not be sent and therefore preventing potential CSRF. FPI has nothing to do with that. EDIT: not just links but some other things as well, like certain forms and whatnot, see the .nl link for details.

[earthlng]

my 2 cents:

pref("app.normandy.first_run", true); - probably unnecessary but we can add it to the other normandy stuff, up to you pref("browser.startup.blankWindow", false); - nothing to do with privacy/security and IMO not worth adding to 5000 either pref("browser.urlbar.openintab", false); - sounds pretty annoying. I'd ignore it pref("devtools.policy.disabled", false); - devtools are awesome. Why would anyone want to disable that? IMO move to ignore pref("dom.push.alwaysConnect", false); - default is false which is what we want and thus it's safe to ignore but I don't mind adding it with the other push stuff just in case pref("network.ftp.enabled", true); - maybe add as inactive for those who want to disable it. I think FF61 will disable ftp for sub-resources which is probably the better option pref("media.cubeb.sandbox", false); - something to do with audio on linux (and maybe Mac, IDK). It's true on linux and false on Windows. I'd say move to ignore

changed:

IMO move to ignore: pref("browser.schedulePressure.timeoutMs", 300); // prev: 1000 pref("devtools.debugger.features.root", true); // prev: false - no idea what this is but most people probably don't use the debugger anyway pref("gfx.webrender.blob-images", 1); // prev: 2 pref("gfx.webrender.hit-test", true); // prev: false pref("layout.css.servo.chrome.enabled", true); // prev: false - seemingly removed in FF61 pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 1000); // prev: 2000

[earthlng]

:jeans: you forgot to move 0512 to deprecated/removed

[earthlng]

Is is something to do with being a system addon, and the prefs are hidden until created by the addon?

yes exactly. I already planned to change the way I retrieve the default prefs for the next diff because of some changes mozilla made in 61 but I'll update this diff as well as soon as FF60 portable is available.

I'll have to install a certain version to get a diff for it and thus I won't be able to create OS-diffs anymore because I don't have a Mac.

[earthlng]

• keyboardevent stuff: https://www.fxsitecompat.com/en-CA/docs/2018/non-printable-keys-will-soon-stop-firing-keypress-event/ FF60 doesn't have the whitelist yet and enabling it already might just break too many sites. Waiting at least for FF61 seems like a good idea. Perhaps even wait until they enable it by default because I don't know what the pros and cons of this are, either.
• ftp - I wouldn't mind adding it inactive tbh. Martin wrote an article about it and we could link to that. https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/
• registerProtocolHandler - yes false is what we want. "low usage rate of the functionality" so breakage-wise it shouldn't be a problem to set this already. 1 more bit for fingerprinting but it's very unlikely that anyone is using that. Nightly has it disabled too. a similar pref was added in 59: dom.registerContentHandler.enabled
• dom.registerContentHandler.enabled https://bugzilla.mozilla.org/show_bug.cgi?id=1398169 https://www.fxsitecompat.com/en-CA/docs/2018/navigator-registercontenthandler-has-been-removed/ https://developer.mozilla.org/en-US/Firefox/Experimental_features#DOM we can disable that too IMO. Also already disabled in Nightly 61
• security.mixed_content.upgrade_display_content - not even enabled in Nightly. We should wait IMO
• security.pki.distrust_ca_policy - if they land it as 1, which they most likely will, we don't need to enforce it.
• dom.ipc.useNativeEventProcessing.content - fixes some kind of bugs. No idea what the pros and cons of flipping this back would be. Best not to mess with it
• dom.moduleScripts.enabled - ignore. some links are here: https://bugzilla.mozilla.org/show_bug.cgi?id=1438139#c5
• security.webauth.webauthn - probably best to ignore this, nobody is forced to use it. https://www.w3.org/TR/webauthn/ https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/

[earthlng]

updated the 1st post.

• pref("app.shield.optoutstudies.enabled", true); was added to the default pref files in FF60 but apparently existed before that as a pref set by a system addon. I kept it under NEW regardless.
• following are the prefs set by system addons or not included in the default prefs files and therefore missing in the diffs. some of them are NEW in FF60 and are now included in the updated 1st post.

click me

```js pref("browser.newtabpage.activity-stream.collapseTopSites", false); pref("browser.newtabpage.activity-stream.default.sites", "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/"); pref("browser.newtabpage.activity-stream.disableSnippets", false); pref("browser.newtabpage.activity-stream.enableWideLayout", true); pref("browser.newtabpage.activity-stream.feeds.favicon", true); pref("browser.newtabpage.activity-stream.feeds.migration", true); pref("browser.newtabpage.activity-stream.feeds.newtabinit", true); pref("browser.newtabpage.activity-stream.feeds.places", true); pref("browser.newtabpage.activity-stream.feeds.prefs", true); pref("browser.newtabpage.activity-stream.feeds.section.highlights", true); pref("browser.newtabpage.activity-stream.feeds.section.topstories", false); pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_description\":\"pocket_description\",\"provider_icon\":\"pocket\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off\",\"stories_referrer\":\"https://getpocket.com/recommendations\",\"privacy_notice_link\":\"https://www.mozilla.org/privacy/firefox/#suggest-relevant-content\",\"disclaimer_link\":\"https://getpocket.com/firefox/new_tab_learn_more\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false,\"personalized\":true}"); pref("browser.newtabpage.activity-stream.feeds.sections", true); pref("browser.newtabpage.activity-stream.feeds.snippets", true); pref("browser.newtabpage.activity-stream.feeds.systemtick", true); pref("browser.newtabpage.activity-stream.feeds.telemetry", true); pref("browser.newtabpage.activity-stream.feeds.topsites", true); pref("browser.newtabpage.activity-stream.filterAdult", true); pref("browser.newtabpage.activity-stream.migrationExpired", false); pref("browser.newtabpage.activity-stream.migrationLastShownDate", 0); pref("browser.newtabpage.activity-stream.migrationRemainingDays", 4); pref("browser.newtabpage.activity-stream.section.highlights.collapsed", false); pref("browser.newtabpage.activity-stream.section.highlights.includePocket", true); pref("browser.newtabpage.activity-stream.section.topstories.collapsed", false); pref("browser.newtabpage.activity-stream.section.topstories.showDisclaimer", true); pref("browser.newtabpage.activity-stream.sectionOrder", "topsites,topstories,highlights"); pref("browser.newtabpage.activity-stream.showSearch", true); pref("browser.newtabpage.activity-stream.showSponsored", true); pref("browser.newtabpage.activity-stream.showTopSites", true); pref("browser.newtabpage.activity-stream.telemetry", true); pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "https://tiles.services.mozilla.com/v4/links/activity-stream"); pref("browser.newtabpage.activity-stream.telemetry.ut.events", false); pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "https://activity-stream-icons.services.mozilla.com/v1/icons.json.br"); pref("browser.newtabpage.activity-stream.topSitesRows", 1); pref("extensions.pocket.api", "api.getpocket.com"); pref("extensions.pocket.oAuthConsumerKey", "40249-e88c401e1b1f2242d9e441c4"); pref("extensions.pocket.site", "getpocket.com"); pref("extensions.webcompat.perform_ua_overrides", true); pref("pdfjs.cursorToolOnLoad", 0); pref("pdfjs.defaultZoomValue", ""); pref("pdfjs.disableAutoFetch", false); pref("pdfjs.disableFontFace", false); pref("pdfjs.disablePageLabels", false); pref("pdfjs.disablePageMode", false); pref("pdfjs.disableRange", false); pref("pdfjs.disableStream", false); pref("pdfjs.enablePrintAutoRotate", false); pref("pdfjs.enableWebGL", false); pref("pdfjs.externalLinkTarget", 0); pref("pdfjs.pdfBugEnabled", false); pref("pdfjs.renderer", "canvas"); pref("pdfjs.renderInteractiveForms", false); pref("pdfjs.showPreviousViewOnLoad", true); pref("pdfjs.sidebarViewOnLoad", 0); pref("pdfjs.textLayerMode", 1); pref("pdfjs.useOnlyCssZoom", false); ```

[earthlng]

pdfjs is ... secure/vetted as any pdf reader out there Exploits are rare

really? https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158

[Atavic]

Anything related to pdf and office files isn't secure. They are widely used, sent by mail and exploited.

[earthlng]

wanna finish this?

what to do with the parrot? change the header of the first pref? what's the relevance of link 2?

[earthlng]

If you want we can remove the two existing links

:+1:

IDK if we need the 3rd link either. Better to just explain what it means for users. maybe something like

In FF60+, not all syntax errors cause parsing to abort ie reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.

[earthlng]

I do not know if they flip these for ESR at the same time

probably not. Maybe if someone asks them to. The prefs are already there and it would be a simple change.

or ... ignore them and let FF take their course

:+1:

re: moz-document - FF61 will also have an exception to avoid most breakage. It's unlikely that this will be backported to ESR. "ignore it since it will be covered by default in 61+" :+1:

Suggest we delete them all and just create two up to ESR60 - deprecated and removed

and maybe one for RFP-ALTS?