arkenfox / user.js

Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening
MIT License

Questions: Default Permission for "Extract Canvas Data" & Option to Store Pwds #385

Closed zazenbingle closed 6 years ago

zazenbingle commented 6 years ago

Hello,

  1. Is there no way to stop the annoying prompt "Allow Website to Extract Canvas Data?"
    --> I poked around a bit and can't find a way. If that's true, then I'm amazed that FF would create a site level permission and not allow us to default the permission to "Blocked" for all sites.
    --> I have the "canvas blocker" extension per your recommendation. All options are at default, so the "Block Mode" is set to "fake readout API." Maybe "Block readout API" would be more effective?
    --> Most annoying part is that before the Amazon.com login page redirects from the login page to the 2-factor code page, the prompt auto-submits with "Yes, allow fingerprinting" before I can tell them to fuck off. I mean...the nerve of them!

  2. Does User.js not control Options>Privacy&Security>"Remember logins and passwords for websites"?
    --> I've always had it off.
    --> I see that User pref 901 is commented out: // user_pref("signon.rememberSignons", false);

2a. Does that mean I've been controlling this through the "options" page and not the Ghacks User.js file?

2b. Why comment out pref 901? Seems like the spirit / reason for existence of the Ghacks user.js file is to shut down stuff like the ability to save passwords.

Background...given the stupidity of still asking the 2nd question when it appears the answer is staring me in the face... I'm new to FF, about:config, and user.js in the past 6 months & still learning what "options" settings are/can be controlled through User.js and which ones aren't/can't.

Another reason for asking the question: I just updated from 58 to 59, and it appears that a couple of things from the Options/privacy page didn't carry over. Not sure if I just didn't catch in the past (since FF56), or if FF forgot some of my settings on the upgrade from 58 to 59.

Really appreciate all that you guys do. Reading through the open & closed issues, I'm in awe.

Thanks!

earthlng commented 6 years ago

Hi

> Does that mean I've been controlling this through the "options" page and not the Ghacks User.js file?

Yes. You can activate that pref in your user.js or add it to your overrides file if you use our updater script. (see https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.2-Applying-Your-Changes)

zazenbingle commented 6 years ago

Got it.

Follow-up: You are correct, all I had to do was set the preference to "Block Canvas Extract" on the Amazon login page's permissions. Sneaky bastards that they somehow managed to invoke the fingerprinting prompt AFTER clicking the submit button, which made me think the prompt was originating from a different page.

Thanks for explaining on the saved passwords. I'll add that preference to my list of overrides at the bottom of the script.

You guys rock!

I guess I hit "Close & Comment" at the bottom? Thanks again.

zazenbingle commented 6 years ago

Hey -- After sleeping on it, I've got a theory on what happened & wanted to share it with you. If you agree with the theory, then I propose that you add a warnings section to Wiki 3.1 "Resetting Inactive Prefs."

As a total amateur hack privacy enthusiast, I've never run a .bat file that required CMD:CD to a new filepath and I'd never heard of the scratchpad. But, I stumbled through & ran the .bat file / scratchpad scripts after updating FF58 to FF59.

What I think happened: Between the .bat file and scratchpad scripts, I reset the values to default which to that point I had controlled manually via Options>Privacy. Heck, I didn't even understand what I was controlling manually through Options>Privacy vs the User.js file.
--> I'm not confident enough with this stuff to prove this. It just seems like the best explanation because when I updated FF from 56 to 57 and from 57 to 58, FF remembered those settings that I had controlled manually through Options>Privacy. This is the first FF update that forgot them, and it's the first time I've used the .bat file/scratchpad scripts.

If you agree that's what happened, then I propose an addition to wiki, 3.1 "Resetting Inactive Prefs"

I don't know enough to know if that's possible. Does every manual setting in Options>Privacy have a corresponding user pref to control it?

Hope you find this useful. Please go ahead and close when ready.

Thanks again for all that you do.

PS: In case the order of my actions is important, here's how I did it: [With FF closed]

  1. Backed up the profile
  2. Downloaded earthlng user.js v59.0-alpha, manually appended my exceptions, manually updated user.js in my profile folder.
    [Opened one session of FF]
  3. Updated FF58 to FF59
  4. Ran the .bat & scratchpad scripts.
  5. Closed down FF session, then re-opened (which took like 30-seconds to load that first time. Very fast after that.)
  6. Confirmed in about:config that my User.js changes were in effect.

zazenbingle commented 6 years ago

when you talk about the bat file, what are you referring to? the updater or the prefs cleaner? --> Prefs cleaner.

OK, looks like I misunderstood how to use the .bat & scripts. I just walked through 3.1 "The Solution" from the top to the bottom (didn't run the troubleshooter...I'm not THAT dense!) In the future, I'll just run the .bat prefs cleaner and the script for REMOVED, if there's a new one at the next release.

There is no problem! Last thing I want is to annoy. I sincerely appreciate this tool and all the knowledge documented in the wiki, user.js, and the github issue. I spend hours reading through all this stuff, and the helpful links spread throughout. That you guys stay up on the changes and help the rest of us with recommended settings, free of charge, is truly amazing to me. Thank you. I mean, until I started following you on Github, I never realized how fluid browsers are with settings added & dropped with each version.

The prefs cleaner re-setting my [exceptions made via UI] was a wake-up call to my own lax approach and an invitation to automate via the User.js exceptions file instead of via the UI. Only shared it with you in case you thought it was worth mentioning in Wiki 3.1. Sounds like that's not the case.

Probably comes down to shades of beginner. I read the entire User.js before implementing, top to bottom. I read through many of the linked pages. I read through the wiki several times - which is awesome and thank you for creating & maintaining it. I implemented user.js with about 5 minor exceptions appended to the bottom, then I clicked through the UI and made a couple of more changes. Never occurred to me (until this experience) that the best practice is to stop making any changes via the UI and only make them in the User.js exceptions file.

Thanks again for all that you guys do. I appreciate it!
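
The situation described in the comment above, as an added example that is not part of the original thread or the project's scripts: a Node.js audit that lists settings stored in prefs.js (made via the UI) that user.js only mentions in a commented-out line. It assumes the cleaner drops every prefs.js entry whose name appears anywhere in user.js, active or commented out; the function names and sample files are constructed for illustration.

```javascript
// Added example: audit which UI-made settings a prefs.js cleanup would reset.
// Assumption: the cleaner drops every prefs.js entry whose name appears in
// user.js, whether that line is active or commented out.
const PREF_RE = /^\s*(\/\/\s*)?user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

// Split a user.js/prefs.js text into active and commented-out prefs.
function parsePrefs(text) {
  const active = new Map(), inactive = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);
    if (!m) continue;
    (m[1] ? inactive : active).set(m[2], m[3]);
  }
  return { active, inactive };
}

// Prefs that live in prefs.js only because they were set outside user.js
// (Options UI or about:config) while user.js merely mentions them in a comment.
function prefsLostOnClean(userJsText, prefsJsText) {
  const userJs = parsePrefs(userJsText);
  const stored = parsePrefs(prefsJsText).active;
  const lost = [];
  for (const [name, value] of stored) {
    if (userJs.inactive.has(name) && !userJs.active.has(name)) {
      lost.push(`user_pref("${name}", ${value});`);
    }
  }
  return lost; // lines to copy into the overrides section before cleaning
}

// Constructed sample files (not taken from a real profile).
const SAMPLE_USER_JS = [
  '   // user_pref("signon.rememberSignons", false);',
  'user_pref("browser.startup.page", 1);',
].join("\n");
const SAMPLE_PREFS_JS = [
  'user_pref("browser.startup.page", 1);',
  'user_pref("signon.rememberSignons", false);',
  'user_pref("extensions.lastAppVersion", "59.0");',
].join("\n");

console.log(prefsLostOnClean(SAMPLE_USER_JS, SAMPLE_PREFS_JS));
```

Each returned line is a candidate for the overrides section, so the setting comes from user.js instead of depending on what prefs.js happens to hold.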

zazenbingle commented 6 years ago

Appreciate you summing it up. Nope, no action required, will close.

Six months ago when I first tried this, I had a sense of foreboding about making any changes via the UI. But I was too new to confidently research each UI option & map it back to about:config. And I was too intimidated to make lots of changes. It was my first time in the profile folder.

The exceptions I made originally were all so basic that the about:config pref spelled them out to a layperson. My first two exceptions are:

user_pref("browser.startup.homepage", "https://duckduckgo.com/");
user_pref("browser.startup.page", 1); //(0=blank, 1=home, 2=last visited page, 3=resume previous session)

But not all about:config pref names jump out at the layperson like that. So it's like a mapping that takes (forever?) to gel in the mind, or 500 dots where only about 100 or so immediately connect between the pref and the UI in the newbie's mind. Nothing to be done about it. But it would be awesome if FF would place a hover-tip over the text of each UI element that showed the corresponding about:config pref name(s).

Determined to add some value, so a parting shot of a wiki tip: it would have saved me an hour or two of troubleshooting that one time if I had bracketed the top and bottom of my exceptions page with:

user_pref("_user.js.parrot", "Begin preferences override");
// ...all of your exceptions go here...
user_pref("_user.js.parrot", "End preferences override");

OK, I'm going now. Thanks again for everything!
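
The bracketing tip in the comment above, as an added example that is not part of the original thread or the project's code: a Node.js helper that takes the `_user.js.parrot` value shown in about:config and returns the line range of user.js where loading stopped. It assumes Firefox applies user.js top to bottom and stops at the first syntax error; the function names and the sample file are constructed for illustration.

```javascript
// Added example: use "_user.js.parrot" markers to narrow down a syntax error.
// Assumption: Firefox applies user.js top to bottom and stops at the first
// syntax error, so about:config shows the last marker that was reached.
const PARROT_RE = /^\s*user_pref\(\s*"_user\.js\.parrot"\s*,\s*"([^"]*)"\s*\)\s*;/;

// List every active parrot marker with its 1-based line number.
function parrotMarkers(userJsText) {
  const markers = [];
  userJsText.split(/\r?\n/).forEach((line, i) => {
    const m = PARROT_RE.exec(line);
    if (m) markers.push({ value: m[1], line: i + 1 });
  });
  return markers;
}

// Given the parrot value seen in about:config, return the line range that
// must contain the error, or null when the final marker was reached.
function suspectRange(userJsText, observedValue) {
  const markers = parrotMarkers(userJsText);
  const totalLines = userJsText.split(/\r?\n/).length;
  // Use the last marker carrying that value, in case a value is repeated.
  const idx = markers.map((m) => m.value).lastIndexOf(observedValue);
  if (idx === -1) {
    // No known marker was applied: the error sits at or before the first one.
    return { from: 1, to: markers.length ? markers[0].line : totalLines };
  }
  if (idx === markers.length - 1) return null;
  return { from: markers[idx].line + 1, to: markers[idx + 1].line };
}

// Constructed overrides section with a deliberate error on line 3.
const PARROT_SAMPLE = [
  'user_pref("_user.js.parrot", "Begin preferences override");',
  'user_pref("browser.startup.homepage", "https://duckduckgo.com/");',
  'user_pref("browser.startup.page", 1;', // missing closing parenthesis
  'user_pref("_user.js.parrot", "End preferences override");',
].join("\n");

console.log(suspectRange(PARROT_SAMPLE, "Begin preferences override"));
```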

zazenbingle commented 6 years ago

That's awesome.

Note to self: sometimes it's best to just stop digging. But I never think of that until after hitting the "Comment" button.

earthlng commented 6 years ago

I've updated the wiki page to include the new prefsCleaner script for Linux/Mac and used the opportunity to include a warning as suggested by @zazenbingle . I also tried to make it clearer that people don't need to run both the prefsCleaner + the scratchpad scripts (except for the REMOVED one).

Thanks @zazenbingle for letting us know that there was room for improvement. If you'd read it again now, do you think it would have helped you understand it better?

claustromaniac commented 6 years ago

This is great feedback in my opinion. Makes me realise that every little thing that can be done to ease a bit the process of managing these Firefox files/settings is worth it.

In other words, makes me feel a bit less of a lazy dude with a weird hobby. Annoying @earthlng by having him review my frequent PRs can actually help. It's actually worth it.

Oh man... I'm just getting started here. @earthlng, you don't know what you're in for!

earthlng commented 6 years ago

> It's actually worth it.

It really is :smile:

earthlng commented 6 years ago

I'm waiting for an update to the updater merge function that can comment out active user-prefs in the ghacks user.js. You're up for a challenge? :grin: