How to opt-out from forcing English everywhere

[powerman]

I believe allowing websites to detect my locale is not a big deal and will not have any real effect on fingerprinting, so I'd like to undo this change ("use English everywhere").

Before applying user.js I had "Languages" tab on about:addons - how I can get it back, please? :smile:

I've found extensions.ui.locale.hidden=true (which may be unrelated to this issue, but it name sounds like it may be it), but if I switch it manually to false and open about:addons it automatically switch back to true.

[powerman]

It turns out to be non-trivial to restore.

The obvious part was to add this to user-overrides.js (or change it in user.js):

user_pref("extensions.enabledScopes", 5);

But there is a hidden part too. Problem is, when extensions.enabledScopes was set to bitmask which doesn't include value 4 (SCOPE_APPLICATION) Firefox has modified extensions.json file in profile directory. Because of this change even after re-adding value 4 into extensions.enabledScopes language pack plugin will be shown always in "Disabled" state and "Enable" button will have no effect.

So, we need to manually undo these changes. Simple way is to restore this file from pre-ghacks backup. Harder way is to edit file, lookup for record with required ID (like "langpack-ru@firefox.mozilla.org") and make these changes in this record:

"active": true,
"userDisabled": false,
"seen": true,

You may also need to manually switch it off/on once after starting firefox before you'll be able to choose it in change language dialog.

Probably worth to add a note about this hassle in user.js?

[Thorin-Oakenpants]

the pref extensions.ui.locale.hidden is set internally and has nothing to do with the user.js - you get the same result in a vanilla profile - maybe it only shows if you have multiple language packs

[earthlng]

Interesting. Thanks @powerman for that very detailed explanation. Instead of editing the json file, have you tried to just reinstall the language pack after changing the enabledScopes pref? I assume that would work and be much easier. Anyhow, I think adding a note to that pref that mentions it breaking language packs would be helpful. @Thorin-Oakenpants, what do you think?

[powerman]

My language pack was installed by Gentoo package together with Firefox itself, it wasn't manually downloaded. I suppose reinstalling Gentoo package won't change anything because language pack file wasn't modified anyway (it's in /usr/lib64/firefox/browser/extensions/langpack-ru@firefox.mozilla.org.xpi).

[earthlng]

Oh I see. A Gentoo user, eh?! I guess that explains why you were able to find that non-trivial solution so quickly. I tip my hat to you, good sir :) I wish I had half the linux knowledge that you probably have. #jealous

[Thorin-Oakenpants]

what do you think?

@earthlng do what you need to, this is over my head

[Thorin-Oakenpants]

FYI: thanks @powerman

• interesting list: https://gist.github.com/powerman/b90f3a63fa2f3583d3e89b2468f95388 which ties in with #605 to set up at least one relaxed overrides js
• interesting article: https://habr.com/ru/post/445124/

[powerman]

Just in case: this article didn't meant to tell anything bad about this project. I had some past experience when author of project mentioned with some bit of critique in my article become really upset and angry at "that rude russian", which complicate future collaboration with him.

I believe this project is great, and you guys do really important work to make the world a better place!

But for most users, even paranoid ones (like me), main browser's usability is critical, and so is ability to use all websites they need. My user-overrides.js was designed to restore enough usability and compatibility with websites to make Firefox with ghacks user.js feels the same as without it - i.e. make it suitable for most users - but at same time keep as much of user.js improvements as possible.

I wasn't happy to make some of these changes. E.g. security.OCSP.require - I got several OCSP failures on websites like github.com, which made impossible to use website for several minutes (until issue gone). Same for FPI and RFP - I was hoping it will be possible to keep at least one of them, but breaking critical usability extension (Gesturefy) and critical for my work website (JIRA) leave no chances. :disappointed:

[Thorin-Oakenpants]

I don't understand this gesturefy thing .. WTF does it do that is so important? don't answer that - it's rhetorical.

But when it comes to work related sites, the solution is probably as simple as using a dedicated browser for work. It doesn't even have to be Firefox - although you can easily set up multiple versions of FF and run them concurrently (theme them to distinguish them). Personally, I have about a dozen sites bookmarked in a portable Opera, and 2 sites (for some "work") in a potable Chrome - because I'm too lazy to make them work in my FF and I am not willing to sacrifice anything in my setup = all other websites I visit. Both Opera and Chrome and sanitized between uses - but I only use them for those few sites.

I will say though, that I can totally live without twitter and FB etc - even videos. If I was to ever get something like Netflix, I would probably relax the video prefs, because uMatrix can control a lot of video sources on a per scope setting (I think). But maybe that's just me.

Still, it could be worse .. I could go all Stallman crazy

[powerman]

I'm a freelance developer, with a lot of own open-source projects, so there is no real separation for me between "work" and "not work". I also don't use social websites (except github) and rarely use youtube - most of my browsing activity is related to software development. So, splitting it between several browsers just doesn't makes any sense. I can sometimes temporary run second browser because "skype doesn't work in this browser" or to "check is this website broken, or it's my extensions/settings broke it", but using multiple browsers (or even windows of same browser) isn't convenient for me.

So, in my case it's not a question like "how to use both insane anti-privacy websites like FB and get full ghacks user.js protection at same time" - nearly all websites I use on daily basis are sane, or at least may/should be sane, and should, at least in theory, works just fine with ghacks user.js. That's why I was so disappointed about amount of exceptions I had to make in user-overrides.js for these websites. But I do hope situation will improve with time, so maybe 6 months later I'll be able to remove some of them from user-overrides.js.

[theWalkingDuck]

go to: preferences > Language > Choose Uncheck Request English versions of web pages for enhanced privacy and add your preferred language or languages.

[Thorin-Oakenpants]

@earthlng (and others) Where are we at with this? I appreciate OP knows a hell of a lot more than me about what he has to do on Linux to solve the problem

• Clearly the user.js caused FF to internally hide the locale panel
• OP said something something
• theWalkingDuck said go change a UI option

So does just changing the UI option return the locale panel?

I do not want to leave non-English-as-1st-language users in the position of not being able to use FF in their preferred language, but I'm not able to test OPs setup, and I'm bit confused (to be expected). I'd like to clear this up and close it.

[powerman]

AFAIR - it's not. Sorry, don't have time to re-test this once again now just to make sure.

[Thorin-Oakenpants]

no worries if you don't have time. I'm not your employer :)

I assume you meant AFAIK (as far as i know), and "it's not" was referring to just changing the UI option isn't enough to fix it?

[powerman]

Yes.

[Thorin-Oakenpants]

OK, I think I know what's going on.. I just need to work a few things out. BTW, because I also don't have the locale panel showing, I can probably replicate OP

So I really quickly read scanned this in about 30 seconds - https://blog.mozilla.org/l10n/2019/04/02/changing-the-language-of-firefox-directly-from-the-browser/

A few things to note. You can do language switching from within the UI (and eventually it will be restartless). And you can change the order of the languages and request pages in that language. So I don't think the user.js prevents anyone from flipping a couple of prefs and setting what they like. Which begs the question, because I haven't looked at one for years .. just WTF is in the locale panel that is so important. What's it actually used for?

[powerman]

As actual language pack is installed as system-wide extension, and user.js disables such extensions, ability to switch language disappears too - the list of languages to choose from is just empty in this case.

[Thorin-Oakenpants]

Ahh, sorry ... maybe I need several coffees and a long sleep. I keep forgetting the scopes thing.

When I get time I will actually do some tests - in a clean profile and just change those scopes prefs and see if and what I can do with those languages to the chrome (and what I can do to add/remove additional languages). I am on a portable Firefox, so not sure if that will make a difference

the list of languages to choose from is just empty in this case

Maybe it's because I'm on a portable version? But my list of languages in the dropdown is full populated. And I've been using the scopes pref as is in the user.js since whenever we added it 3+ years ago. But, I do have Nightly as an installed version, so I can play around in there if need be

[theWalkingDuck]

These are the prefs related to the UI setting

checked:
     privacy.spoof_english  = 2
     javascript.use_us_english_locale = true

unchecked:
    privacy.spoof_english = 1
    javascript.use_us_english_locale = ''

Try to set the privacy.spoof_english pref to 1

[Thorin-Oakenpants]

I just re-read OP, and it's not entirely clear if OP has actually changed some of the language settings in the user.js. BUT, regardless of that, he should be able to change settings such as via the UI, in session. The real problem is that he has no languages to choose from - and I suspect that's more to do with the package or Linux or something. IDK, I'm not an expert on linux distros, linux packages, or Firefox's language addons vs the new code for languages stuff.

Try to set the privacy.spoof_english pref to 1

I wouldn't. All the code for that, as we looked at it a few times, and I read the tickets dozens of times, is that it is handled internally. I wouldn't mess with that.

[Atavic]

This intl.locale.matchOS set to false may block @powerman

[earthlng]

I think enabledscopes only blocks language packs if they're installed system-wide ie in the firefox install directory (or some other directory in Linux, IDK). But for most people who'd probably install a language pack via the UI, I assume that the xpi will be placed in the profile folder and therefore won't be affected by the enabledscopes pref. We can add a note to enabledscopes that it breaks language packs if they're installed system-wide, maybe with a link back to this issue for how to fix it. Or we can just do nothing because until now, nobody had a problem with this in the last 2+ years and most people who want a localized FF will probably just download and use FF in the language they want and not use a language pack at all.

[Thorin-Oakenpants]

I don't even know what to put in pref 2660 to address this - and would it only be languages, what about dictionaries, maybe even extensions?. We already have

 * [SETUP-CHROME] This will break extensions that do not use the default XPI directories

so at worst we could just expand on that a little?

 * [SETUP-CHROME] This will break extensions that do not use the default XPI directories and
 * also known to cause issues with system-wide language packs in Linux (see GitHub issue #674)

^ not my finest work. What can you come up with?

[earthlng]

IDK, what are "the default XPI directories"? Maybe something like "This will break extensions, language packs, themes and any other XPI files which are installed outside of profile directories (see GitHub issue #674 for an issue with language packs in Linux)"

[Thorin-Oakenpants]

default xpi dirs are where your xpis are .. profile/extensions. As a professional proof reader, script writer, author, and provocateur ... I like your wording better. PS: My verbal reasoning tells me that it's not clear that those adjectives applied to you, and not me

[Thorin-Oakenpants]

FYI: See #707 . When the "package" is not English (or en-US) - i'm only playing around with portable Windows versions, then the pref we used to set (I made it inactive yesterday) would cause the dropdown in the above pic to be blank. That is 0205 intl.locale.requested. In my test, for example, I had a French version of FF but 0205 would blank it, and I would end up with a mixed bag of French or English about pages or menus etc.

Seems like when it was added in FF59 as a replacement for an older pref, it is no longer needed to help hide your language/locale. So much was going on with RFP pushing things for ESR60, and quantum, that this kinda slipped under the radar.

So one thing you guys can do, is to comment it out and reset it in about:config. Don't set it as an empty string (or you'll get the dual language issue), or you could set it as "fr" or "de" or whatever you like.

This hasn't helped obviously ... imagine all the non-English users getting pissed off with English being used in about:preferences. Apologies - clear that 0205 pref guys

[KOLANICH]

Uncheck Request English versions of web pages for enhanced privacy

IMHO it doesn't enhance privacy when no IP addr hiding is used because it is (relatively) easy to detect user's area (with accuracy up to a city district in some cases) based on his IP addr.

[Thorin-Oakenpants]

There's an assumption with a lot of prefs, that the user is masking their IP - IP is the 101 basics of tracking. I mean, what is the point of all the FPing measures and blocking tracking cookies etc, when the user just keeps giving away their IP. Let's not split hairs here about multiple devices/users, and yes there are some tangible benefits even when IP is leaked. But surely I do not need to add this assumption to the user.js? Maybe I do?

Anyway, the language changes are not about privacy, but anonymity (anti-FPing). You're already on the site, so your privacy on that site is gone

[KOLANICH]

IP - IP is the 101 basics of tracking.

IP addr is often dynamic. At least it used to be in Russia for some time (before ISPs have switched to IPoE, they used to use VPN for that, and in order to change an IP addr a user just needed to restart the VPN).

Anyway, the language changes are not about privacy, but anonymity (anti-FPing). You're already on the site, so your privacy on that site is gone

Yes, and it is a feature. Usually users within a country are native speakers and usually native speakers use native language. So the ones using English instead of native language within non-English-speaking country are uncommon.

[Thorin-Oakenpants]

IP addr is often dynamic

And it is also often not dynamic. If I tried to quantify everything I said, I'd be here all day. IP -> easy way to track (assuming that the IP does not change)

And of course an IP address (assumption not a VPN or proxy or Tor or some other networking protocol/combo that does not link back to the real IP address) that resolves to Pluto, but the FP, or free info in the header, indicates Martian would stick out

[claustromaniac]

(assuming that the IP does not change)

Even if it changes it can easily be used for fingerprinting. If your address is dynamic but you live in like... Croatia, you're still in like the 0.06% of the world's population, which makes you pretty unique by itself.

[KOLANICH]

Croatia, you're still in like the 0.06% of the world's population, which makes you pretty unique by itself.

Yes, and I guess that Croatian IP is highly correlated with use of Croatian language as the default one. As I understand, this repo customizations are for the browser setups not using Tor or other way hiding their IP, because the ones using Tor should use TorBrowser, and ones using other methods instead probably should also use TorBrowser rather than the usual tweaked Firefox, and if one uses TorBrowser, most of the privacy-related settings are already enabled there.

So if we assumme that we want to mimic the population of the country which IP we use (assumming that we don't use any public VPN/Tor), we need to request the language common in that area. And if we don't mask IP, we don't need to change language - a user from non-English speaking country which browser prefers English is uncommon, so the feature carries more information.

[claustromaniac]

The thing is, we can agree that the subset of users that do hide their IP should ideally have as similar a fingerprint as possible. If all Tor users and VPN users request sites in english, all others requesting sites in their own languages will look different. Sure, it can be argued that they were already different because servers can find out if a user is connecting over Tor or even over some VPNs, but that would not necessarily mean the rest are individuals that don't hide their IPs (they could be proxies, for example).

Back to the hypothetical Croatian user: would he look less unique as a member of a super tiny group of worldwide users that have different IPs but otherwise very similar fingerprints, or as a member of an even tinier group of Croatians that use RFP and request sites in their own language?

[KOLANICH]

It seems that second group is really tinier. The problem is that using VPN for all the Web surfing activity is IMHO an overkill: it's both slow and carries additional risks: I assume that ISPs are quite trustworthy in the sense I assume they would not insert malware unless ordered by government agencies or hacked, if they lose reputation they are tied to their physical infrastructure, but VPNs are other beasts, they are not tied to physical infrastructure, can be closed and opened easily and their infrastructure can be compromised by the datacenters. Tor exit nodes are even less trustworthy. HTTPS and DoT/DoH can solve some issues, but 1 lot of site owners say "my website doesn't need https, I won't enable it, it conshmes resources" and unfortunately it is not always possible to stop using their websites; 2 vulnrs have been found in tls implementations multiple times. Whl can bet there is no more?

So I think it makes no sense to use Tor/VPN for daily surfing from home for all the sites. For the censored ones though it is the only way to use them.

So if the choice is following:

• native lang + other options from this repo+ no IP address hiding
• faked lang + other options + no IP address hiding,

then I guess the first option should be less unique

[Thorin-Oakenpants]

Yeah, look: it's pretty simple. if language/locale was being used to FP you (anti-FP TP lists, using uBO/uM and controlling third party: but we always assume the worst in building defences)

• if you are masking your IP, it might make sense to make your lang/locale as en-US - but there are millions of users with French, or German or Spanish, and so on. The chances of linking your traffic from outside parties is slim to none. But if you were the only user to request Klingon, then you'd be potentially fucked. At the end of the day, the tens? of millions of VPN/proxy users between them use tons of different languages, and bounce around different servers all over the world. You'd also be pretty safe to use your native lang.
  • it only works for the Tor Browser, because the TB can enforce the default
• if you are not masking your IP, then it makes sense to use the language of that country - if you didn't, e.g French visitors to the USA, you almost certainly wouldn't be unique, but it would be higher entropy (depends on the combo).

Having English as my first (and only live) language (the others are dead: Latin and Classical Greek) means I don't have the same issue as ESL.

Where it gets trickier, is when you combine results: e.g spoofing UTC=0 but claiming to be Greek. And the only way this works is when enforced (see TB), or when tens of millions of FF users uptake RFP when it's ready and the numbers per language are sufficient - because at the end of the day, if it gets uptake, it needs a high level of usability - which is why RFP only warns about language, but does not enforce it.

[Thorin-Oakenpants]

PS: I'm just grateful that the default language wasn't Chinese / Mandarin

https://en.wikipedia.org/wiki/List_of_languages_by_number_of_native_speakers

Edit: Holy sh%t .. 4.922% of the world speaks English - never knew it was so low. And it gets really depressing after the top 20 or so languages. Yup, I know percentages are not the same as internet figures (e.g, not all chinese are on the internet, etc)

[Thorin-Oakenpants]

I think we should revisit this: I just make arguments to use your own language regardless of IP masking or not. I know that the wiki page does not equate to users on the internet, or even more specific why that one Hungarian keeps visiting GoatsRUs ... but the point is that

• with an IP mask, who cares (see bullet point 3)
• without an IP mask you'll probably stick out more
• your language is already as common as fuck

Re-opening: At the very least we should add some concise info, maybe setup-tags (I don't want too many setup tags), at most we could flip them all inactive. Reopening

[claustromaniac]

4.922% of the world speaks English - never knew it was so low

That's native speakers, though. Trust me on this: as a second language I'd say it's by far the most popular one in the world.