intika / Librefox

Librefox: Firefox with privacy enhancements
https://librefox.org
Mozilla Public License 2.0

Further addon suggestions #39

Open b16r05 opened 5 years ago

b16r05 commented 5 years ago

Add on suggestions [and other privacy related suggestions] mentioned at the following websites for consideration/integration:

Prism Break: https://prism-break.org/en/categories/windows/#web-browser-addons

Privacy Tools: https://www.privacytools.io/#addons

Atavic commented 5 years ago

IMHO Privacy Badger is superseded by ublock origin, here it has been asked:

Do uBlock just do that same job as privacy badger or should I use both?

uBo does more and all the features of PB are included. PB deals with 3rd party tracking only.

If you have customized your adblocker settings to block trackers as well, Privacy Badger may be partially redundant

^ Source

Also see: https://github.com/ghacksuserjs/ghacks-user.js/issues/598#issuecomment-447567241 https://github.com/privacytoolsIO/privacytools.io/issues/335

elypter commented 5 years ago

there is also privacy possum which is supposedly more advanced

elypter commented 5 years ago

on top of those i have those privacy addons: ClearURLs, UntrackME, Clean Links, ScriptSafe, Skip Redirect, Pure URL, Luminous

and those useful addons:

Violentmonkey, Redirector, Stylus, Chrome Store Foxified, Video DownloadHelper, Terms of Service: Didn't Read

dimqua commented 5 years ago

@Atavic

uBlock Origin protects using blacklists. Privacy Badger protects by automatically learning about trackers as you browse, which means Privacy Badger might catch things that uBlock Origin doesn't know about.

IMHO, uMatrix does this job better, since it can block things that these two addons don't know about. But it's only effective against 3rd party tracking too. That's why I think uBlock is a good addition to uMatrix.

samuel8941 commented 5 years ago

I don't know where you guys are going with this. What's the point of adding extensions you like to a list?

People are capable of installing the extensions they like. That's what made Firefox big. I don't disagree with a list of good extensions, but maybe you should ask yourself if this is really that relevant right now when thinking about what a "Librefox" differentiates from a Firefox.

Atavic commented 5 years ago

Suggesting a few extensions may help in debugging issues for those that use them. Regarding ClearURLs, Clean Links, Skip Redirect and Pure URL I have substituted them with: https://github.com/tumpio/requestcontrol

elypter commented 5 years ago

these addons are also a source of inspiration for features that could become a browser core functionality. there is a lot of potential for synergies and performance improvements. addons were originally meant as niche additions that only some users need. these addons however add core features from a privacy standpoint. making those work together and possibly integrate better in the future makes a truly private and practical web experience a reality.

intika commented 5 years ago

Extensions suggestion/recommendation will be removed from the project on next release, recommended and reviewed addons will probably be kept on an open issue like this one.

One single extension (that should include most needed privacy features) will be kept on the main project page...

Librefox needs to find its way as a browser.

Also a lot of settings will be integrated directly to the browser, and yes a list base could be helpful to shape what feature will be integrated on the browser.

elypter commented 5 years ago

a browser integration should be the final goal. privacy is a core feature and should not be treated like it's an optional extra. combining all the privacy addon features into a single addon or directly into the browser will remove many redundancies, improve control and performance. it is the right approach but also a very ambitious goal. many addons are big projects just for themselves. so maybe try to focus on providing better interfaces to the addons first and help addon developers implement them. this way you can already test the interfaces under practical conditions without having to write all the addon code first to get any feedback. there are many limiting factors in the webextension implementations. asking the addon developers what stops them from making a better addon also gives you a good hint what you have to modify for your own addon/browser integration.

b16r05 commented 5 years ago

@elypter Great reply in response to @samuel8941's comment. Couldn't have said it better myself. I haven't even heard of any of the addons you mentioned, but, I know stylUS : )

Further, Firefox itself has made some privacy related changes that were previously possible only with addons. For example, I think Firefox does HTTPS by default now. Another thing is "referrer getting stripped" was also added (not sure if it is the same as pure URL), etc. Overlap is another problem... we have quite a few addons that do the same thing like ad-blocking, but not all function similarly!

I think this "these addons are also a source of inspiration for features that could become a browser core functionality. " should be on a TODO list... There should be a table of sorts so users can see which privacy features are included (what is in the core), which addons are recommended, which addons are under review and which addons not to use (and why) <-- looks like table columns :)

So, having a wiki page with the "master chart for addons" is one way to do it. Another suggestion is to have users submit addons for review. So, having another repo for addon suggestions by users and then, they go into review... similar to chocolatey package request, but maybe that is too much ; )

b16r05 commented 5 years ago

@intika

Wow... I had no idea (I am not using LibreFox) that there was a place for users to submit addon suggestions. Having this is a good idea...

Reason is take for example user agent spoofer. Chameleon is a WebExtension port of the popular Firefox addon Random Agent Spoofer... https://addons.mozilla.org/en-US/firefox/addon/chameleon-ext/ https://github.com/sereneblue/chameleon and LibreFox has its own recommendation: https://github.com/intika/Librefox/#librefox-addons

So, how does a user know, if a newer addon is better than existing one or takes care of something completely new (or is crap)? You want users to submit new addons and the tech. team to review. And, perhaps a wiki page can show that the addon was reviewed and recommended or not recommended, or is redundant because such functionality is built into the LibreFox browser.

With so many addon options, it is overwhelming, therefore, I think this is important. LibreFox WILL find its way, the clearer it is to the users how privacy options are set up, whether to use addons or not, and which ones, and overall how easy it is to use the browser, out of the box.

And lastly, I know this is asking much, as addons is just a smaller part of the core function of the browser : )

Atavic commented 5 years ago

What's a minimal list of must have extensions?

gorhill uBo, decentraleyes, noscript (or uMatrix) as discussed here, one for cookies on/off, one for trimming/clearing URLs?

Notices: Too many addons may lead to problems: https://github.com/pyllyukko/user.js/issues/348#issuecomment-420322549

and also may lead to unique fingerprinting, particularly for the extensions that modify the page's DOM, as explained in the XHOUND research PDF linked here

The upstream project's related issue hasn't led to a minimal must-have extensions list (yet).

b16r05 commented 5 years ago

@elypter

"combining all the privacy addon features into a single addon or directly into the browser " -- sounds ambitious, I am not sure this is possible. Then, again, maybe with how WebExtensions work, it is!

"many addons are big projects just for themselves" -- absolutely. NoScript looks complicated as a user, can't imagine what the dev. feels like :-)

My suggestion has been to have a wiki page which shows by category, for example,

adblocker, user agent spoofer, cookie handler, etc.

and for each category a list of:

addons recommended, addons not recommended, addons under review, addons redundant, etc.

so, the process is transparent to users. They know they can suggest if they see something new or review if they have any doubts about an addon/privacy feature.

elypter commented 5 years ago

gorhill uBo, decentraleyes, noscript (or uMatrix) as discussed here, one for cookies on/off, one for trimming/clearing URLs?

there should also be an addon to clear referrers and headers and all those addons/features should be capable of using white&blacklist, asking the user as well as detecting patterns themselves like privacy badger or privacy possum which monitor third party scripts to see if they are used on multiple sites and what they are doing.

Atavic commented 5 years ago

^ That's the one for trimming/clearing URLs, See: https://github.com/intika/Librefox/issues/39#issuecomment-449867379

atomGit commented 5 years ago

Temporary Containers - this and, optionally, privacy.firstparty.isolate should eliminate the need for any cookie/storage/canvas cleaners, which can't clean everything by domain anyway (IndexedDB)

ClearURLs - dynamically updated list of URL param cleaning (tracking)

Decentraleyes - already mentioned - apparently loading local web fonts is on the to-do list

Privacy-Oriented Origin Policy POOP - strip origin headers

Skip Redirect - already mentioned

uBO and/or uM - already mentioned

elypter commented 5 years ago

i would like to suggest a concept that is not quite functional yet but has some potential. there is a project called truthbot (unfortunately discontinued now). its goal was to show users the ownership relation of a website. today's big corporations usually own hundreds of daughter corporations which themselves own many domains. it has come so far that the average user doesn't notice anymore who a website really belongs to and thus is less suspicious of potentially biased information. it however can be important information for privacy concerns as well. it can make blocking content based on company much easier and it can also make container isolation work with less breakage by automatically putting every company in its own container. i made a suggestion for containerise a while ago here: https://github.com/kintesh/containerise/issues/33#issuecomment-437074155

intika commented 5 years ago

@b16r05

"combining all the privacy addon features into a single addon or directly into the browser " -- sounds ambitious, I am not sure this is possible. Then, again, maybe with how WebExtensions work, it is!

The main browser extension i am thinking of would just bring important features not everything other extension would always be needed... it would be just a must have extension to make Librefox complete

My suggestion has been to have a wiki page which shows by category, for example,

After the release of the next version any PR for that would be welcome but all those extensions etc. have to be limited because the most important thing is the core Librefox... it's why i thought of a future open issue, where main post would have a list that would be updated over time while user post what they want to add to that list in the issue itself or something else i have not yet decided how to go for this, and would probably need help to review this growing list because a good review needs a lot of time at least 1h per addon depending on the size

elypter commented 5 years ago

Privacy-Oriented Origin Policy POOP - strip origin headers

i haven't heard of this one yet. thanks

intika commented 5 years ago

i would like to suggest a concept that is not quite functional yet but has some potential. there is a project called truthbot (unfortunately discontinued now). its goal was to show users the ownership relation of a website. today's big corporations usually own hundreds of daughter corporations which themselves own many domains. it has come so far that the average user doesn't notice anymore who a website really belongs to and thus is less suspicious of potentially biased information. it however can be important information for privacy concerns as well. it can make blocking content based on company much easier and it can also make container isolation work with less breakage by automatically putting every company in its own container. i made a suggestion for containerise a while ago here: kintesh/containerise#33 (comment)

Let's keep things cool right now and not overwhelm too much the to-do list

b16r05 commented 5 years ago

@intika

Ah... now I understand about the main browser extension. So, just the fact that other browser extensions/addons will be needed, makes this issue still relevant : )

Yes, I understand about focusing on LF core... and "limiting extensions or else getting fingerprinted" : )

I want to just leave another suggestion on here... which is to take a look at how chocolatey-package-requests works: https://github.com/chocolatey/chocolatey-package-requests. This is probably very elaborate, but could be simplified as far as "Addons Review" is concerned, as it is not the main focus of LF. This method might still help with the review process. Of course, people will help as new requests come in... or addon status will continue to say "Under Review" : )

intika commented 5 years ago

Ah... now I understand about the main browser extension. So, just the fact that other browser extensions/addons will be needed, makes this issue still relevant : )

it's why it's still open :) :+1:

theel0ja commented 5 years ago

I'd suggest only having uBlock Origin and maybe HTTPS Everywhere bundled and everything else shall be installed by the user if he wants.

intika commented 5 years ago

@theel0ja uBlock Origin would be a lot for maintenance i prefer keeping that out... the main addon would just provide what can not be done on the core settings, kind of an addition to the core settings for an easy way to switch on/off like some anti fingerprinting features

atomGit commented 5 years ago

personally i would not suggest HTTPS Everywhere - it relies on an imperfect 3rd party list which, in my opinion, is a super-dumb way to handle the problem - and Smart HTTPS doesn't work with containers, as i was informed - that leaves a brand new one - HTTPZ - by claustromaniac - it's simple and (so far) it works and there's nothing to configure, so it should be completely transparent to the user

as for uBO - its simple mode makes it pretty manageable and transparent for most people i would think, with just a little careful setup (or pre-configured perhaps)

dimqua commented 5 years ago

@atomGit HTTPZ is great, but it uses a list of ignored hosts which is temporary (unlike Smart HTTPS). It is not very convenient, IMHO.

atomGit commented 5 years ago

actually i see that as a plus - with Smart HTTPS, if an https site takes too long to load, by default it's added to a list, redirected to http, and will always load as http from then on - not good - i actually used to dump that list every so often to avoid the problem - HTTPZ works like Smart HTTPS without the whitelist

personally i don't mind hitting http sites with https requests because i think every admin should be using SSL, especially since Let's Encrypt certs are free

theel0ja commented 5 years ago

I personally use uBlock Origin with default settings with few extra lists added, while uMatrix handles third-party script blocking etc. Just a personal preference.

(...oh and I wouldn't suggest uMatrix for non-techies, but uBlock Origin is no problem for them)

elypter commented 5 years ago

I wouldn't suggest uMatrix for non-techies

however the approach to be able to set each rule for each resource is something very powerful and understandable by everyone. it's just that a giant colored table overwhelms them. alternatively you could just show the tree of resources and when clicking on one a dialog shows up that allows to set individual rules.

b16r05 commented 5 years ago

@intika

I am still reading the Readme.MD (quite long : ) and the addons sections...

Question 1: You mention that recommended addons must be installed manually. Can this be automated? Or, is it too much? What I mean is... whichever addons are recommended, they could be automatically installed in bulk. Perhaps, you could give users the option to check/uncheck for individual recommended addon options. Same goes for recommended addon settings. If users want to use the recommended settings, they simply check/uncheck a box, and recommended settings are applied. [Should this be another issue?]

Question 2: Nowhere did I see (CTRL+F on readme.md) anything about in-built password manager and Firefox sync. Will these work the same as standard Firefox?

intika commented 5 years ago

@b16r05 there is no plan in automating addons installation nor bundling addons the next version would have a lot of features integrated and switchable over settings, and a single Librefox addon that completes the whole thing for advanced users... in other words the browser will have main privacy/security option available natively, and there will be a single addon for users willing to have max enforcement.... (not bundled) recommended addons section will be dropped and kept alive just through user discussion under the issue section as it is already somehow the case right now... there is no need to supercharge the browser with 1000 addons that would break once an update is released plus for real protection, usability and performance this is questionable... any way the plan is meant to please every one... users who want to enforce, users who want to have a bunch of addons and users who just want an acceptable privacy and settings are kept over update so no need to redo all the settings every update...

Password manager will be kept for sure and it could be disabled if needed to... for the sync i have not yet decided whether to keep it switchable or remove it (i guess i will make it switchable it will just require some additional work).

Currently password manager and sync are just disabled, they can be enabled back under the mozilla.cfg file tho

atomGit commented 5 years ago

one add-on that i think is desperately needed is something to work with containers which restricts containers to specified domains - please correct me if i'm wrong, but i could find no such add-on anywhere on planet earth that will not allow any domains to be opened in a container other than those assigned to that container

i'm aware of TC, but it's not overly user-friendly for a few reasons (breaks forward/back nav for one when it's in auto mode) and requires at least one additional add-on (MAC) if one wants to add domains to a specified permanent container and disallow other domains to be opened in that container (and the whole process of adding domains to a container is totally convoluted at the moment)

then again, what is the best way to isolate storage? FPI? containers? both? i think the major advantage with containers and TC in auto-temp mode is being able to dump (most) storage after leaving a domain, however if this functionality were available for FPI, would a container add-on even be necessary from purely a privacy/tracking POV? sure, one can auto-dump all storage when FF exits, but that also removes desired storage (cookies) for domains where users want to keep settings, as well as other stuff users may want to keep (history, site permissions, etc.)

Atavic commented 5 years ago

what is the best way to isolate storage?

Short answer is FPI, see: https://github.com/ghacksuserjs/ghacks-user.js/issues/395

I trust FPI more than Containers because the latter doesn't isolate: Exceptions for Invalid TLS Certificates, HSTS Flags, OCSP Responses

See: https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers#What_is_.28and_isn.27t.29_separated_between_Containers

Comparing FPI, Containers and PB Mode: https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21

atomGit commented 5 years ago

I trust FPI more than Containers ...

ditto - plus FPI is native whereas containers are sorta not native i believe - and since they are in some ways redundant, i prefer to avoid that redundancy

i realize i'm going off-topic here (feel free to spank me), but i have a Q regarding FPI:

let's look at FPI like containers for the sake of this example - you have previously visited example.com with FPI enabled and now (in order to log-on or un-break something) you disable FPI and visit example.com again - what happens to that data? can the domain now access the data that was stored when FPI was enabled or is it kept separate?

Atavic commented 5 years ago

FPI comes from Tor, it's close to an Identity in the Tor Browser.

In Firefox, you're supposed to close it - and totally clear/wipe session data - and not just disable FPI, otherwise:

FPI data will remain on disk and is accessible from the First Party until cleared.

See 1st post of https://github.com/ghacksuserjs/ghacks-user.js/issues/395

elypter commented 5 years ago

this post is about the possible breakages with fpi https://www.ctrl.blog/entry/firefox-fpi

does fpi support grouping like with containers where a certain set of domains access the same stash of user data?

Atavic commented 5 years ago

privacy.firstparty.isolate.restrict_opener_access set to false lowers some isolation rules and can help those logging into Google or Facebook.