cleanup of the about:config section [continued]

[Thorin-Oakenpants]

carrying on from #1212 ... I'll keep editing this first comment as the checklist.

• https://www.privacytools.io/browsers/#about_config

PS: FYI, you generally have to @ me (I rarely watch anything to limit the noise), but I'll stay subscribed to this issue

PPS: mods feel free to fixup all the labels :)

---

:hankey: Part 1: Finish Cleanup

Remove (from the last issue)

• [x] browser.sessionstore.max_tabs_undo see this comment and the subsequent reply

Also remove

• [x] Mozillazine from the Related Information list
  • woefully out of date info (that's just the nature of trying to maintain such a list)
  • it is being discontinued anyway: see this

---

:ambulance: Part 2a: Easy Quick Additions

Add these [just plonk it anywhere, we'll deal with the order/sectioning later]. These are all zero breakage

• [x] beacon
• [x] prefetching
• [x] dns prefetching
• [x] predictor (and prefetching)
  • flipping enabled probably makes prefetch redundant but no time or inclination to dig into this
• [x] Safe Browsing remote checks for downloads
  • ?? this needs a warning, but we can do that when we jumble things around into sections. Not overly concerned given SB itself was recommend off for years with no warning. We'll get to it.

zero breakage pref details

beacon ```js /* disable sending additional analytics to web servers * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/ user_pref("beacon.enabled", false); ``` prefetch ```js /* disable link prefetching * [1] https://developer.mozilla.org/docs/Web/HTTP/Link_prefetching_FAQ ***/ user_pref("network.prefetch-next", false); ``` dns prefetching ```js /* disable DNS prefetching * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/ user_pref("network.dns.disablePrefetch", true); user_pref("network.dns.disablePrefetchFromHTTPS", true); // hidden pref in ESR (unhidden and default true FF70+) ``` predictor & pre-fetching ```js /* disable predictor / prefetching ***/ user_pref("network.predictor.enabled", false); user_pref("network.predictor.enable-prefetch", false); ``` sb remote checks [edit: [here](https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work#w_what-information-is-sent-to-mozilla-or-its-partners-when-phishing-and-malware-protection-are-enabled) is the source of that description, but I personally would just link the URL without the anchor] ```js /* disable SB remote checks for downloads * To verify the safety of certain executable files, Firefox may submit some information about the * file, including the name, origin, size and a cryptographic hash of the contents, to the Google * Safe Browsing service which helps Firefox determine whether or not the file should be blocked * [SETUP-SECURITY] If you do not understand this, or you want this protection, then override it ***/ user_pref("browser.safebrowsing.downloads.remote.enabled", false); ```

---

:ambulance: Part 2b: Add Sanitizing on close info

• I'll dump a draft in a subsequent comment: but this is a way better method to emulate session control of persistent local web data (a la PB mode)

---

:8ball: Part 3: ETP/cookies and sanitize on close

• [x] remove all the ETP/cookie prefs
• [x] remove dom.event.clipboardevents.enabled (see https://github.com/privacytoolsIO/privacytools.io/issues/1430#issuecomment-609794486)
• [ ] create a new section for UI changes: for ETP and sanitize on close

---

:: Part 4: Sectionize

• three sections max: e.g. no breakage, some breakage depending on usage, here be dragons)
• at the same time we fixup descriptions and explain the breakage or why there are dragons
• at the same time we provide better soucres if needed etc

---

:beer: Part 5: Get Wrecked

• drink copious amounts of amber liquid, pants optional

...

[Thorin-Oakenpants]

Just a heads up: I am incentivized to get to Part 5 :beer: so lets get this done or I'll lose interest / time to do it

[blacklight447]

Hey thorin, thanks for starting out the work, shall we open up a pull request to work on this?

[Thorin-Oakenpants]

go for it: all the info is already in the first post for parts 1 and 2a

e.g.

disable sending additional analytics to web servers
 * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
user_pref("beacon.enabled", false);

becomes

beacon.enabled = false disable sending additional analytics to web servers. Source

[Mikaela]

@blacklight447-ptio Any news about this? I am assigning myself too in case I would end up looking at this sometime when looking at issues assigned to me while this doesn't seem too difficult PR as Thorin-Oakenpants has already done most of the thinking, but I guess I should finish #1580 first.

[tomac4t]

Take notes:

dom.event.clipboardevents.enabled = false Disable that websites can get notifications if you copy, paste, or cut something from a web page, and it lets them know which part of the page had been selected.

Breaking the Nextcloud text editor, pasting text on Twitter Web UI and a lot of things.

media.gmp-widevinecdm.enabled = false Disables the Widevine Content Decryption Module provided by Google Inc., used for the playback of DRM-controlled HTML5 content. Details

I found it breaking the "animate" feature on windy.com.

media.navigator.enabled = false Websites can track the microphone and camera status of your device.

Breaking the Live Streaming on Youtube. And it is unnecessary, Firefox will asked you Camera and Microphone permission.

[dngray]

Was this ever finished? It probably should be before we progress onto https://github.com/privacytoolsIO/privacytools.io/issues/1328 and https://github.com/privacytoolsIO/privacytools.io/issues/1257

[Mikaela]

I am afraid not

[Thorin-Oakenpants]

I am afraid not

A piece of string walks into a bar and walks up to the counter.

The bartender says, "Sorry mate, we don't serve pieces of string in here, get lost."

Upset, the piece of string walks out the door. A sudden thought strikes him. He tangles himself all up and messes his hair up.

He walks back into the bar and approaches the counter. The bartender says, "Oi, aren't you that piece of string from before...?"

"No," says the piece of string, "I'm a frayed knot."

---

So part2b and part3 are much the same: with a backtrack on 2b being added to the list (instead I think it should be treated same as ETP: i.e part3)

Sanitizing on close, and ETP have a UI. There's no need to list

• privacy.trackingprotection.fingerprinting.enabled = true
• privacy.trackingprotection.cryptomining.enabled = true
• privacy.trackingprotection.enabled = true
• network.cookie.cookieBehavior = 1

ETP's fingerprinters and cryptominers are enabled by default anyway. And setting custom settings from user.js can result in them not being applied - see 1607249

I would create a new section above the about:config, and tell users to use the UI - that's what it's there for. That's for both ETP and sanitizing on close. I think there's already a page with some pretty pictures about ETP?

Not sure about the other two issues, but I'm assuming that the FPing gets it's own page, and extensions gets it's own page? IDK. I have no idea how you want to structure it

[Thorin-Oakenpants]

https://old.reddit.com/r/privacytoolsIO/comments/fvue9m/firefox_issues_after_aboutconfig_adjustments/

I actually think you should also remove dom.event.clipboardevents.enabled - I honestly believe this is one of those paranoid settings that everyone promotes across the web due to the name without actually understanding it

• it requires user interaction
• pages can already tell WTF you're doing on a page: who F'ing cares if you selected some text and copied it - it's not a FPing, tracking, security or privacy risk
• if you're pasting - well, the site can already see what you pasted
• Tor Browser doesn't change it from FF's default (it's not a threat)

I've added it to the list in OP

[blacklight447]

https://old.reddit.com/r/privacytoolsIO/comments/fvue9m/firefox_issues_after_aboutconfig_adjustments/

I actually think you should also remove dom.event.clipboardevents.enabled - I honestly believe this is one of those paranoid settings that everyone promotes across the web due to the name without actually understanding it

* it requires user interaction

* pages can already tell WTF you're doing on a page: who F'ing cares if you selected some text and copied it - it's not a FPing, tracking, security or privacy risk

* if you're pasting - well, the site can already see what you pasted

* Tor Browser doesn't change it from FF's default (it's not a threat)

I've added it to the list in OP

question, if i copy my password from my password manager, and accidently go to a tab which is not the site where i want to log in, will this site be able to read my clipboard and therefore my password?

[Thorin-Oakenpants]

If clipboard contents could just be grabbed by websites, then we'd all be in the shit - just clicking on a tab (which is part of the chrome), the answer would be no. I've tried to get to the bottom of clipboard several times over the years, and can't seem to find any clear-cut answers: the good news is that I can't really find exploits either.

I'm only focusing on the clipboard read aspect, I don't care about write.

It's also a bit confusing (for me at least)

• https://developer.mozilla.org/en-US/docs/Web/API/Clipboard_API FF63+ <- gated behind the Permissions API, and responds to on open, on cut, on paste events. There's a pref for this new API. But I've yet to see any permissions in the UI
• prior to FF63 it used an older API/method
• I have at least three prefs and no two APIs and idea how they all relate exactly

If someone pastes their password into the wrong form (AFAIK a password field cannot be read by clipboard), and on the wrong site - then that's an OpSec error. The pref mentioned here is old (way older than FF63), but it does still have affect when toggled. How that ties into the new API I'm not sure.

Hope my non-answer helped :)

Edit: re: permission: you get a dialog to allow or cancel: it's not a "site" permission

[gary-host-laptop]

Has the about:config list on the website been updated to some extent yet? If not, when will this be finished? I've been wanting to start using them but was unsure if they were outdated or not, since most of this issue is completed.

[dngray]

I think this one might have stalled.

We should decide what other important switches need to be changed. I'm not keen on reproducing the whole work of ghacks-user.js though.

[dngray]

@Thorin-Oakenpants:

You might have noticed i asked for your help in https://github.com/privacytools/privacytools.io/pull/2005#issuecomment-704015427 I'm thinking of getting this cleaned up. We're thinking of not listing umatrix (unmaintained) / decentraleyes (virtually unmaintained), and updating the about:config options to be a bit more up to date.

The issue we have now is that they don't really apply to Fenix builds. Do you plan to have a separate branch for that? Do you even use a browser on your phone? I remember seeing on your wiki that the user.js can't really be used with the Android version of Firefox anymore.

[gary-host-laptop]

Can you edit the about:config on Fenix? Last I remembered you can't.

[Thorin-Oakenpants]

decentraleyes, localCDN, cookie cleaners ... are all gimmicks - always have been. The proper solution is first party isolation, period. End of story. One assumes you're masking your IP.

decentraleyes has literally been useless for a year - see https://github.com/arkenfox/user.js/issues/948

For those who don't want to use FPI (or dFPI), then those gimmicks may help: but it's not something I'm interested in. Use FPI/dFPI or f-off is my motto (yeah, I get the cross-domain login issues: adapt or die: use another profile/browser for those sites: or wait for dFPI).

Same with FPing (all those anti-FPing extensions can basically be bypassed: you just cannot expect web ext APIs to do what FF can do internally)

• fake your timezone - oophs, I just got your real one via Date.parse() or workers
• fake as en-US - oophs, I just got your real locale/language via other means
• fake domrect - I can tell you're faking which makes you stand out
• fake textmetrics - I can tell you're faking... ditto
• and so on

---

Fenix: use FPI and RFP: that's all you need. I use nightly, but also have a release build for testing. about:config is not available in release as it exposes all prefs: many of which can easily break GeckoView leaving end users with no option but to wipe everything and reinstall the browser = a PR nightmare and a waste of support resources

I don't generally care about android browsers. RFP still has a few gaps: so on my nightly I also disable webRTC and webGL. The other would be web audio, but I leave mine on for testing (I do not for a second believe the entropy on audio is very high, at all: it's not hardware dependent)

FYI: my phone has FF release, FF Nightly (main one) with above 4 pref changes), TB for Android release. Chrome browser is pre-installed and never used. I don't use my phone for much: and browsing is limited to tests, a handful of news/techblogs/sports-news sites - zero logins. Banking is via apps. I prefer doing real web browsing in my dual kick ass super high res monitors :)

Do you plan to have a separate branch for that

No. I have never supported an android user.js: it just happened that FF68 and lower was 95% the same. With GeckoView it's radically different (hence I changed the wiki entry). The user.js readme says arkenfox is for desktop only, as does the user.js itself

---

uMatrix: it hardly ever gets any updates anyway. I'm going to keep using for at least the next six months to a year and see if some features can get added to uBO (such as scope switches like workers and CSP reports) - and meanwhile I've slowly relaxed my hardened-nightmare uM settings and so far everything is already covered by uBO (default block all third party) - remember, I have FPI so third party connections are not an issue

how you handle that on PTIO recommendations, IDK.

[dngray]

FYI: my phone has FF release, FF Nightly (main one) with above 4 pref changes), TB for Android release. Chrome browser is pre-installed and never used. I don't use my phone for much: and browsing is limited to tests, a handful of news/techblogs/sports-news sites - zero logins. Banking is via apps. I prefer doing real web browsing in my dual kick ass super high res monitors :)

I have to admit, my use case is much the same. Curious to know what are those 4 pref changes?

Same with FPing (all those anti-FPing extensions can basically be bypassed: you just cannot expect web ext APIs to do what FF can do internally)

Yup, which is why I've never been a fan of them. I'm not really a fan of too many extensions because it always causes issues when various things are upgraded and nowadays they never truly work as you've said.

@lynn-stephenson had this to say on the matter:

dngray I analyzed the traffic for CDNs, and it really makes sense to just not use extensions such as Decentraleyes, and LocalCDN. All they receive is typical HTTP headers, and don't seem to attempt to set cookies anyways. But if they do, FPI will mitigate that. In such a case, you're only revealing your IP, when you accessed that resource, and your user agent.

uMatrix: it hardly ever gets any updates anyway. I'm going to keep using for at least the next six months to a year and see if some features can get added to uBO (such as scope switches like workers and CSP reports) - and meanwhile I've slowly relaxed my hardened-nightmare uM settings and so far everything is already covered by uBO (default block all third party) - remember, I have FPI so third party connections are not an issue

Maybe we will leave uMatrix as is for now, we've got a warning about it being unmaintained. Someone might pick it up. Myself I'm just using uBlock in advanced mode/hard mode.

Obviously it doesn't work on Fenix builds either anymore and that's unlikely to change.

how you handle that on PTIO recommendations, IDK.

So we're thinking of doing 3 things with this:

• Removing Decentraleyes
• Removing Cookie AutoDelete (no longer works in Fenix anyway) and on desktop we have Temporary Containers. It may be possible we have Temporary Containers on Android in the future https://github.com/stoically/temporary-containers/issues/465
• Splitting the about:config settings into two sections, desktop and android
• Mentioning that arkenfox is for desktop only.

[Thorin-Oakenpants]

Curious to know what are those 4 pref changes

told ya already :) FPI, RFP, WebGL, WebRTC

[dngray]

Curious to know what are those 4 pref changes

told ya already :) FPI, RFP, WebGL, WebRTC

My bad, my mind is in a couple of places at once 😀

[dngray]

@Thorin-Oakenpants i think it might be a good idea to make a user.js devel branch/repo for Android. I know what you said about, not supporting it, but I think we could put some basic settings in there that do apply to GeckoView based browsers. It's not like the demand is ever going to go away, nor the questions.

You could mention that it isn't a main priority of the arkenfox project if you want. I rather like your comment formatting that you do in your main user.js.

It would also give something for us to cross-link to in worth-mentioning section.

[Thorin-Oakenpants]

i think it might be a good idea to make a user.js devel branch/repo for Android

with four prefs in it. not worth it mate :)

[dngray]

i think it might be a good idea to make a user.js devel branch/repo for Android

with four prefs in it. not worth it mate :)

For the moment, but of course that could change in the future 😀.

I'm thinking the best way would actually be a separate repo, where discussion can take place about what works or is relevant to Fenix.

[dngray]

Fenix: use FPI and RFP: that's all you need. I use nightly, but also have a release build for testing. about:config is not available in release as it exposes all prefs:

Interesting I found this worked with the F-Droid build of Fenix. I wonder if it's only the Google Play release that is the case.

[dngray]

I've started on part 3. I really like the sections arkenfox/user.js uses so I somewhat copied those.

I thought about re-ordering the sections in the same order, but thought maybe we should keep it in order of importance (like I believe it is currently). See https://github.com/privacytools/privacytools.io/pull/2081

create a new section for UI changes: for ETP and sanitize on close

I was curious, did you mean all of these? https://github.com/arkenfox/user.js/blob/master/user.js#L1310

As for part 4 do you think any of the sources we currently recommend as references could be better?

[Thorin-Oakenpants]

I can't visualize that PR very well - i need to "see" things. As far as order goes, there is no such thing as importance IMO: that's subjective (even if you and I know that RFP + RFP do some massive lifting),

For your audience, it's going to be about tolerance: so in my head I was thinking you go

• ETP / COOKIES: here's an article (link to page or blog or whatever) about setting your "cookies+data", cue ETP pics, maybe add a cookie pref in that article like making 2rd party cookies session-only by default. ETP and cookies are tied together
• SANITIZING: here's an article (linked etc) on what persistent local data you can clear, cue pictures of customizing history from the preferences UI, and setting up ctrl-shift-del

That there removes a lot of about:config entries: and users hate long lists: and it's daunting

So, something like this

🔻 EASY AS FUCK

• ⭐ First, head to options and setup how ETP handles cookies and data .... here
• ⭐ Then, head to options and decide what cookies and data you want to clear between Firefox sessions .... here

🔻 ABOUT:CONFIG

• 🔹 Open about:config... instructions
• 🔹 Breakage is subjective and varies per person...
• ⭐ NO BREAKAGE
  • prefetching
  • etc
• ⭐ SOME BREAKAGE
  • pref c
  • etc
• ⭐ MORE BREAKAGE or UNINTENDED SIDE-EFFECTS
  • FPI: cross-domain logins may not work such as using google to sign into youtube
    • firstparty.isolate = true
  • RFP:
    • privacy.resistFingerprinting = true
  • LETTERBOXING: only use this if you use RFP
    • privacy.resistFingerprinting.letterboxing = true

🔻 ADVANCED

• ⭐ arkenfox link: description

[dngray]

I can't visualize that PR very well - i need to "see" things. As far as order goes

Oh, you know there's a live-preview mode: https://deploy-preview-2081--privacytools-io.netlify.app/browsers/#about_config

It shows the page as it would exactly appear.

I do like your ordering actually for No breakage, some breakage, more breakage.

[dngray]

small_red_triangle_down EASY AS FUCK

Ah, yes, these are exposed through the user interface, so I should use screenshots. Is that what you mean?

[lynn-stephenson]

@dngray I think it'd be a good idea to show screenshots, at least for the easy stuff.

[Thorin-Oakenpants]

small_red_triangle_down EASY AS FUCK

Ah, yes, these are exposed through the user interface, so I should use screenshots. Is that what you mean?

I don't understand. I was using the markup in github comments to emulate some sort of layout. My point was that the bits about using the UI would be elsewhere, because they're a bit long: and they're not about:config entries (to the end user). Isn't there already a blog post somewhere about ETP? Anyway I think they need a pic or two and deserve their own page(s) ... but if you think you can do without pictures and keep it short.. up to you

and then we can get into about config. So A) simple UI tweaks B) some simple about:config tweaks c) check out some extensions d) advanced (see Pants)

[dngray]

Isn't there already a blog post somewhere about ETP?

This is what I wasn't so sure about. I honestly don't remember where/if there was. I do know I didn't write it.

We could put a link in there to https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/ and https://blog.mozilla.org/blog/2020/08/04/latest-firefox-rolls-out-enhanced-tracking-protection-2-0-blocking-redirect-trackers-by-default/

Anyway I think they need a pic or two and deserve their own page(s)

I'm thinking this might be a good way to go. Thinking we might split the "Firefox Tweaks" into two pages "Easy Tweaks" and "Advanced Tweaks", the advanced page will contain the about:config stuff and the link to arkenfox/user.js

[Thorin-Oakenpants]

maybe I was thinking of https://blog.privacytools.io/firefox-privacy-an-introduction-to-safe/ (scroll down to ETP) .. IDK, I seem to remember a smaller entry - but that's almost exactly what you need. It even has a section on sanitizing further down - except it's using the Cookies + Site Data section whereas we are talking about the "remember history" section - as it gives you more granular control

[dngray]

Right, well i might work on including that part into the page without the other stuff that isn't relevant. I'm hesitant to link to the blog article as it is a bit outdated, ie the bit mentioning decentraleyes or other unrelated stuff to do with VPNs etc, ghackjs/user.js etc.

I get your point though.

[dngray]

@Thorin-Oakenpants

Sanitizing on close, and ETP have a UI. There's no need to list

• privacy.trackingprotection.enabled = true

I noticed this setting isn't enabled in user.js. By default it is set to false. When set to false "Tracking content" is "Only in Private Windows". I would have thought this was recommended "In all windows".

Wouldn't we want it to be in all windows?

Ie:

[Thorin-Oakenpants]

I noticed this setting isn't enabled in user.js

It's not even in the user.js

When set to false "Tracking content" is "Only in Private Windows"

Are you sure? privacy.trackingprotection.enabled is default false in about:config in my main FF. I am in a normal window. I have a shield icon in the urlbar, which when clicked shows that it is ON

When I go to facebook.com, the shield turns blue, indicating something was blocked. It's a bit hard to test shit in my main FF as so much stuff is already blocked via other means: but go ahead in a new profile and tell me ETP wasn't turned on by default for all users about a year ago

[Thorin-Oakenpants]

and tell me ETP wasn't turned on by default for all users about a year ago

make that 19 months stupid date formats .. so yeah a year ago : https://blog.mozilla.org/blog/2019/09/03/todays-firefox-blocks-third-party-tracking-cookies-and-cryptomining-by-default/

When you see the shield icon, you should feel safe that Firefox is blocking thousands of companies from your online activity

You’ll know when Enhanced Tracking Protection is working when you visit a site and see a shield icon in the address bar

[Thorin-Oakenpants]

Just a heads up: I am incentivized to get to Part 5 🍺 so lets get this done or I'll lose interest / time to do it

I can't believe it's been almost an entire year since I had a beer. You guys are killing me (not really: I got naked and drunk last weekend.. pics to follow)

[dngray]

Are you sure? privacy.trackingprotection.enabled is default false in about:config in my main FF. I am in a normal window

I just created a new profile in archlinux with firefox 81.0.2. By default ETP is set to Standard with privacy.trackingprotection.enabled set to false. If I then select "Custom" it is still off.

Only "Strict" enables that. Standard, Strict and Custom default to "Cross-site and social media trackers", ie option 4 of network.cookie.cookieBehavior. I was pretty sure 1 ie "All third-party cookies (may cause websites to break)" was desired. I don't use social logins and am yet to see a breakage.

Option 1 seems to be the route Apple wants to take too: https://webkit.org/blog/10218/full-third-party-cookie-blocking-and-more/

You guys are killing me (not really: I got naked and drunk last weekend.. pics to follow)

Sounds like how I am always, but then who ever heard of a polar bear wearing pants 🤪

I don't need to see pictures, unless you too are a polar bear.

[Thorin-Oakenpants]

We don't even have the pref in the user.js so it's not like I care about it (it's not something we need to control: they would flip it on when it was ready: and our user base most likely has uBO) ... What I am saying is that it's on by default for all users/windows. Mozilla said so: I can see it

https://www.huffpost.com/ has trackers using FF beta (nightly might have some dFPI experiments going on etc) privacy.trackingprotection.enabled = false (default)

mama (polar) bear

poppa (polar) bear

baby (polar) bear

big bad wolf

Convince me otherwise

[dngray]

Convince me otherwise

I think you just proved what I said above. Only Strict turns on privacy.trackingprotection.enabled from the user interface, unless you select "In all Windows" in custom mode.

My question was, perhaps we should instruct people to set that like so https://github.com/privacytools/privacytools.io/issues/1430#issuecomment-711155163 for the ETP instructions. That is how I have mine set up. I guess its not necessary as you said if a user has ublock.

Current preview: https://deploy-preview-2081--privacytools-io.netlify.app/browsers/#easy_tweaks

We're working on making a figure there that looks like the screenshot. We don't want to use the raster image screenshot because those look bad on HiDPI screens, make the site slow, don't work with a11y like screen readers.

[Thorin-Oakenpants]

sorry, I have so much other stuff going on. The pics show that by default, in standard mode, ETP is enabled and working. I do not understand what you're talking about. And now I see you're talking about the sub-item "Tracking" vs "Cross-site tracking cookies". Sheesh Louise: I need a break. Like I said, ETP is not something I really care about :)

Sure, if it's that important, then add that as an option for your users. But please tell me exactly what it is that "Tracking" protects you from: I'm interested. Because to me it sounds like some 1st party extras. It certainly can't hurt but it may produce more breakage and require exceptions depending on each user's mileage

[dngray]

Saw this today (related to cdn caching)

https://wicki.io/posts/2020-11-goodbye-google-fonts/ https://developers.google.com/web/updates/2020/10/http-cache-partitioning