Review 000-tor-browser.js and 001-base-profile.js for 102

browser/app/profile/000-tor-browser.js may contain some old stuff that we could/should remove.

Also do any work outlined in #32759

`001-base-profile.js`

Convention: bold = we need to follow up.

intl.locale.requested
browser.search.update
browser.rights.3.shown
- Remove! 😈️ (see comments)
startup.homepage_welcome_url, startup.homepage_welcome_url.additional
- S131 might be interested
browser.aboutwelcome.enabled
startup.homepage_override_url
app.update.promptWaitTime
app.update.staging.enabled
browser.slowStartup.{notificationDisabled,maxSamples,samples}
- Remove! 😈️ (see comments)
browser.disableResetPrompt
browser.privatebrowsing.autostart
browser.cache.disk.enable
permissions.memory_only
network.cookie.lifetimePolicy
security.nocertdb
dom.storage.next_gen
- Remove! 😈️
browser.download.useDownloadDir
- Remove the related checkbox? --> #40656
browser.download.manager.addToRecentDocs
signon.rememberSignons
- Remove the related checkbox? --> #40656
browser.formfill.enable
- Remove the related checkbox? --> #40656
signon.autofillForms
- Remove the related checkbox? --> #40656
browser.sessionstore.privacy_level
browser.privatebrowsing.forceMediaMemoryCache
media.memory_cache_max_size
dom.security.https_only_mode
- Add reference to the issue
dom.security.https_only_mode.upgrade_onion
- Move to 000-tor-browser.js
- Add reference to the issue
security.ssl.require_safe_negotiation
security.ssl3.dhe_rsa_aes_128_sha, security.ssl3.dhe_rsa_aes_256_sha, security.ssl3.ecdhe_ecdsa_aes_256_sha, security.ssl3.ecdhe_ecdsa_aes_128_sha, security.ssl3.ecdhe_rsa_aes_128_sha, security.ssl3.ecdhe_rsa_aes_256_sha, security.ssl3.rsa_aes_128_sha, security.ssl3.rsa_aes_256_sha
browser.send_pings
- https://kb.mozillazine.org/Browser.send_pings
- Still a thing, didn't even know about this thing from the specs
geo.enabled
- Completely disable geolocation
- Even part of legal terms!
- Usage is through static prefs
geo.provider.network.url
- Still used, but not sure we have a good reason to reassign it, since we are disabling geolocation in general (defense in depth?)
- Keep it, or delete it?
  - My resolution: be coherent with the rest and keep it
browser.search.suggest.enabled
- Still used, and synchronized with about:preferences#search (remove it from there?) --> #40656
browser.safebrowsing.*
- All of them are still used
- There are also additional preferences browser.safebrowsing.provider.* with URLs, see modules/libpref/init/all.js
  - Like geo.provider.network.url confuses me a little bit
extensions.ui.lastCategory
- Still used, but I don't have a clue on why we use it, especially since when you go to about:addons you override it.
- To be checked again
datareporting.healthreport.uploadEnabled and datareporting.policy.dataSubmissionEnabled
- Used also in DisableTelemetry in browser/components/enterprisepolicies/Policies.jsm!
- that function also sets toolkit.telemetry.archive.enabled, should we add it, too?
  - "This can only be enabled if unified is on."
  - My resolution: add it
toolkit.telemetry.unified, toolkit.telemetry.enabled, toolkit.telemetry.updatePing.enabled
- Still used, see https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/internals/preferences.html
- That document contains a few preferences for GeckoView.
  - It is especially about the streaming API, which is an alternative mode to the regular one, disabling it doesn't seem to disable telemetry
  - My resolution: ignore them
default-browser-agent.enabled (Windows only)
- Seems to be still used, and it's telemetry for engagement/marketing purposes: it checks users' default choices, even though they aren't Firefox.
- It is also disk leak, since it schedules as a Windows task, and it needs to copy data to the registry!
identity.fxaccounts.enabled
- Disables Firefox account/sync. Still many occurrences in the code.
services.sync.engine.*
- Still used, but there are a few new preferences:
  - services.sync.engine.bookmarks
  - services.sync.engine.history
  - services.sync.engine.passwords
  - services.sync.engine.addresses
  - services.sync.engine.creditcards
- They are synchronized with a sync.inc.xhtml panel, which we should be sure it is disabled
- Should we keep them, and add the new ones, even though we find it's possible to completely opt out the synchronization with a more generic pref (like identity.fxaccounts.enabled)?
  - As usual, is it to be seen as a defense in depth?
  - My resolution: add them for now, and remove them in the future, if we decide we don't actually need them
browser.region.network.scan
- "Include wifi data in region request."
- Already disabled by default, but being explicit here seems a good idea
browser.region.network.url, browser.region.update.enabled
- Still used, but unlike the previous ones, have other defaults
- toolkit/modules/Region.jsm also contains browser.region.local-geocoding (already false), should we add it explicitly?
  - My resolution: yes add it
browser.tabs.remote.separatedMozillaDomains
- Allows Mozilla-controlled webpages to access privileged features. Still used and we need to keep it empty.
- See https://firefox-source-docs.mozilla.org/dom/ipc/process_model.html#privileged-mozilla-content
browser.urlbar.dnsResolveSingleWordsAfterSearch
- "Did you mean to go to $host?"
- https://firefox-source-docs.mozilla.org/browser/urlbar/preferences.html
- Is S131 browser expected to be able to access the LAN? In case we might move this to Tor Browser-only.
  - Beware of possible fingerprinting: this question is asked with a notification box, which will make the letterbox change (related: #41433 (closed))
messaging-system.rsexperimentloader.enabled
- Still used in toolkit/components/nimbus/lib/RemoteSettingsExperimentLoader.jsm
- The same file also has app.shield.optoutstudies.enabled, should we add it?
  - They are used in the same if in init
  - My resolution: added, to be coherent with other prefs
  - Notice that you don't enable opting out, if you want to opt out you have to set it false 😐️
  - Anyway, it's already false currently, so yet another defense in depth
trailhead.firstrun.branches
- Remove! 😈️ (see comments)
browser.newtabpage.activity-stream.asrouter.userprefs.cfr.{addons,features}
- See above, too
network.trr.resolvers
- Seems an old preference, and new network.trr.* exist, including one to set https://mozilla.cloudflare-dns.com/dns-query as the default TRR provider (see StaticPrefLiast.yaml`)
- Compare with Firefox 78 and #40048 (closed).
- My resolution: changed to network.trr.default_provider_uri
network.trr.exclude-etc-hosts
- Still used, but we should explain why false actually is the right value for us
security.pki.crlite_mode
- Might be interesting, though. The problem is telemetry/downloads from Mozilla (see #40048 (closed))
signon.management.page.breach-alerts.enabled
- "Firefox displays critical alerts in the Lockwise password manager when a website is breached." (#40048 (closed))
- Still used, disabled to prevent sending telemetry/data to Mozilla
extensions.fxmonitor.enabled
- Old pref for Firefox 78 (#40048 (closed)), used in browser/components/fxmonitor/FirefoxMonitor.jsm, but then disabled in https://bugzilla.mozilla.org/show_bug.cgi?id=1696550 and removed in https://bugzilla.mozilla.org/show_bug.cgi?id=1712838
- Remove! 😈️
signon.management.page.mobileAndroidURL and signon.management.page.mobileAppleURL
- Part of lockwise ⚰, removed with b67b6138
- Remove! 😈️
signon.recipes.remoteRecipes.enabled
- Still used
dom.serviceWorkers.enabled and dom.push.enabled
- Still used
webgl.disable-fail-if-major-performance-caveat, webgl.enable-webgl2
- Still used
- How do they help against fingerprinting?
gfx.downloadable_fonts.fallback_delay
- #27258 (closed)
browser.startup.homepage_override.buildID
- How does it help against fingerprinting? I guess it was added to the user-agent back then, but now Firefox always show the spoofed date. Or is it used also for telemetry?
- We have a patch to browser/components/BrowserContentHandler.jsm realted to this pref (the updater). Shall we review it?
- modules/libpref/Preferences.cpp contains a list of preferences that are fingerprintable, and therefore removed from child processes, should we have a look at them, too (especially extensions.lastAppBuildId).
browser.link.open_newwindow.restriction
- Bug #9881 (closed): Open popups in new tabs (to avoid fullscreen popups)
- https://kb.mozillazine.org/Browser.link.open_newwindow.restriction
- Still valid
media.benchmark.vp9.threshold
- "Set video VP9 to 0 for everyone (bug #22548 (closed))"
  - Is this still a valid reason?
- Used as a static pref
dom.enable_resource_timing
- "Bug #13024 (closed): To hell with this API"
  - Luckily enough timings are much more limited as a default, and 8 years ago was before spectre/meltdown. Check again the status of this, and add more reasons for which we should keep this?
- Used as a static pref
privacy.resistFingerprinting
- Lol. We should move this as the first one of the category?
- My resolution: done it
privacy.resistFingerprinting.block_mozAddonManager
- Thanks Mozilla 🙂 .
dom.webaudio.enabled
- #13017 (closed)
- Still used, also as a static pref
- S131: what are the relations between this and WebRTC?
dom.webmidi.enabled
- Done for 102 in #41398 (closed).
dom.w3c_touch_events.enabled
- WIP, see #28535
dom.vr.enabled
- Still valid; false by default also in Firefox (see StaticPrefList.yaml), but we disabled it explicitly in case Mozilla enabled it without us noticing.
  - Not reviewed, too, probably
- #21607 (closed)
security.webauth.webauthn
- Reference: #26614, but if I understand correctly, this has never been audited! Disabled because we didn't audit, but then now followed up
  - Possible problem: we don't want this for Android because it depends on a proprietary dependency (that however might be replaced with a GPLv3 one)
- In any case, the preference is still valid
dom.postMessage.sharedArrayBuffer.withCOOP_COEP
- Still valid (used as a static pref)
- Can we open #40016 again? I'm not satisfied by the way it was closed.
  - Maybe related: #17412 (closed), but problems might have been solved, see MDN
  - Also related: #40177 (closed)
security.remote_settings.intermediates.enabled
- Still used. Interestingly enough, this is true by default only on Android
- Disabled in #30682 (closed), but gk opened #40099 to follow up
dom.use_components_shim
- Wow, Components.interfaces for sites is still a thing on Firefox 🙈
- Related: legacy/trac#2874 (closed)
privacy.resistFingerprinting.letterboxing 🙂
dom.netinfo.enabled
- Change the comment as Thorin suggested 🙂
- The default is also false
network.http.referer.defaultPolicy
- It sets the value that is already the default, but it does it only for non-PBM sessions (it takes for granted that PBM also has the same value). The reason was that it hasn't always been the default, see (#32948 (closed)).
- Should we explicitly tell to do so in all modes? Or at least, should we update the description to tell it's a defense in depth?
  - My resolution: yes
network.http.referer.XOriginTrimmingPolicy
- Recently updated, see #17228 (closed).
media.videocontrols.picture-in-picture.enabled
- Disabled only because not yet audited
- See #40147 (closed) and #40148 (closed)
network.http.referer.hideOnionSource
- Move to 000-tor-browser.js
- Original issue: #22320 (closed)
network.http.windows-sso.enabled
- #40463 (closed)
- We should remove the related checkbox in about:preferences --> #40656
dom.enable_event_timing
- #40383 (closed)
- Minimum is 16ms and rounded by 8ms; if we decided that we lost the war against time measurements we could even re-enable this.
dom.textMetrics.actualBoundingBox.enabled, dom.textMetrics.baselines.enabled, dom.textMetrics.emHeight.enabled, dom.textMetrics.fontBoundingBox.enabled
- Not sure of the original issue, but it seems it arrived with 91.2 ESR update. In any case, it's enough obvious why we need them 😉
pdfjs.enableScripting
- Added recently (#40424 (closed)), we should add the reference also to the file
javascript.options.large_arraybuffers
- #40177 (comment 2758404)
- Basically, don't expose 32-bit. Unless there's another way to do so now.
browser.display.use_system_colors
- Added recently, but might need more work in the future, see #40057
privacy.firstparty.isolate
privacy.partition.network_state
- #40308 (comment 2723512)
- Check again and/or update the comment
network.cookie.cookieBehavior and network.cookie.cookieBehavior.pbmode
network.predictor.enabled
- temporarily disabled #16633 (closed) and #21657
privacy.purge_trackers.enabled
- Update the issue number to the correct one (#40220 (closed))
- Check what GeckoView does (see the issue)
- Not sure on why we don't want this...
network.dns.disablePrefetch
- Do we need also network.dns.disablePrefetchFromHTTPS?
  - My resolution: yes, even policies disable both
network.protocol-handler.*
- More details in #25559 (comment 2846617)
network.proxy.allow_bypass
network.http.tailing.enabled
network.http.http2.*
network.gio.supported-protocols
- Add the reference to the bug number (#23044 (closed))
media.peerconnection.enabled
- S131: This is for WebRTC, should we move it to Tor Browser?
media.gmp-provider.enabled, media.gmp-manager.url.override and media.gmp-manager.updateEnabled
- They are okay, but we might use them for S131 stuff, so we should add them to our notes somewhere
- There's also a related ticket: #15910 (add it to the pref file - added)
browser.eme.ui.enabled, media.gmp-widevinecdm.visible, media.gmp-widevinecdm.enabled, media.eme.enabled, media.mediadrm-widevinecdm.visible
- All still used, but to track for S131, too
- However, I wouldn't remove them and add them back to Tor Browser, I would keep them and then remove in S131's branch, so that base-browser remains unencumbered
devtools.webide.autoinstallADBExtension, devtools.webide.enabled
- Remove! 😈️ (see comments, basically webide isn't a thing anymore)
devtools.debugger.chrome-debugging-host
network.file.disable_unc_paths
network.file.path_blacklist
- Cannot find our related issue, but found c6cbbca9. However, everything is explained in Bugzilla (and wow, I didn't know about file:///net).
svg.disabled
mathml.disabled
svg.context-properties.content.allowed-domains
security.ssl.enable_false_start
- Still a thing, but I think we could review the TLS preferences
- Couple of related issues: #18274 (closed) #28536 (closed)
network.http.connection-retry-timeout
- We set 0, which means "do not use a second connection"
- Only Tor Browser, if still needed (see legacy/trac#7656 (closed))
  - Moved, and follow up in the performance issue (#32759)
network.manage-offline-status
- To avoid phoning home? I found the related bug #18945 (closed), but not the exact reason.
network.captive-portal-service.enabled and network.connectivity-service.enabled
- Still used, and okay both for Tor Browser and base-browser. S131 might want something different, and maybe customize network.connectivity-service.IPv{4,6}.url
dom.push.serverURL
- Add the reference to the issue (#18801 (closed))
extensions.autoDisableScopes
- "If the add-on is a foreign install and is in a scope where add-ons that were dropped in should default to disabled then disable it"
- We use scope 0, i.e., we don't disable any addon (why? Is this because of HTTPS-E ⚰ and NoScript?)
extensions.bootstrappedAddons
- Already obsolete in 68 (#30845 (closed)).
extensions.checkCompatibility.4.*
- Remove! 😈️
extensions.databaseSchema
- It's still recognized, for XPI stuff... But why are we using it? I'd like to remove it, if possible.
extensions.enabledScopes
- We allow also SCOPE_APPLICATION, is it for NoScript? Default scope is profile, otherwise, but I am not sure on how the whole thing works, since Mozilla bundles addons, after all, like the screenshots
extensions.pendingOperations
- This is used by Firefox to do things, why are we setting its default, that Firefox will change it anyway?
extensions.getAddons.showPane, extensions.htmlaboutaddons.recommendations.enabled
- Still used, the former has even a policy
extensions.webextensions.restrictedDomains
- I'd like a second audit on it, opened an issue to follow-up (#41445 (closed))
extensions.postDownloadThirdPartyPrompt
- Show the prompt to install addons even though they are "recommended by Mozilla"
- Recommended by Thorin in #40177 (closed)
intl.multilingual.downloadEnabled
browser.uiCustomization.state
- #13318 (closed), #13378 (closed), #16510 (closed)
security.cert_pinning.enforcement_level
security.osclientcerts.autoload
- Great move: #33534 (comment 2683533)
security.family_safety.mode
security.enterprise_roots.enabled
security.certerrors.mitm.priming.enabled
gfx.offscreencanvas.domain-enabled, gfx.offscreencanvas.domain-allowlist
browser.share_menu.allow
browser.urlbar.suggest.topsites
browser.urlbar.update1.{interventions,searchTips}
- Remove! 😈️ (see comments)
corroborator.enabled
- Add the reference to the issue (#40048 (closed))
taskbar.grouping.useprofile
- "If marked as such in prefs, use a hash of the profile path for the id instead of the install path hash setup by the installer."
- S131 might want a different value (provided it's still useful, after we disable the items)
browser.taskbar.lists.enabled, browser.taskbar.lists.frequent.enabled, browser.taskbar.lists.tasks.enabled, browser.taskbar.lists.recent.enabled
- Good, but for ESR115 we'll have to test the new things about private mode that arrived recently

`000-tor-browser.js`

Edited Nov 16, 2022 by Pier Angelo Vendrame

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information