ESR128: investigate - thorin's list

added All Platforms Roadmap::Future FF128-esr labels

changed the description

added Meta label

changed the description

~~re: FF119+ 1841116 RFP warning banner in settings~~

nvm: this seems to be under the ETP section which we hide

changed the description

as I find things to query or action (rather than create a heap of issues) - moving to this post so we don't end up with hundreds of "Thorin changed the description" notations

prefs to flip/check

dom.textMetrics.baselines.enabled FF116 1840075
dom.textMetrics.fontBoundingBox.enabled FF116 1801198
dom.textMetrics.emHeight.enabled FF118 1841692
dom.webnotifications.privateBrowsing.enableDespiteLimitations FF122+ 1864520 Allow notification in PBM with pref enabled
- if service workers are enabled in PB mode by the time we get to ESR128, we need to check this

prefs deprecated

security.family_safety.mode FF117+ 1844908
- see #21686 (closed) original patch
- the bugzilla says "Remove pre-Win10-specific codepath from security/manager/" - but IDK what this means once we move to ESR128 (win10+ only) because windows 10 still ships with a Family Safety feature
javascript.use_us_english_locale FF119 1846224
- we already set locale to match language, but should clean up our code
widget.non-native-theme.enabled FF127 1848899

prefs flipped to what we want

media.devices.enumerate.legacy.enabled FF119/120? 1843434
FF118+ 1843763 something about sftp removed from GIO
- we already set network.gio.supported-protocols as blank and this should now be the default

other

FF119+ 1849040 Android 14 introduces a new Contrast setting
- This patch adds support for the Android contrast setting. This triggers the prefers-contrast media query as well as prefers-reduced-transparency
- we should check RFP still protects prefers-contrast as no-preference
- we should check what prefers-reduced-transparency should return with RFP
  - it is currently disabled in desktop and I believe RFP does not protect the value when enabled
- do something about the UI if these values are ignored ?
FF119+ 1591533 GeckoView + DoH stuff
~~FF119+ 1841116 RFP warning banner in settings~~
- ~~we don't want to show this in TB~~
FF119+ 1853835 media.webspeech.synth.enabled = true
- I think we want this off, not sure
FF120 (nightly so far) do something about this
- shows in PB windows regardless of starting in PBM or not
- we already have NewIdentity
FF120+ get rid of GPC UI (we may already be hiding it via the entire ETP/Cookies section) and preferably (or optionally) lock pref to some value
FF120+: 1857593 Enable GPC in Private Browsing Mode by default
- check we are ok with GPC in PB mode: I don't see an FPing issue
pref("privacy.globalprivacycontrol.pbmode.enabled", true);
FF121+ (windows) https://www.mozilla.org/en-US/firefox/121.0/releasenotes/
- Firefox now prompts Windows users to install the Microsoft AV1 Video Extension
- i think this prompt happens when you first encounter the codec in an actual video

stuff to do/check

FF117+ 1517786 canvas getContextAttributes
- Depending on the attributes supported by the browser, the log below should display a string that looks something like: {alpha: false, colorSpace: 'srgb', desynchronized: false, willReadFrequently: false}
- ^ RFP should protect the colorSpace and always return srgb
FF119+? 1850672 localized fonts names
- ^ make sure whitelisting doesn't expose the system locale
see #41327 (closed)
- we have MDN suggestions and shopping about to be flipped (and anything else added during the ESR115 lifecycle)
FF120 1847172 mozAddonManager hooked up in Fenix
FF120 1834274 Implement the remote setting client for fingerprinting protection overrides
- we should nix this remote service: nsRFPService
FF121 1807545 Android: Add new "Open in regular tab" feature
FF121 1852340 Implement a new "report broken site" feature for desktop Firefox
FF121 1865840 AbuseReport button for dictionaries
FF122'ish 1589554 Screen Wake Lock API
- make sure we lock it and/or are happy with the defaults if/when it lands in stable
- https://developer.mozilla.org/en-US/docs/Web/API/Screen_Wake_Lock_API
FF124 1586471 drag and drop in geckoview
FF?: browser.tabs.cardPreview.enabled - where is this image being stored?
- for context see https://blog.nightly.mozilla.org/2024/02/06/a-preview-of-tab-previews-these-weeks-in-firefox-issue-153/
FF124+ 1879130 enable ui.new-webcompat-reporter.enabled - we don't want this
FF123+ 1873223 access denied Modified firefox and firefox-private protocol handler behavior
- pref("network.protocol-handler.external.firefox", false);
- pref("network.protocol-handler.external.firefox-private", false);
FF125+ - remove Report Broken Site from hamburger menu
- ^ apparently this is hidden if telemetry is disabled
FF125+ 1847701 Android: accept-language format should be language-region
FF125+ 1883155
- do something about new profiles menu especially with installer
FF125+ 1867288 Create new search engine icons schema and use it
- "... implement a separate remote settings collection"
FF125+ 1885041 disallowing JSM based imports to everything except for devtools
- we have about 7 JSM files of our own making, of which lox_wasm.jsm is autogenerated - see PieroV & cohosh
FF126+ 1759175 Rewrite the crash reporter client in Rust
- listing in case we need to do something different with removing these components
FF126+ browser.search.serpEventTelemetryCategorization.enabled
- check if we need to do anything ... rolling out to a country near you .. hello USA
- IDK if it's covered by the disable telemetry build flag / master telemetry switch
- https://blog.mozilla.org/en/products/firefox/firefox-search-update/
FF126+ browser.backup.enabled 1886174
- stub this out
ESR128 - desktop see #41309 (closed) enable screenshots again (not sure about android)
FF127+ 1889718 what is foxbridge?
- https://searchfox.org/mozilla-central/source/browser/modules/FirefoxBridgeExtensionUtils.sys.mjs#56-71
- burn with I assume
FF127+ 1887038 What's New changes - may affect us
FF127+ 1891605 Change update check interval
- check our app.update.interval - we're currently 14400

prefs to flip/check

dom.textMetrics.baselines.enabled FF116 1840075

dom.textMetrics.fontBoundingBox.enabled FF116 1801198

dom.textMetrics.emHeight.enabled FF118 1841692

Done in !1147 (merged).

dom.webnotifications.privateBrowsing.enableDespiteLimitations FF122+ 1864520 Allow notification in PBM with pref enabled

if service workers are enabled in PB mode by the time we get to ESR128, we need to check this

The default is false (in StaticPrefList.yaml).

Does it make sense to re-define it to false in our profile as a defense-in-depth? I think that web notifications will always be disabled for us, since they require some backend infrastructure we disable.

I'm following the bug, just in case Moz decides it's a good idea to allow notifications in PBM.

prefs deprecated

security.family_safety.mode FF117+ 1844908

see #21686 (closed) original patch

the bugzilla says "Remove pre-Win10-specific codepath from security/manager/" - but IDK what this means once we move to ESR128 (win10+ only) because windows 10 still ships with a Family Safety feature

javascript.use_us_english_locale FF119 1846224

we already set locale to match language, but should clean up our code

widget.non-native-theme.enabled FF127 1848899

Will open a MR to remove them.

prefs flipped to what we want

media.devices.enumerate.legacy.enabled FF119/120? 1843434

Nothing to do (#42043 (closed)).

FF118+ 1843763 something about sftp removed from GIO

we already set network.gio.supported-protocols as blank and this should now be the default

Doesn't exist by default on Firefox. I guess it's okay to define it as blank, as the code checks if GetCharPref succeeded (and I think it does if the pref exists in the profile...) to decide the defaults.

FF119+ 1849040 Android 14 introduces a new Contrast setting

This patch adds support for the Android contrast setting. This triggers the prefers-contrast media query as well as prefers-reduced-transparency

we should check RFP still protects prefers-contrast as no-preference

we should check what prefers-reduced-transparency should return with RFP

it is currently disabled in desktop and I believe RFP does not protect the value when enabled

prefers-reduced-transparency seems to be gated on layout.css.prefers-reduced-transparency.enabled according to MDN.

Prefer contrast

Tor Browser:

Firefox:

do something about the UI if these values are ignored ?

Probably we should open an issue, as accessibility and fingerprintability is a difficult topic.

FF119+ 1591533 GeckoView + DoH stuff

This is only about APIs.

As far as I can tell, there isn't an exposed UI and I can't find callers of setTrustedRecursiveResolverUri, except for tests.

Relevant Bug for further developments of DoH on Android: https://bugzilla.mozilla.org/show_bug.cgi?id=1801530

FF119+ 1853835 media.webspeech.synth.enabled = true

I think we want this off, not sure

This has a compile-time setting: --disable-webspeech.

I think this is enabled by default: the default depends on whether you define an option as --disable or --enable. I don't remember how it works at the moment, but a grep in my obj-* dir tells me that I have it enabled in my local dev build.

Anyway, this is already protected by RFP (why exactly?), so I wouldn't do anything for now, or maybe we can create a new issue only for this.

FF120 (nightly so far) do something about this

shows in PB windows regardless of starting in PBM or not

we already have NewIdentity

Seems like there were problems upstream for which this has been delayed. Also, we locked it in release #42640 (closed) (I wonder if it was a good idea to lock a default false...).

FF120+ get rid of GPC UI (we may already be hiding it via the entire ETP/Cookies section) and preferably (or optionally) lock pref to some value

FF120+: 1857593 Enable GPC in Private Browsing Mode by default

check we are ok with GPC in PB mode: I don't see an FPing issue

pref("privacy.globalprivacycontrol.pbmode.enabled", true);

#42777 (closed)

FF121+ (windows) https://www.mozilla.org/en-US/firefox/121.0/releasenotes/

Firefox now prompts Windows users to install the Microsoft AV1 Video Extension

i think this prompt happens when you first encounter the codec in an actual video

I can't test this one, as I support AV1 both on Linux and on my Windows VM.

I'd need a way to uninstall it, but I don't have a clue on how to do it... Maybe an old Windows 10 version?

AV1 sample

spbtv_sample_bipbop_av1_960x540_25fps

Source: https://github.com/SPBTV/video_av1_samples/blob/master/spbtv_sample_bipbop_av1_960x540_25fps.mp4

Should also be AV1: https://bitmovin.com/demos/av1

FF117+ 1517786 canvas getContextAttributes

Depending on the attributes supported by the browser, the log below should display a string that looks something like: {alpha: false, colorSpace: 'srgb', desynchronized: false, willReadFrequently: false}

^ RFP should protect the colorSpace and always return srgb

We're good here: #42996 (closed)

FF119+? 1850672 localized fonts names

^ make sure whitelisting doesn't expose the system locale

This one had a lot to unpack...

So, the magic is done by Windows API (DirectWrite or something similar?), in particular by IDWriteFontFamily::GetFamilyNames. So, there isn't a way to understand what's going on there.

However, I can see that eventually the current app locale determines whether this is an altLocale. And this information is queried with the IsAltLocaleFamily() method.

It's used in a couple of ways:

use only the "canonical" name when creating a list of fonts in GetFontList. I'm kinda lost, I don't know exactly where this is used, but I think it's mostly for the font settings in about:preferences.
In FontList::LocalizedFamilyName, and I'm sure this is only for the settings (see the comment)

Actually, 1 and 2 are mutually exclusive on an if (SharedFontList()), which seems to confirm my hypothesis that this is used for about:preferences. I tried to run a debug build and check if I hit the breakpoint, but I couldn't manage to...

see #41327 (closed)

we have MDN suggestions and shopping about to be flipped (and anything else added during the ESR115 lifecycle)

Shopping was handled elsewhere.

FF120 1847172 mozAddonManager hooked up in Fenix

Wow. It was here all the time.

You outsmarted us again.

ma1 is dealing with this in these very days

FF120 1834274 Implement the remote setting client for fingerprinting protection overrides

we should nix this remote service: nsRFPService

Uhm. I don't believe nsRFPService is bad, it can help us to go between C++ and JS if needed... Maybe nsIFingerprintingWebCompatService is bad (it's the one fetching the fingerprinting settings from remote).

I tried to follow, but it isn't trivial. Opened #43178 (closed) for a further investigation.

FF121 1807545 Android: Add new "Open in regular tab" feature

Covered in #43094 (closed).

Uhm. I don't believe nsRFPService is bad

yeah, I meant kill the remote bits in it, not the service itself

Wow. It was ..

here all the time

FF121 1852340 Implement a new "report broken site" feature for desktop Firefox

~~I can't find this even in Firefox .~~ However, we already disable webcompat stuff (extensions.webcompat-reporter.enabled), and from a quick investigation it seems this pref is still used.

~~Okay, found it, it's above the help menu on my Windows VM. I don't know why I don't see it on Linux.~~ However, I confirm this menu entry isn't available on Tor Browser.

Okay, you wrote it below, it's because of telemetry.

FF121 1865840 AbuseReport button for dictionaries

I think it's fine. It opens AMO in a new tab, so users should understand they'll send data to Moz rather than us.

We don't ship dictionaries by default anyway, so users need to install them through AMO in the first place...

FF122'ish 1589554 Screen Wake Lock API

make sure we lock it and/or are happy with the defaults if/when it lands in stable

https://developer.mozilla.org/en-US/docs/Web/API/Screen_Wake_Lock_API

As for the preferences, I found dom.screenwakelock.enabled, permissions.default.screen-wake-lock, and dom.screenwakelock.testing.

As per https://phabricator.services.mozilla.com/D189510, it seems the permission doesn't have a UI for consistency with Blink/WebKit. I don't understand very well how permissions.default.screen-wake-lock works, but we don't customize it for the other similar preference.

The risk is leaking that a device is on battery (and low level) when the permission isn't granted. I don't think it's a worth fingerprinting vector (you'll know that some users are on battery, but only its percentage is below 5%). I think it cannot be used for linkability either.

As for the draining of the battery... I hope the standard committee and upstream decided in a correct way, I don't feel it's a danger worth breaking compatibility. FWIW, when you change tab the lock will be released automatically.

@ma1 do you agree about this API?

FF124 1586471 drag and drop in geckoview

This is the Java implementation.

It seems to be kinda limited compared to desktop, but it's exporting HTML from the browser. You can't drag and drop links/tabs to other browsers, from what I can see (I tried on Bliss, where I can easily emulate a tablet), and the data will often be converted to text as long as you're in the browser realm.

Drag&drop is completely intentional (especially on Android, where you have to select the thing to drag first). So, even though there might be linkability risks (you might drag&drop HTML on some app that can actually receive it - I don't know one though), but they don't seem important enough to me to disable this feature.

FF?: browser.tabs.cardPreview.enabled - where is this image being stored?

for context see https://blog.nightly.mozilla.org/2024/02/06/a-preview-of-tab-previews-these-weeks-in-firefox-issue-153/

This is now called browser.tabs.hoverPreview.enabled (renamed in Bug 1893676).

I think the implementation bug was Bug 1783521 and the (current) file is browser/components/tabbrowser/content/tab-hover-preview.mjs.

The page is rendered directly to a canvas which stays on memory as far as I can tell, it's never saved to disk.

FF124+ 1879130 enable ui.new-webcompat-reporter.enabled - we don't want this

I don't think we should set this specific pref, but rather disable web compat reporting. I think we've already done it.

FF123+ 1873223 access denied Modified firefox and firefox-private protocol handler behavior

pref("network.protocol-handler.external.firefox", false);

pref("network.protocol-handler.external.firefox-private", false);

It seems at certain point Mozilla created a firefox:// and firefox-private:// protocol for $reasons on Windows, then they switched to firefox-bridge and finally they removed them and switched to native messaging.

At least that's what BrowserGlue.sys.mjs says.

Now that I think of it, at a certain point Moz started shipping a nmhproxy (Native Messaging Host Proxy - something I stumbled upon while rebasing). We have #43033 (closed) for that.

FF125+ - remove Report Broken Site from hamburger menu

^ apparently this is hidden if telemetry is disabled

I confirm this is hidden .

FF125+ 1847701 Android: accept-language format should be language-region

This caused conflicts when rebasing my patch.

But I think we're still doing great with it.

FF125+ 1883155

do something about new profiles menu especially with installer

Gated on browser.profiles.enabled, which is currently false.

I like the idea of multiple profiles tbh, and there are ways we could implement it also to avoid a conflict of port numbers with little-t-tor.

MB doesn't have any problems with this functionality.

FF125+ 1867288 Create new search engine icons schema and use it

"... implement a separate remote settings collection"

We already bypass this and remote settings collections shouldn't be a big problem now .

FF125+ 1885041 disallowing JSM based imports to everything except for devtools

we have about 7 JSM files of our own making, of which lox_wasm.jsm is autogenerated - see PieroV & cohosh

Yep, lox_wasm.jsm is currently the only jsm file we have... But it isn't a problem because you can still import JSMs, and we'd like to switch to a native implementation (see #43096).

FF126+ 1759175 Rewrite the crash reporter client in Rust

listing in case we need to do something different with removing these components

The crash reporter has a configure time flag (--disable-crashreporter) that is also used for Moz builds with the various sanitizers.

If they removed that flag, we would have had a build error. Also, I checked we don't have a crashreporter executable. Finally, I checked toolkit/crashreporter/moz.build, and the client is not built if we set that flag.

FF126+ browser.search.serpEventTelemetryCategorization.enabled

check if we need to do anything ... rolling out to a country near you .. hello USA

IDK if it's covered by the disable telemetry build flag / master telemetry switch

https://blog.mozilla.org/en/products/firefox/firefox-search-update/

It seems not to do anything on PBM by default... Still, I think we could define this pref.

FF126+ browser.backup.enabled 1886174

stub this out

From the meta bug:

Metabug to capture work targeting the MVP release for a profile backup solution (to a local file on the filesystem) in desktop Firefox (target ship date or target Firefox version TBD)

The fact that it's offline/on local file is very interesting. Also, there's another pref that at the moment is false (browser.backup.scheduled.enabled).

I think we could set both to false to be ready for further developments, and let users choose to opt-in (I see backup mostly as a violation of our standalone mode, rather than other threats).

ESR128 - desktop see #41309 (closed) enable screenshots again (not sure about android)

Yep, handled it in #41309 (closed).

FF127+ 1889718 what is foxbridge?

https://searchfox.org/mozilla-central/source/browser/modules/FirefoxBridgeExtensionUtils.sys.mjs#56-71

burn with I assume

Something to talk between browsers it seems.

We have #43033 (closed), which was closed as a no-op, but maybe we should disable native messaging for extensions.

FF127+ 1887038 What's New changes - may affect us

What's New was removed in 1724300, but I didn't even know it existed.

I tried to understand what it looked like, but I concluded we don't need to care .

FF127+ 1891605 Change update check interval

check our app.update.interval - we're currently 14400

This changes brand-specific files, we should be good on that.

It also makes the update service timer run more often, I think.

changed the description

mentioned in issue #41496 (closed)

re report addons etc, emphasis mine: source

As part of changes needed for DSA (EU Digital Services Act) requirements, in Firefox 121 we are going to enable a new add-on abuse reporting form hosted on addons.mozilla.org (Bug 1863307, Bug 1865840, Bug 1866565, and Bug 1859791)

abuse reporting form hosted on addons.mozilla.org

As wrote above, I think it's enough for users to understand they're going to send that to Moz and not to us.

I don't know if this is a UX or lawyer question though.

marked this issue as related to #42356 (closed)

Separate item for UX

FF125+ 1866649 Remove --brand-color-accent and --platform-color-accent in favor of --color-accent-primary usage

cc @donuts feel free to spin off to a separate ticket if it concerns us and unsubscribe to this issue

I also found color stuff while rebasing. I'll have to spin off tickets as well.

Belated thank you for the heads up.

mentioned in issue #42640 (closed)

added 14.0 stable label

marked this issue as related to #42751 (closed)

mentioned in issue #42751 (closed)

removed Roadmap::Future label

added Next label

assigned to @pierov

added Doing label and removed Next label

mentioned in issue #43178 (closed)

mentioned in merge request !1232 (merged)

marked this issue as related to tor-browser-build#41249 (closed)

marked this issue as related to tor-browser-build#41250 (closed)

closed

removed Doing label

mentioned in issue #42804 (closed)

ESR128: investigate - thorin's list

Designs

Child items ...

Activity