as I find things to query or action (rather than create a heap of issues) - moving to this post so we don't end up with hundreds of "Thorin changed the description" notations
the bugzilla says "Remove pre-Win10-specific codepath from security/manager/" - but IDK what this means once we move to ESR128 (win10+ only) because windows 10 still ships with a Family Safety feature
Depending on the attributes supported by the browser, the log below should display a string that looks something like: {alpha: false, colorSpace: 'srgb', desynchronized: false, willReadFrequently: false}
^ RFP should protect the colorSpace and always return srgb
dom.webnotifications.privateBrowsing.enableDespiteLimitations FF122+ 1864520 Allow notification in PBM with pref enabled
if service workers are enabled in PB mode by the time we get to ESR128, we need to check this
The default is false (in StaticPrefList.yaml).
Does it make sense to re-define it to false in our profile as a defense-in-depth?
I think that web notifications will always be disabled for us, since they require some backend infrastructure we disable.
I'm following the bug, just in case Moz decides it's a good idea to allow notifications in PBM.
the bugzilla says "Remove pre-Win10-specific codepath from security/manager/" - but IDK what this means once we move to ESR128 (win10+ only) because windows 10 still ships with a Family Safety feature
FF118+ 1843763 something about sftp removed from GIO
we already set network.gio.supported-protocols as blank and this should now be the default
Doesn't exist by default on Firefox.
I guess it's okay to define it as blank, as the code checks if GetCharPref succeeded (and I think it does if the pref exists in the profile...) to decide the defaults.
FF119+ 1849040 Android 14 introduces a new Contrast setting
This patch adds support for the Android contrast setting. This triggers the prefers-contrast media query as well as prefers-reduced-transparency
we should check RFP still protects prefers-contrast as no-preference
we should check what prefers-reduced-transparency should return with RFP
it is currently disabled in desktop and I believe RFP does not protect the value when enabled
prefers-reduced-transparency seems to be gated on layout.css.prefers-reduced-transparency.enabled according to MDN.
Prefer contrast
Tor Browser:
Firefox:
do something about the UI if these values are ignored ?
Probably we should open an issue, as accessibility and fingerprintability is a difficult topic.
This has a compile-time setting: --disable-webspeech.
I think this is enabled by default: the default depends on whether you define an option as --disable or --enable.
I don't remember how it works at the moment, but a grep in my obj-* dir tells me that I have it enabled in my local dev build.
Anyway, this is already protected by RFP (why exactly?), so I wouldn't do anything for now, or maybe we can create a new issue only for this.
FF120 (nightly so far) do something about this
shows in PB windows regardless of starting in PBM or not
we already have NewIdentity
Seems like there were problems upstream for which this has been delayed.
Also, we locked it in release #42640 (closed) (I wonder if it was a good idea to lock a default false...).
FF120+ get rid of GPC UI (we may already be hiding it via the entire ETP/Cookies section) and preferably (or optionally) lock pref to some value
FF120+: 1857593 Enable GPC in Private Browsing Mode by default
check we are ok with GPC in PB mode: I don't see an FPing issue
Depending on the attributes supported by the browser, the log below should display a string that looks something like: {alpha: false, colorSpace: 'srgb', desynchronized: false, willReadFrequently: false}
^ RFP should protect the colorSpace and always return srgb
^ make sure whitelisting doesn't expose the system locale
This one had a lot to unpack...
So, the magic is done by Windows API (DirectWrite or something similar?), in particular by IDWriteFontFamily::GetFamilyNames.
So, there isn't a way to understand what's going on there.
However, I can see that eventually the current app locale determines whether this is an altLocale.
And this information is queried with the IsAltLocaleFamily() method.
It's used in a couple of ways:
use only the "canonical" name when creating a list of fonts in GetFontList. I'm kinda lost, I don't know exactly where this is used, but I think it's mostly for the font settings in about:preferences.
Actually, 1 and 2 are mutually exclusive on an if (SharedFontList()), which seems to confirm my hypothesis that this is used for about:preferences.
I tried to run a debug build and check if I hit the breakpoint, but I couldn't manage to...
FF120 1834274 Implement the remote setting client for fingerprinting protection overrides
we should nix this remote service: nsRFPService
Uhm. I don't believe nsRFPService is bad, it can help us to go between C++ and JS if needed...
Maybe nsIFingerprintingWebCompatService is bad (it's the one fetching the fingerprinting settings from remote).
I tried to follow, but it isn't trivial.
Opened #43178 (closed) for a further investigation.
FF121 1807545 Android: Add new "Open in regular tab" feature
FF121 1852340 Implement a new "report broken site" feature for desktop Firefox
I can't find this even in Firefox .
However, we already disable webcompat stuff (extensions.webcompat-reporter.enabled), and from a quick investigation it seems this pref is still used.
Okay, found it, it's above the help menu on my Windows VM. I don't know why I don't see it on Linux.
However, I confirm this menu entry isn't available on Tor Browser.
Okay, you wrote it below, it's because of telemetry.
As for the preferences, I found dom.screenwakelock.enabled, permissions.default.screen-wake-lock, and dom.screenwakelock.testing.
As per https://phabricator.services.mozilla.com/D189510, it seems the permission doesn't have a UI for consistency with Blink/WebKit.
I don't understand very well how permissions.default.screen-wake-lock works, but we don't customize it for the other similar preference.
The risk is leaking that a device is on battery (and low level) when the permission isn't granted.
I don't think it's a worth fingerprinting vector (you'll know that some users are on battery, but only its percentage is below 5%).
I think it cannot be used for linkability either.
As for the draining of the battery...
I hope the standard committee and upstream decided in a correct way, I don't feel it's a danger worth breaking compatibility.
FWIW, when you change tab the lock will be released automatically.
It seems to be kinda limited compared to desktop, but it's exporting HTML from the browser.
You can't drag and drop links/tabs to other browsers, from what I can see (I tried on Bliss, where I can easily emulate a tablet), and the data will often be converted to text as long as you're in the browser realm.
Drag&drop is completely intentional (especially on Android, where you have to select the thing to drag first).
So, even though there might be linkability risks (you might drag&drop HTML on some app that can actually receive it - I don't know one though), but they don't seem important enough to me to disable this feature.
FF?: browser.tabs.cardPreview.enabled - where is this image being stored?
It seems at certain point Mozilla created a firefox:// and firefox-private:// protocol for $reasons on Windows, then they switched to firefox-bridge and finally they removed them and switched to native messaging.
Now that I think of it, at a certain point Moz started shipping a nmhproxy (Native Messaging Host Proxy - something I stumbled upon while rebasing).
We have #43033 (closed) for that.
FF125+ - remove Report Broken Site from hamburger menu
^ apparently this is hidden if telemetry is disabled
I confirm this is hidden .
FF125+ 1847701 Android: accept-language format should be language-region
do something about new profiles menu especially with installer
Gated on browser.profiles.enabled, which is currently false.
I like the idea of multiple profiles tbh, and there are ways we could implement it also to avoid a conflict of port numbers with little-t-tor.
MB doesn't have any problems with this functionality.
FF125+ 1867288 Create new search engine icons schema and use it
"... implement a separate remote settings collection"
We already bypass this and remote settings collections shouldn't be a big problem now .
FF125+ 1885041 disallowing JSM based imports to everything except for devtools
we have about 7 JSM files of our own making, of which lox_wasm.jsm is autogenerated - see PieroV & cohosh
Yep, lox_wasm.jsm is currently the only jsm file we have...
But it isn't a problem because you can still import JSMs, and we'd like to switch to a native implementation (see #43096).
FF126+ 1759175 Rewrite the crash reporter client in Rust
listing in case we need to do something different with removing these components
The crash reporter has a configure time flag (--disable-crashreporter) that is also used for Moz builds with the various sanitizers.
If they removed that flag, we would have had a build error.
Also, I checked we don't have a crashreporter executable.
Finally, I checked toolkit/crashreporter/moz.build, and the client is not built if we set that flag.
Metabug to capture work targeting the MVP release for a profile backup solution (to a local file on the filesystem) in desktop Firefox (target ship date or target Firefox version TBD)
The fact that it's offline/on local file is very interesting.
Also, there's another pref that at the moment is false (browser.backup.scheduled.enabled).
I think we could set both to false to be ready for further developments, and let users choose to opt-in (I see backup mostly as a violation of our standalone mode, rather than other threats).
ESR128 - desktop see #41309 (closed) enable screenshots again (not sure about android)
As part of changes needed for DSA (EU Digital Services Act) requirements, in Firefox 121 we are going to enable a new add-on abuse reporting form hosted on addons.mozilla.org (Bug 1863307, Bug 1865840, Bug 1866565, and Bug 1859791)