`browser/app/profile/000-tor-browser.js` may contain some old stuff that we could/should remove. Also do any work outlined in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/32759 # `001-base-profile.js` Convention: **bold** = we need to follow up. - [x] `intl.locale.requested` - [x] `browser.search.update` - [x] `browser.rights.3.shown` - **Remove!** 😈️ (see comments) - [x] `startup.homepage_welcome_url`, `startup.homepage_welcome_url.additional` - S131 might be interested - [x] `browser.aboutwelcome.enabled` - [x] `startup.homepage_override_url` - [x] `app.update.promptWaitTime` - [x] `app.update.staging.enabled` - [x] `browser.slowStartup.{notificationDisabled,maxSamples,samples}` - **Remove!** 😈️ (see comments) - [x] `browser.disableResetPrompt` - [x] `browser.privatebrowsing.autostart` - [x] `browser.cache.disk.enable` - [x] `permissions.memory_only` - [x] `network.cookie.lifetimePolicy` - [x] `security.nocertdb` - [x] `dom.storage.next_gen` - **Remove!** 😈️ - [x] `browser.download.useDownloadDir` - **Remove the related checkbox?** --> #40656 - [x] `browser.download.manager.addToRecentDocs` - [x] `signon.rememberSignons` - **Remove the related checkbox?** --> #40656 - [x] `browser.formfill.enable` - **Remove the related checkbox?** --> #40656 - [x] `signon.autofillForms` - **Remove the related checkbox?** --> #40656 - [x] `browser.sessionstore.privacy_level` - [x] `browser.privatebrowsing.forceMediaMemoryCache` - [x] `media.memory_cache_max_size` - [x] `dom.security.https_only_mode` - **Add reference to the issue** - [x] `dom.security.https_only_mode.upgrade_onion` - **Move to `000-tor-browser.js`** - **Add reference to the issue** - [x] `security.ssl.require_safe_negotiation` - [x] `security.ssl3.dhe_rsa_aes_128_sha`, `security.ssl3.dhe_rsa_aes_256_sha`, `security.ssl3.ecdhe_ecdsa_aes_256_sha`, `security.ssl3.ecdhe_ecdsa_aes_128_sha`, `security.ssl3.ecdhe_rsa_aes_128_sha`, `security.ssl3.ecdhe_rsa_aes_256_sha`, `security.ssl3.rsa_aes_128_sha`, `security.ssl3.rsa_aes_256_sha` - [x] `browser.send_pings` - https://kb.mozillazine.org/Browser.send_pings - Still a thing, didn't even know about this thing from the specs - [x] `geo.enabled` - Completely disable geolocation - Even part of legal terms! - Usage is through static prefs - [x] `geo.provider.network.url` - Still used, but not sure we have a good reason to reassign it, since we are disabling geolocation in general (defense in depth?) - **Keep it, or delete it?** - **My resolution: be coherent with the rest and keep it** - [x] `browser.search.suggest.enabled` - Still used, and synchronized with `about:preferences#search` (**remove it from there?**) --> #40656 - [x] `browser.safebrowsing.*` - All of them are still used - There are also additional preferences `browser.safebrowsing.provider.*` with URLs, see `modules/libpref/init/all.js` - Like `geo.provider.network.url` confuses me a little bit - [ ] `extensions.ui.lastCategory` - Still used, but I don't have a clue on why we use it, especially since when you go to `about:addons` you override it. - **To be checked again** - [x] `datareporting.healthreport.uploadEnabled` and `datareporting.policy.dataSubmissionEnabled` - Used also in `DisableTelemetry` in `browser/components/enterprisepolicies/Policies.jsm`! - that function also sets `toolkit.telemetry.archive.enabled`, **should we add it, too**? - "This can only be enabled if `unified` is on." - **My resolution: add it** - [x] `toolkit.telemetry.unified`, `toolkit.telemetry.enabled`, `toolkit.telemetry.updatePing.enabled` - Still used, see https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/internals/preferences.html - **That document contains a few preferences for GeckoView**. - It is especially about [the streaming API](https://firefox-source-docs.mozilla.org/toolkit/components/telemetry/internals/geckoview-streaming.html), which is an alternative mode to the regular one, disabling it doesn't seem to disable telemetry - **My resolution: ignore them** - [x] `default-browser-agent.enabled` (Windows only) - Seems to be still used, and it's [telemetry for engagement/marketing purposes](https://firefox-source-docs.mozilla.org/toolkit/mozapps/defaultagent/default-browser-agent/index.html): it checks users' default choices, even though they aren't Firefox. - It is also disk leak, since it schedules as a Windows task, and it needs to copy data to the registry! - [x] `identity.fxaccounts.enabled` - Disables Firefox account/sync. Still many occurrences in the code. - [x] `services.sync.engine.*` - Still used, but there are a few new preferences: - `services.sync.engine.bookmarks` - `services.sync.engine.history` - `services.sync.engine.passwords` - `services.sync.engine.addresses` - `services.sync.engine.creditcards` - They are synchronized with a `sync.inc.xhtml` panel, which we **should be sure it is disabled** - Should we keep them, and **add the new ones**, even though we find it's possible to completely opt out the synchronization with a more generic pref (like `identity.fxaccounts.enabled`)? - As usual, is it to be seen as a defense in depth? - **My resolution: add them for now, and remove them in the future, if we decide we don't actually need them** - [x] `browser.region.network.scan` - "Include wifi data in region request." - Already disabled by default, but being explicit here seems a good idea - [x] `browser.region.network.url`, `browser.region.update.enabled` - Still used, but unlike the previous ones, have other defaults - `toolkit/modules/Region.jsm` also contains `browser.region.local-geocoding` (already `false`), **should we add it explicitly?** - **My resolution: yes add it** - [x] `browser.tabs.remote.separatedMozillaDomains` - Allows Mozilla-controlled webpages to access privileged features. Still used and we need to keep it empty. - See https://firefox-source-docs.mozilla.org/dom/ipc/process_model.html#privileged-mozilla-content - [ ] `browser.urlbar.dnsResolveSingleWordsAfterSearch` - "Did you mean to go to $host?" - https://firefox-source-docs.mozilla.org/browser/urlbar/preferences.html - Is S131 browser expected to be able to access the LAN? In case **we might move this to Tor Browser-only**. - **Beware of possible fingerprinting**: this question is asked with a notification box, which will make the letterbox change (related: #41433) - [x] `messaging-system.rsexperimentloader.enabled` - Still used in toolkit/components/nimbus/lib/RemoteSettingsExperimentLoader.jsm - The same file also has `app.shield.optoutstudies.enabled`, **should we add it**? - They are used in the same `if` in `init` - **My resolution: added, to be coherent with other prefs** - Notice that you don't enable opting out, if you want to opt out you have to set it `false` 😐️ - Anyway, it's already `false` currently, so yet another defense in depth - [x] `trailhead.firstrun.branches` - **Remove!** 😈️ (see comments) - [x] `browser.newtabpage.activity-stream.asrouter.userprefs.cfr.{addons,features}` - See above, too - [x] `network.trr.resolvers` - **Seems an old preference, and new `network.trr.*` exist**, including one to set `https://mozilla.cloudflare-dns.com/dns-query` as the default TRR provider (see StaticPrefLiast.yaml`) - Compare with Firefox 78 and #40048. - **My resolution: changed to `network.trr.default_provider_uri`** - [x] `network.trr.exclude-etc-hosts` - Still used, but **we should explain** why `false` actually is the right value for us - [x] `security.pki.crlite_mode` - Might be interesting, though. The problem is telemetry/downloads from Mozilla (see #40048) - [x] `signon.management.page.breach-alerts.enabled` - "Firefox displays critical alerts in the Lockwise password manager when a website is breached." (#40048) - Still used, disabled to prevent sending telemetry/data to Mozilla - [x] `extensions.fxmonitor.enabled` - Old pref for Firefox 78 (#40048), used in `browser/components/fxmonitor/FirefoxMonitor.jsm`, but then disabled in https://bugzilla.mozilla.org/show_bug.cgi?id=1696550 and removed in https://bugzilla.mozilla.org/show_bug.cgi?id=1712838 - **Remove!** 😈️ - [x] `signon.management.page.mobileAndroidURL` and `signon.management.page.mobileAppleURL` - Part of lockwise :coffin:, removed with b67b613817b790bfdb0a2e2155b9c8c4f5a61eb2 - **Remove!** 😈️ - [x] `signon.recipes.remoteRecipes.enabled` - Still used - [x] `dom.serviceWorkers.enabled` and `dom.push.enabled` - Still used - [ ] `webgl.disable-fail-if-major-performance-caveat`, `webgl.enable-webgl2` - Still used - **How do they help against fingerprinting?** - [x] `gfx.downloadable_fonts.fallback_delay` - #27258 - [ ] `browser.startup.homepage_override.buildID` - **How does it help against fingerprinting?** I guess it was added to the user-agent back then, but now Firefox always show the spoofed date. Or is it used also for telemetry? - We have a patch to `browser/components/BrowserContentHandler.jsm` realted to this pref (the updater). **Shall we review it?** - `modules/libpref/Preferences.cpp` contains a list of preferences that are fingerprintable, and therefore removed from child processes, should we have a look at them, too (especially `extensions.lastAppBuildId`). - [x] `browser.link.open_newwindow.restriction` - Bug #9881: Open popups in new tabs (to avoid fullscreen popups) - https://kb.mozillazine.org/Browser.link.open_newwindow.restriction - Still valid - [ ] `media.benchmark.vp9.threshold` - "Set video VP9 to 0 for everyone (bug #22548)" - **Is this still a valid reason?** - Used as a static pref - [ ] `dom.enable_resource_timing` - "Bug #13024: To hell with this API" - Luckily enough timings are much more limited as a default, and 8 years ago was before spectre/meltdown. **Check again the status of this, and add more reasons for which we should keep this?** - Used as a static pref - [x] `privacy.resistFingerprinting` - Lol. **We should move this as the first one of the category?** - **My resolution: done it** - [x] `privacy.resistFingerprinting.block_mozAddonManager` - Thanks Mozilla :slight_smile: . - [ ] `dom.webaudio.enabled` - #13017 - Still used, also as a static pref - **S131: what are the relations between this and WebRTC?** - [x] `dom.webmidi.enabled` - Done for 102 in #41398. - [ ] `dom.w3c_touch_events.enabled` - **WIP**, see #28535 - [x] `dom.vr.enabled` - Still valid; `false` by default also in Firefox (see `StaticPrefList.yaml`), but we disabled it explicitly in case Mozilla enabled it without us noticing. - Not reviewed, too, probably - #21607 - [ ] `security.webauth.webauthn` - Reference: #26614, but **if I understand correctly, this has never been audited!** Disabled because we didn't audit, but then now followed up - Possible problem: we don't want this _for Android_ because it depends on a proprietary dependency (that however might be replaced with a GPLv3 one) - In any case, the preference is still valid - [ ] `dom.postMessage.sharedArrayBuffer.withCOOP_COEP` - Still valid (used as a static pref) - **Can we open #40016 again**? I'm not satisfied by the way it was closed. - Maybe related: #17412, but problems might have been solved, see [MDN](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/SharedArrayBuffer#security_requirements) - Also related: #40177 - [ ] `security.remote_settings.intermediates.enabled` - Still used. Interestingly enough, this is `true` by default only on Android - Disabled in #30682, but **gk opened #40099 to follow up** - [x] `dom.use_components_shim` - Wow, `Components.interfaces` for sites is still a thing on Firefox :see_no_evil: - Related: legacy/trac#2874 - [x] `privacy.resistFingerprinting.letterboxing` :slight_smile: - [x] `dom.netinfo.enabled` - **Change the comment as Thorin suggested** :slight_smile: - The default is also `false` - [x] `network.http.referer.defaultPolicy` - It sets the value that is already the default, but it does it only for non-PBM sessions (it takes for granted that PBM also has the same value). The reason was that it hasn't always been the default, see (#32948). - **Should we explicitly tell to do so in all modes?** Or at least, should we update the description to tell it's a defense in depth? - **My resolution: yes** - [x] `network.http.referer.XOriginTrimmingPolicy` - Recently updated, see #17228. - [ ] `media.videocontrols.picture-in-picture.enabled` - **Disabled only because not yet audited** - See #40147 and #40148 - [x] `network.http.referer.hideOnionSource` - **Move to `000-tor-browser.js`** - Original issue: #22320 - [x] `network.http.windows-sso.enabled` - #40463 - **We should remove the related checkbox in `about:preferences`** --> #40656 - [ ] `dom.enable_event_timing` - #40383 - Minimum is 16ms and rounded by 8ms; **if we decided that we lost the war against time measurements we could even re-enable this**. - [x] `dom.textMetrics.actualBoundingBox.enabled`, `dom.textMetrics.baselines.enabled`, `dom.textMetrics.emHeight.enabled`, `dom.textMetrics.fontBoundingBox.enabled` - Not sure of the original issue, but it seems it arrived with 91.2 ESR update. In any case, it's enough obvious why we need them :wink: - [x] `pdfjs.enableScripting` - Added recently (#40424), **we should add the reference also to the file** - [x] `javascript.options.large_arraybuffers` - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40177#note_2758404 - Basically, don't expose 32-bit. Unless there's another way to do so now. - [x] `browser.display.use_system_colors` - Added recently, but might need more work in the future, see #40057 - [x] `privacy.firstparty.isolate` - [ ] `privacy.partition.network_state` - https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40308#note_2723512 - **Check again and/or update the comment** - [x] `network.cookie.cookieBehavior` and `network.cookie.cookieBehavior.pbmode` - [ ] `network.predictor.enabled` - **_temporarily_ disabled** #16633 and #21657 - [ ] `privacy.purge_trackers.enabled` - **Update the issue number to the correct one** (#40220) - **Check what GeckoView does** (see the issue) - Not sure on why we don't want this... - [x] `network.dns.disablePrefetch` - **Do we need also `network.dns.disablePrefetchFromHTTPS`**? - **My resolution: yes**, even policies disable both - [x] `network.protocol-handler.*` - More details in https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25559#note_2846617 - [x] `network.proxy.allow_bypass` - [x] `network.http.tailing.enabled` - [x] `network.http.http2.*` - [x] `network.gio.supported-protocols` - **Add the reference to the bug number** (#23044) - [ ] `media.peerconnection.enabled` - **S131: This is for WebRTC, should we move it to Tor Browser?** - [ ] `media.gmp-provider.enabled`, `media.gmp-manager.url.override` and `media.gmp-manager.updateEnabled` - They are okay, but **we might use them for S131 stuff**, so we should add them to our notes somewhere - There's also a related ticket: #15910 (**add it to the pref file - added**) - [ ] `browser.eme.ui.enabled`, `media.gmp-widevinecdm.visible`, `media.gmp-widevinecdm.enabled`, `media.eme.enabled`, `media.mediadrm-widevinecdm.visible` - All still used, **but to track for S131, too** - However, I wouldn't remove them and add them back to Tor Browser, I would keep them and then remove in S131's branch, so that base-browser remains unencumbered - [x] `devtools.webide.autoinstallADBExtension`, `devtools.webide.enabled` - **Remove!** 😈️ (see comments, basically webide isn't a thing anymore) - [x] `devtools.debugger.chrome-debugging-host` - [x] `network.file.disable_unc_paths` - [x] `network.file.path_blacklist` - Cannot find our related issue, but found c6cbbca92205d461e1b9869fd39a79362fc0e9c1. However, everything is explained in Bugzilla (and wow, I didn't know about `file:///net`). - [x] `svg.disabled` - [x] `mathml.disabled` - [x] `svg.context-properties.content.allowed-domains` - [ ] `security.ssl.enable_false_start` - Still a thing, **but I think we could review the TLS preferences** - Couple of related issues: #18274 #28536 - [x] `network.http.connection-retry-timeout` - We set 0, which means "do not use a second connection" - **Only Tor Browser**, if still needed (see legacy/trac#7656) - **Moved, and follow up in the performance issue** (#32759) - [x] `network.manage-offline-status` - To avoid phoning home? I found the related bug #18945, but not the exact reason. - [x] `network.captive-portal-service.enabled` and `network.connectivity-service.enabled` - Still used, and okay both for Tor Browser and base-browser. S131 might want something different, and maybe customize `network.connectivity-service.IPv{4,6}.url` - [x] `dom.push.serverURL` - **Add the reference to the issue** (#18801) - [x] `extensions.autoDisableScopes` - "If the add-on is a foreign install and is in a scope where add-ons that were dropped in should default to disabled then disable it" - We use scope 0, i.e., we don't disable any addon (why? Is this because of HTTPS-E :coffin: and NoScript?) - [x] `extensions.bootstrappedAddons` - **Already obsolete in 68** (#30845). - [x] `extensions.checkCompatibility.4.*` - **Remove!** 😈️ - [ ] `extensions.databaseSchema` - It's still recognized, for XPI stuff... But why are we using it? **I'd like to remove it, if possible**. - [ ] `extensions.enabledScopes` - We allow also `SCOPE_APPLICATION`, **is it for NoScript?** Default scope is profile, otherwise, but I am not sure on how the whole thing works, since Mozilla bundles addons, after all, like the screenshots - [ ] `extensions.pendingOperations` - This is used by Firefox to do things, **why are we setting its default, that Firefox will change it anyway?** - [x] `extensions.getAddons.showPane`, `extensions.htmlaboutaddons.recommendations.enabled` - Still used, the former has even a policy - [ ] `extensions.webextensions.restrictedDomains` - **I'd like a second audit on it, opened an issue to follow-up** (#41445) - [x] extensions.postDownloadThirdPartyPrompt - Show the prompt to install addons even though they are "recommended by Mozilla" - Recommended by Thorin in #40177 - [x] `intl.multilingual.downloadEnabled` - [x] `browser.uiCustomization.state` - #13318, #13378, #16510 - [x] `security.cert_pinning.enforcement_level` - [x] `security.osclientcerts.autoload` - Great move: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/33534#note_2683533 - [x] `security.family_safety.mode` - [x] `security.enterprise_roots.enabled` - [x] `security.certerrors.mitm.priming.enabled` - [x] `gfx.offscreencanvas.domain-enabled`, `gfx.offscreencanvas.domain-allowlist` - [x] `browser.share_menu.allow` - [x] `browser.urlbar.suggest.topsites` - [x] `browser.urlbar.update1.{interventions,searchTips}` - **Remove!** 😈️ (see comments) - [x] `corroborator.enabled` - **Add the reference to the issue** (#40048) - [x] `taskbar.grouping.useprofile` - "If marked as such in prefs, use a hash of the profile path for the id instead of the install path hash setup by the installer." - S131 might want a different value (provided it's still useful, after we disable the items) - [x] `browser.taskbar.lists.enabled`, `browser.taskbar.lists.frequent.enabled`, `browser.taskbar.lists.tasks.enabled`, `browser.taskbar.lists.recent.enabled` - Good, but for ESR115 we'll have to test the new things about private mode that arrived recently # `000-tor-browser.js` - [x] `app.update.notifyDuringDownload` - [x] `app.update.url.manual` - [x] `app.update.url.details` - [x] `app.update.badgeWaitTime` - [x] `app.releaseNotesURL` - [x] `app.releaseNotesURL.aboutDialog` - [x] `app.feedback.baseURL` - [x] `browser.shell.checkDefaultBrowser` - [x] `network.proxy.socks` - [x] `network.proxy.socks_port` - [x] `network.proxy.socks_remote_dns` - [x] `network.proxy.no_proxies_on` - [x] `network.proxy.allow_hijacking_localhost` - [x] `network.proxy.type` - [x] `network.proxy.failover_direct` - Used as a static pref - [x] `network.security.ports.banned` - [x] `network.dns.disabled` - [x] `network.http.max-persistent-connections-per-proxy` - [ ] `browser.uiCustomization.state` - **Should we make sure it's only in one place?** I.e., delete the one from `001-base-profile.js` once we add the one in `000-tor-browser.js`? (but I haven't compared them, yet) - [x] `browser.uiCustomization.state` - [x] `network.http.http3.enabled` - [x] `torbrowser.version` - [ ] Review the old torbutton/torlauncher preferences (we have another issue for that)