changelog: v91.1 #1250

Closed
Thorin-Oakenpants opened this issue Sep 7, 2021 · 22 comments

Thorin-Oakenpants commented Sep 7, 2021

ESR users, get the v91.1 release

here is the v91-91.1 diff, which I added to the changes below


  • v91.0 date: 7-Sep-2021
  • v91.1 date: 27-Oct-2021
  • foreword: These are all the changes since the last changelog (v90).

FF91 release notes
FF91 for developers
FF91 security advisories


CHANGELOG: [all changes ... 103 commits v90-91.1 ... good luck]

  • links to bugzilla tickets and default pref changes in Firefox are in our ToDo: diffs FF90-FF91 issue
  • for all the rest see the full list of pref changes below

⭐ your friendly reminder to run prefsCleaner


ALL CHANGES (EXCEPT REMOVALS)

   // user_pref("network.trr.mode", 5);
   // user_pref("network.proxy.failover_direct", false);
  • made active in user.js v91
    • to enforce the default and clean up section 1600
user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
  • made inactive in user.js v91.1
    • taskbar: section 5000 is optional opsec
    • graphite, asmjs, wasm: see section header 5500 : optional hardening
    • http alt srv: see [WHY] in user.js, also will probably start to break things like RR
    • DNT: is sent anyway with ETP
    • reducedMotion: deduped, moved to personal, not a privacy issue with RFP (and we don't bother with FPing for non-RFP)
    • for systemAddons see reminder: revisit proxy direct failover #1251
   // user_pref("browser.taskbar.lists.enabled", false);
   // user_pref("browser.taskbar.lists.frequent.enabled", false);
   // user_pref("browser.taskbar.lists.recent.enabled", false);
   // user_pref("browser.taskbar.lists.tasks.enabled", false);
   // user_pref("gfx.font_rendering.graphite.enabled", false);
   // user_pref("javascript.options.asmjs", false);
   // user_pref("javascript.options.wasm", false);
   // user_pref("network.http.altsvc.enabled", false);
   // user_pref("network.http.altsvc.oe", false);
   // user_pref("privacy.donottrackheader.enabled", true);
   // user_pref("ui.prefersReducedMotion", 1);
   // user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
   // user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
  • changed value in user.js v91
    • permissions: were 2, now 0, because DON'T BOTHER 0702
    • ui dark theme: moved to personal, not a privacy issue with RFP (and we don't bother with FPing for non-RFP)
   // user_pref("permissions.default.geo", 0);
   // user_pref("permissions.default.camera", 0);
   // user_pref("permissions.default.microphone", 0);
   // user_pref("permissions.default.desktop-notification", 0);
   // user_pref("permissions.default.xr", 0); //
   // user_pref("ui.systemUsesDarkTheme", 1); // was 0, now 1

REMOVALS

  • removed from user.js v91
    • not recorded in 6050
    • inactive the whole ESR cycle (except warnOnAboutConfig)
   // user_pref("alerts.showFavicons", false); // [DEFAULT: false]
   // user_pref("dom.battery.enabled", false);
   // user_pref("dom.storage.enabled", false);
   // user_pref("gfx.direct2d.disabled", true); // [WINDOWS]
   // user_pref("layers.acceleration.disabled", true);
   // user_pref("media.media-capabilities.enabled", false);
   // user_pref("security.insecure_connection_icon.enabled", true); // [DEFAULT: true]
user_pref("general.warnOnAboutConfig", false); // XHTML version
user_pref("dom.allow_cut_copy", false);
user_pref("dom.vibrator.enabled", false);
user_pref("media.getusermedia.audiocapture.enabled", false);
user_pref("media.getusermedia.browser.enabled", false);
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("security.mixed_content.block_active_content", true); // [DEFAULT: true]
user_pref("webgl.enable-webgl2", false);
user_pref("webgl.disable-fail-if-major-performance-caveat", true); // [DEFAULT: true FF86+]
  • previously removed items
    • added to 6050: active at some stage during the ESR cycle
    browser.newtabpage.activity-stream.asrouter.providers.snippets
    browser.send_pings.require_same_host
    media.gmp-widevinecdm.visible
    network.http.redirection-limit
    privacy.partition.network_state
    security.ssl.enable_ocsp_stapling
    webgl.min_capability_mode

STATS

 STATS v91.1: up to and including section 4500, minus the parrots
 =========
    total: 229
 inactive:  49
           ---
   active: 180
  default:  11 (at least)
      n/a:   2 (of the three prefs in 0204, only one will apply)
           ---
  flipped: 167 (at most)
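
The categories used in the changelog above (made active, made inactive, changed value, removed) can be reproduced by comparing two versions of a user.js against each other. The following Python sketch is an added example, not part of the original post or of the arkenfox tooling; the two sample files are constructed from prefs named above (they are not the real v90/v91 files), and the parser assumes one `user_pref` per line with a leading `//` marking an inactive pref.

```python
import re

# One pref per line; a leading "//" means the pref is inactive (commented out).
PREF_RE = re.compile(
    r'^\s*(?P<off>//\s*)?user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;'
)

# Constructed samples (not the real v90/v91 files), using prefs named in the changelog.
OLD_SAMPLE = """
user_pref("javascript.options.wasm", false);
user_pref("network.http.altsvc.enabled", false);
// user_pref("network.http.referer.spoofSource", false);
user_pref("permissions.default.geo", 2);
user_pref("dom.vibrator.enabled", false);
"""

NEW_SAMPLE = """
   // user_pref("javascript.options.wasm", false);
   // user_pref("network.http.altsvc.enabled", false);
user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
   // user_pref("permissions.default.geo", 0);
   // user_pref("network.trr.mode", 5);
"""


def parse_prefs(text):
    """Return {name: (active, value)}.

    Among active lines the last one wins (prefs are applied in file order);
    an inactive line is only recorded when no active line sets the same pref.
    """
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        active = m.group("off") is None
        if active or name not in prefs or not prefs[name][0]:
            prefs[name] = (active, value)
    return prefs


def classify(old, new):
    """Sort every pref into the changelog's categories (a pref can be in two)."""
    report = {"added": [], "removed": [], "made_active": [],
              "made_inactive": [], "changed_value": []}
    for name in sorted(set(old) | set(new)):
        if name not in old:
            report["added"].append(name)
        elif name not in new:
            report["removed"].append(name)
        else:
            (was_active, old_value), (is_active, new_value) = old[name], new[name]
            if was_active != is_active:
                key = "made_active" if is_active else "made_inactive"
                report[key].append(name)
            if old_value != new_value:
                report["changed_value"].append((name, old_value, new_value))
    return report


def stats(prefs):
    """Counts in the shape of the STATS block: total, inactive, active."""
    active = sum(1 for is_active, _ in prefs.values() if is_active)
    return {"total": len(prefs), "inactive": len(prefs) - active, "active": active}


if __name__ == "__main__":
    old, new = parse_prefs(OLD_SAMPLE), parse_prefs(NEW_SAMPLE)
    for category, items in classify(old, new).items():
        print(f"{category}: {items}")
    print("stats:", stats(new))
```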

Thorin-Oakenpants commented Sep 7, 2021

IMPROVEMENTS

Thanks for flying Delta. Hopefully we've bent the curve.

Thanks for pointing out typos and fuckups and the thumbsup in comments

v90
- 106.9 KB
- 1725 lines
- 1664 sloc
- end of section 4500: line 1497
- items with [SETUP-: 42
- items with [WARNING]: 23

v91
- 88.8 KB
- 1461 lines
- 1406 sloc
- end of section 4500: line 1080
- items with [SETUP-: 32
- items with [WARNING]: 5

savings
- 16.9% - size: 18.1 KB
- 15.3% - lines: 264
- 15.5% - sloc: 258
- 27.9% - end of section 4500: 417 lines
- 23.8% - items with [SETUP-: 10 less
- 78.3% - items with [WARNING]: 18 less
-  0.0% - no parrots were sacrificed

Thorin-Oakenpants commented Sep 7, 2021

ALL HAIL PANTS

Collect the set

ginick commented Sep 8, 2021

this one took me quite some time to merge (manually with Meld).
Thanks to everyone involved for the hard work and dedication on this project.

@Thorin-Oakenpants

So .. no comments/feedback (or emojis) on the improvements?

How's everyone liking them? Does it make things easier? Do you like item 6050 (and 6051 for items removed in this ESR cycle) so you don't have to check the removed scratchpad and can just let prefsCleaner do the work? Are you impressed that no parrots were harmed in the making of this release?

Some feedback would be welcome. Don't make me sic the trash pandas on you all

ghost commented Sep 9, 2021

This will definitely make things easier. For people that don't bother reading and just take the user.js template as-is, this will reduce situations where people encounter breakage. For my two cents, I'd prefer the network.http.referer.XOriginPolicy pref to be relaxed to 1. To me that seems like the sweet spot; it would also reduce breakage for the people that encounter them. Anyone who wants to harden it further can just add it to their user-overrides.

@Thorin-Oakenpants

Thanks. I don't think anything I did removes any meaningful breakage: wasm isn't used much. I don't think asm broke things, https alt srv didn't break things. no one uses graphite ...

I was more concerned with people who DO read the user.js

ginick commented Sep 9, 2021

6050 was useful to me as I could reset/remove no longer used items.
There is no longer section 4600 and its items are spread across the bottom sections; I don't mind it, but there is no longer a warning to not use these preferences with RFP enabled.
I also noticed that many items that had explanations of what they do and had related links, are now mostly just put there with no explanation (with some exceptions where there is a short line about the item's purpose).

@rusty-snake

but there is no longer a warning to not use these preferences with RFP enabled.

user.js/user.js

Line 1315 in 524823f

[WARNING] DO NOT USE with RFP. RFP already covers these and they can interfere

practik commented Sep 9, 2021

no comments/feedback (or emojis) on the improvements?

🍻🍺🍻🍺🍻🍺🍻🍺🍻

I was going to wait till I'd gotten thru the whole thing (I'm only to 1600 atm), because holy &$#*@ this is a comprehensive overhaul. I see now why it took a minute to get released. Anyway, so far I'm not seeing anything that doesn't make sense.

Only possible complaint is what @ginick said about lost explanations. Most of them I don't miss, but I was glad I got to read the stuff that used to be at the top of section 1000 and the notes on the old 1001 and 1023 before that info got axed.

@Onfroygmx

So .. no comments/feedback (or emojis) on the improvements?

Blame GitHub, there are only issues!
And as soon as you post something which is not an issue, well ....

Onf

@Thorin-Oakenpants

@practik

but I was glad I got to read the stuff that used to be at the top of section 1000 and the notes on the old 1001 and 1023 before that info got axed

But that's the point: when it was added it was relevant, today it is not

  • section 1000 header: none of it applies anymore since FF85 and network partitioning
  • 1001 didn't have anything except a TC mention which no longer applies, see network partitioning

As for 1023, it only lost some info about "possibly" affected recently closed tabs/history - I can't vouch for that anymore. It's been years since I added that pref, and only tested it the once. This level of maintenance I can do without. The fact that cache is disabled saves magnitudes of order far more disk writes (if it has an impact for you)

Now if there is something I removed that is still relevant, then we can put it back


@ginick

no longer section 4600 and its items are spread across the bottom sections

they're still together (mostly: prefers-color and prefers-reduced-motion went to personal, and font pref was swapped out, whitelist vs vis), just a different section number

I also noticed that many items that had explanations of what they do and had related links, are now mostly just put there with no explanation (with some exceptions where there is a short line about the item's purpose).

Excluding section 7000s and 8000s (don't bothers) which I am not interested in, any links removed were a waste of time: e.g. the bugzilla which showed the pref being added, but it doesn't even have any info (seriously, some of them were only 4 comments long), and/or the pref/description is self-evident. I even replaced some, rather than remove them. Nothing of value was lost, I can assure you. And some replacements were better, e.g. the ASM and JIT ones

e.g.

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js

instead of

 * [2] https://www.mozilla.org/security/advisories/mfsa2015-29/
 * [3] https://www.mozilla.org/security/advisories/mfsa2015-50/
 * [4] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
 * [5] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400

I'll do some reference link number crunching and diffs

@Thorin-Oakenpants

I did some quick number crunching: excluding

  • the intro and deprecated section
  • the value in pref geo.provider.network.url
  • the three examples in 1600s header (which are still there)
  • the six in 2300s header (which are still there)
  • the example in 1272 (which is still there)
  • the four references in new item 0705 (DoH)
  • http:// : no changes
  • https://: excluding dupes
    • v90 - 228
    • v91 - 149 : all ] https:// if you search them, as of last commit

diffs to follow

v90: 228


v91: 149


@Thorin-Oakenpants
Contributor Author

from above
228 - 149 = 79 less links

from below
 91 -  12 = 79 less links: but 103 changes

here are your diffs

12 new references added in v91

https://bugzilla.mozilla.org/show_bug.cgi?id=1320796#c7
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=asm.js
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+graphite
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+jit
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=firefox+svg
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=mathml
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=punycode+firefox
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm
https://en.wikipedia.org/wiki/Basic_access_authentication
https://mozilla.github.io/normandy/
https://support.mozilla.org/kb/common-myths-about-private-browsing
https://support.mozilla.org/kb/windows-sso

91 references removed in v91

https://abouthome-snippets-service.readthedocs.io/
https://arkenfox.github.io/TZP/tzp.html#misc
https://arxiv.org/abs/1810.07304
https://blog.lukaszolejnik.com/stealing-sensitive-browser-data-with-the-w3c-ambient-light-sensor-api/
https://blog.mozilla.org/security/2018/01/31/preventing-data-leaks-by-stripping-path-information-in-http-referrers/
https://blog.mozilla.org/security/2021/03/22/firefox-87-trims-http-referrers-by-default-to-protect-user-privacy/
https://blog.scottlogic.com/2014/11/07/http-2-a-quick-look.html
https://bugzilla.mozilla.org/1008453
https://bugzilla.mozilla.org/1121643
https://bugzilla.mozilla.org/1170911
https://bugzilla.mozilla.org/1171228
https://bugzilla.mozilla.org/1173199
https://bugzilla.mozilla.org/1216893
https://bugzilla.mozilla.org/1279029
https://bugzilla.mozilla.org/1288359
https://bugzilla.mozilla.org/1305144
https://bugzilla.mozilla.org/1313580
https://bugzilla.mozilla.org/1382359
https://bugzilla.mozilla.org/1528289
https://bugzilla.mozilla.org/1613063 [META]
https://bugzilla.mozilla.org/1688105
https://bugzilla.mozilla.org/654550
https://bugzilla.mozilla.org/960426
https://bugzilla.mozilla.org/967977
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1357733,1292751
https://bugzilla.mozilla.org/buglist.cgi?bug_id=1695693,1719301
https://bugzilla.mozilla.org/buglist.cgi?bug_id=232227,1330876
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
https://developer.mozilla.org/docs/Web/API/MediaDevices/enumerateDevices
https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange
https://developer.mozilla.org/docs/Web/API/Network_Information_API
https://developer.mozilla.org/docs/Web/API/PointerEvent
https://developer.mozilla.org/docs/Web/API/SpeechSynthesis
https://developer.mozilla.org/docs/Web/API/Touch_events
https://developer.mozilla.org/docs/Web/API/Web_Speech_API
https://developer.mozilla.org/docs/Web/API/WEBGL_debug_renderer_info
https://developer.mozilla.org/docs/Web/API/WebVR_API
https://developer.mozilla.org/docs/Web/Events/devicechange
https://developer.mozilla.org/docs/Web/HTTP/Headers/Referrer-Policy
https://developer.mozilla.org/docs/WebAssembly
https://en.wikipedia.org/wiki/3des#Security
https://en.wikipedia.org/wiki/Forward_secrecy
https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
https://en.wikipedia.org/wiki/Key_size
https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
https://firefox-source-docs.mozilla.org/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
https://github.com/arkenfox/user.js/wiki/4.2.4-Header-Editor
https://github.com/mozilla/normandy
https://github.com/WICG/media-capabilities
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10286
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/13023
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15757
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/15758
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21323
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21675
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22127
https://html.spec.whatwg.org/multipage/workers.html#navigator.hardwareconcurrency
https://http2.github.io/faq/
https://http2.github.io/http2-spec/#rfc.section.10.8
https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
https://queue.acm.org/detail.cfm?id=2716278
https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
https://searchfox.org/mozilla-central/source/browser/extensions
https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern
https://shiftordie.de/blog/2017/02/21/fingerprinting-firefox-users-with-cached-intermediate-ca-certificates-fiprinca/
https://spreadprivacy.com/is-private-browsing-really-private/
https://support.mozilla.org/questions/1043508
https://tools.ietf.org/html/rfc5077
https://tools.ietf.org/html/rfc7838#section-9
https://wicg.github.io/media-capabilities/#security-privacy-considerations
https://wicg.github.io/netinfo/
https://wiki.mozilla.org/Firefox/Shield
https://wiki.mozilla.org/HTML5_Speech_API
https://wiki.mozilla.org/Media/getUserMedia
https://wiki.mozilla.org/Necko/CaptivePortal
https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this
https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
https://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
https://www.mnot.net/blog/2016/03/09/alt-svc
https://www.mozilla.org/firefox/geolocation/
https://www.mozilla.org/security/advisories/mfsa2015-29/
https://www.mozilla.org/security/advisories/mfsa2015-50/
https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
https://www.mozilla.org/security/advisories/mfsa2017-02/ (CVE-2017-5383)
https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400
https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778
https://www.w3.org/TR/referrer-policy/
https://xkcd.com/538/

@Thorin-Oakenpants
Contributor Author

I'm not going to bother going through them - but the new ones replaced old broken ones, or were better (e.g. all the cve? ones). IMO nothing of value was lost. But there you go, now you have a list and can prove me wrong :)

@practik

practik commented Sep 10, 2021

@Thorin-Oakenpants

> when it was added it was relevant, today it is not

Awesome. Thanks for the explanation and the ab number crunches.

Two baby nits so far:
line 618 (item 1701): change "it's" to "its"
line 683 (item 2302): shouldn't "it is" be "they are"?

@Onfroygmx

> github, there are only issues!

Fortunately things seem to be a little more humane around here :-)

@ginick

ginick commented Sep 10, 2021

"Nothing of value was lost, I can assure you. And some replacements were better." 👍

@Marc05

Marc05 commented Sep 10, 2021

I had the same concerns as the previous comments, but figured there were good reasons for the changes - thank you for explaining!

I was able to remove a couple of custom overrides. Side-note, the override recipes are very useful - I feel like they should get more visibility somehow.

  • I don't understand this line, what does "font fallback is equivalency" mean?:

    user.js/user.js

    Line 1303 in 76c1aad

    * [WHY] Breakage, font fallback is equivalency, also RFP
  • Looks like a typo here in "They":

    user.js/user.js

    Line 1309 in 76c1aad

    * [WHY] Fingerprintable. Breakage. They (cut/copy/paste) require user

@practik

practik commented Sep 10, 2021

A few more you might want to consider:

  • line 248 (section 0400 header): change "striping" to "stripping"
  • line 790 (pref 2620): change "as secure/vetted more than most" to "more secure/vetted than most pdf readers"
  • line 994 (section 4500 header): add subhead "FF41-55" here
    • pants says nah

@Onfroygmx

Sorry if I was harsh, I appreciate all your work!!

But I cannot agree with all.
So I strip all the comments, compare the prefs from one version to another and override what I don't like.

Hail Pants, Earthlings and the others.

@Thorin-Oakenpants
Contributor Author

Thorin-Oakenpants commented Sep 11, 2021

> I don't understand this line, what does "font fallback is equivalency" mean?:

equivalency: same result as something else: e.g. the fonts you use (or have available) on a webpage are dictated by the OS and by your preferred language - e.g. on Windows, en-* uses Times New Roman, Arial, and Courier New. So the measurements stem from those, or from fallback fonts (which is dictated by the same forces: available OS fonts). When the metrics are the same, this is equivalency. RFP limits all the fonts available. Not to confuse this with other variables such as device pixel ratio, zoom, high precision measuring etc that can show differences.

Or more simply: let's just say most webaudio entropy stems from math entropy. You could randomize webaudio, but the entropy still remains in math. But fix math, you fix the webaudio - i.e. webaudio is equivalency of math, and math is equivalency of OS, and you cannot hide your OS.

I don't actually understand the 8-year-old argument made at Tor Browser - maybe it made sense back then (edit: they didn't have a font whitelist at the time?). If you block the web font, then you end up using your default font, which will likely need to fall back to another font (because generally speaking the chars in glyphs and icons will not be in your default font: e.g. PUAs), which then creates more entropy than if you had just let the web font load - which is why they also disabled the fallback rendering - so everyone would end up with tofu = breakage. Using a web font means all users use the same font and don't fall back anyway. So this never made any sense to me.

Edit: by testing PUAs an attacker could probe system fonts, which would vary mainly on Linux (whitelisting didn't exist)


Note: FF86+ 1676966: gfx.font_rendering.fallback.async

  • When chars trigger global fallback search (iterating over all available fonts to try and render the char) FF starts loading the character map data required to support this, but no longer allows this to block layout & rendering; instead, FF continues to render (perhaps rendering tofu) while the loading happens in the background, and then re-layout/renders the document once loading is complete

You can see this in tests, see arkenfox/TZP#38 : until each Firefox session has come across a char it needs to fall back and resolve, it initially renders tofu, after which it remembers ... until the next session.

Tests: (load each test in a new browser session)

TZP

  • sweeet .. FP is stable on first load and subsequent re-runs and page loads, refreshes
  • this is because I set the characters directly in the html (offscreen) and only test them later, after it has had time to fallback
  • All Hail Pants
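The "equivalency" argument in the comment above, worked through as an added example (not code from arkenfox or TZP). The 16-profile population, the OS shares and the `math(...)` / `audio(...)` labels are constructed, and the strict OS -> math -> webaudio dependency is an assumption taken from the comment's simplified description.

```javascript
// Constructed population of 16 profiles (not measured data).
const OS_COUNTS = { windows: 8, macos: 4, linux: 4 };

// Assumed dependency chain from the comment: OS -> math results -> webaudio hash.
const mathFor = (os) => `math(${os})`;
const audioFor = (math) => `audio(${math})`;

function buildPopulation() {
  const users = [];
  for (const [os, n] of Object.entries(OS_COUNTS)) {
    for (let i = 0; i < n; i++) {
      const math = mathFor(os);
      users.push({ os, math, audio: audioFor(math) });
    }
  }
  return users;
}

// Shannon entropy in bits of the joint value of the chosen metrics.
function entropyBits(users, metrics) {
  const counts = new Map();
  for (const u of users) {
    const key = metrics.map((m) => u[m]).join("|");
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  let bits = 0;
  for (const c of counts.values()) {
    const p = c / users.length;
    bits -= p * Math.log2(p);
  }
  return bits;
}

// Mitigation A: noise on webaudio only (the index stands in for per-session noise).
const randomizeAudio = (users) =>
  users.map((u, i) => ({ ...u, audio: `noise-${i}` }));

// Mitigation B: math returns one value for everyone; webaudio follows it.
const fixMath = (users) =>
  users.map((u) => ({ ...u, math: "math(fixed)", audio: audioFor("math(fixed)") }));

const pop = buildPopulation();
console.log("audio alone:", entropyBits(pop, ["audio"]));
console.log("math + audio:", entropyBits(pop, ["math", "audio"]));
console.log("math after audio noise:", entropyBits(randomizeAudio(pop), ["math"]));
console.log("math + audio, math fixed:", entropyBits(fixMath(pop), ["math", "audio"]));
console.log("os, math fixed:", entropyBits(fixMath(pop), ["os"]));
```

Webaudio adds no bits on top of math, noise on webaudio leaves the math bits intact, and fixing math zeroes both while the OS metric keeps its entropy.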

@Thorin-Oakenpants
Contributor Author

> Looks like a typo here in "They": They (cut/copy/paste) require use

Well the they refers to "cut, copy and paste". But it is a little awkward

@Thorin-Oakenpants
Contributor Author

> Hail Pants, Earthlings and the others.

Hails are limited to PANTS

> Sorry If I was harsh

I didn't even understand your post

> But I cannot agree with all .. and override what I don't like.

That's exactly what you're meant to do. The default user.js is a template and will not suit everyone .. indeed, anyone
