Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ToDo: diffs FF109-FF110 #1640

Closed
earthlng opened this issue Mar 10, 2023 · 7 comments
Closed

ToDo: diffs FF109-FF110 #1640

earthlng opened this issue Mar 10, 2023 · 7 comments
Labels
diffs enhancement task

Comments

@earthlng
Copy link
Contributor

earthlng commented Mar 10, 2023
edited by Thorin-Oakenpants

FF110 is scheduled for release Feb. 14th

FF110 release notes
FF110 for developers
FF110 security advisories

88 diffs ( 40 new, 34 gone, 14 different )

changed in v110.0:

  • FYI
    • pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM");
    • pref("security.sandbox.gpu.level", 1); // prev: 0 - cool 🎉
  • pref("network.cookie.sameSite.schemeful", false); // prev: true - see comment below

ignore

click me for details

==NEW

pref("browser.aboutwelcome.showModal", false);
pref("browser.opaqueResponseBlocking.javascriptValidator", false);
pref("browser.theme.colorway-migration", false);
pref("cookiebanners.listService.testSkipRemoteSettings", false);
pref("dom.events.dataTransfer.imageAsFile.enabled", false);
pref("dom.fs.writable_file_stream.enabled", false);
pref("dom.media.autoplay-policy-detection.enabled", false);
pref("dom.security.credentialmanagement.identity.reject_delay.duration_ms", 120000);
pref("dom.security.credentialmanagement.identity.reject_delay.enabled", true);
pref("dom.security.setHTML.enabled", false);
pref("editor.inline_style.range.compatible_with_the_other_browsers", true);
pref("gfx.canvas.accelerated.debug", false);
pref("gfx.canvas.accelerated.force-enabled", false);
pref("gfx.video.convert-i420-to-nv12.force-enabled", false);
pref("gfx.webrender.dcomp-video-sw-overlay-win", false);
pref("layout.css.floating-first-letter.tight-glyph-bounds", 1);
pref("layout.css.nth-child-of.enabled", false);
pref("layout.css.overflow-overlay.enabled", false);
pref("layout.css.scroll-driven-animations.enabled", false);
pref("media.getusermedia.camera.macavf.enabled", false);
pref("media.peerconnection.allow_old_setParameters", true);
pref("media.video-wakelock", true);
pref("media.webrtc.capture.allow-directx", false);
pref("media.webrtc.capture.allow-wgc", false);
pref("media.wmf.media-engine.raw-data-threshold.audio", 2000000);
pref("media.wmf.media-engine.raw-data-threshold.video", 500000);
pref("network.cors_preflight.block_userpass_uri", false);
pref("network.early-hints.parent-connect-timeout", 10000);
pref("network.early-hints.preconnect.enabled", false);
pref("network.http.http2.websockets", true); // prev: false
pref("network.http.useragent.forceRVOnly", 109);
pref("network.trr_ui.skip_reason_learn_more_url", "https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#");
pref("network.webtransport.datagram_size", 1200);
pref("network.webtransport.redirect.enabled", false);
pref("pdfjs.defaultZoomDelay", 400);
pref("privacy.annotate_channels.strict_list.pbmode.enabled", false);
pref("signon.firefoxRelay.base_url", "https://relay.firefox.com/api/v1/");
pref("signon.firefoxRelay.feature", "not available");
pref("signon.firefoxRelay.learn_more_url", "https://relay.firefox.com/");
pref("widget.gtk.grab-pointer", 2);
pref("widget.gtk.ignore-bogus-leave-notify", 2);

==REMOVED, RENAMED or HIDDEN

pref("browser.places.snapshots.expiration.days", 210);
pref("browser.places.snapshots.expiration.userManaged.days", 420);
pref("browser.places.snapshots.relevancy.timeOfDayIntervalSeconds", 3600);
pref("browser.places.snapshots.score.CurrentSession", 1);
pref("browser.places.snapshots.score.IsUserPersisted", 1);
pref("browser.places.snapshots.score.IsUserRemoved", -10);
pref("browser.places.snapshots.score.Visit", 1);
pref("browser.places.snapshots.source.CommonReferrer", 3);
pref("browser.places.snapshots.source.Overlapping", 3);
pref("browser.places.snapshots.source.TimeOfDay", 3);
pref("devtools.browserconsole.contentMessages", false);
pref("devtools.browsertoolbox.fission", true);
pref("dom.fs.main_thread_writable_file_stream", false);
pref("dom.security.sanitizer.rewrite_no_bounty", false);
pref("dom.streams.byte_streams.enabled", true);
pref("dom.streams.pipeTo.enabled", true);
pref("dom.streams.readable_stream_default_controller.enabled", true);
pref("dom.streams.readable_stream_default_reader.enabled", true);
pref("dom.streams.transferable.enabled", true);
pref("dom.streams.transform_streams.enabled", true);
pref("dom.streams.writable_streams.enabled", true);
pref("extensions.formautofill.creditCards.hideui", false);
pref("extensions.formautofill.creditCards.used", 0);
pref("html5.offmainthread", true);
pref("javascript.options.large_arraybuffers", true);
pref("layout.css.caption-side-non-standard.enabled", false);
pref("layout.css.grid-template-subgrid-value.enabled", true);
pref("layout.css.scroll-linked-animations.enabled", false);
pref("media.peerconnection.simulcast", true);
pref("media.webrtc.capture.allow-iosurface", true);
pref("network.cookie.move.interval_sec", 0);
pref("privacy.restrict3rdpartystorage.rollout.preferences.learnMoreURLSuffix", "total-cookie-protection");
pref("privacy.restrict3rdpartystorage.rollout.preferences.TCPToggleInStandard", false);
pref("webgl.force-layers-readback", false);

==CHANGED

pref("browser.migrate.opera-gx.enabled", true); // prev: false
pref("browser.migrate.opera.enabled", true); // prev: false
pref("browser.migrate.vivaldi.enabled", true); // prev: false
pref("content.sink.perf_parse_time", 30000); // prev: 360000
pref("dom.focus.fixup", true); // prev: false
pref("dom.sitepermsaddon-provider.separatedBlocklistedDomains", "shopee.co.th,alipay.com,miravia.es"); // prev: "shopee.co.th"
pref("layout.css.container-queries.enabled", true); // prev: false
pref("layout.css.named-pages.enabled", true); // prev: false
pref("toolkit.shutdown.lateWriteChecksStage", 2); // prev: 3
pref("webgl.out-of-process.async-present", true); // prev: false
@earthlng
Copy link
Contributor Author

some bugzilla tickets

  • browser.aboutwelcome.showModal
    Bug 1801224 - Invoke window modal for new users on first startup

  • browser.contentblocking.features.strict
    Bug 1808212 - Part 3: Adding the content blocking pref setting for the level2 list pref in private windows.
    Bug 1783496 - Add cookieBehavior5,cookieBehaviorPBM5 back to strict ETP pref so dFPI item is shown in the strict category.
    Bug 1778457 - Enable query parameter stripping in Private Browsing Mode if ETP strict is enabled.
    Bug 1776760 - Enable dFPI by default for Beta and Release via cookieBehavior pref.
    Bug 1763660 - Add query parameter stripping pref to ETP strict.

  • browser.migrate.opera.enabled
    Bug 1806711 - Enable Opera, Opera GX and Vivaldi migrators by default.
    Bug 1800923 Not able to import data from Opera/Vivaldi on first run migration.
    Bug 1284106 Make Possible import data from (new) Opera

  • browser.migrate.opera-gx.enabled
    Bug 1806711 - Enable Opera, Opera GX and Vivaldi migrators by default.
    Bug 1800923 Not able to import data from Opera/Vivaldi on first run migration.
    Bug 1795462 - Importing data from OperaGX.

  • browser.migrate.vivaldi.enabled
    Bug 1806711 - Enable Opera, Opera GX and Vivaldi migrators by default.
    Bug 1800923 Not able to import data from Opera/Vivaldi on first run migration.
    Bug 1795739 - Make it possible to import data from Vivaldi.

  • browser.opaqueResponseBlocking.javascriptValidator
    Bug 1532644 - Implement the initial version of the Javascript Validator for ORB

  • browser.places.snapshots.expiration.days
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1763577 - MR2-426 - Implement initial snapshots expiration.

  • browser.places.snapshots.expiration.userManaged.days
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1763577 - MR2-426 - Implement initial snapshots expiration.

  • browser.places.snapshots.relevancy.timeOfDayIntervalSeconds
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1804223: Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.

  • browser.places.snapshots.score.CurrentSession
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1804223: Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.

  • browser.places.snapshots.score.IsUserPersisted
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1804223: Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.

  • browser.places.snapshots.score.IsUserRemoved
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1804223: Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.

  • browser.places.snapshots.score.Visit
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1804223: Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.

  • browser.places.snapshots.source.CommonReferrer
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1804223: Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.

  • browser.places.snapshots.source.Overlapping
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1804223: Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.

  • browser.places.snapshots.source.TimeOfDay
    Bug 1808915: Remove snapshots and session manager functionality.
    Bug 1804223: Normalise snapshot pref names and allow enabling interaction logging without turning on snapshotting.

  • browser.theme.colorway-migration
    Bug 1806701 - Lock colorways migration behind a pref, disable by default on all channels.

  • content.sink.perf_parse_time
    Bug 1808824 - decrease content.sink.perf_parse_time,

  • cookiebanners.listService.testSkipRemoteSettings
    Bug 1804129 - Tests for nsICookieBannerService::hasRuleForBrowsingContextTree.

  • devtools.browserconsole.contentMessages
    Bug 1806405 - [devtools] Remove code related to "show content message" toggle.

  • devtools.browsertoolbox.fission
    Bug 1625939 - [devtools] Remove devtools.browsertoolbox.fission preference and remove old non-fission Browser Toolbox.
    Bug 1625937 - [devtools] Enable multiprocess browser toolbox on all channels.

  • dom.events.dataTransfer.imageAsFile.enabled
    Bug 1812611 - Disable image dragging as files by default again.

  • dom.focus.fixup
    Bug 1810077 - Let the focus fixup rule ride the trains.

  • dom.fs.main_thread_writable_file_stream
    Bug 1802279 - Extend preference to disable WritableFileStream in all contexts.
    Bug 1798459 - Disable WritableFileStream on the main thread;

  • dom.fs.writable_file_stream.enabled
    Bug 1802279 - Extend preference to disable WritableFileStream in all contexts.

  • dom.media.autoplay-policy-detection.enabled
    Bug 1773551 - part2 : implement the navigator autoplay policy API.

  • dom.security.credentialmanagement.identity.reject_delay.duration_ms
    Bug 1803245 - Add Timeout nsiTimer onto the Document to track active IdentityCredential requests,

  • dom.security.credentialmanagement.identity.reject_delay.enabled
    Bug 1803245 - Add Timeout nsiTimer onto the Document to track active IdentityCredential requests,

  • dom.security.sanitizer.rewrite_no_bounty
    Bug 1806447 - Always use the new Sanitizer implementation instead of the old nsTreeSanitizer code.

  • dom.security.setHTML.enabled
    Bug 1805632 - Add a new pref just for Element.setHTML without enabling the Sanitizer interface.

  • dom.sitepermsaddon-provider.separatedBlocklistedDomains
    Bug 1812195 — Add alipay.com and miravia.es to the site permission blocklist.
    Bug 1795927 - Add SitePermsAddon blocklist.

  • dom.streams.byte_streams.enabled
    Bug 1807845 - Remove the dom.streams prefs

  • dom.streams.pipeTo.enabled
    Bug 1807845 - Remove the dom.streams prefs

  • dom.streams.readable_stream_default_controller.enabled
    Bug 1807845 - Remove the dom.streams prefs

  • dom.streams.readable_stream_default_reader.enabled
    Bug 1807845 - Remove the dom.streams prefs

  • dom.streams.transferable.enabled
    Bug 1807845 - Remove the dom.streams prefs

  • dom.streams.transform_streams.enabled
    Bug 1807845 - Remove the dom.streams prefs

  • dom.streams.writable_streams.enabled
    Bug 1807845 - Remove the dom.streams prefs

  • editor.inline_style.range.compatible_with_the_other_browsers
    Bug 1792386 - part 1: Make HTMLEditor::SetInlinePropertiesAsSubAction extend and/or shrink range smarter

  • extensions.formautofill.creditCards.hideui
    Bug 1805838 - Remove 'extensions.formautofill.creditCards.hideui' preference

  • extensions.formautofill.creditCards.used
    Bug 1808303 - Remove the pref to determine whether a user has ever used credit card autofill

  • gfx.canvas.accelerated.debug
    Bug 1806392 - Add a debug indicator for Accelerated Canvas2D.

  • gfx.canvas.accelerated.force-enabled
    Bug 1806058 - Add blocklist for Accelerated Canvas2D.

  • gfx.video.convert-i420-to-nv12.force-enabled
    Bug 1753373 - Upload software decoded video to NV12 for video overlay on Windows

  • gfx.webrender.dcomp-video-sw-overlay-win
    Bug 1807515 - Enable video overlay of software decoded video until early beta on Windows
    Bug 1753373 - Upload software decoded video to NV12 for video overlay on Windows

  • html5.offmainthread
    Bug 1801862 - Remove the pref to run the HTML parser on the main thread.

  • javascript.options.large_arraybuffers
    Bug 1703508 part 1 - Remove pref for large ArrayBuffers.

  • layout.css.caption-side-non-standard.enabled
    Bug 1807963 - Remove non-standard values of caption-side for good.

  • layout.css.container-queries.enabled
    Bug 1809720 - Let container queries ride the trains.
    Bug 1801123 - Enable container queries on nightly.

  • layout.css.floating-first-letter.tight-glyph-bounds
    Bug 290125 - Create a pref to treat floated ::first-letter more like webkit/blink, not tightly wrapping the glyph extents.

  • layout.css.grid-template-subgrid-value.enabled
    Bug 1804980: Remove the about:config pref for subgrid, layout.css.grid-template-subgrid-value.enabled, since it's been default-enabled for years.

  • layout.css.named-pages.enabled
    Bug 1802239 - Enable CSS named pages on all channels
    Bug 1787947 - pref on CSS named pages in Nightly

  • layout.css.nth-child-of.enabled
    Bug 1808227 - Implement parsing and serialization for nth-child(An+B of selector list) and :nth-last-child(An+B of selector list)

  • layout.css.overflow-overlay.enabled
    Bug 1521631 - Implement overflow: overlay as an alias on auto, and enable on Nightly.

  • layout.css.scroll-driven-animations.enabled
    Bug 1807685 - Rename scroll-linked (animations) to scroll-driven (excluding WPT tests).

  • layout.css.scroll-linked-animations.enabled
    Bug 1807685 - Rename scroll-linked (animations) to scroll-driven (excluding WPT tests).

  • media.getusermedia.camera.macavf.enabled
    Bug 1806605 - Enable new mac camera backend on nightly and early beta.
    Bug 1806521 - Disable new mac camera backend.
    Bug 1451394 - Enable new Mac camera backend in Nightly and early Beta.
    Bug 1451394 - Integrate with the libwebrtc camera backend for Mac.

  • media.peerconnection.allow_old_setParameters
    Bug 1401592: Add a config option to imitate the old setParameters behavior.

  • media.peerconnection.simulcast
    Bug 1401592: Remove the media.peerconnection.simulcast pref.

  • media.video-wakelock
    Bug 1804770 - add a pref to control video wakelock.

  • media.webrtc.capture.allow-directx
    Bug 1808667 - Configure windows desktop capture settings.

  • media.webrtc.capture.allow-iosurface
    Bug 1808667 - Only set the media.webrtc.capture.allow-iosurface pref on mac.

  • media.webrtc.capture.allow-wgc
    Bug 1808667 - Configure windows desktop capture settings.

  • media.wmf.media-engine.raw-data-threshold.audio
    Bug 1807108 - use prefs to control the raw data threshold for engine streams.

  • media.wmf.media-engine.raw-data-threshold.video
    Bug 1807108 - use prefs to control the raw data threshold for engine streams.

  • network.cookie.move.interval_sec
    Bug 1808206 - Remove code that moves cookies around in memory
    Bug 1737080 - Disable moving cookies to save power

  • network.cookie.sameSite.schemeful
    Bug 1800273 - Disable network.cookie.sameSite.schemeful,

  • network.cors_preflight.block_userpass_uri
    Bug 1738251 - CORS requests to URL with userpassword should only fail for redirects

  • network.early-hints.parent-connect-timeout
    Bug 1804034 - Early Hints: Remove EarlyHintPreloader from EarlyHintRegistrar with timer when connect back doesn't happen

  • network.early-hints.preconnect.enabled
    Bug 1740692 - Establish a speculative connection when receiving rel=preconnect in 103 response,

  • network.http.http2.websockets
    Bug 1774572 - Enable websocket over http2,

  • network.http.useragent.forceRVOnly
    Bug 1806675 - fixate rv portion of UA string to 109.0 on android, too,
    Bug 1805967 - keep android the same because the issue doesn't occur there and its tests are unhappy. CLOSED TREE
    Bug 1805967 - cap rv: bits in User Agent string to 109 because some sites detect IE11 based on rv:11*,

  • network.trr_ui.skip_reason_learn_more_url
    Bug 1596845 - Make custom about:neterror page for TRR mode3 DNS failures

  • network.webtransport.datagram_size
    Bug 1791834 - Implement WebTransport Datagram,

  • network.webtransport.redirect.enabled
    Bug 1792678 - add webtransport redirect preference.

  • privacy.annotate_channels.strict_list.pbmode.enabled
    Bug 1808212 - Part 1: Add a pref for controlling ETP level 2 list in the private browsing mode.

  • privacy.restrict3rdpartystorage.rollout.preferences.learnMoreURLSuffix
    Bug 1797513 - TCP rollout clean up TCP-in-standard checkbox.
    Bug 1774739 - Update ETP preferences section for TCP in standard mode.

  • privacy.restrict3rdpartystorage.rollout.preferences.TCPToggleInStandard
    Bug 1797513 - TCP rollout clean up TCP-in-standard checkbox.

  • security.sandbox.gpu.level
    Bug 1809519 - Enable the GPU sandbox in Release
    Bug 1803135 - Enable the GPU sandbox in Early Beta
    Bug 1347710 - Re-enable GPU sandbox on Windows Nightly
    Bug 1347710 - Change sandbox.gpu to a static pref

  • signon.firefoxRelay.base_url
    Bug 1751763 - Firefox Relay integration

  • signon.firefoxRelay.feature
    Bug 1751763 - Firefox Relay integration

  • signon.firefoxRelay.learn_more_url
    Bug 1751763 - Firefox Relay integration

  • toolkit.shutdown.lateWriteChecksStage
    Bug 1768581 - Part 3 Swap the order of MaybeFastShutdown and KillClearOnShutdown inside AdvanceShutdownPhase and add extra NS_ProcessPendingEvents for the main thread.
    Bug 1768581 - Part 12: Swap the order of MaybeFastShutdown and KillClearOnShutdown inside AdvanceShutdownPhase and add extra NS_ProcessPendingEvents for the main thread.

  • webgl.force-layers-readback
    Bug 1809768 - Remove pref webgl.force-layers-readback

  • webgl.out-of-process.async-present
    Bug 1800178 - Enable RemoteTexture on WebGL with sync present on android nightly
    Bug 1800032 - Enable RemoteTexture on WebGL with sync present until release

  • widget.gtk.grab-pointer
    Bug 1807482 - Re-introduce a reduced version of mouse grabs for desktop environments that need it.
    Bug 1807482 - Re-introduce a reduced version of mouse grabs.

  • widget.gtk.ignore-bogus-leave-notify
    Bug 1805939 - Ignore bogus leave-notify events on known-broken environments.

@Thorin-Oakenpants
Copy link
Contributor

thanks E .. have some 🥮

@Thorin-Oakenpants
Copy link
Contributor

I wonder if we should enforce network.cookie.sameSite.schemeful - see https://bugzilla.mozilla.org/show_bug.cgi?id=1800273#c7

without digging too far back, this was enabled FF104 1750972, now disabled. That's half a year. Clearly not a massive breakage, and they are flipping back out of an abundance of precaution.

@fxbrit what say you fishy 🎣 ? we're using HoM so scheme must be the same (that's what the "only" part means - no insecure fallbacks even for subresources), so I guess really it doesn't make a difference - perhaps we should just ignore it and let Mozilla eventually flip it again in future ?

@fxbrit
Copy link
Collaborator

fxbrit commented Mar 11, 2023
edited

that's what the "only" part means - no insecure fallbacks even for subresources

for clarity, do you mean that only Secure cookies are allowed? asking because I really don't know this.

my understanding of the bugzilla is that the HTTP page is setting a Strict cookie that it then expects to use after the redirect to HTTPS, but since SameSite is schemeful on that FF version it doesn't work. I think it would make sense to trigger the schemeful implementation unless we expect users to set a lot of exceptions to HoM: basically cookies would be set with the right scheme because the redirect is internal so it happens before the cookies are even set.

also cool stuff lulz --> https://bugzilla.mozilla.org/show_bug.cgi?id=1812195#c0

@Thorin-Oakenpants
Copy link
Contributor

my understanding is (and PB mode is HTTPS-First, not HoM) that we never connect to HTTP because we always try HTTPS first and with AF's settings we never even test if an insecure version exists and timeout to the interstitial. For HoM, schemeful doesn't even apply since everything will be HTTPS, same scheme, as per the "only" part - cogito ergo sum, right? amiright?

so, as per my linked bugzilla comment, this does not affect us - it only affects some sites with HoM exceptions (took 6 months for someone to complain about it and get it flipped) - so we could either set that pref, or ignore it and one day moz will flip it back on (maybe they never do) - I do not expect our users to be using insecure sites, and I'd rather not have the maintenance burden - but if you think we should add it, then confirm - otherwise I'm happy to close this and move on

@rusty-snake
Copy link
Contributor

  • pref("security.sandbox.gpu.level", 1); // prev: 0 - cool tada

FWIW: Windows only

@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Mar 12, 2023
Closed
@fxbrit
Copy link
Collaborator

fxbrit commented Mar 13, 2023

I do not expect our users to be using insecure sites

then let's leave it alone, we're not chasing standard's compliance. I think eventually Mozilla will flip it because they want to adhere to https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite (as they should).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
diffs enhancement task
Milestone
No milestone
Development

No branches or pull requests
4 participants
@Thorin-Oakenpants @earthlng @fxbrit @rusty-snake