
ToDo: diffs FF110-FF111 #1646

Closed
1 task done
earthlng opened this issue Mar 19, 2023 · 12 comments

Comments

@earthlng
Contributor

earthlng commented Mar 19, 2023

FF111 is scheduled for release Mar. 14th

FF111 release notes
FF111 for developers
FF111 security advisories


73 diffs ( 44 new, 16 gone, 13 different )

new in v111.0:

  • pref("alerts.useSystemBackend.windows.notificationserver.enabled", true); - 25a3623

ignore


==NEW

pref("browser.chrome.toolbar_tips.hide_on_keydown", 0);
pref("browser.display.use_document_fonts.icon_font_allowlist", "Material Icons, Material Icons Extended, Material Icons Outlined, Material Icons Round, Material Icons Sharp, Material Icons Two Tone, Google Material Icons, Material Symbols Outlined, Material Symbols Round, Material Symbols Rounded, Material Symbols Sharp");
pref("browser.migrate.content-modal.import-all.enabled", false);
pref("browser.search.serpEventTelemetry.enabled", false);
pref("browser.swipe.navigation-icon-end-position", 60);
pref("browser.swipe.navigation-icon-max-radius", 20);
pref("browser.swipe.navigation-icon-min-radius", 12);
pref("browser.swipe.navigation-icon-start-position", -40);
pref("browser.translations.enable", false);
pref("browser.translations.logLevel", "Error");
pref("browser.urlbar.weather.zeroPrefix", true);
pref("cookiebanners.service.detectOnly", false);
pref("cookiebanners.ui.desktop.cfrVariant", 0);
pref("dom.clamp.timeout.nesting.level", 5);
pref("dom.customHighlightAPI.enabled", false);
pref("dom.quotaManager.backgroundTask.enabled", false);
pref("dom.security.credentialmanagement.identity.test_ignore_well_known", false);
pref("dom.use_counters.dump.document", false);
pref("dom.use_counters.dump.page", false);
pref("dom.use_counters.dump.worker", false);
pref("dom.webgpu.indirect-dispatch.enabled", false);
pref("dom.workers.modules.enabled", false);
pref("dom.workers.pFetch.enabled", false);
pref("gfx.webrender.dcomp-apply-1704954", true);
pref("identity.fxaccounts.toolbar.defaultVisible", false);
pref("image.avif.sequence.animate_avif_major_branded_images", false);
pref("image.avif.sequence.enabled", false);
pref("layout.css.more_color_4.enabled", false);
pref("layout.css.page-orientation.enabled", false);
pref("layout.css.scroll-anchoring.max-consecutive-adjustments-timeout-ms", 500);
pref("media.eme.playready.enabled", false);
pref("network.cookie.blockUnicode", false);
pref("network.dns.max_any_priority_threads", 3);
pref("network.dns.max_high_priority_threads", 5);
pref("network.fetch.redirect.stripAuthHeader", true);
pref("network.http.redirect.stripAuthHeader", true);
pref("network.trr.display_fallback_warning", false);
pref("network.trr.fallback_warning_heuristic_list", "canary");
pref("places.loglevel", "Error");
pref("privacy.authPromptSpoofingProtection", true);
pref("signon.signupDetection.confidenceThreshold", "0.75");
pref("signon.signupDetection.enabled", false);
pref("threads.use_low_power.enabled", false);

==REMOVED, RENAMED or HIDDEN

pref("browser.aboutwelcome.templateMR", true);
pref("browser.download.animateNotifications", true);
pref("browser.history_swipe_animation.disabled", false);
pref("browser.swipe.navigation-icon-move-distance", 100);
pref("devtools.storage.extensionStorage.enabled", true);
pref("dom.media.autoplay.autoplay-policy-api", false);
pref("dom.security.secFetch.enabled", true);
pref("extensions.unifiedExtensions.enabled", true);
pref("fission.experiment.enrollmentStatus", 0);
pref("fission.experiment.startupEnrollmentStatus", 0);
pref("gfx.use-ahardwarebuffer-content", false);
pref("print.pages_per_sheet.enabled", true);
pref("privacy.restrict3rdpartystorage.preferences.learnMoreURLSuffix", "total-cookie-protection");
pref("svg.display-lists.hit-testing.enabled", true);
pref("svg.display-lists.painting.enabled", true);
pref("webgl.enable-ahardwarebuffer", false);

==CHANGED

pref("alerts.useSystemBackend", true); // prev: false
pref("browser.contentblocking.report.monitor.enabled", false); // prev: true
pref("browser.sessionstore.idleDelay", 180); // prev: 180000
pref("browser.theme.colorway-migration", true); // prev: false
pref("dom.forms.autocapitalize", true); // prev: false
pref("dom.fs.enabled", true); // prev: false
pref("dom.fs.writable_file_stream.enabled", true); // prev: false
pref("fission.omitBlocklistedPrefsInSubprocesses", true); // prev: false
pref("layout.css.scroll-anchoring.min-average-adjustment-threshold", 2); // prev: 3
pref("media.webrtc.capture.allow-directx", true); // prev: false
pref("signon.firefoxRelay.feature", "available"); // prev: "not available"
pref("signon.firefoxRelay.learn_more_url", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration"); // prev: "https://relay.firefox.com/"
pref("toolkit.aboutProcesses.showProfilerIcons", true); // prev: false
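
The ==NEW / ==REMOVED / ==CHANGED lists above come from comparing the default prefs shipped in two releases. As an added example (not part of this issue and not one of the arkenfox scripts), a small Python differ that parses `pref("name", value);` lines from two constructed excerpts (values taken from the lists above, plus a made-up `example.unchanged.pref`), renders the same three sections with the `// prev:` annotation and the `N diffs ( a new, b gone, c different )` summary line, and flags entries under a watchlist of security-relevant prefixes that is this example's own assumption.

```python
import re

# One all.js / user.js style line: pref("name", value);  a trailing // comment is allowed
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*(?://.*)?$')
# Prefixes this example treats as security-relevant (an assumption, not an arkenfox list).
WATCH_PREFIXES = ("dom.security.", "network.", "privacy.", "security.")

# Constructed excerpts modelled on the FF110 -> FF111 values quoted in the lists above;
# "example.unchanged.pref" is a made-up name to show that unchanged prefs are not reported.
FF110 = """pref("browser.sessionstore.idleDelay", 180000);
pref("dom.fs.enabled", false);
pref("dom.security.secFetch.enabled", true);
pref("example.unchanged.pref", true);
pref("signon.firefoxRelay.feature", "not available");"""
FF111 = """pref("browser.sessionstore.idleDelay", 180);
pref("dom.fs.enabled", true);
pref("example.unchanged.pref", true);
pref("network.cookie.blockUnicode", false);
pref("network.http.redirect.stripAuthHeader", true);
pref("signon.firefoxRelay.feature", "available");"""

def parse_prefs(text):
    """Map pref name -> value literal exactly as written (quotes kept); other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = m.group(2).strip()
    return prefs

def diff_prefs(old, new):
    """Sort prefs into NEW / REMOVED / CHANGED as pref() lines; CHANGED carries '// prev:'."""
    added = sorted(new.keys() - old.keys())
    gone = sorted(old.keys() - new.keys())
    changed = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return {
        "NEW": [f'pref("{k}", {new[k]});' for k in added],
        "REMOVED": [f'pref("{k}", {old[k]});' for k in gone],
        "CHANGED": [f'pref("{k}", {new[k]}); // prev: {old[k]}' for k in changed],
    }

def summary(diff):
    n, g, c = (len(diff[s]) for s in ("NEW", "REMOVED", "CHANGED"))
    return f"{n + g + c} diffs ( {n} new, {g} gone, {c} different )"

def security_relevant(diff, prefixes=WATCH_PREFIXES):
    """Diff lines whose pref name starts with a watched prefix, across all three sections."""
    lines = [l for s in ("NEW", "REMOVED", "CHANGED") for l in diff[s]]
    return [l for l in lines if PREF_RE.match(l).group(1).startswith(prefixes)]

def render(diff):
    out = [summary(diff)]
    for s in ("NEW", "REMOVED", "CHANGED"):
        out += ["", f"=={s}", *diff[s]]
    return "\n".join(out)

if __name__ == "__main__":
    d = diff_prefs(parse_prefs(FF110), parse_prefs(FF111))
    print(render(d), "", "watchlist:", *security_relevant(d), sep="\n")
```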

@earthlng
Contributor Author

some bugzilla tickets

  • alerts.useSystemBackend
    Bug 1497425 - Enable native notifications by default on Windows.
    Bug 1644104 - Enable native notifications by default for Nightly on Windows.

  • alerts.useSystemBackend.windows.notificationserver.enabled
    Bug 1497425 - Enable native notifications by default on Windows.
    Bug 1644104 - Enable native notifications by default for Nightly on Windows.

  • browser.aboutwelcome.templateMR
    Bug 1812935 - [Cleanup] Remove browser.aboutwelcome.templateMR pref and pre-MR onboarding
    Bug 1786905 - Turn on MR new user onboarding by default in Fx106
    Bug 1774063 - Added a 'browser.aboutwelcome.templateMR' pref to support MR 2022 onboarding

  • browser.chrome.toolbar_tips.hide_on_keydown
    Bug 1569439 - Cleanup tooltip pref handling.

  • browser.contentblocking.report.monitor.enabled
    Bug 1815751 - Disable the Monitor card in about:protections.

  • browser.display.use_document_fonts.icon_font_allowlist
    Bug 1813865: Add 'Material Icons Extended' to the allowlist of known ligature icon fonts.
    Bug 1363454 - Create a pref to list icon font families that should be used even when use_document_fonts=0, overriding the browser's font prefs.

  • browser.download.animateNotifications
    Bug 1804411 - Downloads panel animations should honour prefers-reduced-motion settings.

  • browser.history_swipe_animation.disabled
    Bug 1773057 - Remove browser.history_swipe_animation.disabled pref.

  • browser.migrate.content-modal.import-all.enabled
    Bug 1803446 Implement 'variant 2' version of the main selector page for the migration wizard.

  • browser.search.serpEventTelemetry.enabled
    Bug 1813162 - Implement the SERP impression event.

  • browser.sessionstore.idleDelay
    Bug 1808729 - Limit session store writes to once per hour when the user is idle,

  • browser.swipe.navigation-icon-end-position
    Bug 1799563 - Refresh swipe-to-navigation UX.

  • browser.swipe.navigation-icon-max-radius
    Bug 1799563 - Refresh swipe-to-navigation UX.

  • browser.swipe.navigation-icon-min-radius
    Bug 1799563 - Refresh swipe-to-navigation UX.

  • browser.swipe.navigation-icon-move-distance
    Bug 1799563 - Remove browser.swipe.navigation-icon-move-distance pref.

  • browser.swipe.navigation-icon-start-position
    Bug 1799563 - Refresh swipe-to-navigation UX.

  • browser.theme.colorway-migration
    Bug 1808589 - Enable colorway builtin themes migration on all channels.
    Bug 1806701 - Lock colorways migration behind a pref, disable by default on all channels.

  • browser.translations.enable
    Bug 1805476 - Stub out an about:translations page with no real functionality;

  • browser.translations.logLevel
    Bug 1805476 - Stub out an about:translations page with no real functionality;

  • browser.urlbar.weather.zeroPrefix
    Bug 1814795 - Support keyword-based weather suggestions in addition to zero-prefix.

  • cookiebanners.service.detectOnly
    Bug 1809700 - Refactor detect-only mode into separate pref.

  • cookiebanners.ui.desktop.cfrVariant
    Bug 1800678 - enable nimbus experimentation for CBH doorhanger.

  • devtools.storage.extensionStorage.enabled
    Bug 1811230 - [devtools] Consider extension storage inspection always enabled.

  • dom.clamp.timeout.nesting.level
    Bug 1815590 - Add a pref for the number of nested timeouts before we start clamping,

  • dom.customHighlightAPI.enabled
    Bug 1803355: Basic implementation of Custom Highlight API.

  • dom.forms.autocapitalize
    Bug 1692007 - Ship autocapitalize attribute.

  • dom.fs.enabled
    Bug 1811001 - Enable OPFS by default on Release.
    Bug 1811001 - Enable FileSystemWritableFileStream by default on Release.
    Bug 1785123: Enable Origin Private File System (OPFS) by default on Nightly

  • dom.fs.writable_file_stream.enabled
    Bug 1811001 - Enable FileSystemWritableFileStream by default on Release.
    Bug 1802279 - Extend preference to disable WritableFileStream in all contexts.

  • dom.media.autoplay.autoplay-policy-api
    Bug 1814985 - part1 : remove experimental API 'document.autoplayPolicy'.

  • dom.quotaManager.backgroundTask.enabled
    Bug 1788986 - Part 2: Use a background task for QM shutdown cleanup

  • dom.security.credentialmanagement.identity.test_ignore_well_known
    Bug 1804727, part 1 - Add a debugging preference to FedCM -

  • dom.security.secFetch.enabled
    Bug 1813489: Remove pref dom.security.secFetch.enabled,

  • dom.use_counters.dump.document
    Bug 1813593 - Dump use counters with dom.use_counters.dump.{document,worker,page}.

  • dom.use_counters.dump.page
    Bug 1813593 - Dump use counters with dom.use_counters.dump.{document,worker,page}.

  • dom.use_counters.dump.worker
    Bug 1813593 - Dump use counters with dom.use_counters.dump.{document,worker,page}.

  • dom.webgpu.indirect-dispatch.enabled
    Bug 1806699: Make WebGPU indirect dispatch/draw pref-enabled.

  • dom.workers.modules.enabled
    Bug 1812628 - put worker modules behind a flag;

  • dom.workers.pFetch.enabled
    Bug 1351231 - Preference for PFetch.

  • extensions.unifiedExtensions.enabled
    Bug 1799009 - Remove unified extensions pref and non-unified extensions variants from test suite.
    Bug 1801129 - Enable unified extensions UI in all channels.
    Bug 1793626 - Enable unified extensions pref by default on Nightly.
    Bug 1777481 - Introduce a new extension button on the toolbar.
    Bug 1811230 - [devtools] Re-remove extensions.unifiedExtensions.enabled which was reintroduced by mistake.
    Bug 1811230 - [devtools] Consider extension storage inspection always enabled.

  • fission.experiment.enrollmentStatus
    Bug 1671548 - Remove fission experiment support code and prefs,

  • fission.experiment.startupEnrollmentStatus
    Bug 1671548 - Remove fission experiment support code and prefs,

  • fission.omitBlocklistedPrefsInSubprocesses
    Bug 1811294: Roll out Pref Sanitization

  • gfx.use-ahardwarebuffer-content
    Bug 1810097 - Support AHardwareBuffer of out-of-process WebGL on Android

  • gfx.webrender.dcomp-apply-1704954
    Bug 1816001 - allow users to disable mitigation for bug 1638709

  • identity.fxaccounts.toolbar.defaultVisible
    Bug 1816560 - Introduce a pref to control the visibility of the not_configured FxA toolbar button for experimentation.

  • image.avif.sequence.animate_avif_major_branded_images
    Bug 1788119 - Part 3 - Add initial support for animated AVIF sequences.

  • image.avif.sequence.enabled
    Bug 1788119 - Part 3 - Add initial support for animated AVIF sequences.

  • layout.css.more_color_4.enabled
    Bug 1352757 - Add lab(), lch(), oklab(), oklch() to specified colors.

  • layout.css.page-orientation.enabled
    Bug 1798323 - Style changes to support the 'page-orientation' property.

  • layout.css.scroll-anchoring.max-consecutive-adjustments-timeout-ms
    Bug 1808077 - Tweak scroll anchoring heuristics.

  • media.eme.playready.enabled
    Bug 1815553 - follow the naming convention of existing code (mf -> wmf).
    Bug 1810817 - p4: initial PlayReady DRM support.

  • media.webrtc.capture.allow-directx
    Bug 1818616 - Enable directx screen capturer everywhere.
    Bug 1808667 - Configure windows desktop capture settings.

  • network.cookie.blockUnicode
    Bug 1797231 - Add pref to block unicode chars in cookies

  • network.dns.max_any_priority_threads
    Bug 1812009 - Add prefs that allow increasing the DNS thread count

  • network.dns.max_high_priority_threads
    Bug 1812009 - Add prefs that allow increasing the DNS thread count

  • network.fetch.redirect.stripAuthHeader
    Bug 1802086 - remove auth header from redirected cross-origin requests.

  • network.http.redirect.stripAuthHeader
    Bug 1802086 - remove auth header from redirected cross-origin requests.

  • network.trr.display_fallback_warning
    Bug 1806412 - Record DoH heuristic failure and fallback logic

  • network.trr.fallback_warning_heuristic_list
    Bug 1806412 - Record DoH heuristic failure and fallback logic

  • places.loglevel
    Bug 1809195 - Move frecency decay to a new javascript component.

  • print.pages_per_sheet.enabled
    Bug 1811970: Remove no-longer-needed about:config pref for printing multiple pages-per-sheet.

  • privacy.authPromptSpoofingProtection
    Bug 791594 - Hide authPromptSpoofing protection behind a pref.

  • privacy.restrict3rdpartystorage.preferences.learnMoreURLSuffix
    Bug 1801929 - Replace 'Total Cookie Protection' learn more link with support-link.
    Bug 1774739 - Update ETP preferences section for TCP in standard mode.

  • signon.firefoxRelay.feature
    Bug 1751763 - Firefox Relay integration
    Bug 1818044 - Enable Firefox Relay integration on Beta and Stable.
    Bug 1815274 - Enable Firefox Relay integration on Nightly

  • signon.firefoxRelay.learn_more_url
    Bug 1819213 - Firefox Relay Integration: Change the learn more link to a sumo link
    Bug 1751763 - Firefox Relay integration

  • signon.signupDetection.confidenceThreshold
    Bug 1819213 - Firefox Relay Integration: Change the learn more link to a sumo link

  • signon.signupDetection.enabled
    Bug 1819213 - Firefox Relay Integration: Change the learn more link to a sumo link

  • svg.display-lists.hit-testing.enabled
    Bug 829802 - Remove svg.display-lists prefs

  • svg.display-lists.painting.enabled
    Bug 829802 - Remove svg.display-lists prefs

  • threads.use_low_power.enabled
    Bug 1748378 - Create a way to deprioritize threadpools.

  • toolkit.aboutProcesses.showProfilerIcons
    Bug 1814152 - Always enable the profile button in about:processes

  • webgl.enable-ahardwarebuffer
    Bug 1810097 - Support AHardwareBuffer of out-of-process WebGL on Android

@earthlng earthlng pinned this issue Mar 19, 2023
@fxbrit
Collaborator

fxbrit commented Mar 20, 2023

ugh I think we need to do...absolutely nothing?

1797231 looked like an interesting read but I can't access it. also cool read from 1811001 --> https://developer.mozilla.org/en-US/docs/Web/API/File_System_Access_API#origin_private_file_system

@Thorin-Oakenpants
Contributor

1797231 -> https://hg.mozilla.org/releases/mozilla-release/rev/a2246da1895f9be97e3ca2165274668cc184c70a

@fxbrit
Collaborator

fxbrit commented Mar 20, 2023

thx, curious to see if eventually they flip it in Nightly.

@Thorin-Oakenpants
Contributor

pref("alerts.useSystemBackend.windows.notificationserver.enabled", true);

windows only: could be interesting from an app state separation from OS - IIUIC, since notifications are secure context only, then when using the app mechanism, the OS can't read it?

maybe we could add this to section 5000 optional opsec? @fxbrit

@Thorin-Oakenpants
Contributor

https://bugzilla.mozilla.org/show_bug.cgi?id=791594 is an interesting read

@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Mar 25, 2023

FYI: browser.display.use_document_fonts.icon_font_allowlist - IF you block document fonts, which is just dumb IMO, then this allows those fonts listed to still load (namely because they contain icon glyphs) - once again, this is NOT a privacy issue - all users on all browsers would request those fonts with the same referrer if any (and we harden referrers FWIW) - the issue is IP and again, if you want to protect that then use a VPN. Once again, LocalCDN or injecting local resources is not a proper/full solution and really achieves very little - there are approximately six major internet backbones/companies that if blocked/not used will break way too much - think akamai, cloudflare, aws, alphabet, etc - you're not achieving much fucking around with using a few local resources

tl;dr: stop listening to fuckwits on reddit and if you want to protect your IP (and relax referrers while you're at it), then use a VPN (and not an extension)

/* 8001: prefsCleaner: reset items useless for anti-fingerprinting ***/
   // user_pref("browser.display.use_document_fonts", "");

^^ don't use this pref, just. don't

end of today's lesson

@GlassGruber

https://bugzilla.mozilla.org/show_bug.cgi?id=791594 is an interesting read

nice, this is similar but far simpler and fishier than the recent browser-in-the-browser attack

@fxbrit
Collaborator

fxbrit commented Mar 28, 2023

maybe we could add this to section 5000 optional opsec?

I honestly wouldn't bother, it seems very extreme and kinda debatable: one could argue that it's more secure since it can help avoid some fishing (e.g. notifications are native so you're not tempted to click fake notifications on websites).

https://bugzilla.mozilla.org/show_bug.cgi?id=791594 is an interesting read

I tried the test website, that's a nice fix cause the window going grey really gives a sense of "change" happening.

@Thorin-Oakenpants
Contributor

one could argue that it's more secure since it can help avoiding some fishing

fishing? 🐟 🎣 🐠 .. phishing

nah

notifications (and almost all other chrome UI messaging) are anchored to the urlbar which you can't modify. In my pic I have the bookmarks toolbar showing, but even if it wasn't (and the overlap is tiny) the icon in the urlbar is a dead giveaway

still, meatspace is a real thing

@Thorin-Oakenpants
Contributor

I honestly wouldn't bother, it seems very extreme

the entire section is "extreme" [1] - fits perfectly ... FYI: https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41696

[1] as in this is firefox not tor browser, and we're not aiming to protect you from your own OS if it is compromised

@fxbrit
Collaborator

fxbrit commented Mar 30, 2023

fishing?

lulz 🐟

anyway you're right, I didn't consider that in-browser notifications are placed in the urlbar.
