Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ToDo: diffs FF111-FF112 #1661

Closed
earthlng opened this issue Apr 22, 2023 · 4 comments
Closed

ToDo: diffs FF111-FF112 #1661

earthlng opened this issue Apr 22, 2023 · 4 comments
Labels
diffs enhancement task

Comments

@earthlng
Copy link
Contributor

earthlng commented Apr 22, 2023
edited by Thorin-Oakenpants

FF112 is scheduled for release Apr. 11th

FF112 release notes
FF112 for developers
FF112 security advisories

61 diffs ( 31 new, 15 gone, 15 different )

new in v112.0:

  • FYI: these are not RFP, they are FPP which is different (see below) and these are WiP
    • pref("privacy.resistFingerprinting.randomization.daily_reset.enabled", false);
    • pref("privacy.resistFingerprinting.randomization.daily_reset.private.enabled", false);
    • pref("privacy.resistFingerprinting.randomization.enabled", false); - e.g. to be removed in 1829643

FYI: FPP: Mozilla are going to very slowly roll out a thing called FPP (FingerPrint Protection) into PB windows. This is a WiP. It will be ready when they announce it.

Phase 1 includes fonts at vis level 2 (i.e only allow os system fonts), subtle canvas randomizing (excluding IsPoinInPath and isPointInStroke), and I think window positions = 0. Last but not least, removing math entropy in audio for all FF users - note this does not remove all entropy, and RFP has additional protections which should then make all RFP users the same per platform (because Hrtz etc affect results but RFP sets those).

There will be a combination of 4 prefs: 2 x RFP, 2 x FPP, for all and pb modes. And not all combinations will be engineered. And RFP should always take precedence over FPP. One thing I do know is that down the road we can use RFP in normal mode, and FPP in PB mode - which might be a great way to reduce breakage for some users frequent sites. I do know we cannot have the reverse (RFP in pb mode and FPP in normal mode) edit: RFP always overrides FPP, so any split would be FPP in normal mode, and RFP in PB mode.

In the future, FPP can be a choice for those who don't like or can't use RFP but do want some randomizing. FPP is going to very compat, to the point where webcompat will be able to override individual protections on troublesome sites. So if FB breaks webcompat silently disables the problematic protection for FB when they add that site compat rule - so clearly this is a very different threat model, but may suit some people. Over time more protections will be added to FPP. I see this as replacing the need for Canvas Blocker

In order to enable/disable parts of FPP in testing, the two toms (ritter, schuster) and tim, and I'm sure there some more on the team, as a WiP, have engineered each protection as a target. So each target can globally be flipped on and off. This same targeting is somewhat related to the per site compat thing - but the pref itself is global. This same mechanism will also be able to be used for RFP (but super not recommended). In TB for example it would be locked off. Oh, and FPP will be tied to ETP.

So this answers all the people's questions about .. can I use RFP but turn off timezone and prefers-light. While I don't really recommend it, I need to think thru the ramifications a bit more. RFP is certainly more robust than an extension, and we're only confident of fooling naive scripts (don't get me wrong, advanced scripts have different levels of advanced, so full RFP most certainly does have an effect), so my gut feeling is that this is fine too.

That's all I'm going to say. All this is available in public bugzillas, and I know as much as that. I just spent a week in costa rica with the tor project (and tom ritter was there too, and we had a session on FPP as to what it is and how it relates to, or could enhance, RFP). Other than that (public info), it's all inhouse and tightly kept a secret (fair enough)

So that's about all I know (there is more: like exceptions and cascading iframes, i.e cross domain, but let's not go down the rabbit hole just yet), and it's fairly complicated and a WiP, so please don't ask questions. Let's just wait and see what happens when it lands and is announced by Firefox (because by then it should be robust and working as planned)

-thorin

changed in v112.0:

FYI

  • pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,emailTP,emailTPPrivate,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM");
  • prev: tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM
  • diff: emailTP, emailTPPrivate added

ignore

click me for details

==NEW

pref("browser.history_swipe_animation.disabled", false);
pref("browser.newtabpage.activity-stream.discoverystream.spoc-topsites-positions", "1");
pref("browser.promo.cookiebanners.enabled", false);
pref("browser.translations.useHTML", false);
pref("browser.urlbar.resultMenu.keyboardAccessible", true);
pref("dom.checkedUnsafePtr.dumpStacks.enabled", false);
pref("dom.element.popover.enabled", false);
pref("dom.memory.foreground_content_processes_have_larger_page_cache", true);
pref("dom.window_position_size_properties_replaceable.enabled", true);
pref("gfx.webgpu.ignore-blocklist", false);
pref("gfx.webrender.dcomp-video-check-slow-present", true);
pref("gfx.webrender.max-shared-surface-size", 2048);
pref("gfx.webrender.scissored-cache-clears.enabled", true);
pref("gfx.webrender.scissored-cache-clears.force-enabled", false);
pref("javascript.options.wasm_extended_const", true);
pref("layout.css.exp.enabled", false);
pref("layout.css.forced-color-adjust.enabled", false);
pref("layout.css.motion-path-offset-position.enabled", false);
pref("network.auth.supress_auth_prompt_for_XFO_failures", true);
pref("network.trr.ohttp.config_uri", "");
pref("network.trr.ohttp.relay_uri", "");
pref("network.trr.ohttp.uri", "");
pref("network.trr.use_ohttp", false);
pref("print.save_as_pdf.use_page_rule_size_as_paper_size.enabled", false);
pref("privacy.query_stripping.listService.logLevel", "Error");
pref("privacy.trackingprotection.emailtracking.pbmode.enabled", true);
pref("security.sandbox.utility-wmf-cdm.lpac.enabled", false);
pref("security.tls.ech.grease_http3", false);

==REMOVED, RENAMED or HIDDEN

pref("browser.display.normal_lineheight_calc_control", 2);
pref("browser.display.show_loading_image_placeholder", false);
pref("browser.urlbar.weather.zeroPrefix", true);
pref("dom.fileHandle.enabled", false);
pref("editor.css.default_length_unit", "px");
pref("editor.hr_element.allow_to_delete_from_following_line", true);
pref("editor.initialize_element_before_connect", true);
pref("editor.positioning.offset", 0);
pref("editor.resizing.preserve_ratio", true);
pref("editor.use_div_for_default_newlines", true);
pref("gfx.webgpu.force-enabled", false);
pref("layout.css.moz-box-flexbox-emulation.enabled", false);
pref("security.sandbox.content.tempDirSuffix", "");
pref("security.sandbox.plugin.tempDirSuffix", "");
pref("widget.pause-compositor-when-minimized", true);

==CHANGED

pref("browser.newtabpage.activity-stream.discoverystream.saveToPocketCard.enabled", true); // prev: false
pref("browser.newtabpage.activity-stream.discoverystream.sendToPocket.enabled", true); // prev: false
pref("dom.media.autoplay-policy-detection.enabled", true); // prev: false
pref("dom.mozTextStyle.enabled", false); // prev: true
pref("dom.quotaManager.backgroundTask.enabled", true); // prev: false
pref("dom.sitepermsaddon-provider.separatedBlocklistedDomains", "shopee.co.th,shopee.tw,shopee.co.id,shopee.com.my,shopee.vn,shopee.ph,shopee.sg,shopee.com.br,shopee.com,shopee.cn,shopee.io,shopee.pl,shopee.com.mx,shopee.com.co,shopee.cl,shopee.kr,shopee.es,shopee.in,alipay.com,miravia.es"); // prev: "shopee.co.th,alipay.com,miravia.es"
pref("dom.workers.pFetch.enabled", true); // prev: false
pref("gfx.max-alloc-size", 2147483647); // prev: 500000000
pref("gfx.webrender.dcomp-video-sw-overlay-win", true); // prev: false
pref("html5.inert.enabled", true); // prev: false
pref("layout.css.linear-easing-function.enabled", true); // prev: false
pref("layout.css.overflow-overlay.enabled", true); // prev: false
pref("layout.forms.reveal-password-context-menu.enabled", true); // prev: false
pref("security.webauth.u2f", false); // prev: true
@earthlng
Copy link
Contributor Author

some bugzilla tickets

  • browser.contentblocking.features.strict
    Bug 1818292 - Add email tracking protection to ETP strict.
    Bug 1808212 - Part 3: Adding the content blocking pref setting for the level2 list pref in private windows.
    Bug 1783496 - Add cookieBehavior5,cookieBehaviorPBM5 back to strict ETP pref so dFPI item is shown in the strict category.
    Bug 1778457 - Enable query parameter stripping in Private Browsing Mode if ETP strict is enabled.
    Bug 1776760 - Enable dFPI by default for Beta and Release via cookieBehavior pref.

  • browser.display.normal_lineheight_calc_control
    Bug 1814626 - Expose line-height resolution to style, and use it from ToResolvedValue.

  • browser.display.show_loading_image_placeholder
    Bug 1817360 - Remove browser.display.show_loading_image_placeholder.
    Bug 1817360 - Clean-up image icon loading code.

  • browser.history_swipe_animation.disabled
    Bug 1820270 - Bring back swipe-to-navigation flag.
    Bug 1773057 - Remove browser.history_swipe_animation.disabled pref.

  • browser.newtabpage.activity-stream.discoverystream.saveToPocketCard.enabled
    Bug 1819712 - Turn on Save To Pocket button
    Bug 1788063 - Pocket newtab pref to hide Pocket story descriptions based on region.
    Bug 1787522 - Pocket newtab limit save to Pocket card hover button to specific regions.

  • browser.newtabpage.activity-stream.discoverystream.sendToPocket.enabled
    Bug 1820019 - Turn on Save To Pocket button landing page

  • browser.newtabpage.activity-stream.discoverystream.spoc-topsites-positions
    Bug 1805589 - Pocket newtab add Discovery Stream topsites to topsites list earlier.

  • browser.promo.cookiebanners.enabled
    Bug 1808441 - Add Cookie Banner Promo on PB new tab.

  • browser.translations.useHTML
    Bug 1813782 - Allow about:translations to work on HTML via a pref;

  • browser.urlbar.resultMenu.keyboardAccessible
    Bug 1813517 - Add hidden pref for allowing Tab to skip over the menu button.

  • browser.urlbar.weather.zeroPrefix
    Bug 1817038 - Move weather suggestion keywords to Nimbus.
    Bug 1814795 - Support keyword-based weather suggestions in addition to zero-prefix.

  • dom.checkedUnsafePtr.dumpStacks.enabled
    Bug 1789399 - Print out the creation stack and the last assignment stack of CheckedUnsafePtr when it is unsafe.

  • dom.element.popover.enabled
    Bug 1820544 - Add popover attribute and part of basic popover functionality.

  • dom.fileHandle.enabled
    Bug 1500343 - Part 4: Remove IDL for IDBFileHandle/FileRequest/MutableFile
    Bug 1764771 - Disable IDBMutableHandle support by default

  • dom.media.autoplay-policy-detection.enabled
    Bug 1812189 - enable autoplay policy detection API.

  • dom.memory.foreground_content_processes_have_larger_page_cache
    Bug 1815069, add dom.memory.foreground_content_processes_have_larger_page_cache pref to control page cache behavior in content processes,

  • dom.mozTextStyle.enabled
    Bug 1818409 - Disable mozTextStyle by default.

  • dom.quotaManager.backgroundTask.enabled
    Bug 1820823 - Flip dom.quotaManager.backgroundTask.enabled on all channels that support background tasks.
    Bug 1788986 - Part 2: Use a background task for QM shutdown cleanup

  • dom.sitepermsaddon-provider.separatedBlocklistedDomains
    Bug 1824812 — Add more shopee domains to the site permissions blocklist.
    Bug 1812195 — Add alipay.com and miravia.es to the site permission blocklist.
    Bug 1795927 - Add SitePermsAddon blocklist.

  • dom.window_position_size_properties_replaceable.enabled
    Bug 1816472 - Make individual size / position properties really readonly.

  • dom.workers.pFetch.enabled
    Bug 1812039 - enable PFetch in default.
    Bug 1351231 - Preference for PFetch.

  • editor.css.default_length_unit
    Bug 1815827 - part 1: Get rid of editor.css.default_length_unit pref
    Bug 1745882 - Move all editor prefs in all.js to StaticPrefList.yaml

  • editor.hr_element.allow_to_delete_from_following_line
    Bug 1815827 - part 2: Get rid of editor.hr_element.allow_to_delete_from_following_line pref

  • editor.initialize_element_before_connect
    Bug 1815827 - part 3: Get rid of editor.initialize_element_before_connect pref

  • editor.positioning.offset
    Bug 1815827 - part 4: Get rid of editor.positioning.offset pref
    Bug 1745882 - Move all editor prefs in all.js to StaticPrefList.yaml

  • editor.resizing.preserve_ratio
    Bug 1815827 - part 5: Get rid of editor.resizing.preserve_ratio pref
    Bug 1745882 - Move all editor prefs in all.js to StaticPrefList.yaml

  • editor.use_div_for_default_newlines
    Bug 1815827 - part 6: Get rid of editor.use_div_for_default_newlines pref
    Bug 1745882 - Move all editor prefs in all.js to StaticPrefList.yaml

  • gfx.max-alloc-size
    Bug 1759728 - Increase max-alloc-size to the maximum value of int32_t.

  • gfx.webgpu.force-enabled
    Bug 1814745 - Don't require a browser restart to update dom.webgpu.enabled.

  • gfx.webgpu.ignore-blocklist
    Bug 1814745 - Don't require a browser restart to update dom.webgpu.enabled.

  • gfx.webrender.dcomp-video-check-slow-present
    Bug 1818685 - Disable video overlay if mVideoSwapChain->Present() is very slow on Windows

  • gfx.webrender.dcomp-video-sw-overlay-win
    Bug 1816026 - Enable video overlay of software decoded video until release on Windows

  • gfx.webrender.max-shared-surface-size
    Bug 1817033 - Make MAX_SHARED_SURFACE_SIZE configurable with a preference

  • gfx.webrender.scissored-cache-clears.enabled
    Bug 1818047 - Add prefs to control WebRender scissored cache clears.

  • gfx.webrender.scissored-cache-clears.force-enabled
    Bug 1818047 - Add prefs to control WebRender scissored cache clears.

  • html5.inert.enabled
    Bug 1764263 - Let the inert attribute ride the trains.

  • javascript.options.wasm_extended_const
    Bug 1814421: Prepare wasm extended-const for ship.

  • layout.css.exp.enabled
    Bug 1814469 - Implement CSS exponential functions.

  • layout.css.forced-color-adjust.enabled
    Bug 1591210 - Add forced-color-adjust property

  • layout.css.linear-easing-function.enabled
    Bug 1819447 - Enable linear() easing function on all channels.

  • layout.css.motion-path-offset-position.enabled
    Bug 1818666 - Support offset-position in the style system.

  • layout.css.moz-box-flexbox-emulation.enabled
    Bug 1818811 - Make -moz-box-layout: flex default, and clean-up CSS.
    Bug 1816455 - Turn flex emulation on everywhere.
    Bug 1815255 - Enable flexbox emulation on nightly.

  • layout.css.overflow-overlay.enabled
    Bug 1817189 - Ship overflow: overlay.

  • layout.forms.reveal-password-context-menu.enabled
    Bug 1816988 - Enable reveal password context-menu.

  • network.auth.supress_auth_prompt_for_XFO_failures
    Bug 1629307 - prevent auth prompts (status 401) if XFO checks fails.

  • network.trr.ohttp.config_uri
    Bug 1815741 - implement DNS-over-Oblivious-HTTP

  • network.trr.ohttp.relay_uri
    Bug 1815741 - implement DNS-over-Oblivious-HTTP

  • network.trr.ohttp.uri
    Bug 1823358 - Add new network.trr.ohttp.uri pref

  • network.trr.use_ohttp
    Bug 1815741 - implement DNS-over-Oblivious-HTTP

  • print.save_as_pdf.use_page_rule_size_as_paper_size.enabled
    Bug 1793220 - Use at-page size rule as paper size when printing to PDF

  • privacy.query_stripping.listService.logLevel
    Bug 1812594 - Refactor URLQueryStrippingListService init and shutdown logic.

  • privacy.resistFingerprinting.randomization.daily_reset.enabled
    Bug 1816064 - Part 1: Implement the session key for generating the random noise key for fingerprinting randomization.

  • privacy.resistFingerprinting.randomization.daily_reset.private.enabled
    Bug 1816064 - Part 1: Implement the session key for generating the random noise key for fingerprinting randomization.

  • privacy.resistFingerprinting.randomization.enabled
    Bug 1816064 - Part 1: Implement the session key for generating the random noise key for fingerprinting randomization.

  • privacy.trackingprotection.emailtracking.pbmode.enabled
    Bug 1818583 - Add a pref to control Email Tracking Protection in private windows.

  • security.sandbox.plugin.tempDirSuffix
    Bug 1772089 p5: Remove content temp dir from Windows and masOS.

  • security.sandbox.utility-wmf-cdm.lpac.enabled
    Bug 1793972: Enable an LPAC on the windows MF Media Engine utility process controlled by a pref.

  • security.tls.ech.grease_http3
    Bug 1816952: Add HTTP3 ECH GREASE Pref.

  • security.webauth.u2f
    Bug 1814487 - Pause rollout of CTAP2 support in 112.
    Bug 1814487 - Enable CTAP2 support.
    Bug 1809333 - Disable the U2F DOM API by default.
    Bug 1816500 - enable CTAP2 support in early beta.
    Bug 1752089 - Set security.webauthn.ctap2 true in nightly.

  • widget.pause-compositor-when-minimized
    Bug 1768495 Part 3: Remove redundant pause-on-minimize in nsCocoaWindow, remove pref.

@rusty-snake
Copy link
Contributor 

pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,emailTP,emailTPPrivate,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM"); // prev: "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM"

Diff: added emailTP,emailTPPrivate

@Thorin-Oakenpants
Copy link
Contributor

OK, not seeing anything here to get excited about .. closing. If no one pipes up in the next 24 hrs or so, I'll do a cosmetic 112 release

@Thorin-Oakenpants
Copy link
Contributor

I have edited OP to explain FPP

@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue May 4, 2023
Closed
@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Jul 10, 2023
Closed
@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Jul 26, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
diffs enhancement task
Milestone
No milestone
Development

No branches or pull requests
3 participants
@Thorin-Oakenpants @earthlng @rusty-snake