-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
mass cleanup #1235
Comments
|
One other option, after more tidying up and possible removals, is to take some inactive items left, that make no sense, and move them all to a new section towards the end, like edit: ⭐ 🎉 fukYeah .. yet another genius Pants visionary moment 🚀 👀 ALL HAIL PANTS 😈 🛐 Edit: Actually, I'm leaning towards a different structural approach, rather than split things up by what they do, first group them by the threat/impact: not that I am saying to use these names, but items like |
I like that, all four of them summarize that they affected Firefox, and in fact it adds CVE-2014-1488 for good measure FYI, adding the
|
example: and we could create a permissions subsection to de-dupe info: benefits
/*** [SECTION 7000] DON'T BOTHER ***/
user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
/* 7001: disable Location-Aware Browsing
* [WHY] The API state is fingerprintable. Permission is already behind a prompt (7002)
* [1] https://www.mozilla.org/firefox/geolocation/ ***/
// user_pref("geo.enabled", false);
/* 7002: set a default permission for Location (7001) [FF58+]
* 0=always ask (default), 1=allow, 2=block
* [WHY] Fingerprintable via Permissions API. Just use site exceptions for annoying sites you frequent
* [SETTING] to add site exceptions: Ctrl+I>Permissions>Access Your Location
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/
// user_pref("permissions.default.geo", 2); |
8000s (was 4600s) - move below personal, so user-relevant part is shorter - swap out font vis with document fonts + font whitelist - font vis still has usability/visual purposes: it just won't really help much with fingerprinting - ESR78 users (who can't use font vis), sorry, but we made doc fonts inactive for a while now, and now recommend you don't use it anyway
cool, that last commit, along with previous cleaning up, now means the user has 176 less lines to scroll/read/parse (compared to v90) to get to the end of the personal section. Great usability improvement. Can't wait to smash that more with section 7000 |
- just to be clear, this section is not supported: not interested in references or explanations or FF version numbers or default info etc - "do more harm than good" - ambiguous, not interested in explaining why exactly: but FYI - some leak - most break shit - almost all are easily fingerprinted and the combo of them would make you really stand out - removed the duplicate `ui.prefersReducedMotion` - this should move to personal as well - moved `ui.systemUsesDarkTheme` to personal
Hello, First thanks for the cleanup, sometimes it is needed. As for my 2 cents:
The file is still 1500 lines long and unless you want to know why you use it, most of the users will just copy it. Just easier maintenance for the future. Onf |
Thanks @Onfroygmx
But yes, ultimately, one day, all the don't bothers are just dead weight: so are the enforced defaults: in fact we could make all the enforced defaults into inactive don't bothers and just slap a WHY on them (except there is a benefit in active for new users) There is still at least another 12 items and 80+ lines I am targeting for don't bother or removal. And there is yet more that can be done to simply/reduce the reading bits. Then I can tidy/renumber sections: some of them are starting to get quite compact. I just need to play it by ear .. prototype as I go |
- merged 3DES cipher to bottom: it is still the same order of [1] - 3DES pref will be deprecated: pref name changes, and the cipher slated to be unavailable unless you downgrade to < TLS1.2 - see https://bugzilla.mozilla.org/show_bug.cgi?id=1724072 - FYI: we reset TLS downgrades to session only by resetting the pref currently in 1203 - "Minimal/non-existent threat of downgrade attacks" - FYI: these old ciphers are about 1-2% of traffic (from memory) - but that's still significant breakage - So the only reason to do this would be to harden against downgrade attacks (and inadvertently use weak sites = breakage): but that doesn't fit most user's threat model: and is probably never going to happen for them. Not sure if I can word that much better and just as succinct
probably more professional to keep it at the end since it isn't strictly project related. It also opens up space for `DON'T TOUCH` and `OPTIONAL OPSEC`
- inactive in user.js since - v55: gfx.direct2d.disabled - v67: layers.acceleration.disabled - the way to counter hardware fingerprinting is within each API that may expose it - this may have made some sense way back in the day, when there were less options/protections, but not any more - [are we web render yet](https://arewewebrenderyet.com/) - yes, 100% - there is no need to cripple your browser's perf
- inactive since we added it in v63 - this is not how you defeat fingerprinting (unless done in an enforced set) - for the record: not even tor browser disable this - fingerprinting this is not cheap in gecko (for now) - from [2] - decoding/encoding capabilities: "it is expected that the entropy ... isn’t going to be significant" - HDR detection: "... has the potential to add significant entropy .. however .. but ... thus minimizing effective entropy" - it is what it is - note that RFP has some mitigations in FF82+ 1461454
dead wood: marked as default false since at least v68, inactive since at least v78, and web notifications are controlled in 2300s
dead weight: ESR users will already be aware of and ticked the warning box by now
Not trying to spam, just... Why print: "strongly". Can do without, right, "it is recommended to just use Tor Browser". Without the "you", as well: not trying to issue orders, yeah? Cool, thanks for your time!! :)) |
because words matter :) And I have shares in Tor Browser :) But honestly, sometimes it's just organic: probably at the time when they were added or tweaked, I'd probably been reading about people using FF with Tor But sure, a lot of descriptions can be trimmed of excessive wording .. indeed whole sentences. As for the onion prefs, they are already changed Lines 1321 to 1324 in 778421c
|
"Death by a thousand cuts" or "How I learned to love the knife", by Pants. Over time, as the number of flipped prefs decreases, as Firefox and the web are able to transition to better defaults, we are ending up with a lot of old info, a lot of inactive prefs, a lot of old references, and even outdated descriptions. It is time to clean out the dead wood.
Clearly a downward trend in flipped prefs, and an upward trend in inactive : source 1, source 2
at the time of writing (updated)
Every bit made more simple, or removed, means a leaner, cleaner user.js. Check my commits. Make sure I didn't screw something up (earthlng is away for a while focusing on saving the world from trumperism). If you disagree with something, sing out. Here's your chance
Make suggestions
(number)
⭐ speak now or forever hold your
penispeace ... I don't want anyone flipping out like the last time I did a major clean up - btw, that cleanup brought the user.js down from a high (I think) of 137 KB in v65 to 109 KB in v68...
The text was updated successfully, but these errors were encountered: