-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
headsup: I intend to relax some prefs #1707
Comments
Done, will land in next AF release. Remember folks, AF is a template ... thanks for all the feedback, until next time ... |
on leaking search typos, even if I used a search shortcut (e.g. d for duckduckgo) or a dropdown search button, I would still leak the typo - how we send is not the issue, it's the typo. Makes me even more sure I did the right thing. mistyped urls are a little different dinsey.com ... where woke goes to die? |
good stuff, what's the next quest now? |
Your next quest ... First you have to find your closest chinatown. Then look for an old wise woman and tell her you want what's in the back. She will then send you on a quest to retrieve the staff of a thousand fires. This quest will be long and arduous but if you can find a good paladin warlock it can make things manageable. Once you defeat the undead soldier of the sands of time and receive the staff you must bring it back to the old wise woman. DO NOT fall victim to its power. It's best to just put it in your bag of holding and forget about it. Once all is complete then you are ready for step one. |
I did it to myself didn't I |
I just discovered that the Mozilla Archive offers EME-free builds, likely for users that want FOSS builds that lack DRM support: https://archive.mozilla.org/pub/firefox/releases/120.0.1/win64-EME-free/en-US/ This is an alternative to setting an override, for those who want it. Is this worth adding to the wiki, or maybe just the OP in this sticky? |
no - just flip a pref FFS :) When disabled you don't even retain the DRM plugin. also, makes me wonder if you have to update manually all the time, unless the built in updater knows to get the EME free build - and is it as optimized as mozilla's stable builds? IDK, not worth even thinking about, TBH :) |
It does, otherwise I wouldn't have brought it up. It's weird that this build exists at all, though, because the only difference from regular release builds seems to be a new pref:
That's it. Though why the same thing can be controlled by two different prefs is beyond me. Maybe it's about FOSS purism. |
this will get rid of
43 (Ipv6 wasn't listed) of the common items in the wikispeak if you want to
DRM - move to optional hardening
I have lived without DRM in my everyday main FF since we first disabled it. I do not stream any content (Netflix, Disney, Hulu etc). But I do read a lot, and some of that is news, and some of that news comes with video, and sometimes that shit won't work (not always because its DRM - I use a pretty hard uBO), and all I end up doing is flicking over to my nightly (which is default + uBO + sanitizing on close) and fucking loading it anyway.
I get that DRM is a propriety and closed source, but honestly, for our threat model, disabling it is just a PITA and massive overkill. If this is your issue, then use Tor Browser. And I'm sure I'm the exception not the norm re streaming, so I know I've said users could just use a secondary browser, but that's not always easy for some people if they want a second gecko, dealing with profiles and installs and running concurrently.
So heads up, this WILL be moved to optional hardening. Those who do not want DRM can easily add an override
referer.XOriginPolicy -
make inactivemove to optional hardeningI plan to relax this. I don't see any real benefit for value
1
, it will unbreak fuck all IMO. So I am going to make the pref inactive. Those who want to harden can do so in their overrides. At the end of the day, most navigational "tracking" is harmless (i.e the same for everyone) and effectively blocking cross site referers just breaks "everything"I am also going to remove any reference to Smart Referer, as I consider it abandoned. Plus it's not a good idea re CSRF see #1433 and for this reason I will not be recommending ANY referer extensions
Also, mask your IP, you dirty filthy animals
keyword -
make inactivemove to optional opsecConsidering the default FF does not show the searchbar, the urlbar IS the searchbar. So disabling keyword is more of an obstacle than a help. I also think the chances you do a typo or leak a secret are slim to none (I think I've caught myself with about 2 in 10 years), and you would still leak that typo/secret if you used the searchbar and hit enter. And the advice "Override this if you trust and use a privacy respecting search engine" is a little weird - if users are that privacy conscious (e.g. I still use google in nightly because it gets me my results) then they would have already changed engines. In other words, users are going to use the search engine they want to, and we can't change that, so to dictate out advice for keyword based on their search engine is a bit on odd, kinda. Anyway, I don't see this as anything more than user hostile for our threat model - even TB doesn't bother, because usability matters.
once again, those who wish to override it, can do so
IPv6:
make inactive- move to optional hardeningThis is only an issue IMO for those using a VPN. And VPN users should be using a system wide reputable VPN like e.g. Mullvad (full disclosure, Mullvad sponsors Tor Project, and I work with them both - in fact I will be at Mullvad headquarters for a week in late October). I'm not a VPN expert, so Mullvad is the only name I could think of that I know is reputable. I assume Mullvad covers IPv6 properly (IANAE on networking shit, that's the 🐟 ). I also wonder, and IANAE, is that if the VPN fell over, you would be leaking your real IP anyway, so big deal with the mac addy? rhetorical q, don't answer
I think this line sums it up "If you are not masking your IP, then this won't make much difference."
again, users can override
The text was updated successfully, but these errors were encountered: