Questions about user.js for FF60 ESR #573

Closed
Just-me-ghacks opened this issue Dec 4, 2018 · 16 comments

@Just-me-ghacks

Just-me-ghacks commented Dec 4, 2018

Trying to create a user.js for FF60 ESR. I have a few questions:

  1. user_pref("browser.cache.frecency_experiment", -1); - Should I keep it? Deprecated in FF59 but 0 in FF60 ESR?!?

  2. user_pref("browser.library.activity-stream.enabled", false); - Why is this commented out and what does it do?

  3. user_pref("geo.enabled", false); - Can I change this to TRUE in order to reduce entropy? If I click "Don't Allow" I won't become more fingerprintable, will I?
    Other prefs which I use include:
    user_pref("geo.wifi.uri", "https://127.0.0.1");
    user_pref("privacy.resistFingerprinting", false);

  4. Why are these not included in the user.js?
    user_pref("dom.enable_performance_navigation_timing", false); // (default TRUE in FF60 ESR)
    user_pref("dom.enable_performance_observer", false); // (default TRUE in FF60 ESR)
    Is user_pref("dom.enable_performance", false); a master switch?

  5. user_pref("browser.sessionstore.interval", 30000); - Can I set it to 600000 (10 minutes) to reduce SSD / HDD writes. I don't care about recently closed tabs.

  6. user_pref("security.pki.sha1_enforcement_level", 1); - Does removing this pref reduce entropy?

  7. user_pref("middlemouse.contentLoadURL", false); - Is this Linux only?

  8. Are these ALL the prefs I need with resistFingerprinting DISABLED:

user_pref("browser.zoom.siteSpecific", false);
user_pref("device.sensors.enabled", false);
user_pref("dom.enable_performance", false);
user_pref("dom.enable_performance_navigation_timing", false);
user_pref("dom.enable_performance_observer", false);
user_pref("dom.enable_resource_timing", false);
user_pref("dom.gamepad.enabled", false);
user_pref("dom.netinfo.enabled", false);
user_pref("media.ondevicechange.enabled", false);
user_pref("media.video_stats.enabled", false);
user_pref("media.webspeech.synth.enabled", false);
user_pref("webgl.enable-debug-renderer-info", false);

Thank you very much!

@Thorin-Oakenpants
Contributor

> 4. Is user_pref("dom.enable_performance", false); a master switch

see #491 (comment) . It certainly looks like it.

> 8. Are these ALL the prefs I need with resistFingerprinting DISABLED

  • sensors - are you using a smart phone or tablet? IDK, do desktop machines with rotating screens etc have this ability?
  • gamepad IMO makes zero diff. If you plug in a gamepad, you would want to use it? Do you have a gamepad? I know nothing about these things - maybe it's plugged in for a different software and FF will detect it.
  • netinfo : I'm fairly sure this is only for android, but yeah, I'd make it active
  • those two perf prefs from 4 - if you want to add them for yourself, it would do no harm

AFAIK, anything that RFP covers, is in section 4600, so it should be "ALL" the prefs you can consider with RFP=off

@earthlng
Contributor

earthlng commented Dec 5, 2018

  1. https://github.com/ghacksuserjs/ghacks-user.js/search?q=frecency_experiment&type=Issues
  2. if you don't want Activity Stream you can just delete the xpi in ESR. It's commented out because we don't disable Highlights and it's part of that. It displays the 6 most recent highlights in the Library menu
  3. it's inactive in the user.js for a while now. IDK if ESR already has the prompt for geolocation.

> If I click "Don't Allow" I won't become more fingerprintable, will I?

no more than anyone else who clicks Don't Allow. And definitely less than if you'd click Allow

  4. haven't tested it yet.
  5. you can certainly do that but it might have some unexpected side-effects because various things are stored in there, IDK.
  6. no. Default in ESR is 3 which from a website's perspective is the same as 1, i.e. it can't detect that
  7. yes. middlemouse in Windows doesn't paste clipboard content and the default in Windows is false anyway

@Thorin-Oakenpants
Contributor

> 3. geo.enabled", false

this disables the API, so it's not the same as auto-blocking, or ignoring prompts (AFAIK the JS response is different, and this would put you in a very small group). FF & ESR have had geo behind a prompt for a very long time. The question is, does 0201b exist for you. It was added in FF58 so you should have it.

/* 0201b: set a default permission for Location (FF58+)
 * [NOTE] best left at default "always ask", fingerprintable via Permissions API
 * [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location
 * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Location>Settings ***/
   // user_pref("permissions.default.geo", 2); // 0=always ask (default), 1=allow, 2=block

Leave the API on, but auto-block if prompt fatigue annoys you. IMO, as E says, it's not really a FP'able item (unless they perhaps timed it - computer vs human speed for blocking), as each user could have different responses per site.

@Just-me-ghacks
Author

  1. OK, I will remove it. No surprise I was confused. They forgot to remove the fricking pref! Big E said: "the pref still exists but the code that used it was removed, they just forgot to remove the pref"

  2. I don't want Activity Stream. Since I delete all .xpi it's better to keep browser.library.activity-stream.enabled FALSE and ACTIVATED, right?

  3. Yes, FF60 ESR has the prompt for geolocation. And permissions.default.geo is 0 by default.

OK, I will remove user_pref("geo.enabled", false);

user_pref("geo.wifi.uri", "https://127.0.0.1"); would help in case of accidental "Allow" click, right?

  4. OK, I will keep these two prefs until someone tests it.

  5. OK, I will run FF with 600000 (10 minutes) for a while and let you know if I experience any problems.

  6. OK, I will continue using it then.

  7. OK, I will remove it. Why no LINUX tag in the user.js?

  8. device.sensors.enabled - Is this mobile phone / tablet only? I thought it covers some laptop sensors as well? Like integrated accelerometers, adaptive brightness, etc.

dom.gamepad.enabled - Doesn't it leak info about any USB device (like thumb drive, printer, etc.) connected to the PC?

dom.netinfo.enabled - OK, I will keep it.

VERY IMPORTANT:
9. In FF60 ESR with user_pref("privacy.resistFingerprinting", false); I should use user_pref("general.buildID.override", "20100101");, right? If that's the case you might want to add the value 20100101 to the user.js

@Thorin-Oakenpants
Contributor

> 7. OK, I will remove it. Why no LINUX tag in the user.js?

Umm, because it's not just a linux pref (it exists for all OSes), but the change is only useful for linux users? The default is false in windows. We set it as false. NFI what the default is in linux

> 9. buildid override

tricky one. ESR is still using 20100101 and FF64+ will use 20181001000000 - i.e. when mitigating. It's tricky because you're on Linux, so the actual buildid could be very telling. BUT, (and JS control is your friend, and not every site pulls all this info, they have easier ways to track the bulk of people, so the threat may be low), it could be that by assigning 20100101 and your distro = more unique than without.

@Thorin-Oakenpants
Contributor

> user_pref("geo.wifi.uri", "https://127.0.0.1"); would help in case of accidental "Allow" click, right?

Yup. If you don't want geo at all, this would be the fallback AFAICT.

@Just-me-ghacks
Author

I use Windows.

@Thorin-Oakenpants
Contributor

> device.sensors.enabled - Is this mobile phone / tablet only? I thought it covers some laptop sensors as well? Like integrated accelerometers, adaptive brightness, etc.

Good point. Devices are always changing. Laptops have adaptive brightness? Maybe we should re-check this. But I had a feeling that it was android only?

@Thorin-Oakenpants
Contributor

> I use Windows.

Then don't set it. The number of windows users (IDK 90% of FF users) with ESR who don't spoof it would be like 99% of them. If you change it you'll stick out like a dog's balls (in a worst-case scenario). I've never liked this pref being used TBH

@Just-me-ghacks
Author

Just-me-ghacks commented Dec 5, 2018

FF60 ESR, Windows:

If user_pref("general.buildID.override", "20100101"); and user_pref("privacy.resistFingerprinting", false); is not a good idea, how is user_pref("privacy.resistFingerprinting", true); a good idea? (With resistFingerprinting enabled my buildID is 20100101.)

Yes, there are laptops with adaptive brightness sensors. Google "adaptive brightness laptop", "disable adaptive brightness windows", "powercfg adaptive brightness" for more info.

@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Dec 5, 2018

> there are laptops with adaptive brightness sensors

Oh. Maybe we should revisit that pref's inactive state and marking it as optional.

> how is RFP setting the buildID to 20100101 a good idea

Because RFP is a "set of users" with enforced patches and rules and spoofs and mitigations. Any attempt to lower entropy is applied to the whole group. In protecting the group, eliminating bits is always good.

vs

You as a random non RFP user in a sea of ALL FF users = hopeless

@Just-me-ghacks
Copy link
Author

Thanks, Pants and Big E! This pretty much answers all my questions. I will leave this thread open for another 24 hours if someone wants to add something and then we can close it.

@earthlng
Contributor

earthlng commented Dec 5, 2018

np, you're welcome

@Atavic

Atavic commented Dec 5, 2018

Quoting: #573 (comment)

> But I had a feeling that it was android only?

Also MacBook Pro: https://trac.torproject.org/projects/tor/ticket/21609#comment:10

@Atavic

Atavic commented Dec 5, 2018

@correabuscar

correabuscar commented Nov 8, 2022

For what it's worth, you need user_pref("dom.enable_performance_observer", true); for github to work properly, I found out the hard way: github/browser-support#28 (comment)

enable_performance_observer was mentioned in other issues but I won't dupe this message there, but just link here to the issues where I see it:
#448 (comment)
#457 (comment)
#491 (comment)

Note that my current use is now:

dom.enable_performance	false	
dom.enable_performance_navigation_timing	false	
dom.enable_performance_observer	true
privacy.resistFingerprinting	false

So dom.enable_performance being false doesn't make the dom.enable_performance_observer be false, they seem unrelated.

The only thing I changed to make github work was set dom.enable_performance_observer=true.
Just to give you an idea how broken github would be with this to false:

the notifications blue dot wouldn't appear unless I manually refreshed the webpage, I wouldn't see any new comments/updates if I were sitting on an issue or PR page, unless I F5/refreshed the webpage manually, and visiting a notification wouldn't move the scroll to the specific item in question, it would always just be on the top of the issue instead. When creating a new gist, changing to public gist on the green button would still show secret gist on the button even though clicking it would create the chosen public gist. If I pressed the 'star' button on a repo, it would redirect me to my dashboard page, then I'd press back and still see the repo unstarred so an F5 to refresh was needed!
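
Two points from this thread can be checked from a page's point of view: disabling an API differs from blocking its prompt, and dom.enable_performance and dom.enable_performance_observer act independently. The sketch below is an added example, not code from the thread or the ghacks-user.js project; the pref-to-API mapping in its comments and the sample objects are assumptions.

```javascript
// Added example. The pref named beside each probe is an assumption about
// which Firefox pref gates that API; the probes are ordinary feature checks.
function probeSurface(win) {
  const nav = win.navigator || {};
  return {
    geolocationApi: 'geolocation' in nav,               // geo.enabled
    performance: win.performance != null,               // dom.enable_performance
    performanceObserver:
      typeof win.PerformanceObserver === 'function',    // dom.enable_performance_observer
    gamepad: typeof nav.getGamepads === 'function',     // dom.gamepad.enabled
    netinfo: 'connection' in nav,                       // dom.netinfo.enabled
    speechSynth: 'speechSynthesis' in win,              // media.webspeech.synth.enabled
  };
}

// Names of the probes whose result differs from a baseline profile. Each one
// is a bit a site could use to tell this profile apart from the baseline.
function deviations(win, baselineWin) {
  const mine = probeSurface(win);
  const base = probeSurface(baselineWin);
  return Object.keys(mine).filter((k) => mine[k] !== base[k]);
}

// Constructed window-like objects (not captured data) standing in for:
// an untouched desktop profile, one with geo.enabled=false, and the
// dom.enable_performance=false / dom.enable_performance_observer=true
// combination reported in the last comment.
const STOCK = {
  performance: {}, PerformanceObserver: function () {}, speechSynthesis: {},
  navigator: { geolocation: {}, getGamepads: () => [] },
};
const GEO_API_OFF = { ...STOCK, navigator: { getGamepads: () => [] } };
const PERF_OFF_OBSERVER_ON = { ...STOCK, performance: null };

// In a browser console, inspect the live profile instead of the samples.
if (typeof window !== 'undefined') {
  console.log(probeSurface(window));
}
```

A profile that only sets permissions.default.geo to 2 would still report `geolocationApi: true`, which is the difference between blocking the prompt and disabling the API discussed above.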
