ToDo: diffs FF59-FF60

[earthlng]

• FF60 Release Notes
• FF60 for Developers
• FF60 Site Compatibilty

---

new in v59 ^{stuff we forgot}

• layout.css.moz-document.content.enabled=false
  • changed in FF61 with an exception to avoid breakage
• dom.registerContentHandler.enabled
  • will be changed in FF62

scratchpad scripts

• being an ESR major release, we can redo our scratchpad scripts up to ESR60

---

new in v60.0:

• Normandy / Shield 1436113 - 04f1449 bc17b4e
  • pref("app.normandy.api_url", "https://normandy.cdn.mozilla.net/api/v1");
  • pref("app.normandy.enabled", true);
  • pref("app.shield.optoutstudies.enabled", true);
• pref("browser.cache.offline.insecure.enable", true); 1354175 - d04ff84
• Browser Error Reporter 1426482 - 6309822
  • pref("browser.chrome.errorReporter.enabled", false);
  • pref("browser.chrome.errorReporter.submitUrl", "https://sentry.prod.mozaws.net/api/339/store/");
• pref("extensions.screenshots.upload-disabled", false); 1432694 - 75534b4
• pref("extensions.webextensions.restrictedDomains", "accounts-static.cdn.mozilla.net,accounts.firefox.com,addons.cdn.mozilla.net,addons.mozilla.org,api.accounts.firefox.com,content.cdn.mozilla.net,content.cdn.mozilla.net,discovery.addons.mozilla.org,input.mozilla.org,install.mozilla.org,oauth.accounts.firefox.com,profile.accounts.firefox.com,support.mozilla.org,sync.services.mozilla.com,testpilot.firefox.com"); 1415644: Access Denied - cd322f3
• pref("network.cookie.same-site.enabled", true); 795346 - 40db113
• pref("network.ftp.enabled", true); - b880c9d
• TRR (Trusted Recursive Resolver) 1434852 - see FF60+: TRR mode (DNS over HTTPS) #410 - b89e247
  • pref("network.trr.mode", 0);
  • pref("network.trr.bootstrapAddress", "");
  • pref("network.trr.uri", "");
• security.insecure_connection_text* - 1335970 - e373a0f
  • pref("security.insecure_connection_text.enabled", false);
  • pref("security.insecure_connection_text.pbmode.enabled", false);
• pref("identity.fxaccounts.enabled", true); 5000
• NOT added to the user.js but leaving here for visibility:
  • pref("security.pki.distrust_ca_policy", 1);
    • Symantec certificates issued before June 2016 are now distrusted
  • pref("dom.registerProtocolHandler.insecure.enabled", true);
    • will be changed in FF62

removed, renamed or hidden in v60.0:

ALL DONE - d10c859 & 8f2b674 & c5a1a03

• pref("browser.newtabpage.activity-stream.enabled", true); 1433324
• pref("browser.newtabpage.directory.source", "https://tiles.services.mozilla.com/..."); 1370930
• pref("browser.newtabpage.enhanced", true); 1433133
• pref("browser.newtabpage.introShown", false); 1433133
• pref("dom.workers.enabled", true); 1434934
• pref("view_source.tab", true); 1418403
• pref("extensions.shield-recipe-client.enabled", true); 1436113
• pref("extensions.shield-recipe-client.api_url", "https://normandy.cdn.mozilla.net/api/v1"); 1436113

changed in v60.0:

• the parrot needs some love - article, 107264, 440908, 1423840 - 6736033
  • fix wiki stuff about the parrot
• privacy.resistFingerprinting.block_mozAddonManager (4503) -> active - 7d65d8c
  • this is due to the new pref extensions.webextensions.restrictedDomains
• pref("security.tls.version.max", 4); // prev: 3 1202

redundant in 60 due to RFP ^{privacy.resistFingerprinting}

• webgl.enable-debug-renderer-info 2011 1337157 - c4a1583

---

ignore

click me for details

==NEW

pref("app.normandy.dev_mode", false);
pref("app.normandy.first_run", true);
pref("app.normandy.logging.level", 50);
pref("app.normandy.run_interval_seconds", 86400);
pref("app.normandy.shieldLearnMoreUrl", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield");
pref("browser.chrome.errorReporter.infoURL", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/nightly-error-collection");
pref("browser.chrome.errorReporter.logLevel", "Error");
pref("browser.chrome.errorReporter.projectId", "339");
pref("browser.chrome.errorReporter.publicKey", "c709cb7a2c0b4f0882fcc84a5af161ec");
pref("browser.chrome.errorReporter.sampleRate", "0.001");
pref("browser.newtabpage.activity-stream.enableWideLayout", true);
pref("browser.newtabpage.activity-stream.section.highlights.includePocket", true);
pref("browser.newtabpage.activity-stream.sectionOrder", "topsites,topstories,highlights");
pref("browser.newtabpage.activity-stream.telemetry.ut.events", false);
pref("browser.newtabpage.activity-stream.topSitesRows", 1);
pref("browser.startup.blankWindow", false);
pref("browser.urlbar.openintab", false);
pref("device.sensors.ambientLight.enabled", true);
pref("device.sensors.motion.enabled", true);
pref("device.sensors.orientation.enabled", true);
pref("device.sensors.proximity.enabled", true);
pref("devtools.browserconsole.filter.css", false);
pref("devtools.browserconsole.filter.debug", true);
pref("devtools.browserconsole.filter.net", false);
pref("devtools.browserconsole.new-frontend-enabled", false);
pref("devtools.browserconsole.ui.filterbar", false);
pref("devtools.debugger.features.replay", false);
pref("devtools.policy.disabled", false);
pref("devtools.responsive.reloadConditions.touchSimulation", false);
pref("devtools.responsive.reloadConditions.userAgent", false);
pref("devtools.responsive.reloadNotification.enabled", true);
pref("dom.keyboardevent.keypress.dispatch_non_printable_keys_only_system_group_in_content", false);
pref("dom.push.alwaysConnect", false);
pref("dom.serviceWorkers.update_delay", 1000);
pref("dom.webdriver.enabled", true);
pref("dom.webmidi.enabled", false);
pref("extensions.getAddons.compatOverides.url", "https://services.addons.mozilla.org/api/v3/addons/compat-override/?guid=%IDS%&lang=%LOCALE%");
pref("extensions.langpacks.signatures.required", false);
pref("general.document_open_conversion_depth_limit", 20);
pref("identity.fxaccounts.remote.root", "https://accounts.firefox.com/");
pref("image.animated.decode-on-demand.batch-size", 6);
pref("image.animated.decode-on-demand.threshold-kb", 4194303);
pref("image.mem.animated.use_heap", false);
pref("image.mem.volatile.min_threshold_kb", -1);
pref("image.multithreaded_decoding.idle_timeout", 600000);
pref("intl.tsf.hack.japanist10.do_not_return_no_layout_error_of_composition_string", true);
pref("javascript.options.array_prototype_values", true);
pref("javascript.options.spectre.jit_to_C++_calls", true);
pref("javascript.options.spectre.object_mitigations.barriers", true);
pref("javascript.options.spectre.object_mitigations.misc", true);
pref("javascript.options.spectre.string_mitigations", true);
pref("javascript.options.spectre.value_masking", true);
pref("layers.omtp.dump-capture", false);
pref("layout.css.individual-transform.enabled", false);
pref("layout.css.paint-order.enabled", true);
pref("layout.word_select.stop_at_underscore", false);
pref("marionette.debugging.clicktostart", false);
pref("marionette.enabled", false);
pref("media.cubeb.sandbox", false);
pref("media.getusermedia.camera.off_while_disabled.delay_ms", 3000);
pref("media.getusermedia.camera.off_while_disabled.enabled", true);
pref("media.getusermedia.microphone.off_while_disabled.delay_ms", 3000);
pref("media.getusermedia.microphone.off_while_disabled.enabled", true);
pref("network.dns.native-is-localhost", false);
pref("network.trr.allow-rfc1918", false);
pref("network.trr.blacklist-duration", 259200);
pref("network.trr.confirmationNS", "example.com");
pref("network.trr.credentials", "");
pref("network.trr.early-AAAA", false);
pref("network.trr.request-timeout", 3000);
pref("network.trr.useGET", false);
pref("network.trr.wait-for-portal", true);
pref("pdfjs.textLayerMode", 1);
pref("privacy.resistFingerprinting.reduceTimerPrecision.jitter", true);
pref("security.mixed_content.upgrade_display_content", false);
pref("services.sync.engine.bookmarks.buffer", false);
pref("services.sync.engine.passwords.validation.interval", 86400);
pref("services.sync.engine.passwords.validation.maxRecords", 1000);
pref("services.sync.engine.passwords.validation.percentageChance", 10);
pref("services.sync.prefs.sync.browser.urlbar.matchBuckets", true);
pref("services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter", true);

==REMOVED or HIDDEN

pref("browser.newtabpage.activity-stream.aboutHome.enabled", true);
pref("browser.newtabpage.activity-stream.topSitesCount", 6);
pref("browser.newtabpage.columns", 5);
pref("browser.newtabpage.compact", false);
pref("browser.newtabpage.rows", 3);
pref("browser.newtabpage.thumbnailPlaceholder", false);
pref("browser.places.useAsyncTransactions", true);
pref("devtools.highlighter.writingModeAdjust", false);
pref("devtools.webide.monitorWebSocketURL", "ws://localhost:9000");
pref("dom.secureelement.enabled", false);
pref("extensions.alwaysUnpack", false);
pref("extensions.getAddons.getWithPerformance.url", "https://services.addons.mozilla.org/%LOCALE%/firefox/api/%API_VERSION%/search/guid:%IDS%?src=firefox&appOS=%OS%&appVersion=%VERSION%&tMain=%TIME_MAIN%&tFirstPaint=%TIME_FIRST_PAINT%&tSessionRestored=%TIME_SESSION_RESTORED%");
pref("extensions.hotfix.cert.checkAttributes", true);
pref("extensions.hotfix.certs.1.sha1Fingerprint", "91:53:98:0C:C1:86:DF:47:8F:35:22:9E:11:C9:A7:31:04:49:A1:AA");
pref("extensions.hotfix.certs.2.sha1Fingerprint", "39:E7:2B:7A:5B:CF:37:78:F9:5D:4A:E0:53:2D:2F:3D:68:53:C5:60");
pref("extensions.hotfix.id", "[email protected]");
pref("extensions.interposition.enabled", true);
pref("extensions.interposition.prefetching", true);
pref("extensions.shield-recipe-client.dev_mode", false);
pref("extensions.shield-recipe-client.first_run", true);
pref("extensions.shield-recipe-client.logging.level", 50);
pref("extensions.shield-recipe-client.run_interval_seconds", 86400);
pref("extensions.shield-recipe-client.shieldLearnMoreUrl", "https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield");
pref("extensions.shield-recipe-client.startup_delay_seconds", 300);
pref("extensions.shield-recipe-client.user_id", "");
pref("gfx.font_loader.families_per_slice", 3);
pref("identity.fxaccounts.remote.connectdevice.uri", "https://accounts.firefox.com/connect_another_device?service=sync&context=fx_desktop_v3");
pref("identity.fxaccounts.remote.email.uri", "https://accounts.firefox.com/?service=sync&context=fx_desktop_v3&action=email");
pref("identity.fxaccounts.remote.force_auth.uri", "https://accounts.firefox.com/force_auth?service=sync&context=fx_desktop_v3");
pref("identity.fxaccounts.remote.signin.uri", "https://accounts.firefox.com/signin?service=sync&context=fx_desktop_v3");
pref("identity.fxaccounts.remote.signup.uri", "https://accounts.firefox.com/signup?service=sync&context=fx_desktop_v3");
pref("identity.fxaccounts.remote.webchannel.uri", "https://accounts.firefox.com/");
pref("identity.fxaccounts.settings.devices.uri", "https://accounts.firefox.com/settings/clients?service=sync&context=fx_desktop_v3");
pref("identity.fxaccounts.settings.uri", "https://accounts.firefox.com/settings?service=sync&context=fx_desktop_v3");
pref("layout.css.stylo-blocklist.blocked_domains", "");
pref("layout.css.stylo-blocklist.enabled", false);
pref("pdfjs.disableTextLayer", false);
pref("pdfjs.enableHandToolOnLoad", false);
pref("pdfjs.enhanceTextSelection", false);
pref("security.xcto_nosniff_block_images", false);
pref("services.sync.errorhandler.networkFailureReportTimeout", 1209600);
pref("services.sync.prefs.sync.browser.newtabpage.enhanced", true);
pref("services.sync.scheduler.eolInterval", 604800);
pref("signed.applets.codebase_principal_support", false);
pref("svg.paint-order.enabled", true);

==CHANGED

pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_description\":\"pocket_description\",\"provider_icon\":\"pocket\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off\",\"stories_referrer\":\"https://getpocket.com/recommendations\",\"privacy_notice_link\":\"https://www.mozilla.org/privacy/firefox/#suggest-relevant-content\",\"disclaimer_link\":\"https://getpocket.com/firefox/new_tab_learn_more\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false,\"personalized\":true}"); // prev: "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_header\":\"pocket_feedback_header\",\"provider_description\":\"pocket_description\",\"provider_icon\":\"pocket\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"stories_referrer\":\"http://getpocket.com/recommendations\",\"info_link\":\"https://www.mozilla.org/privacy/firefox/#pocketstories\",\"disclaimer_link\":\"https://getpocket.com/firefox/new_tab_learn_more.php\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false,\"personalized\":true}"
pref("browser.safebrowsing.provider.mozilla.lists", "long-string"); // prev: "long-string"
pref("browser.schedulePressure.timeoutMs", 300); // prev: 1000
pref("devtools.debugger.features.root", true); // prev: false
pref("dom.ipc.useNativeEventProcessing.content", false); // prev: true
pref("editor.use_div_for_default_newlines", true); // prev: false
pref("extensions.getAddons.get.url", "https://services.addons.mozilla.org/api/v3/addons/search/?guid=%IDS%&lang=%LOCALE%"); // prev: "https://services.addons.mozilla.org/%LOCALE%/firefox/api/%API_VERSION%/search/guid:%IDS%?src=firefox&appOS=%OS%&appVersion=%VERSION%"
pref("font.name-list.sans-serif.ko", "Malgun Gothic, Gulim"); // prev: "Gulim, Malgun Gothic"
pref("gfx.webrender.blob-images", 1); // prev: 2
pref("gfx.webrender.hit-test", true); // prev: false
pref("layout.css.servo.chrome.enabled", true); // prev: false
pref("dom.moduleScripts.enabled", true); // prev: false
pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 1000); // prev: 2000
pref("security.sandbox.content.level", 5); // prev: 4
pref("security.webauth.webauthn", true); // prev: false
pref("urlclassifier.disallow_completions", "long-string"); // prev: "long-string"

[earthlng]

bugzilla tickets

• app.normandy.api_url
  Bug 1436113 - Part 2: Refactor "shield-recipe-client" to "normandy"

• app.normandy.dev_mode
  Bug 1436113 - Part 2: Refactor "shield-recipe-client" to "normandy"

• app.normandy.enabled
  Bug 1436113 - Part 2: Refactor "shield-recipe-client" to "normandy"

• app.normandy.logging.level
  Bug 1436113 - Part 2: Refactor "shield-recipe-client" to "normandy"

• app.normandy.run_interval_seconds
  Bug 1436113 - Part 2: Refactor "shield-recipe-client" to "normandy"

• app.normandy.shieldLearnMoreUrl
  Bug 1436113 - Part 2: Refactor "shield-recipe-client" to "normandy"

• app.shield.optoutstudies.enabled
  Bug 1436113 - Part 2: Refactor "shield-recipe-client" to "normandy"

• browser.cache.offline.insecure.enable
  Bug 1354175 - Disable AppCache in insecure contexts.

• browser.chrome.errorReporter.enabled
  Bug 1426482 Report browser errors in Nightly to Mozilla.

• browser.chrome.errorReporter.infoURL
  Bug 1426482 Report browser errors in Nightly to Mozilla.

• browser.chrome.errorReporter.logLevel
  Bug 1426482 Report browser errors in Nightly to Mozilla.

• browser.chrome.errorReporter.projectId
  Bug 1426482 Report browser errors in Nightly to Mozilla.

• browser.chrome.errorReporter.publicKey
  Bug 1426482 Report browser errors in Nightly to Mozilla.

• browser.chrome.errorReporter.sampleRate
  Bug 1426482 Report browser errors in Nightly to Mozilla.

• browser.chrome.errorReporter.submitUrl
  Bug 1426482 Report browser errors in Nightly to Mozilla.

• browser.newtabpage.activity-stream.aboutHome.enabled
  Bug 1433324 - Part 1. Assume true for browser.newtabpage.activity-stream.aboutHome.enabled.
  Bug 1396274 - Disable Activity Stream about:home in browser_aboutHome.js
  Bug 1392324 - Add pref to enable Activity Stream on about:home.

• browser.newtabpage.activity-stream.enabled
  Bug 1433324 - Part 3. Assume true for browser.newtabpage.activity-stream.enabled

• browser.newtabpage.columns
  Bug 1433133 - remove unused prefs and exported bits from NewTabUtils.jsm,

• browser.newtabpage.compact
  Bug 1433133 - remove unused prefs and exported bits from NewTabUtils.jsm,

• browser.newtabpage.directory.source
  Bug 1370930 - remove DirectoryLinksProvider,

• browser.newtabpage.enhanced
  Bug 1433133 - remove unused prefs and exported bits from NewTabUtils.jsm,

• browser.newtabpage.introShown
  Bug 1433133 - remove unused prefs and exported bits from NewTabUtils.jsm,

• browser.newtabpage.rows
  Bug 1433133 - remove unused prefs and exported bits from NewTabUtils.jsm,

• browser.newtabpage.thumbnailPlaceholder
  Bug 1433133 - remove unused prefs and exported bits from NewTabUtils.jsm,

• browser.places.useAsyncTransactions
  Bug 1131491 - Remove browser.places.useAsyncTransactions preference - async transactions are now the only version.

• browser.policies.enabled
  Bug 1442759 - Enable the policy engine by default on Nightly and early Betas.

• browser.safebrowsing.provider.mozilla.lists
  Bug 1423229 - [4.0] Add support for category-based tracking lists.

• browser.schedulePressure.timeoutMs
  Bug 1436423 - Reduce the schedule pressure limit closer to the values that users are reporting.
  Bug 1406414 - Switch to an APNG loading indicator when the browser is under schedule pressure.

• browser.startup.blankWindow
  Bug 1336227 - Show about:blank as soon as possible during startup (pref'ed off),

• browser.urlbar.openintab
  Bug 1394304: Part 1 - Use pref to control whether to open url bar results in a new tab.

• device.sensors.ambientLight.enabled
  Bug 1359076: Disable all Device Sensor APIs except orientation by default

• device.sensors.motion.enabled
  Bug 1359076: Disable all Device Sensor APIs except orientation by default

• device.sensors.orientation.enabled
  Bug 1359076: Disable all Device Sensor APIs except orientation by default

• device.sensors.proximity.enabled
  Bug 1359076: Disable all Device Sensor APIs except orientation by default

• devtools.browserconsole.filter.css
  Bug 1435092 - Add a util object to manage preferences;
  Bug 1204808 - Move devtools prefs to its own file in /devtools folder.

• devtools.browserconsole.filter.debug
  Bug 1435092 - Add a util object to manage preferences;

• devtools.browserconsole.filter.net
  Bug 1435092 - Add a util object to manage preferences;
  Bug 1204808 - Move devtools prefs to its own file in /devtools folder.

• devtools.browserconsole.new-frontend-enabled
  Bug 1435084 - Create a pref to enable the new console UI in the browser console;r=nchevobbe

• devtools.browserconsole.ui.filterbar
  Bug 1435092 - Add a util object to manage preferences;

• devtools.devedition.promo.enabled
  Bug 1204808 - Move devtools prefs to its own file in /devtools folder.

• devtools.highlighter.writingModeAdjust
  Bug 1430919 - Enable grid highlighter writing mode support.
  Bug 1303171 - Adjust highlighters to account for writing mode and text dir.

• devtools.responsive.reloadConditions.touchSimulation
  Bug 1428816 - Add RDM UI to control whether we reload.

• devtools.responsive.reloadConditions.userAgent
  Bug 1428816 - Add RDM UI to control whether we reload.

• devtools.responsive.reloadNotification.enabled
  Bug 1428816 - Show reload help on first RDM open.

• dom.ipc.useNativeEventProcessing.content
  Bug 1430744: Stop processing native events in the content process on Windows in Nightly.

• dom.keyboardevent.keypress.dispatch_non_printable_keys_only_system_group_in_content
  Bug 1443117 - Restart to dispatch "keypress" event for non-printable keys and key combinations on Nightly and early-Beta until Google fixes related bugs of their web apps
  Bug 1440189 - part 1: Stop dispatching keypress event to the default event group in web content (only Nightly and early Beta)
  Bug 1433101 - part 1: Add new pref which disables keypress event for non-printable keys only for the default event group in web content

• dom.moduleScripts.enabled
  Bug 1438139 - Enable <script type="module"> by default
  Bug 1428685 - Use dom.webcomponents.shadowdom.enabled pref for Shadow DOM.

• dom.push.alwaysConnect
  Bug 1440467 - Add a pref to always connect to the Push server without existing subscriptions.

• dom.registerContentHandler.enabled
  Bug 1398169 - Use pref to disable registerContentHandler in non stable builds.

• dom.registerProtocolHandler.insecure.enabled
  Bug 1429732 - Use a pref to disable registerProtocolHandler in insecure contexts.

• dom.secureelement.enabled
  Bug 1353329 - Remove remains of SecureElement API.

• dom.serviceWorkers.update_delay
  Bug 1432846 - Delay update runnables from service workers that don't control any clients.

• dom.webdriver.enabled
  Bug 1169290 - Guard navigator.webdriver behind dom.webdriver.enabled pref.

• dom.webmidi.enabled
  Bug 1201590 - WebMIDI Utility classes;

• dom.workers.enabled
  Bug 1434934 - Remove dom.workers.enabled pref,

• editor.use_div_for_default_newlines
  Bug 1430551 - Make editor use <div> as defaultParagraphSeparator even in release channel

• extensions.alwaysUnpack
  Bug 1444502: Remove support for installing unpacked extensions.

• extensions.getAddons.compatOverides.url
  Bug 1402064 Switch to modern AMO metadata API

• extensions.getAddons.get.url
  Bug 1402064 Switch to modern AMO metadata API

• extensions.getAddons.getWithPerformance.url
  Bug 1402064 Switch to modern AMO metadata API

• extensions.hotfix.cert.checkAttributes
  Bug 1356331 Remove hotfix code from addons manager and related tests

• extensions.hotfix.certs.1.sha1Fingerprint
  Bug 1356331 Remove hotfix code from addons manager and related tests

• extensions.hotfix.certs.2.sha1Fingerprint
  Bug 1356331 Remove hotfix code from addons manager and related tests

• extensions.hotfix.id
  Bug 1356331 Remove hotfix code from addons manager and related tests

• extensions.interposition.enabled
  Bug 1443983: Part 2 - Remove remaining interpositions.
  Bug 1412456 - Disable add-on interposition

• extensions.interposition.prefetching
  Bug 1443983: Part 2 - Remove remaining interpositions.

• extensions.langpacks.signatures.required
  Bug 1444487 Add preference for langpack signing.

• extensions.screenshots.upload-disabled
  Bug 1432694 - Add a default value for the Screenshots upload-disabled pref;

• extensions.webextensions.restrictedDomains
  Bug 1415644: Create a list of restricted domains.

• font.name-list.sans-serif.ko
  Bug 1431570 - Use Malgun Gothic as default font of Korean on release channel.

• general.document_open_conversion_depth_limit
  Bug 1440663 - Add a preference to limit document opening data conversion recursion depth to nsDocumentOpenInfo,

• gfx.font_loader.families_per_slice
  Bug 1440411 - Remove the obsolete gfx.font_loader.families_per_slice pref (no longer used by any code).

• gfx.webrender.blob-images
  Bug 1362115 - turn on blob-images by default with webrender.
  Bug 1425260: gfx.webrender.all turns on all preferences that are needed for webrender.

• gfx.webrender.hit-test
  Bug 1421380 - Enable gfx.webrender.hit-test by default.
  Bug 1423982 - Only do the WR-based hit-test if WR is enabled.

• identity.fxaccounts.enabled
  Bug 1434706 - Add identity.fxaccounts.enabled pref to disable Sync and FxA.

• identity.fxaccounts.remote.connectdevice.uri
  Bug 1427674 - Unify FxA content server URL preferences.
  Bug 1418466 - Add Connect Another Device button to relevant Sync UI.

• identity.fxaccounts.remote.email.uri
  Bug 1427674 - Unify FxA content server URL preferences.
  Bug 1411714 - Handle action=email in about:accounts.

• identity.fxaccounts.remote.force_auth.uri
  Bug 1427674 - Unify FxA content server URL preferences.

• identity.fxaccounts.remote.root
  Bug 1427674 - Unify FxA content server URL preferences.

• identity.fxaccounts.remote.signin.uri
  Bug 1427674 - Unify FxA content server URL preferences.

• identity.fxaccounts.remote.signup.uri
  Bug 1427674 - Unify FxA content server URL preferences.

• identity.fxaccounts.remote.webchannel.uri
  Bug 1427674 - Unify FxA content server URL preferences.

• identity.fxaccounts.settings.devices.uri
  Bug 1427674 - Unify FxA content server URL preferences.

• identity.fxaccounts.settings.uri
  Bug 1427674 - Unify FxA content server URL preferences.

• image.animated.decode-on-demand.batch-size
  Bug 523950 - Part 3. Add preferences to control animated image decoding behaviour.

• image.animated.decode-on-demand.threshold-kb
  Bug 523950 - Part 3. Add preferences to control animated image decoding behaviour.

• image.mem.animated.use_heap
  Bug 1427639 - Part 1. Add preferences to control image frame allocations in volatile memory or the heap.

• image.mem.volatile.min_threshold_kb
  Bug 1427639 - Part 1. Add preferences to control image frame allocations in volatile memory or the heap.

• image.multithreaded_decoding.idle_timeout
  Bug 1436247 - Part 2. Shutdown idle image decoder threads after the configured timeout.

• intl.tsf.hack.japanist10.do_not_return_no_layout_error_of_composition_string
  Bug 1435730 - part 1: Make TSFTextStore::GetTextExt() not return TS_E_NOLAYOUT error to Japanist 10 when the range is in composition string

• javascript.options.array_prototype_values
  Bug 1420101 - Add default enabled pref for Array.prototype.values.

• javascript.options.spectre.jit_to_C++_calls
  Bug 1438886 - Prevent speculative execution after returning from GC-capable C++ code.

• javascript.options.spectre.object_mitigations.barriers
  Bug 1437483 part 3 - Enable Ion object type barrier mitigations by default.
  Bug 1437483 part 1 - Add pref for Spectre mitigations for Ion object type barriers.

• javascript.options.spectre.object_mitigations.misc
  Bug 1442561 part 3 - Flip the pref.
  Bug 1442561 part 1 - Add browser pref for misc Spectre object type mitigations.

• javascript.options.spectre.string_mitigations
  Bug 1434230 part 4 - Enable Spectre string mitigations by default.
  Bug 1434230 part 1 - Some Spectre mitigations for loadStringChars.

• javascript.options.spectre.value_masking
  Bug 1433111 - Add JS Shell and about:config switch for Value masking.

• layers.omtp.dump-capture
  Add 'layers.omtp.dump-capture' for logging DrawTargetCapture (bug 1435938,

• layout.css.individual-transform.enabled
  Bug 1207734 - Part 2. Add a preference to enable/disable individual transform.

• layout.css.paint-order.enabled
  Bug 1435684 - Enable the paint-order property for HTML text.
  Bug 1426146 - patch 2 - Support the paint-order property for HTML text (in addition to SVG); currently preffed-off by default.

• layout.css.servo.chrome.enabled
  Bug 1417138 part 2 - Enable stylo-chrome by default.
  Bug 1430014 - Part 1: Add --enable-stylo=only configure option and MOZ_OLD_STYLE define.

• layout.css.stylo-blocklist.blocked_domains
  Bug 1426223 - remove Stylo domain blocklist mechanism.

• layout.css.stylo-blocklist.enabled
  Bug 1426223 - remove Stylo domain blocklist mechanism.

• layout.display-list.retain
  Bug 1413546 - Add pref to allow retained display lists within the parent process.

• layout.word_select.stop_at_underscore
  Bug 1431672 - Add a pref to control whether underscore is treated as a word-forming character.

• media.cubeb.sandbox
  Bug 1434156 - Remove nightly gate from AudioIPC for Linux.
  Bug 1425788 - Disable AudioIPC on macOS while investigating fallout.

• media.getusermedia.camera.off_while_disabled.delay_ms
  Bug 1299515 - Disable turning off camera while disabled by default on android.

• media.getusermedia.camera.off_while_disabled.enabled
  Bug 1299515 - Disable turning off camera while disabled by default on android.

• media.getusermedia.microphone.off_while_disabled.delay_ms
  Bug 1436352 - Enable turning microphone off on track-disable by default.

• media.getusermedia.microphone.off_while_disabled.enabled
  Bug 1436352 - Enable turning microphone off on track-disable by default.

• network.dns.native-is-localhost
  bug 1434852 - introducing TRR (DOH);

• network.ftp.enabled
  Bug 1374114 - Add a pref to disable ftp.

• network.tcp.tcp_fastopen_enable
  Bug 1431738 - We will disable TFO on late beta and release.
  Bug 1426367 - Turn on TFO for Windows.

• network.trr.allow-rfc1918
  bug 1434852 - introducing TRR (DOH);

• network.trr.blacklist-duration
  bug 1434852 - introducing TRR (DOH);

• network.trr.bootstrapAddress
  bug 1434852 - introducing TRR (DOH);

• network.trr.confirmationNS
  bug 1434852 - introducing TRR (DOH);

• network.trr.credentials
  bug 1434852 - introducing TRR (DOH);

• network.trr.early-AAAA
  bug 1443489 - TRR: require a pref set to allow early AAAA responses

• network.trr.mode
  bug 1434852 - introducing TRR (DOH);

• network.trr.request-timeout
  bug 1434852 - introducing TRR (DOH);

• network.trr.uri
  bug 1434852 - introducing TRR (DOH);

• network.trr.useGET
  bug 1434852 - introducing TRR (DOH);

• network.trr.wait-for-portal
  bug 1434852 - introducing TRR (DOH);

• privacy.resistFingerprinting.reduceTimerPrecision.jitter
  Bug 1425462 Turn jitter on by default.
  Bug 1425462 When reducing the precision of timestamps, also apply fuzzytime to them

• security.insecure_connection_text.enabled
  Bug 1335970 - Add prefs to add "Not Secure" text to insecure pages.

• security.insecure_connection_text.pbmode.enabled
  Bug 1335970 - Add prefs to add "Not Secure" text to insecure pages.

• security.mixed_content.upgrade_display_content
  Bug 1440709 - Disabling mixed content upgrading for now.
  Bug 1435733 - Upgrade mixed display content pref.

• security.pki.distrust_ca_policy
  Bug 1442075 - Enforce Symantec distrust in Firefox 60
  Bug 1437754 - Add a pref and disable the Symantec distrust algorithm

• security.sandbox.content.level
  Bug 1441824: Let level 5 (Alternate Desktop) for the Windows content sandbox ride the trains.
  Bug 1126437 - Add Linux content sandbox level 4 for blocking socket APIs.
  Bug 1417959: Bump Alternate Desktop to Level 5 and make that the Default on Nightly.
  Bug 1417959 - Bump Alternate Desktop to Level 5 and make that the Default on Nightly.
  Bug 1415250 Part 2: Make level 4 the default for the Windows content process sandbox.
  Bug 1402351 - Make the Linux level 3 / read sandbox ride the trains.
  Bug 1402340 - On non-Nightly revert back to Windows content process sandbox level 3 to fix suspected top crashes.
  Bug 1229829 - Part 2 - Use an alternate desktop on the local winstation for content processes;
  Bug 1388046 - Disable sandbox read restrictions (level 3) on beta/release.

• security.webauth.webauthn
  Bug 1432542 - Enable Web Authentication
  Bug 1428918 - Enable Web Authentication in Nightly
  Bug 1399959 - Prefer hardware instead of software U2F tokens

• security.xcto_nosniff_block_images
  Bug 1397740 - Removed security.xcto_nosniff_block_images from about:config

• services.sync.prefs.sync.browser.newtabpage.enhanced
  Bug 1433133 - remove unused prefs and exported bits from NewTabUtils.jsm,

• services.sync.prefs.sync.browser.urlbar.matchBuckets
  Bug 1430994 - Sync the browser.urlbar.matchBuckets pref.

• services.sync.prefs.sync.privacy.resistFingerprinting.reduceTimerPrecision.jitter
  Bug 1425462 When reducing the precision of timestamps, also apply fuzzytime to them

• signed.applets.codebase_principal_support
  Bug 1434952 - Remove signed.applets.codebase_principal_support pref.

• svg.paint-order.enabled
  Bug 1437267 - Remove the svg.paint-order.enabled pref.
  Bug 1362115 - turn on blob-images by default with webrender.

• urlclassifier.disallow_completions
  Bug 1423229 - [4.0] Add support for category-based tracking lists.
  Bug 1407879 - Check password field url against the local whitelist.
  Bug 1385484 - Cleanup Safe Browsing prefs and sync the download protection setting.

• view_source.tab
  Bug 1418403 - Remove viewing source in a standalone window.

[crssi]

^^I have asked/pointed the CSS Exfill author to your question.

Cheers

[mlgualtieri]

Hi all, I'm the author of CSS Exfil Protection. To answer Thorin's question, no I don't believe this removal would make the plugin obsolete as the plugin guards against several other methods that could be used to exfil data (background-image, list-style, cursor, & content).

Actually, the plugin as it stands today does not block anything related to the -moz-document selector. Today is the first I've heard of this selector, although it sounds like it's getting phased out so it's likely I won't need to add protection.

(PS - I would love for a day when my plugin becomes completely obsolete. Although it's fun hacking away at it, I'd rather see the protection offered by default in major browsers.)

[Atavic]

Bug 1446470: Make the moz-document-in-content pref false by default.

See here.

The @document at-rule has been limited to use only in user and UA sheets (bug 1035091)

See here.

While @mlgualtieri plugin works by pre-processing the CSS which is loaded onto a web page.

Inspection and sanitization of each CSSRule is done through the browser's native CSSStyleSheet JavaScript API. If a CSSRule.selectorText is detected that: 1) Parses the value attribute of an element, and 2) If the corresponding CSSRule.cssText includes a call to a remote URL, a new rule is created to override the call to the remote URL.

See Defense for Web Users.

[earthlng]

certain syntax errors stop the parsing and the debug pref is still useful in those cases. We just need to change the last one to something less definite.

[earthlng]

60b9 changes since 60b5

new

pref("browser.cache.offline.insecure.enable", true); // 60b5: false
pref("browser.policies.enabled", true);
pref("device.sensors.ambientLight.enabled", true); // 60b5: false
pref("device.sensors.proximity.enabled", true); // 60b5: false
pref("services.sync.engine.bookmarks.validation.enabled", true);
pref("services.sync.engine.passwords.validation.enabled", true);

removed, renamed or hidden

pref("geo.provider.ms-windows-location", false);

changed

pref("dom.registerContentHandler.enabled", false); // prev: true
pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"); // prev: "https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_API_KEY%"
pref("layout.css.moz-document.content.enabled", false); // prev: true
pref("network.tcp.tcp_fastopen_enable", true); // prev: false
pref("security.mixed_content.block_object_subrequest", true); // prev: false

EDIT: updated 1st post

[earthlng]

IDK about that. If you don't trust your installed webextensions it might be a good idea. But if f.e a hacker manages to inject external JS into one of those domains, you'd normally see + block that with uMatrix.
If uMatrix etc are locked out with that pref you won't notice anything.

[earthlng]

network.dns.native-is-localhost - For testing purposes! -> moved to ignore

[earthlng]

browser.chrome.errorReporter.* - only enabled in Nightly.

https://wiki.mozilla.org/Firefox/BrowserErrorCollection
https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html

[earthlng]

extensions.getAddons.get.url - never used thanks to 0306 - moved to ignore

[earthlng]

yeah let's NOT do that. You've seen the countless reddit posts asking why AMO detects their FFs as an older version. I assume, based on the mozAddonManager pref being an RFP sub-pref, the whole point of the mozAddonManager was to be able to detect the FF version despite RFP.

[earthlng]

I'd put it under 2600, something like this:

/* 26xx: disable webextension restrictions on certain mozilla domains (FF60+) ***/
   // user_pref("extensions.webextensions.restrictedDomains", "");

add notes and/or warnings as you see fit, f.e. that several mozilla domains use google analytics and noscript etc won't be able to block that.

[Atavic]

For 3rd party scripts only, starting from FF 43 until today:

The Web Storage API now respects the browser’s third-party cookies preference, so it will no longer work when the script is in a third-party context and the user has disabled third-party cookies. The IndexedDB API and the new Service Worker Cache API will also obey the same constraint.

...see link here.

[Atavic]

If the 1st party uses web workers, then it is able to use IndexedDB.
I don't see it as an oversight, cliqz is partner with Mozilla.

[Atavic]

I totally agree! But it cannot be an oversight.

[earthlng]

60b16 changes since 60b9

new

pref("app.normandy.first_run", true);
pref("image.animated.decode-on-demand.threshold-kb", 4194303); // 60b9: 20480
pref("network.cookie.same-site.enabled", true);

changed

pref("layout.display-list.retain", true); // prev: false
pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 1000); // prev: 2000

EDIT: updated 1st post

[fmarier]

Here's the meta bug for same-site cookies: https://bugzilla.mozilla.org/show_bug.cgi?id=samesite-cookies

Probably no point in listing this pref in user.js since it's enabled by default and it restricts cookies further. The pref is only there in case we need to turn the feature off quickly due to unforeseen bugs/breakage.

[crssi]

Is this the same as uMatrix rule...

* * cookie block
* 1st-party cookie allow

...which reads as allow outbound 1st-party cookies and deny outbound 3rd-party cookies?

[fmarier]

SameSite=strict goes further than disabling third-party cookies. It also strips the first-party cookie if you follow a link from a different site. See http://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ for a good explanation.

[crssi]

@fmarier thx
If I understand correctly this behavior is server side controlled over header and not client side by preferences?

[earthlng]

I agree with @fmarier in that we don't need the pref in the user.js per se but I think it's a nice new feature and worth adding for the links alone. something like this:

/* 27xx: enable support for same-site cookies (FF60+)
 * [NOTE] support for same-site cookies is enabled by default but we don't enforce it
 * in case mozilla needs to turn it off quickly due to unforeseen bugs/breakage.
 * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=samesite-cookies
 * [2] https://blog.mozilla.org/security/2018/04/24/same-site-cookies-in-firefox-60/
 * [3] https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ ***/
   // user_pref("network.cookie.same-site.enabled", true); // default: true

[earthlng]

AFAIK FPI only works on domain anyway ie secure.bank.com has access to cookies etc from bank.com and vice-versa.

same-site cookies makes it so that when you click a link to yourbank.com and you happen to be logged in to yourbank.com in another tab (or didn't logout) the cookie will not be sent and therefore preventing potential CSRF. FPI has nothing to do with that. EDIT: not just links but some other things as well, like certain forms and whatnot, see the .nl link for details.

[earthlng]

my 2 cents:

pref("app.normandy.first_run", true); - probably unnecessary but we can add it to the other normandy stuff, up to you
pref("browser.startup.blankWindow", false); - nothing to do with privacy/security and IMO not worth adding to 5000 either
pref("browser.urlbar.openintab", false); - sounds pretty annoying. I'd ignore it
pref("devtools.policy.disabled", false); - devtools are awesome. Why would anyone want to disable that? IMO move to ignore
pref("dom.push.alwaysConnect", false); - default is false which is what we want and thus it's safe to ignore but I don't mind adding it with the other push stuff just in case
pref("network.ftp.enabled", true); - maybe add as inactive for those who want to disable it. I think FF61 will disable ftp for sub-resources which is probably the better option
pref("media.cubeb.sandbox", false); - something to do with audio on linux (and maybe Mac, IDK). It's true on linux and false on Windows. I'd say move to ignore

changed:

IMO move to ignore:
pref("browser.schedulePressure.timeoutMs", 300); // prev: 1000
pref("devtools.debugger.features.root", true); // prev: false - no idea what this is but most people probably don't use the debugger anyway
pref("gfx.webrender.blob-images", 1); // prev: 2
pref("gfx.webrender.hit-test", true); // prev: false
pref("layout.css.servo.chrome.enabled", true); // prev: false - seemingly removed in FF61
pref("privacy.resistFingerprinting.reduceTimerPrecision.microseconds", 1000); // prev: 2000

[earthlng]

👖 you forgot to move 0512 to deprecated/removed

[earthlng]

Is is something to do with being a system addon, and the prefs are hidden until created by the addon?

yes exactly. I already planned to change the way I retrieve the default prefs for the next diff because of some changes mozilla made in 61 but I'll update this diff as well as soon as FF60 portable is available.

I'll have to install a certain version to get a diff for it and thus I won't be able to create OS-diffs anymore because I don't have a Mac.

[earthlng]

• keyboardevent stuff:
  https://www.fxsitecompat.com/en-CA/docs/2018/non-printable-keys-will-soon-stop-firing-keypress-event/
  FF60 doesn't have the whitelist yet and enabling it already might just break too many sites. Waiting at least for FF61 seems like a good idea. Perhaps even wait until they enable it by default because I don't know what the pros and cons of this are, either.
• ftp - I wouldn't mind adding it inactive tbh. Martin wrote an article about it and we could link to that.
  https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/
• registerProtocolHandler - yes false is what we want. "low usage rate of the functionality" so breakage-wise it shouldn't be a problem to set this already. 1 more bit for fingerprinting but it's very unlikely that anyone is using that. Nightly has it disabled too. a similar pref was added in 59: dom.registerContentHandler.enabled
• dom.registerContentHandler.enabled
  https://bugzilla.mozilla.org/show_bug.cgi?id=1398169
  https://www.fxsitecompat.com/en-CA/docs/2018/navigator-registercontenthandler-has-been-removed/
  https://developer.mozilla.org/en-US/Firefox/Experimental_features#DOM
  we can disable that too IMO. Also already disabled in Nightly 61
• security.mixed_content.upgrade_display_content - not even enabled in Nightly. We should wait IMO
• security.pki.distrust_ca_policy - if they land it as 1, which they most likely will, we don't need to enforce it.
• dom.ipc.useNativeEventProcessing.content - fixes some kind of bugs. No idea what the pros and cons of flipping this back would be. Best not to mess with it
• dom.moduleScripts.enabled - ignore. some links are here: https://bugzilla.mozilla.org/show_bug.cgi?id=1438139#c5
• security.webauth.webauthn - probably best to ignore this, nobody is forced to use it.
  https://www.w3.org/TR/webauthn/
  https://developer.mozilla.org/en-US/docs/Web/API/Web_Authentication_API
  https://hacks.mozilla.org/2018/01/using-hardware-token-based-2fa-with-the-webauthn-api/

[earthlng]

updated the 1st post.

• pref("app.shield.optoutstudies.enabled", true); was added to the default pref files in FF60 but apparently existed before that as a pref set by a system addon. I kept it under NEW regardless.
• following are the prefs set by system addons or not included in the default prefs files and therefore missing in the diffs. some of them are NEW in FF60 and are now included in the updated 1st post.

click me

pref("browser.newtabpage.activity-stream.collapseTopSites", false);
pref("browser.newtabpage.activity-stream.default.sites", "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/");
pref("browser.newtabpage.activity-stream.disableSnippets", false);
pref("browser.newtabpage.activity-stream.enableWideLayout", true);
pref("browser.newtabpage.activity-stream.feeds.favicon", true);
pref("browser.newtabpage.activity-stream.feeds.migration", true);
pref("browser.newtabpage.activity-stream.feeds.newtabinit", true);
pref("browser.newtabpage.activity-stream.feeds.places", true);
pref("browser.newtabpage.activity-stream.feeds.prefs", true);
pref("browser.newtabpage.activity-stream.feeds.section.highlights", true);
pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_description\":\"pocket_description\",\"provider_icon\":\"pocket\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off\",\"stories_referrer\":\"https://getpocket.com/recommendations\",\"privacy_notice_link\":\"https://www.mozilla.org/privacy/firefox/#suggest-relevant-content\",\"disclaimer_link\":\"https://getpocket.com/firefox/new_tab_learn_more\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false,\"personalized\":true}");
pref("browser.newtabpage.activity-stream.feeds.sections", true);
pref("browser.newtabpage.activity-stream.feeds.snippets", true);
pref("browser.newtabpage.activity-stream.feeds.systemtick", true);
pref("browser.newtabpage.activity-stream.feeds.telemetry", true);
pref("browser.newtabpage.activity-stream.feeds.topsites", true);
pref("browser.newtabpage.activity-stream.filterAdult", true);
pref("browser.newtabpage.activity-stream.migrationExpired", false);
pref("browser.newtabpage.activity-stream.migrationLastShownDate", 0);
pref("browser.newtabpage.activity-stream.migrationRemainingDays", 4);
pref("browser.newtabpage.activity-stream.section.highlights.collapsed", false);
pref("browser.newtabpage.activity-stream.section.highlights.includePocket", true);
pref("browser.newtabpage.activity-stream.section.topstories.collapsed", false);
pref("browser.newtabpage.activity-stream.section.topstories.showDisclaimer", true);
pref("browser.newtabpage.activity-stream.sectionOrder", "topsites,topstories,highlights");
pref("browser.newtabpage.activity-stream.showSearch", true);
pref("browser.newtabpage.activity-stream.showSponsored", true);
pref("browser.newtabpage.activity-stream.showTopSites", true);
pref("browser.newtabpage.activity-stream.telemetry", true);
pref("browser.newtabpage.activity-stream.telemetry.ping.endpoint", "https://tiles.services.mozilla.com/v4/links/activity-stream");
pref("browser.newtabpage.activity-stream.telemetry.ut.events", false);
pref("browser.newtabpage.activity-stream.tippyTop.service.endpoint", "https://activity-stream-icons.services.mozilla.com/v1/icons.json.br");
pref("browser.newtabpage.activity-stream.topSitesRows", 1);
pref("extensions.pocket.api", "api.getpocket.com");
pref("extensions.pocket.oAuthConsumerKey", "40249-e88c401e1b1f2242d9e441c4");
pref("extensions.pocket.site", "getpocket.com");
pref("extensions.webcompat.perform_ua_overrides", true);
pref("pdfjs.cursorToolOnLoad", 0);
pref("pdfjs.defaultZoomValue", "");
pref("pdfjs.disableAutoFetch", false);
pref("pdfjs.disableFontFace", false);
pref("pdfjs.disablePageLabels", false);
pref("pdfjs.disablePageMode", false);
pref("pdfjs.disableRange", false);
pref("pdfjs.disableStream", false);
pref("pdfjs.enablePrintAutoRotate", false);
pref("pdfjs.enableWebGL", false);
pref("pdfjs.externalLinkTarget", 0);
pref("pdfjs.pdfBugEnabled", false);
pref("pdfjs.renderer", "canvas");
pref("pdfjs.renderInteractiveForms", false);
pref("pdfjs.showPreviousViewOnLoad", true);
pref("pdfjs.sidebarViewOnLoad", 0);
pref("pdfjs.textLayerMode", 1);
pref("pdfjs.useOnlyCssZoom", false);

[earthlng]

pdfjs is ... secure/vetted as any pdf reader out there
Exploits are rare

really? https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5158

[Atavic]

Anything related to pdf and office files isn't secure. They are widely used, sent by mail and exploited.

[earthlng]

wanna finish this?

what to do with the parrot? change the header of the first pref? what's the relevance of link 2?

[earthlng]

If you want we can remove the two existing links

👍

IDK if we need the 3rd link either. Better to just explain what it means for users. maybe something like

In FF60+, not all syntax errors cause parsing to abort ie reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.

[earthlng]

I do not know if they flip these for ESR at the same time

probably not. Maybe if someone asks them to. The prefs are already there and it would be a simple change.

or ... ignore them and let FF take their course

👍

re: moz-document - FF61 will also have an exception to avoid most breakage. It's unlikely that this will be backported to ESR. "ignore it since it will be covered by default in 61+" 👍

Suggest we delete them all and just create two up to ESR60 - deprecated and removed

and maybe one for RFP-ALTS?

[earthlng]

cleanup scripts: I kinda liked the [changes-only] because users can reset everything with a single script. Otherwise they need to run 3 or 4 and commented-out won't be covered.

[earthlng]

I need a list of removed items since last release

everything we removed since last release only enforced the default values and doesn't need to be reset because they weren't stored in prefs.js anyway.

[earthlng]

you have all of them in the list above