user.js
ToDo: diffs FF102-FF103
FF103 is scheduled for release July 26th
FF103 release notes FF103 for developers FF103 security advisories
68 diffs ( 34 new, 19 gone, 15 different )
new in v103.0:
- FYI: pref("browser.display.os-zoom-behavior", 1); this ticket 1782287 explains it
pref("browser.download.open_pdf_attachments_inline", false);
pref("pdfjs.annotationEditorEnabled", false);
removed, renamed or hidden in v103.0:
- [x]
6012 pref("security.pki.sha1_enforcement_level", 1); 1766687 - https://github.com/arkenfox/user.js/pull/1508/commits/0e2d566cc3bc139965842833d9de22fafae567cb
changed in v103.0:
7016 pref("network.cookie.cookieBehavior", 5); // prev: 4
ignore
click me for details
==NEW
pref("browser.aboutwelcome.templateMR", false);
pref("browser.newtabpage.activity-stream.discoverystream.recentSaves.enabled", false);
pref("devtools.browserconsole.enableNetworkMonitoring", false);
pref("devtools.browsertoolbox.scope", "everything");
pref("dom.events.asyncClipboard.readText", false);
pref("dom.fullscreen.modal", false);
pref("dom.text-recognition.enabled", false);
pref("fission.enforceBlocklistedPrefsInSubprocesses.tmp", false);
pref("fission.omitBlocklistedPrefsInSubprocesses.tmp", false);
pref("gfx.direct3d11.reuse-decoder-device-force-enabled", false);
pref("image.decode-sync.enabled", false);
pref("javascript.options.experimental.array_find_last", false);
pref("layout.css.has-selector.enabled", false);
pref("layout.css.linear-easing-function.enabled", false);
pref("layout.expose_high_rate_mode_from_refreshdriver", true);
pref("media.av1.force-thread-count", 0);
pref("media.av1.new-thread-count-strategy", false);
pref("media.videocontrols.picture-in-picture.display-text-tracks.toggle.enabled", true);
pref("network.allow_raw_sockets_in_content_processes", false);
pref("network.http.origin.redirectTainted", true);
pref("network.trr.retry_on_recoverable_errors", true);
pref("privacy.restrict3rdpartystorage.preferences.learnMoreURLSuffix", "total-cookie-protection");
pref("remote.experimental.enabled", false);
pref("security.tls.ech.disable_grease_on_fallback", true);
pref("security.tls.ech.grease_probability", 50);
pref("security.tls.ech.grease_size", 100);
pref("security.webauthn.ctap2", false);
pref("widget.windows.alternate_fullscreen_heuristics", true);
pref("widget.windows.fullscreen_marking_workaround", 0);
pref("widget.windows.uwp-system-colors.enabled", true);
pref("widget.windows.uwp-system-colors.highlight-accent", false);
==REMOVED, RENAMED or HIDDEN
pref("browser.newtabpage.activity-stream.discoverystream.compactLayout.enabled", false);
pref("browser.preferences.instantApply", false);
pref("devtools.devices.url", "https://code.cdn.mozilla.net/devices/devices.json");
pref("devtools.netmonitor.features.serverSentEvents", true);
pref("devtools.netmonitor.features.webSockets", true);
pref("devtools.remote.tls-handshake-timeout", 10000);
pref("dom.ipc.shims.enabledWarnings", false);
pref("dom.menuitem.enabled", false);
pref("fission.frontend.simulate-events", false);
pref("fission.frontend.simulate-messages", false);
pref("plugins.flashBlock.enabled", true);
pref("reader.improvements_H12022.enabled", false);
pref("urlclassifier.flashAllowExceptTable", "except-flashallow-digest256");
pref("urlclassifier.flashAllowTable", "allow-flashallow-digest256");
pref("urlclassifier.flashExceptTable", "except-flash-digest256");
pref("urlclassifier.flashSubDocExceptTable", "except-flashsubdoc-digest256");
pref("urlclassifier.flashSubDocTable", "block-flashsubdoc-digest256");
pref("urlclassifier.flashTable", "block-flash-digest256");
==CHANGED
pref("browser.contentblocking.features.strict", "tp,tpPrivate,cm,fp,stp,lvl2,rp,rpTop,ocsp,qps"); // prev: "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,rp,rpTop,ocsp,qps"
pref("browser.safebrowsing.provider.mozilla.lists", "base-track-digest256,mozstd-trackwhite-digest256,google-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"); // prev: "base-track-digest256,mozstd-trackwhite-digest256,google-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"
pref("dom.block_reload_from_resize_event_handler", false); // prev: true
pref("dom.fileHandle.enabled", false); // prev: true
pref("dom.streams.transferable.enabled", true); // prev: false
pref("extensions.InstallTriggerImpl.enabled", false); // prev: true
pref("gfx.direct3d11.reuse-decoder-device", true); // prev: -1
pref("layout.css.backdrop-filter.enabled", true); // prev: false
pref("layout.display_partial_background_images", true); // prev: false
pref("mathml.scriptminsize_attribute.disabled", true); // prev: false
pref("mathml.scriptsizemultiplier_attribute.disabled", true); // prev: false
pref("media.autoplay.block-webaudio", true); // prev: false
pref("services.sync.engine.tabs.filteredSchemes", "about|resource|chrome|file|blob|moz-extension|data"); // prev: "about|resource|chrome|file|blob|moz-extension"
pref("urlclassifier.disallow_completions", "goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,goog-passwordwhite-proto,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"); // prev: "goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,goog-passwordwhite-proto,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"
some bugzilla tickets
-
browser.aboutwelcome.templateMR Bug 1774063 - Added a 'browser.aboutwelcome.templateMR' pref to support MR 2022 onboarding
-
browser.contentblocking.features.strict Bug 1776760 - Enable dFPI by default for Beta and Release via cookieBehavior pref. Bug 1763660 - Add query parameter stripping pref to ETP strict. Bug 1734328 - Part 4: Add disallow relaxing referrer policies for top navigation to the ETP strict list. Bug 1664995 - Part 4: Enable OCSP partiitoning in strict mode.
-
browser.display.os-zoom-behavior Bug 1773633 - Allow configuring OS zoom behavior.
-
browser.download.open_pdf_attachments_inline Bug 1772569, add a preference so that pdf files sent as attachments can be opened either inline or download, and default to downloaded,
-
browser.newtabpage.activity-stream.discoverystream.compactLayout.enabled Bug 1774813 - Pocket newtab removing old layout that's not needed. Bug 1717682 - Pref and implementation for compact 4 card row layout for Pocket newtab.
-
browser.newtabpage.activity-stream.discoverystream.recentSaves.enabled Bug 1774473 - Pocket newtab recent saves section.
-
browser.preferences.instantApply Bug 1325637 - Remove browser.preferences.instantApply pref.
-
devtools.browserconsole.enableNetworkMonitoring Bug 1764348 - Enable browser console / browser toolbox console users turn on network monitoring manually
-
devtools.browsertoolbox.scope Bug 1770363 - [devtools] Implement on-demand multiprocess debugging in TargetCommand API.
-
devtools.devices.url Bug 1770899 - [devtools] Use RemoteSettings devtools-devices collection.
-
devtools.netmonitor.features.serverSentEvents Bug 1771277 - [devtools] Remove the websocket and server sent events prefs
-
devtools.netmonitor.features.webSockets Bug 1771277 - [devtools] Remove the websocket and server sent events prefs
-
devtools.remote.tls-handshake-timeout Bug 1770869 - remove unused client certificate authentication for remote devtools
-
dom.block_reload_from_resize_event_handler Bug 1772850 - Let dom.block_reload_from_resize_event_handler=false ride the trains.
-
dom.events.asyncClipboard.readText Bug 1744524: part 5) Add pref for enabling `clipboard.readText()` gated by a "Paste" button.
-
dom.fileHandle.enabled Bug 1764771 - Disable IDBMutableHandle support by default
-
dom.fullscreen.modal Bug 1771151 - Make modal dialog code more generic, and make it apply to fullscreen too behind a pref.
-
dom.ipc.shims.enabledWarnings Bug 1773044 - Remove the `dom.ipc.shims.enabledWarnings` pref.
-
dom.menuitem.enabled Bug 1372276 - Remove HTML menuitem.
-
dom.streams.transferable.enabled Bug 1770627 - Ship transferable streams Bug 1659025 - Add `dom.streams.transferable.enabled`
-
dom.text-recognition.enabled Bug 1759504 - Put the text recognition UI behind an experimental feature
-
extensions.InstallTriggerImpl.enabled Bug 1772901 - Disable InstallTrigger methods.
-
fission.enforceBlocklistedPrefsInSubprocesses.tmp Bug 1772599 - Use a temporary pref for a few weeks while we vette the behavior
-
fission.frontend.simulate-events Bug 1771630 - Remove unused fission.frontend.* prefs.
-
fission.frontend.simulate-messages Bug 1771630 - Remove unused fission.frontend.* prefs.
-
fission.omitBlocklistedPrefsInSubprocesses.tmp Bug 1772599 - Use a temporary pref for a few weeks while we vette the behavior
-
gfx.direct3d11.reuse-decoder-device Bug 1776800 - Let zero copy hardware decoded video to release on intel GPU on Windows Bug 1774018 - Enable reuse-decoder-device on Nightly on Nightly / Early Beta
-
gfx.direct3d11.reuse-decoder-device-force-enabled Bug 1776800 - Let zero copy hardware decoded video to release on intel GPU on Windows
-
image.decode-sync.enabled Bug 1774849 - Always use sync decoding during reftests.
-
javascript.options.experimental.array_find_last Bug 1704385: Add pref for Array.findLast
-
layout.css.backdrop-filter.enabled Bug 1578503 - Enable backdrop-filter by default
-
layout.css.has-selector.enabled Bug 1771896 - Add simple parsing and matching support for :has
-
layout.css.linear-easing-function.enabled Bug 1764126 - Part 4: Add parsing for linear easing function and gate it behind pref.
-
layout.display_partial_background_images Bug 1775237. Let progressive background images ride the trains. Bug 1773023. Restrict progressive background images to nightly again for now. Bug 1770920. Let progressive background images ride the trains. Bug 1231622. Allow drawing CSS images that don't have a complete frame.
-
layout.expose_high_rate_mode_from_refreshdriver Bug 1771718, nsRefreshDriver::IsInHighRateMode(),
-
mathml.scriptminsize_attribute.disabled Bug 1772697 - Disable various legacy MathML features on all channels.
-
mathml.scriptsizemultiplier_attribute.disabled Bug 1772697 - Disable various legacy MathML features on all channels.
-
media.autoplay.block-webaudio Bug 1773577 - enable the pref 'media.autoplay.block-webaudio'.
-
media.av1.force-thread-count Bug 1773768 - force set thread count for dav1d decoder.
-
media.av1.new-thread-count-strategy Bug 1771986 - introduce new thread count strategy for dav1decoder.
-
media.videocontrols.picture-in-picture.display-text-tracks.toggle.enabled Bug 1764120 - Subtitle font size settings in PiP window.
-
network.allow_raw_sockets_in_content_processes Bug 1770485 - Make content process socket threads use a regular event loop, with a pref
-
network.cookie.cookieBehavior Bug 1776760 - Enable dFPI by default for Beta and Release via cookieBehavior pref.
-
network.http.origin.redirectTainted Bug 1605305 - Consistently provide an Origin header for normal requests.
-
network.trr.retry_on_recoverable_errors Bug 1772111 - Allow to retry TRR for recoverable errors,
-
plugins.flashBlock.enabled Bug 1773043 - Remove flashblock from SafeBrowsing
-
privacy.restrict3rdpartystorage.preferences.learnMoreURLSuffix Bug 1774739 - Update ETP preferences section for TCP in standard mode.
-
reader.improvements_H12022.enabled Bug 1767846 - Remove MSU Reader Mode improvements pref. Bug 1753117: Add pref for UI changes to Reader Mode.
-
remote.experimental.enabled Bug 1777951 - Enable partially implemented WebDriver BIDi features on Nightly channel only.
-
security.pki.sha1_enforcement_level Bug 1766687 - remove support for SHA1 signatures in all certificates (including imported roots) Bug 1767099 - convert some security PKI preferences to static prefs Bug 1767489 - disable sha-1 signatures in certificates by default
-
security.tls.ech.disable_grease_on_fallback Bug 1770907 - Disable ECH GREASE when retrying connections.
-
security.tls.ech.grease_probability Bug 1774001 - Bump Nightly to 50% ECH GREASE probability. Bug 1770627 - Ship transferable streams Bug 1774001: Enable ECH GREASE on Nightly Bug 1767974 - Add preferences for ECH GREASE Mode.
-
security.tls.ech.grease_size Bug 1767974 - Add preferences for ECH GREASE Mode.
-
security.webauthn.ctap2 Bug 1757589 - Add pref to switch between 'old' and 'new' authenticator code
-
services.sync.engine.tabs.filteredSchemes Bug 1773154 - Reduce number of scheduled sync calls in sync-after-tab-change Bug 1754899: Call sync after location change
-
widget.windows.alternate_fullscreen_heuristics Bug 1732517 - [3/5] Decouple Firefox/Windows fullscreen state
-
widget.windows.fullscreen_marking_workaround Bug 1732517 - [4/5] Fix fullscreen marking on Windows 7
-
widget.windows.uwp-system-colors.enabled Bug 1775310 - Add some accent-color-based dark mode system colors on Windows.
-
widget.windows.uwp-system-colors.highlight-accent Bug 1776556 - Restore Windows' accent-color / system-color behavior for now.
The only thing that looks interesting to me besides security.pki.sha1_enforcement_level removal and network.cookie.cookieBehavior=5 as default is browser.download.open_pdf_attachments_inline.
FYI for Nightly users: `pdfjs.annotationEditorEnabled` doesn't exist there, see `pdfjs.annotationEditorMode` instead.
@Thorin-Oakenpants anything left to look at for https://github.com/arkenfox/user.js/pull/1508? do you want to add the pdf prefs as enforced defaults?
I just haven't gotten around to finishing off checking what those prefs do exactly, but my first instinct is we don't need to do anything with them
I don't just move prefs to ignore willy nilly, I actually look up and deep dive a lot of them - I only move some without checking if it's obvious - like threadcounts
I decided to take an extended break .. what's the hurry? Am happy not reading any bugzilla/moz stuff for a while
no hurry, I was actually offering myself to do the deep dive if there is still something you want to know; I already read the pdf stuff for example.
so I haven't looked at the last two, and I do not see any issues at face value based on my instincts
- pretty sure the pdf, even if inline, is isolated
- who cares if you annotate a pdf
- IDK if it works with `pdfjs.enableScripting` = false, but with that false there is no way, AFAIK, for a pdf to exfil anything (even if it could read annotations)
over to you guys to do some work .. I'm off for some 🐟 and 🍟
from my understanding of the bugzilla browser.download.open_pdf_attachments_inline is staying to false as the idea is to NOT open PDFs inline, but instead to do what chrome does: download them to disk and then open them as files in a new tab, using the file:// scheme.
key comments:
- https://bugzilla.mozilla.org/show_bug.cgi?id=1772569#c6
- https://bugzilla.mozilla.org/show_bug.cgi?id=1772569#c19
the pref was introduced to give a choice, so it's behavioral and there isn't a change in how the native reader works. PDFs like https://www.apple.com/privacy/docs/Building_a_Trusted_Ecosystem_for_Millions_of_Apps_A_Threat_Analysis_of_Sideloading.pdf will for example still open in the built in reader without a download occurring; one would think that if it was safe before this release, it still is. if by isolation you mean the storage, then according to `about:cache?storage=memory`, after opening that pdf the relevant entries are partitioned with a key for the apple domain.
`browser.download.open_pdf_attachments_inline` should stay `false` by default and arkenfox does not need to touch it. `pdfjs.annotationEditorEnabled` is disabled for now and got renamed anyway so IMO we can ignore it for 103.
for me a pdf opened in a browser tab is not file:// .. https://www.w3.org/WAI/ER/tests/xhtml/testfiles/resources/pdf/dummy.pdf .. and has no PartitionKey (IDK what happens if inline). I read something recently about all this with the change to downloads, the revert to tmp pref, issues with extension (i.e .exe etc) saving.

I wasn't thinking of partitioning (and inline on the first party is not covered by partitioning on that first party) - what I meant by isolated was permissions - pdfjs has limited js ability (which we disable anyway) - I think it might be better explained in the moz hacks/blog/planet when they added pdf js. AFAIConcerned, an inline pdf is just a dumb element in the page
What does "opening PDFs inline" mean? That instead of downloading them, they are opened in a new tab using that URL?
Yes, if it has a `Content-Disposition: attachment` header, it is opened in a (new?) tab instead of being downloaded.