user.js
ghacks user.js monster diff
Based on @Roman-Nopantski's diff: https://gist.github.com/pyllyukko/f5184fbb51b5e340f5637adee582c4d9
STARTUP
- [x] 0101: disable "slow startup" options
- WONTFIX: Doesn't seem that relevant
- [x] 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
- Commented out in the ghacks version
- Some aspects considered in #218
GEOLOCATION
- [x] 0201: disable location-aware browsing
- [x] 0202: disable GeoIP-based search results
- 00b102e9a2f6e6c615da8a96c67c47d0af7b9a59
- [ ] 0203: disable using OS locale, force APP locale
- [x] 0204: set APP locale
- [x] 0206: disable geographically specific results/search engines eg: "browser.search.*.US"
- [x] 0207: set language to match
- d80e67469d0219b46836f737441006512febcf0e
- [x] 0208: enforce US English locale regardless of the system locale
QUIET FOX [PART 1]
- [x] 0301: disable browser auto update
- WONTFIX: Updates are good for you :)
- [x] 0305: disable add-ons auto update
- WONTFIX: Updates are good for you :)
- [x] 0307: disable auto updating of personas (themes)
- [x] 0309: disable sending Flash crash reports
- [x] 0310: disable sending the URL of the website where a plugin crashed
- Need more info on dom.ipc.plugins.reportCrashURL
- [x] 0320: disable extension discovery (featured extensions)
- WONTFIX
- [x] 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
- WONTFIX: Telemetry is already disabled
- [x] 0331: remove url of server telemetry pings are sent to
- WONTFIX: Telemetry is already disabled
- [x] 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
- f781e7d27aa77d5fe2bf27a81cf966ad029280b7
- [x] 0333a: disable health report
- 30a7b5df17ed524af4df0c49f90cd180bafa288f
- [x] 0333b: disable about:healthreport page (which connects to Mozilla for locale/css+js+json)
- WONTFIX
- [x] 0335: remove a telemetry clientID
- WONTFIX: Telemetry is already disabled
- [x] 0336: disable "Heartbeat" (Mozilla user rating telemetry)
- Disabled according to Mozilla's instructions
- [x] 0340: disable experiments
- [x] 0341: disable Mozilla permission to silently opt you into tests
- [x] 0350: disable crash reports
- [x] 0351: disable sending of crash reports (FF44+)
- [x] 0360: disable new tab tile ads & preload & marketing junk
- WONTFIX: Tiles are already disabled
- [x] 0373: pocket
- Handled by "master switches" browser.pocket.enabled & extensions.pocket.enabled - #143
- [x] 0374: disable "social" integration
- #202
- [x] 0375: disable "Reader View"
- No reason to disable AFAIK
- [x] 0376: disable FlyWeb, a set of APIs for advertising and discovering local-area web servers
- [x] 0380: disable sync
QUIET FOX [PART 2]
- [x] 0401: .....sanitize blocklist url
- [ ] 0402: disable/enable various Kinto blocklist updates (FF50+)
- [x] 0410: disable safe browsing
- Safe browsing stays enabled
- fd6cf46447dcd4b8e44246c525d715b7ea9d8126
- [ ] 0410a: disable "Block dangerous and deceptive content" This setting is under Options>Security
- [x] 0410b: disable "Block dangerous downloads" This setting is under Options>Security
- c9b747d74587ac5ee9406b0e62af475eae3ce6f3
- [x] 0410c: disable Google safebrowsing downloads, updates
- WONTFIX: Safe browsing stays enabled
- [x] 0410d: disable mozilla safebrowsing downloads, updates
- WONTFIX: Safe browsing stays enabled
- [x] 0410e: disable binaries NOT in local lists being checked by Google (real-time checking)
- WONTFIX: browser.safebrowsing.downloads.remote.enabled is already disabled
- [ ] 0410f: disable reporting URLs
- [x] 0410g: show=true or hide=false the 'ignore this warning' on Safe Browsing warnings which
- Commented out in the ghacks version
- [x] 0421: enable more Tracking Protection choices under Options>Privacy>Use Tracking Protection
- https://wiki.mozilla.org/Security/Tracking_protection#Prefs: "show a checkbox to toggle privacy.trackingprotection.enabled in the Preferences (Nightly only)" -> already visible
- [x] 0430: disable SSL Error Reporting - PRIVACY
- #67 & 263f5b26cc106d1d8bdd2f57512a675a53f8b1a3
- [x] 0440: disable Mozilla's blocklist for known Flash tracking/fingerprinting (48+)
- WONTFIX
BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]
- [ ] 0603a: disable more Necko/Captive Portal
- [ ] 0607: stop links launching Windows Store on Windows 8/8.1/10
- [x] 0608: disable predictor / prefetching (FF48+)
- WONTFIX: Should be handled by the network.predictor.enabled master switch
LOCATION BAR / SEARCH / AUTO SUGGESTIONS / HISTORY / FORMS etc
- [x] 0808: disable history suggestions - PRIVACY (shoulder surfers, forensics/unattended browser)
- Should be covered by browser.urlbar.maxRichResults
- [x] 0809: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY
- WONTFIX
- [x] 0813: disable saving form data on secure websites - PRIVACY (shoulder surfers etc)
- Commented out in the ghacks version
- [x] 0815: disable live search suggestions in the urlbar and toggle off the Opt-In prompt (FF41+)
- Shouldn't have any effect because of browser.urlbar.suggest.searches
- [x] 0817: disable Jumplist (Windows7+)
- WONTFIX
- [x] 0818: disable taskbar preview
- WONTFIX
- [x] 0819: disable one-off searches from the addressbar (FF51+)
- [x] 0820: disable search reset (about:searchreset) (FF51+)
- WONTFIX
PASSWORDS
- [x] 0904: how often in minutes Mozilla should ask for the master password (see pref above)
- #215
- [x] 0906: ignore websites' autocomplete="off" (FF30+)
- 5e2e5770c92d68fba9c59c0f15fd5624dca012c0 -> opposite :)
- [x] 0907: force warnings for logins on non-secure (non HTTPS) pages
- 66f5ea1b3112e295faafc982583a6cf9481373c5
- [ ] 0908: When attempting to fix an entered URL, do not fix an entered password along with it
- [ ] 0909: disabling for now (FF51+)
CACHE
- [x] 1001: disable disk cache
- #214
- [x] 1006: disable pages being stored in memory. This is not the same as memory cache.
- [ ] 1007: disable the Session Restore service completely
- [ ] 1008: IF you use session restore (see 1007 above), increasing the minimal interval between
- [ ] 1009: DNS cache and expiration time (default 400 and 60 - same as TBB)
- [ ] 1010: disable randomized FF HTTP cache decay experiments
- [ ] 1011: disable permissions manager from writing to disk (requires restart)
- [ ] 1012: disable resuming session from crash
SSL / OCSP / CERTS / ENCRYPTION / HSTS/HPKP/HTTPS
- [ ] 1215: disable Microsoft Family Safety cert (Windows 8.1)
- [ ] 1218: disable HSTS Priming (FF51+)
- [x] 1220: disable intermediate certificate caching (fingerprinting attack vector)
- Commented out in the ghacks version
- WONTFIX: This is the single most important feature to keep the internets working, because people don't know how to configure their servers with proper certificate chains :(
- #219
FONTS
- [ ] 1402: allow icon fonts (glyphs) (FF41+)
- [ ] 1404: use more legible default fonts
- [ ] 1405: disable woff2
- [ ] 1406: disable CSS Font Loading API
- [ ] 1407: remove special underline handling for a few fonts which you will probably never use.
- [ ] 1408: disable graphite which FF49 turned back on by default
HEADERS / REFERERS
- [x] 1601: disable referer from an SSL Website
- [x] 1602: DNT HTTP header - essentially USELESS - default is off. I recommend off.
- Commented out in the ghacks version
- [x] 1605: referer, HOW to handle cross origins
- Commented out in the ghacks version
- [x] 1606: referer, WHAT to send (limit the information)
- Commented out in the ghacks version
PLUGINS
- [ ] 1801: set default plugin state (i.e new plugins on discovery) to never activate
- [x] 1802: enable click to play and set to 0 minutes
- WONTFIX: We'll stick with the default of 60m
- [x] 1805: disable scanning for plugins
- #79
- [ ] 1806: Acrobat, Quicktime, WMP are handled separately from 1805 above.
- [ ] 1807: disable auto-play of HTML5 media
- [ ] 1808: disable audio auto-play in non-active tabs (FF51+)
- [ ] 1820: disable all GMP (Gecko Media Plugins)
- [ ] 1825: disable widevine CDM
- [ ] 1830: disable all DRM content (EME: Encryption Media Extension)
- [ ] 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
- [ ] 1850: disable the Adobe EME "Primetime CDM" (Content Decryption Module)
MEDIA / CAMERA / MIKE
- [x] 2001: disable WebRTC
- WONTFIX: Disabled via media.peerconnection.enabled master switch
- [x] 2010: disable WebGL, force bare minimum feature set if used & disable WebGL extensions
- b530c2f4ee06988fdecd9ac62ffcf9d9c68b2a87
- [ ] 2012: two more webgl preferences (FF51+)
- [x] 2021: disable speech recognition
- #216
- [x] 2022: disable screensharing
- Screensharing disabled via media.getusermedia.screensharing.enabled master switch - bdd9b158b5df5bcc66391673a5ae10cdbc834217
- [ ] 2024: enable/disable MSE (Media Source Extensions)
- [ ] 2025: enable/disable various media types - end user personal choice
- [ ] 2026: disable canvas capture stream
- [ ] 2027: disable camera image capture
- [ ] 2028: disable offscreen canvas
UI MEDDLING
- [ ] 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows
- [ ] 2203: POPUP windows - prevent or allow javascript UI meddling
- [ ] 2204: disable links opening in a new window
SERVICE WORKERS
- [x] 2301: disable workers API and service workers API
- c65632f066223516d26ea67aecfa7a9fb04a3238
- [ ] 2302: disable service workers cache and cache storage
- [x] 2303: disable push notifications (FF44+) [requires serviceWorkers to be enabled]
- #111
- #154
- [x] 2304: disable web/push notifications
- #111
DOM & JAVASCRIPT
- [ ] 2403: disable clipboard commands (cut/copy) from "non-priviledged" content
- [x] 2410: disable User Timing API
- f37fcebc2cb62cc9d34f867a7ed4286b9211e4c2
- [x] 2411: disable resource/navigation timing
- [ ] 2414: disable shaking the screen
- [ ] 2415: max popups from a single non-click event - default is 20!
- [ ] 2415b: limit events that can cause a popup
- [ ] 2416: disable idle observation
- [x] 2418: disable full-screen API
- WONTFIX
- [ ] 2421: in addition to 2420, these settings will help harden JS against exploits such as CVE-2015-0817
- [x] 2425: disable ArchiveAPI i.e reading content of archives, such as zip files, directly
- e629cdab9203c839840c44ce82bd913b2cf1198d
- [ ] 2450: force FF to tell you if a website asks to store data for offline use
HARDWARE FINGERPRINTING
- [x] 2504: disable virtual reality devices
- WONTFIX: Should be handled by the dom.vr.enabled master switch
- [x] 2507: disable keyboard fingerprinting (FF38+) (physical keyboards)
- #159
- [ ] 2509: disable touch events
- [ ] 2511: disable MediaDevices change detection (FF51+) (enabled by default starting FF52+)
MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY
- [ ] 2605: don't integrate activity into windows recent documents
- [ ] 2606: disable hiding mime types (Options>Applications) not associated with a plugin
- [ ] 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
- [ ] 2614: disable SPDY as it can contain identifiers
- [ ] 2615: disable http2 for now as well
- [x] 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
- WONTFIX: Don't think we need to change this
- [ ] 2620: disable middle mouse click opening links from clipboard
- [x] 2621: disable IPv6 (included for knowledge ONLY - not recommended)
- [x] 2622: ensure you have a security delay when installing add-ons (milliseconds)
- e6592f9b8c304eead1595b978f7663fcfa373532
- [x] 2626: strip optional user agent token, default is false, included for completeness
- Doesn't seem to do anything
- [ ] 2627: Spoof default UA & relevant (navigator) parts (also see 0204 for UA language)
- 35b9892933b1a02f1da62224c1fe4ce6e5afced8
- [ ] 2628: disable UITour backend so there is no chance that a remote page can use it
- [ ] 2629: disable remote JAR files being opened, regardless of content type
- [x] 2650: start the browser in e10s mode (48+)
- Commented out in the ghacks version
- #172
- [x] 2651: control e10s number of container processes
- Commented out in the ghacks version
- #172
- [ ] 2652: enable console shim warnings for extensions that don't have the flag
- [ ] 2660: enforce separate content process for file://URLs (FF53+?)
- [ ] 2662: disable "open with" in download dialog (FF50+)
- [ ] 2663: disable MathML (FF51+)
- [ ] 2664: disable DeviceStorage API
- [ ] 2665: sanitize webchannel whitelist
- [ ] 2666: disable HTTP Alternative Services
- [ ] 2668: lock down allowed extension directories
- [ ] 2669: strip paths when sending URLs to PAC scripts (FF51+)
- [ ] 2670: close bypassing of CSP via image mime types (FF51+)
- [x] 2671: disable SVG (FF53+)
- WONTFIX
FIRST PARTY ISOLATION (FPI)
These are commented out in the ghacks version
- [x] 2698a: enable first party isolation pref and OriginAttribute (FF51+)
- [x] 2698b: this also isolates OCSP requests by first party domain
COOKIES & DOM STORAGE
- [ ] 2704: set cookie lifetime in days (see above pref) - default is 90 days
- [ ] 2706: disable Storage API (FF51+) which gives sites' code the ability to find out how much space
- [ ] 2707: clear localStorage and UUID when a WebExtension is uninstalled
SHUTDOWN
- [ ] 2803a: include all open windows/tabs when you shutdown
- [ ] 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del
- [ ] 2804a: include all open windows/tabs when you run clear recent history
- [ ] 2805: reset default 'Time range to clear' for 'clear recent history' (see 2804 above)
PERSONAL SETTINGS
26.2.2017: Disabled the rest of these as these are just personal preferences and have no security/privacy impact
- [x] 3001: disable annoying warnings
- [x] 3001a: disable warning when a domain requests full screen
- [x] 3002: disable closing browser with last tab
- [x] 3004: disable backspace (0 = previous page, 1 = scroll up, 2 = do nothing)
- WONTFIX
- [x] 3007: open new windows in a new tab instead
- [x] 3008: disable "Do you really want to leave this site?" popups
- fca08276034cb4209036c74db8a85e1037075b9f
- [x] 3009: turn on APZ (Async Pan/Zoom) - requires e10s
- [x] 3010: enable ctrl-tab previews
- [x] 3011: don't open "page/selection source" in a tab. The window used instead is cleaner
- [x] 3012: spellchecking: 0=none, 1-multi-line controls, 2=multi-line & single-line controls
- WONTFIX: User can enable/disable this from preferences if needed.
- [x] 3015: disable tab animation, speed things up a little
- WONTFIX as cosmetic effect only
- [x] 3016: disable fullscreen animation. Test using F11.
- WONTFIX as cosmetic effect only
- [x] 3017: submenu in milliseconds. 0=instant while a small number allows
- [x] 3018: maximum number of daily bookmark backups to keep (default is 15)
- [x] 3020: FYI: urlbar click behaviour (with defaults)
- [x] 3021: FYI: tab behaviours (with defaults)
- [x] 3022: hide recently bookmarked items (you still have the original bookmarks) (FF49+)
- [x] 3023: disable automigrate, current default is false but may change (FF49+)
Deprecated
Not checking...
- [x] 2607: (23+) disable page thumbnails, it was around v23, not 100% sure when
- [x] 2408: (31+) disable network API - fingerprinting vector
- [x] 2620: (35+) disable WebSockets
- [x] 2023: (37+) disable camera autofocus callback (was in 36, not in 37)
- [x] 1804: (41+) disable plugin enumeration
- [x] 0420: (42+) disable tracking protection
- [x] 2803: (42+) what to clear on shutdown
- [x] 0411: (43+) disable safebrowsing urls & download
- [x] 0420: (43+) disable tracking protection. FF43+ URLs are now part of safebrowsing
- [x] 1803: (43+) remove plugin finder service
- [x] 2403: (43+) disable scripts changing images - test link below
- [x] 2615: (43+) disable http2 for now as well
- [x] 3001a: (43+) disable warning when a domain requests full screen
- [x] 3003: (43+) disable new search panel UI [Classic Theme Restorer can restore the old search]
- [x] 1201: (44+) block rc4 whitelist
- [x] 2417: (44+) disable SharedWorkers, which allow the exchange of data between iFrames that
- [x] 1005: (45+) disable deferred level of storing extra session data 0=all 1=http-only 2=none
- [x] 0334b: (46+) disable FHR (Firefox Health Report) v2 data being sent to Mozilla servers
- [x] 0410e: (46+) safebrowsing
- [x] 0333b: (47+) disable about:healthreport page UNIFIED
- [x] 0807: (47+) disable history manipulation
- [x] 0806: (48+) disable 'unified complete': 'Search with [default search engine]'
- [x] 2202: (49+) ONE of the new window UI prefs
- [x] 2431: (49+) disable ONE of the push notification prefs
- [x] 1809: (50+) remove Mozilla's plugin update URL
- [x] 1851: (51+) delay play of videos until they're visible
- [x] 2504: (51+) disable virtual reality devices
- [x] 2614: (51+) disable SPDY
I know it's a list of each numbered items, but quite a few are inactive for a reason (I hope people don't get the impression these are all on!). You could probably tick or look at those off straight away (I only have them in mine for completeness and to deter people turning them on from bad advice, or they don't fit our purpose yet). Then again .. it's like a Lolly Scramble, isn't it (the link: I mean the NZ/Aussie game, not that slang definition which sounds painful)
here's two I quickly spotted
- 1006: no need to disable rendered pages in memory (achieves nothing AFAIK)
- 2621: disable IPv6 (which is a bad idea)
Here's mine: https://github.com/ghacksuserjs/ghacks-user.js/issues/10#issue-208648006 :) I'm 8 done out of 18. How are you doing :) have fun
Just indent with two more spaces below, e.g.:
* [x] Issue
  * Note
@pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.
> @pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.
I know :/ It's because I created new subkey with ED25519 curves, and it's only supported by the very latest versions of GnuPG. Last time I tried, GitHub refused to update the key with that particular subkey. Need to try it again.
Small update on the PGP issue. So in here it even states "EdDSA, except Ed25519". I queried GitHub on the issue and they said: "Ed25519 keys are likely to be supported in the future, but we don't have a timeline of when that may be."
In the meanwhile, you can check my signatures from the command line with recent enough GnuPG:
```
$ git log --show-signature
commit e6592f9b8c304eead1595b978f7663fcfa373532 (HEAD -> master, origin/master, origin/HEAD)
gpg: Signature made Tue 21 Feb 2017 12:17:27 AM EET
gpg: using EDDSA key 6760F995F5DD2C1A5805744C8043380FC109A370
gpg: Good signature from "pyllyukko <[email protected]>" [ultimate]
Primary key fingerprint: B284 21D6 03DE 0A1D 17AE 4415 78C2 DF2D 1A17 0CC6
Subkey fingerprint: 6760 F995 F5DD 2C1A 5805 744C 8043 380F C109 A370
Author: pyllyukko <[email protected]>
Date: Tue Feb 21 00:17:11 2017 +0200

    security.dialog_enable_delay -> 1000

    This is the default value
```
nvm, no one listens to me anyway
> I see you're dragging the chain on the monster diff :)
Where's the rush?
> pref("browser.aboutHomeSnippets.updateUrl", ""); // ghacks: "https://127.0.0.1" pyllyukko should match .. use HTTPS re MiTM re as per TBB and discussions there over this in tor tickets
? I don't get it.
> And you are inconsistent with data plain text thingie - see comment ghacksuserjs/ghacks-user.js#18 (comment) - I just matched TBB. I don't think it's all that important
True.
> but I think they were used as a null/zero-length string causes issues in linux? IDK
Not that I know of.
@nodiscc: I tried to mark everything from #255 as done. It would be good to double check, that I didn't miss anything.
0340: disable experiments can also be marked as done. Other than that, everything looks fine. thanks
0819: ticked off and stated that it is covered by browser.urlbar.maxRichResults - this is not true. 0819 is about browser.urlbar.oneOffSearches. FYI, browser.urlbar.maxRichResults is pretty much obsolete. It has no effect (tested for all "dropdowns" - search, history/etc) and pretty much confirmed by looking at the code.
> 0819: ticked off and stated that it is covered by browser.urlbar.maxRichResults - this is not true. 0819 is about browser.urlbar.oneOffSearches. FYI, browser.urlbar.maxRichResults is pretty much obsolete. It has no effect (tested for all "dropdowns" - search, history/etc) and pretty much confirmed by looking at the code.
My mistake. So it's browser.urlbar.autocomplete.enabled that has this covered.
0815: Shouldn't have any effect because of keyword.enabled == false
You are talking about the preference browser.urlbar.suggest.searches
This is incorrect: keyword.enabled does not control browser.urlbar.suggest.searches.
- Open a vanilla FF52
- Go to about:config. Set keyword.enabled -> false and browser.urlbar.suggest.searches -> true
- Open a new tab and type "wiki" and a ton of wiki search engines options will appear
Edit: FYI there is nothing to fix (except maybe your explanation above), browser.urlbar.suggest.searches is at false in your js.
@Thorin-Oakenpants: Thanks. Fixed it.
@nodiscc: Will do. There's actually more improvements that we should make to location bar behavior. For instance, the browser.urlbar.suggest.openpage is actually pretty useful, when you have gazillion tabs open.
I'm lost. What does that commit have to do with maxRichResults? ;)
@pyllyukko If you are suggesting browser.urlbar.suggest.openpage -> true for convenience when you have a gazillion tabs open, then you are allowing extra chances for shoulder surfers and that is not "hardening" IMO.
You also have browser.urlbar.autocomplete.enabled -> false, so this renders browser.urlbar.suggest.openpage -> true as immaterial. It's at complete odds with your current setting.
note: FYI: 0850a is browser.urlbar.autocomplete.enabled
```js
/* 0850c: disable location bar suggestion types
 * [SETTING] Options>Privacy>Location Bar>When using the location bar, suggest
 * [NOTE] If you wish to enable these suggestions, make sure 0850a is at default ***/
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.openpage", false);
```
> You also have browser.urlbar.autocomplete.enabled -> false, so this renders browser.urlbar.suggest.openpage -> true as immaterial. It's at complete odds with your current setting.
Yes, I know.
> I'm lost. What does that commit have to do with maxRichResults? ;)
It's the line 7805 of the test output: Deprecated : browser.urlbar.maxRichResults.
> It's the line 7805 of the test output: Deprecated : browser.urlbar.maxRichResults.
Ahh .. had to fiddle with NS, uBo & uMatrix to get that part to load (I just looked at the commit listed at the top)
I assume this is your internal list of items to ignore, because clearly there are many items marked as "deprecated" that aren't, including ones in your js. I'm just pointing out that browser.urlbar.maxRichResults is actually deprecated so you can correct your js, not to ignore it (although I am not sure if it is still in ESR). At least you now know for the future.
> What does that commit have to do with maxRichResults? ;) I assume this is your internal list of items to ignore
Sorry, linking directly to line 7805 of the travis log did not work. The build script compares prefs found in user.js against prefs present in Firefox source. In latest firefox revisions this pref is no longer present (hence on line 7805 of https://travis-ci.org/pyllyukko/user.js#L7805 the script outputs Deprecated : browser.urlbar.maxRichResults)
> clearly there are many items marked as "deprecated" that aren't, including ones in your js
Are there? Which ones? Note that this is an automated comparison of user.js with the latest known Firefox source code revision (unreleased FF version), so they might still be present in a specific version. These are the URLs we use to compare against. You can set SOURCEVERSION to something else (tag names found at https://hg.mozilla.org/mozilla-central/tags) to compare with a fixed version (eg. FIREFOX_AURORA_50_BASE for Firefox 50). Maybe we are missing a Firefox source file to compare against?
browser.urlbar.suggest.openpage = true
- [ ] I'd rather set it to false as per policy to enforce the most hardened settings (in this case against shoulder surfing), but with a NOTICE: breaks tab switching from the URL bar. Then it will be easier to spot/change when wanting to tweak things for convenience. (https://github.com/pyllyukko/user.js/issues/231)
> Are there? Which ones?
Deprecated : browser.crashReports.unsubmittedCheck.enabled
Deprecated : privacy.clearOnShutdown.cache
Deprecated : privacy.clearOnShutdown.cookies
Deprecated : privacy.clearOnShutdown.downloads
Deprecated : privacy.clearOnShutdown.formdata
Deprecated : privacy.clearOnShutdown.history
Deprecated : privacy.clearOnShutdown.offlineApps
Deprecated : privacy.clearOnShutdown.passwords
Deprecated : privacy.clearOnShutdown.sessions
Deprecated : privacy.cpd.cache
Deprecated : privacy.cpd.cookies
Deprecated : privacy.cpd.downloads
Deprecated : privacy.cpd.formdata
Deprecated : privacy.cpd.history
Deprecated : privacy.cpd.offlineApps
Deprecated : privacy.cpd.sessions
Deprecated : privacy.resistFingerprinting
Deprecated : privacy.sanitize.sanitizeOnShutdown
Deprecated : privacy.sanitize.timeSpan
Do I need to list more? Something is clearly wrong if these are marked as actually deprecated by your script
ALSO: you are not taking into account hidden prefs which are not listed in these js files
> Something is clearly wrong if these are marked as actually deprecated by your script
Thanks, it appears we are missing https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/firefox.js where these prefs are located.
- [x] add https://hg.mozilla.org/mozilla-central/raw-file/$$SOURCEVERSION/browser/app/profile/firefox.js to list of source files.
> you are not taking into account hidden prefs which are not listed in these js files
Yes, some prefs are created at runtime by Firefox itself. Fortunately most of these are covered in Mozilla unit tests prefs files, which the script also considers; but it's possible we are still missing some of them. Do you have an example of a missing preference?
I don't know of any hidden prefs that aren't in tests - all the hidden ones we're using are marked as "(hidden pref)" in the ghacks js, so you could scrape that
EDIT: 29 of them (1 in the deprecated section)
PS: this also doesn't account for legacy code: eg, yup, I'll say it again :) .. browser.urlbar.maxRichResults because it's still in the js :) .. seriously, test it (FF52+, not sure about earlier). It has no effect on the dropdown whatsoever.
Indeed preferences that are marked (hidden pref) in ghacks user.js can not be found in our copies of Firefox source files:
```
$ make downloadffprefs
2017-04-04 21:54:28 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/toolkit/components/telemetry/datareporting-prefs.js [717/717] -> "-" [1]
2017-04-04 21:54:30 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/toolkit/components/telemetry/healthreport-prefs.js [547/547] -> "-" [1]
2017-04-04 21:54:32 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/security/manager/ssl/security-prefs.js [5802/5802] -> "-" [1]
2017-04-04 21:54:38 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/modules/libpref/init/all.js [245079/245079] -> "-" [1]
2017-04-04 21:54:42 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/testing/profiles/prefs_general.js [19377/19377] -> "-" [1]
2017-04-04 21:54:46 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-preferences.js [6579/6579] -> "-" [1]
2017-04-04 21:54:48 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/js/src/tests/user.js [1912/1912] -> "-" [1]
2017-04-04 21:54:53 URL:https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/firefox.js [77214/77214] -> "-" [1]
$ curl --silent 'https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js' | grep 'hidden pref' | awk -F'"' '{print $2}' > ghacks-hidden.js
$ for line in $(cat ghacks-hidden.js); do grep "$line" sourceprefs.js >/dev/null || echo "hidden pref $line not found in Firefox source"; done
hidden pref browser.search.region not found in Firefox source
hidden pref javascript.use_us_english_locale not found in Firefox source
hidden pref toolkit.telemetry.unifiedIsOptIn not found in Firefox source
hidden pref datareporting.healthreport.service.enabled not found in Firefox source
hidden pref browser.selfsupport.enabled not found in Firefox source
hidden pref social.enabled not found in Firefox source
hidden pref services.sync.enabled not found in Firefox source
hidden pref network.dns.disablePrefetchFromHTTPS not found in Firefox source
hidden pref permissions.memory_only not found in Firefox source
hidden pref security.ssl.disable_session_identifiers not found in Firefox source
hidden pref security.nocertdb not found in Firefox source
hidden pref font.system.whitelist not found in Firefox source
hidden pref media.gmp-gmpopenh264.enabled not found in Firefox source
hidden pref dom.allow_cut_copy not found in Firefox source
hidden pref browser.tabs.remote.force-enable not found in Firefox source
hidden pref general.useragent.override not found in Firefox source
hidden pref general.buildID.override not found in Firefox source
hidden pref general.appname.override not found in Firefox source
hidden pref general.appversion.override not found in Firefox source
hidden pref general.platform.override not found in Firefox source
hidden pref general.oscpu.override not found in Firefox source
hidden pref ui.submenuDelay not found in Firefox source
hidden pref privacy.donottrackheader.value not found in Firefox source
```
- [ ] identify where in Firefox source these preferences are created, whether they are still in use, and adapt the Makefile to detect them
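The comparison discussed in the comments above (prefs set in user.js checked against prefs defined in Firefox source files, with an ignore list), as an added example that is not the project's Makefile or build script. It contrasts whole-name matching with a per-name substring grep and shows how a missing source file produces a false "Deprecated" line; the function names, the sample file contents and the ignore list format (quoted names, `//` comments) are assumptions.

```shell
#!/bin/sh
# Added example: compare prefs set in user.js against prefs defined in
# Firefox source pref files. All file contents below are constructed samples.

# Print the names of prefs actively set in a prefs file, one per line, sorted.
# Lines commented out with // are not matched.
extract_prefs() {
    sed -nE 's/^[[:space:]]*(user_|sticky_)?pref[[:space:]]*\([[:space:]]*"([^"]+)".*/\2/p' "$1" |
        LC_ALL=C sort -u
}

# check_deprecated USERJS IGNORELIST SOURCE...
# Whole-name comparison: report every pref set in USERJS that no SOURCE file
# defines and that IGNORELIST does not name.
check_deprecated() {
    cd_userjs=$1
    cd_ignore=$2
    shift 2
    cd_tmp=$(mktemp -d) || return 1
    extract_prefs "$cd_userjs" > "$cd_tmp/user"
    for cd_src in "$@"; do extract_prefs "$cd_src"; done |
        LC_ALL=C sort -u > "$cd_tmp/source"
    # Assumed ignore list format: one quoted name per line, // comments.
    sed -nE 's/^[[:space:]]*"([^"]+)".*/\1/p' "$cd_ignore" |
        LC_ALL=C sort -u > "$cd_tmp/ignore"
    # comm -23 keeps lines that appear only in its first (sorted) input.
    LC_ALL=C comm -23 "$cd_tmp/user" "$cd_tmp/source" |
        LC_ALL=C comm -23 - "$cd_tmp/ignore" |
        sed 's/^/Deprecated : /'
    rm -rf "$cd_tmp"
}

# check_deprecated_substring USERJS SOURCE...
# The same question asked with a per-name grep: the name is used as a regex
# and matches anywhere in a line, so a pref whose name is a prefix of a
# surviving pref is never reported. No ignore list is applied here.
check_deprecated_substring() {
    cs_userjs=$1
    shift
    extract_prefs "$cs_userjs" | while IFS= read -r cs_name; do
        grep -q -- "$cs_name" "$@" || echo "Deprecated : $cs_name"
    done
}

# Write the constructed sample files into directory $1.
make_samples() {
    cat > "$1/user.js" <<'EOF'
user_pref("keyword.enabled", false);
user_pref("browser.urlbar.maxRichResults", 0);
user_pref("browser.pocket.enabled", false);
user_pref("privacy.resistFingerprinting", true);
user_pref("privacy.donottrackheader.value", 1);
// user_pref("network.dns.disableIPv6", true);
EOF
    cat > "$1/all.js" <<'EOF'
pref("keyword.enabled", true);
pref("browser.pocket.enabledLocales", "en-US");
EOF
    cat > "$1/firefox.js" <<'EOF'
pref("privacy.resistFingerprinting", false);
EOF
    cat > "$1/ignore.list" <<'EOF'
// Deprecated Do Not Track setting, Firefox <36
"privacy.donottrackheader.value"
EOF
}

# Demo on the constructed samples.
demo_dir=$(mktemp -d) || exit 1
make_samples "$demo_dir"
echo "whole-name match, all.js only (firefox.js missing from the source list):"
check_deprecated "$demo_dir/user.js" "$demo_dir/ignore.list" "$demo_dir/all.js"
echo "whole-name match, all.js + firefox.js:"
check_deprecated "$demo_dir/user.js" "$demo_dir/ignore.list" \
    "$demo_dir/all.js" "$demo_dir/firefox.js"
echo "substring grep, all.js + firefox.js:"
check_deprecated_substring "$demo_dir/user.js" "$demo_dir/all.js" "$demo_dir/firefox.js"
rm -rf "$demo_dir"
```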
So I guess I'm not useless after all :) You owe me a :beer:
That last one hidden pref privacy.donottrackheader.value not found in Firefox source is legacy. Francois told me.
Regarding privacy.donottrackheader.value: Searching for this string on DXR reveals that:
- it is deprecated in recent revisions and replaced with privacy.donottrackheader.enabled, there's a check at https://dxr.mozilla.org/mozilla-central/source/browser/components/nsBrowserGlue.js#1735 which converts the legacy setting (3 possible values: don't decide, do not track me, please track me) to the new setting (2 values: don't decide, do not track me).
- The Blame link on DXR shows that this was added in https://hg.mozilla.org/mozilla-central/rev/9a16137bc7b4 Tue, 28 Jan 2014 09:26:16 -0800 -- Change three-state DNT back to two state and update text. (https://bugzilla.mozilla.org/show_bug.cgi?id=1042135).
- The commit milestone and bug target indicate Firefox 36.0a1. Since this user.js does not target Firefox <45, I suggest that we don't specify this setting.
- However it can be stored in ignore.list to clear any possible confusion -> #262
// Deprecated Do Not Track setting, Firefox <36, https://hg.mozilla.org/mozilla-central/rev/9a16137bc7b4
"privacy.donottrackheader.value"
> So I guess I'm not useless after all :) You owe me a :beer:
Never said you were (I think? Sorry if I sounded rude in any way, English is not my native language). Have some. :beer::beer::beer::coffee::beer::beer::beer::coffee::beer::beer::beer::coffee::beer::beer:
Same investigation method can be applied to other prefs if needed. Eg. https://dxr.mozilla.org/mozilla-central/search?q=browser.search.region&redirect=false... There are definitely some prefs that are created/checked randomly through the code (eg https://dxr.mozilla.org/mozilla-central/source/dom/base/Navigator.cpp?q=general.oscpu.override&redirect_type=single#479). We can move this to a new issue. -> Moved #261
Edit: (Note that you can run make checknotcovered to see all detected Firefox prefs that are not covered by user.js. Outdated log for reference)
Re: browser.urlbar.maxRichResults, it seems we are also missing many prefs files in https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/ and https://dxr.mozilla.org/mozilla-central/source/browser/app/profile. Thanks!
~~add https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/debugger.js https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/devtools.js https://dxr.mozilla.org/mozilla-central/source/browser/branding/unofficial/pref/firefox-branding.js https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/firefox-l10n.js https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/firefox.js https://dxr.mozilla.org/mozilla-central/source/obj-x86_64-pc-linux-gnu/dist/bin/browser/defaults/preferences/webide-prefs.js https://dxr.mozilla.org/mozilla-central/source/browser/app/profile/channel-prefs.js~~ those files are generated from:
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/devtools/client/preferences/debugger.js
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/devtools/client/preferences/devtools.js
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/branding/unofficial/pref/firefox-branding.js
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/branding/official/pref/firefox-branding.js
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/locales/en-US/firefox-l10n.js
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/devtools/client/webide/webide-prefs.js
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/app/profile/channel-prefs.js
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/branding/nightly/pref/firefox-branding.js
- [x] https://hg.mozilla.org/mozilla-central/raw-file/tip/browser/branding/aurora/pref/firefox-branding.js
- [x] More possibly "hidden" prefs sources to consider (requires some more research, move to other issue) -> Moved to #261
> @pyllyukko just letting you know that your last few commits are "unverified" because GitHub does not know about your new key.
FYI: It's working again.