general.buildID.override + dom.battery.enabled

[earthlng]

/* 4702: navigator.buildID (see gecko.buildID in about:config) reveals build time
 * down to the second which defeats user agent spoofing and can compromise OS etc
 * [1] https://bugzilla.mozilla.org/583181 ***/
   // user_pref("general.buildID.override", "20100101"); // (hidden pref)

we should enable this for non-RFP users. It doesn't conflict with RFP so there's really no reason not to enable it, IMHO.

see buildID @ https://browserleaks.com/javascript with and w/o RFP.

(see gecko.buildID in about:config)

gecko.buildID doesn't exist anymore since at least FF52: compare DXR ESR45 vs ESR52

---

dom.battery.enabled - it's not deprecated and shouldn't be under 9999. IDK a good reason why we shouldn't actively disable it IMO. Let's move it back into the active part of the user.js

just my 2 cents

[earthlng]

Q: Is UA sent regardless of JS being disabled?

yes UA is sent with every request regardless of JS

[earthlng]

Sure, we can move battery

let's do it ... #486

[crssi]

You have mentioned

/* 0804: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY
 * This is a PER TAB session history. You still have a full history stored under all history
 * default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages
 * use it as a means of referral (e.g. hotlinking), 4 or 6 or 10 may be more practical ***/
user_pref("browser.sessionhistory.max_entries", 10);

is there any security/privacy implications that prevents the following to be set as 10?:

/* 1020: disable the Session Restore service completely
 * [WARNING] [SETUP] This also disables the "Recently Closed Tabs" feature
 * It does not affect "Recently Closed Windows" or any history. ***/
user_pref("browser.sessionstore.max_tabs_undo", 10); 

Thx and cheers

[crssi]

But... don't we sanitize this by the current shutdown settings?:

/*** 2800: SHUTDOWN [SETUP]
     You should set the values to what suits you best.
     - "Offline Website Data" includes appCache (2730), localStorage (2710),
       Service Worker cache (2740), and QuotaManager (IndexedDB (2720), asm-cache)
     - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the
       Firefox interface as "Browsing & Download History" and their values will be synced
 ***/
user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
/* 2802: enable Firefox to clear history items on shutdown
 * [SETTING] Privacy & Security>History>Clear history when Firefox closes ***/
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
/* 2803: set what history items to clear on shutdown
 * [SETTING] Privacy & Security>History>Clear history when Firefox closes>Settings
 * [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
 * but if 'history' is false, downloads can still be cleared independently
 * However, this may not always be the case. The interface combines and syncs these
 * prefs when set from there, and the sanitize code may change at any time ***/
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true); // see note above
user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences

[crssi]

Understood, thank you.
I am using 10 for mistakenly closed tabs, but since I am using Temporary Containers (which wipes data after 2 minutes) and also sanitize at shutdown, I assume (which I can be mistaken) that its safe.
I do not use history at all and have set

/* 0862  */ user_pref("places.history.enabled", false);

Thanks ❤️ and sorry for hijacking the topic.

[earthlng]

Firefox keeps session cookies with the URLs in session history to more faithfully restore your session

only if you don't have 1021:

/* 1021: disable storing extra session data
 * extra session data contains contents of forms, scrollbar positions, cookies and POST data
 * define on which sites to save extra session data:
 * 0=everywhere, 1=unencrypted sites, 2=nowhere ***/
user_pref("browser.sessionstore.privacy_level", 2);

[earthlng]

(buildID) is reflected in the UA string

nope, the buildID in the UA is (and has been for a long time) always Gecko/20100101, even if navigator.buildID is not spoofed by either RFP or general.buildID.override

[crssi]

only if you don't have 1021

Doesn't comply with what I see.
I do have:

user_pref("browser.sessionstore.privacy_level", 2);

if I close the tab and check cookie storage its still there and then restore it with CTRL+SHIFT+T everything is like I would never closed the tab (cookie wise) and I am still logged on.

[earthlng]

Hmm interesting. It's probably because there are 2 kinds of cookies, session and "permanent" (ie with an expire date). I assume FF keeps permanent ones in cookies.sqlite and session cookies in sessionstore.jsonlz4.

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie

Session cookies will get removed when the client is shut down.

If (the Expires or Max-Age directives are) not specified, the cookie will have the lifetime of a session cookie. A session is finished when the client is shut down meaning that session cookies will get removed at that point. However, many web browsers have a feature called session restore that will save all your tabs and have them come back next time you use the browser. Cookies will also be present and it's like you had never actually closed the browser.

I guess the bold part is where browser.sessionstore.privacy_level comes in, in regards to cookies.

If you want to know exactly what's stored in sessionstore.jsonlz4 you can try if dejsonlz4 is able to decompress it and look at its content. Close the browser before you do, though, and I'd recommend to copy the file before you tamper with it.
Although it should probably also be possible to just copy the file while FF is still running if you wanna know what's in there at any given time.

We should probably change the line * extra session data contains contents of forms, scrollbar positions, cookies and POST data to session cookies instead of just cookies. 👖 ?

[Atavic]

Does general.buildID.override still work?

[earthlng]

Yes but only if privacy.resistFingerprinting is false:
DXR is way out of sync but this should probably still be current state in FF62:
https://dxr.mozilla.org/mozilla-release/source/dom/base/Navigator.cpp#566-582

mozilla-release == FF62 at the moment