
MOAR stuff to look at #533

Closed
Thorin-Oakenpants opened this issue Nov 13, 2018 · 46 comments

Comments

@Thorin-Oakenpants (Contributor) commented Nov 13, 2018

snip

@bogachenko commented Nov 13, 2018

https://bugzilla.mozilla.org/show_bug.cgi?id=1450401

Posted by 8 months ago

maybe that's what they could do to resolve

maybe


security.tls.version.min = 3

https://blog.torproject.org/new-sslv3-attack-found-disable-sslv3-torbrowser
https://blog.torproject.org/comment/271978#comment-271978

In TOR version 1

full-screen-api.enabled = false

https://trac.torproject.org/projects/tor/ticket/12609

still included in TOR

@bogachenko

Ah, okay.

@bogachenko

Yes, now I see. I just thought it was advertising.

@bogachenko commented Nov 13, 2018

this is also webgl.force-enabled part 3

https://wiki.mozilla.org/Blocklisting/Blocked_Graphics_Drivers

at the very end of the page

@bogachenko

Mozilla needs to tell mobile users something; I don't see that as a bad thing.

I would argue


OK, and the rest?

@bogachenko commented Nov 13, 2018

My English is running out.
I am against any display of updates, banners, notifications. I do not want my browser (at startup, and especially while working) to connect to third parties, or to shit that is NOT its direct task.
This is who I am.

Whatever the outcome, you're right: this is your repository = your rules. My (unnecessary to anyone) opinion I will keep to myself.

@bogachenko

Well, I hurried with the "Pull requests". Hahha

@crssi commented Nov 13, 2018

About promo links and even telemetry... let's say we trust Mozilla and their anonymizing of that data; then I do not see any reason to block those, since Mozilla also needs feedback to make things better... whatever you decide is just fine.

The File Handle API looks quite dangerous. I do not see any reason that some 3rd-party stuff should be able to make/modify files, even if it's sandboxed or limited only to the Firefox profile. It smells like hell: a new supercookie and other abuses.

I would disable security.tls.version.min and the same with full-screen-api.enabled.
What you have written about those makes total sense; I have had full screen relaxed for a long time and was always in doubt about the TLS min.

@bogachenko commented Nov 13, 2018

@crssi
1. Telemetry is good, but not for everyone. Mozilla has bug reports, GitHub issues, and (at the end of it all) there is Firefox Nightly.
But for ordinary (mortals) there is nothing.

2. Yes

3. Disabling full-screen-api.enabled is uncomfortable. YouTube/Twitch are crying. But it is still needed, especially with the browser's fingerprinting protection enabled. It is strange that it is included in TOR. Apparently patches were issued to get around this. I hope and believe (and most importantly, prepare) that perhaps Mozilla will release

@crssi commented Nov 13, 2018

@bogachenko

  1. Also mortals, IMHO. Mozilla needs to know what is used and what is not, to make the used things better and to drop the things not used. I am not calling for a change here and the current ghacks prefs are good; I was just saying there is no need to go further here. ;)

  2. You haven't understood me ;)... disabling is not setting it to false. In the ghacks user.js it means commenting that pref out. So it stays at the default (whatever it is), or the user changes it to whatever he/she wishes.
    I am using this as true.

Cheers

@bogachenko commented Nov 13, 2018

@crssi

1. We can argue about that fooooooooooorever.

  1. english english english

Cheers

@crssi commented Nov 13, 2018

Doh... stupid me. 😄

Thx Thorin

Thorin-Oakenpants added a commit that referenced this issue Nov 13, 2018
TLS 1.0 and 1.1 are still secure. Sure, later versions are more secure, but 98% of the web is already upgraded - less than 2% of sites use < v1.2. So it's not very likely you would come across a site that requires it, but if you did, what's the point in breaking it? Mozilla and Chrome already have plans to deprecate TLS 1.0 & 1.1 and force that last 2% of sites.

TLS settings can be FP'ed without JS. By sticking with the defaults, I do not see any security issues, but an increase in potential anti-FPing. TBH, the chances of either (i.e. being FP'ed with TLS as an entropy point, or being compromised due to TLS < 1.2) are slim to none anyway.

Any arguments, please see @earthlng
@claustromaniac (Contributor)

Element.requestFullscreen()

Note: This method must be called while responding to a user interaction or a device orientation change; otherwise it will fail.

Thorin-Oakenpants added a commit that referenced this issue Nov 13, 2018
@crssi commented Nov 13, 2018

OT or maybe not (due to FS)... does user_pref("media.autoplay.default", 1); really need to be active?

@bogachenko commented Nov 13, 2018

@crssi I was having trouble playing video. I watched, or rather wanted to watch, (pirated) movies on different sites. The player refused to work. I thought something in the adblock list broke it = no. Then I thought it was because of blocking third-party cookies (Firefox 63) = nope. Disabling this setting (by process of elimination, trial and error) = works.

upd: Actually, I turned off this pref. (Although on YouTube and Twitch it was oooh, so useful.)

upd: In fact, in OLDER versions of Firefox there was a very good extension for blocking the (ungodly) Flash Player and HTML5.

@crssi commented Nov 14, 2018

@bogachenko obviously we are in the same club about expressions in English; I am also not good at that.
I didn't understand what your verdict is in your last post.

The player refused to work with user_pref("media.autoplay.default", 1);?

I know I had numerous problems in the past with the upper setting, but I did try all kinds of video providers I could remember yesterday and there were no problems. It looks like Mozilla has sorted those out in the last year or two.

FF now does not start to play until the tab has focus anymore.
In addition... lately (the last year) I haven't seen any site auto-play, except where I wanted and expected it.
That said, I kind of don't hate it anymore and the default is OK with me.

Cheers

@bogachenko commented Nov 14, 2018

@crssi

obviously we are in the same club about expressions in english, I am also not good at that

Like this? You're all English speakers here. British / Canadians / Americans and Australians. No? Hm.
My English is bad. And (drunk) Google Translate is even worse.


The player refused to work when user_pref("media.autoplay.default", 1);

At 1 it did not work; at 0 all is well.
The player STARTED working with user_pref("media.autoplay.default", 0); yeah

I'm just saying that some sites break. Perhaps that is the fault of the company that makes the player (not the Mozilla Foundation), which sites with pirated videos then use.
Just as a fact: this pref SOMETIMES breaks playback.

I put 0. Now there are no problems with playback. Or I did not find any.

from Russia with love

@earthlng (Contributor)

does user_pref("media.autoplay.default", 1); really need to be active?

they're working on making it default-prompt which should land soonish. see meta bug - only 4 open tickets left atm
Until then you can use site permissions to allow autoplay on sites that break with 1.

If you want to test the new prompt-based autoplay even though it might not be fully polished yet, you can do so by setting the prefs like this:

// Switch block autoplay logic to v2, and enable UI.
pref("media.autoplay.enabled.user-gestures-needed", true);
// Allow asking for permission to autoplay to appear in UI.
pref("media.autoplay.ask-permission", true);
// Set Firefox to block autoplay, asking for permission by default.
pref("media.autoplay.default", 2); // 0=Allowed, 1=Blocked, 2=Prompt

@earthlng (Contributor) commented Nov 14, 2018

found another one that makes us stand out more than necessary for no good reason:

0201b: user_pref("permissions.default.geo", 2);

permissions can be read by sites and AFAIK RFP always rejects geolocation requests with "denied" anyway. I'm not sure if RFP geolocation can be overruled with site permissions but either way I think we should enforce the default permission which is prompt.

test: press ctrl+shift+k and run this

navigator.permissions.query({name:'geolocation'}).then(e => console.log("permission for geolocation:", e.state, "(default is prompt)"));

@earthlng (Contributor)

No idea why you always get "granted". Did you test it on a site where you set a site permission for geolocation?
RFP doesn't affect the outcome of querying the permissions with that command.
permissions.default.geo=0 -> should return "prompt"
1 = "granted"
2 = "denied"
that's also what I see in my beta and I don't think anything related to this changed since FF63.

@earthlng (Contributor)

There also seems to be a bug in the implementation in that it always reports the default permission instead of the actual permission set in Page Info -> Permissions, e.g.
permissions.default.geo=0 -> test: reports "prompt"
set site permission to block for that domain, refresh or load the same page in another tab, ctrl+shift+k again and test still reports "prompt".
Makes the whole permission api kind of useless

@earthlng (Contributor)

Why do I need to test it on a site?

ctrl+shift+k allows you to run code in the context of that site (where you clicked ctrl+shift+k).
I guess you always see "granted" because you ran it on about:config, right?
You need to test it on a real site, not a privileged page like about:config.
Sorry I should've mentioned that, I forgot that you're totally clueless when it comes to these things :trollface: ;)

if I gave it permission I'm defeating the purpose of the test to detect the state of the pref.

not really. I assumed the whole purpose of the permissions API is to allow sites to query if they have a certain permission but it apparently doesn't take site permissions into consideration.

So it doesn't matter then what we set (ask or block)?

it matters what we set as default

I don't have GPS capabilities on my desktop machine. Would that make a difference?

no

@earthlng (Contributor)

as of FF64 the permissions API itself only supports geolocation, notifications/push and persistent-storage.

1-liner for the Permissions API to query all permissions currently listed at https://developer.mozilla.org/en-US/docs/Web/API/Permissions/query:

for (const a of [ 'accelerometer', 'accessibility-events', 'ambient-light-sensor', 'background-sync', 'camera', 'clipboard-read', 'clipboard-write', 'geolocation', 'gyroscope', 'magnetometer', 'microphone', 'midi', 'notifications', 'payment-handler', 'persistent-storage', 'push' ]) navigator.permissions.query({name:a}).then(e => console.log("permission for", a, ":", e.state)).catch(console.log);

Don't run it on a privileged page ;)

camera and mic permissions are probably queryable but would need certain prefs enabled like media.navigator.enabled

Should we add a warning that changing from default prompt can be FP'ed?

👍
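The fingerprinting point made above (a non-default permission state is readable by every site, so 0201b makes the profile stand out) as an added example; this is not code from the thread or from the ghacks project. probePermissions() takes the permissions object as a parameter so it runs offline against a constructed mock that mirrors FF64 (only geolocation, notifications, push and persistent-storage queryable); in a real browser you would call probePermissions(navigator.permissions) from a normal, non-privileged page. The TypeError message in the mock is illustrative, not Firefox's exact wording.

```javascript
// Added example (not code from the thread or the ghacks project): what a page
// can learn from navigator.permissions.query() when a profile hard-codes
// permission states. The permissions object is a parameter so the code runs
// offline against a constructed mock; in a browser pass navigator.permissions.

// Names listed for Permissions.query at the time of the thread. FF64 implements
// only geolocation, notifications, push and persistent-storage and throws a
// TypeError for the rest.
const PERMISSION_NAMES = [
  "accelerometer", "accessibility-events", "ambient-light-sensor",
  "background-sync", "camera", "clipboard-read", "clipboard-write",
  "geolocation", "gyroscope", "magnetometer", "microphone", "midi",
  "notifications", "payment-handler", "persistent-storage", "push",
];

// Query every name; names the browser rejects are recorded as "unsupported"
// (not a real PermissionState) because the supported set is browser-specific.
async function probePermissions(permissions, names = PERMISSION_NAMES) {
  const states = {};
  for (const name of names) {
    try {
      states[name] = (await permissions.query({ name })).state;
    } catch (err) {
      states[name] = "unsupported";
    }
  }
  return states;
}

// "prompt" is the shipped default for every permission Firefox exposes here.
// Any other state was set by the user (or forced via permissions.default.*)
// and separates this profile from stock Firefox. Returns sorted "name=state".
function nonDefaultStates(states) {
  return Object.entries(states)
    .filter(([, state]) => state !== "prompt" && state !== "unsupported")
    .map(([name, state]) => `${name}=${state}`)
    .sort();
}

// Constructed mock of navigator.permissions; unknown names throw, as Firefox does
// (message is illustrative, not Firefox's exact text).
function mockPermissions(table) {
  return {
    query: async ({ name }) => {
      if (!(name in table)) {
        throw new TypeError(`'${name}' is not a valid value for enumeration PermissionName.`);
      }
      return { state: table[name] };
    },
  };
}

// Profile with 0201b active: permissions.default.geo = 2 reads back as "denied".
const HARDENED_PROFILE = mockPermissions({
  geolocation: "denied", notifications: "prompt",
  push: "prompt", "persistent-storage": "prompt",
});

// Same browser with the pref left at its default (0, which reads back as "prompt").
const STOCK_PROFILE = mockPermissions({
  geolocation: "prompt", notifications: "prompt",
  push: "prompt", "persistent-storage": "prompt",
});

async function main() {
  for (const [label, profile] of [["hardened", HARDENED_PROFILE], ["stock", STOCK_PROFILE]]) {
    const tells = nonDefaultStates(await probePermissions(profile));
    console.log(label, tells.length ? `stands out: ${tells.join(", ")}` : "looks like default Firefox");
  }
}
if (typeof window === "undefined") main();
```

Run it in Node to see the hardened profile reported with one tell (geolocation=denied) and the stock profile with none; in a page, swap the mock for navigator.permissions and the same two functions give a site's view of your profile.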

@earthlng (Contributor)

"prompt" all of a sudden eh? ;)
you did run it on a privileged page when you got all "granted", didn't you, little liar? liar liar 👖 on 🔥

@earthlng (Contributor)

Which ones?

0201b + 2305

@bogachenko commented Nov 18, 2018

@Thorin-Oakenpants

media.autoplay.default make inactive

what for? your buddy @earthlng wrote good settings.

// Switch block autoplay logic to v2, and enable UI.
pref("media.autoplay.enabled.user-gestures-needed", true);
// Allow asking for permission to autoplay to appear in UI.
pref("media.autoplay.ask-permission", true);
// Set Firefox to block autoplay, asking for permission by default.
pref("media.autoplay.default", 2); // 0=Allowed, 1=Blocked, 2=Prompt

which "it seems" helped me. Not sure, but so far there are no problems. Maybe I'm bad at searching?


let's remove browser.eme.ui.enabled 1830. It's not relevant. PS: am going thru checking all the [SETTING] info

https://bugzilla.mozilla.org/show_bug.cgi?id=1127784
https://support.mozilla.org/en-US/questions/1164682

When TRUE (and after restarting the browser) nothing has changed:
no plug-in, no tick in settings.
Hm.

@bogachenko

@Thorin-Oakenpants hell, I constantly forget about it... silly me.

@bogachenko

@Thorin-Oakenpants oke

@bogachenko commented Nov 18, 2018

@Thorin-Oakenpants

If you have a question, by all means ask.

Taking the opportunity: do you understand shell scripting? I created a question here... #537
It does not apply to security and privacy.


@Atavic commented Nov 18, 2018

Been there, done that.

@Woofy-Wolf commented Nov 20, 2018

Hi, and thank you for your never-ending work on ghacks.

mozilla also needs feedback to make things better

telemetry is good, but not for everyone.

I'd like to enable a minimum level of telemetry, to contribute data that supports privacy-centric efforts at Mozilla, but I don't want to over-share. I think the least possible level of sharing is achieved with:

user_pref("toolkit.telemetry.unified", true); // 330
//user_pref("toolkit.telemetry.server", "data:,"); // 330 (comment out and reset in about:config)
user_pref("datareporting.healthreport.uploadEnabled", true); // 333

Can you tell me if this is right? Or, can the "health report" be sent with toolkit.telemetry.unified = false?

@bogachenko commented Nov 20, 2018

user_pref("security.OCSP.require", true);

This option breaks some sites. Sucks.

default

If you do not turn it off... you have to clean it every time: cert9.db

@bogachenko

What do you say about this?

The "screenshot --imgur" command, with the help of which it was possible to publish screenshots on Imgur.com:
user_pref("devtools.gcli.imgurClientID", "");
user_pref("devtools.gcli.imgurUploadURL", "");

@bogachenko commented Nov 20, 2018

@Thorin-Oakenpants blue button - "Try again."
Is this setting generally necessary?
As I said, the problem disappears for a while if you remove cert9.db, and then it comes back again.

It's unpleasant, but if it's very IMPORTANT... you probably don't need to remove this setting.

@earthlng (Contributor)

devtools.gcli.* all got removed in FF64.

@Woofy-Wolf extended telemetry is force-disabled in Release versions anyway, so if you want to enable basic telemetry I think you'll probably have to comment out and reset all of 0330, 0333 and 0334.
But don't force-enable anything, because e.g. 0380 is Nightly-only, and if you send them data from Release versions you'll stand out and possibly confuse them with errors that they can't replicate in Nightly.
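The thread uses "make inactive" and "comment out" in a specific sense (crssi's point above about disabling not meaning false, and the advice just above to comment out and reset 0330, 0333 and 0334). The following is an added example, not the ghacks user.js project's own code or its updater/cleaner scripts: a small parser for the user.js pref format and a helper that comments prefs out so they fall back to the Firefox default (a pref already written to prefs.js still needs a reset in about:config, which this script cannot do). The sample file, its pref numbers and the list of prefs to leave at default are constructed from what the thread discusses; values containing `);` are out of scope.

```javascript
// Added example (not the ghacks user.js project's own code): parse user.js pref
// lines and "make prefs inactive" by commenting them out rather than setting
// them to false, which is what the thread means by disabling a pref.

// Matches `user_pref("name", value);` with optional leading `//` and an
// optional trailing comment. Values containing `);` are out of scope here.
const PREF_LINE = /^(\s*)(\/\/\s*)?user_pref\("([^"]+)",\s*(.+?)\);(.*)$/;

function parsePrefValue(raw) {
  if (raw === "true") return true;
  if (raw === "false") return false;
  if (/^-?\d+$/.test(raw)) return Number(raw);
  if (raw.length >= 2 && raw.startsWith('"') && raw.endsWith('"')) return raw.slice(1, -1);
  throw new Error(`unrecognised pref value: ${raw}`);
}

// Returns { active, inactive }: name -> value for live and commented-out prefs.
function parseUserJs(text) {
  const active = {};
  const inactive = {};
  for (const line of text.split("\n")) {
    const m = PREF_LINE.exec(line);
    if (!m) continue;
    const [, , commented, name, raw] = m;
    (commented ? inactive : active)[name] = parsePrefValue(raw);
  }
  return { active, inactive };
}

// Comment out the named prefs (keeping their old value visible for later
// reference); every other line, including already-inactive ones, is unchanged.
function makeInactive(text, names) {
  const wanted = new Set(names);
  return text
    .split("\n")
    .map((line) => {
      const m = PREF_LINE.exec(line);
      if (!m || m[2] || !wanted.has(m[3])) return line;
      return `${m[1]}// ${line.slice(m[1].length)}`;
    })
    .join("\n");
}

// Constructed sample in ghacks style, using the pref numbers from the thread.
const SAMPLE_USER_JS = `/* 0201b: set default geolocation permission */
user_pref("permissions.default.geo", 2); // 0=always ask, 1=allow, 2=block
/* 0330: disable telemetry */
user_pref("toolkit.telemetry.unified", false);
   // user_pref("toolkit.telemetry.server", "data:,");
/* 2305: block autoplay */
user_pref("media.autoplay.default", 1); // 0=Allowed, 1=Blocked, 2=Prompt
user_pref("security.tls.version.min", 3);`;

// Prefs the thread decided to leave at Firefox defaults: 0201b, 2305 and the TLS min.
const LEAVE_AT_DEFAULT = [
  "permissions.default.geo",
  "media.autoplay.default",
  "security.tls.version.min",
];

// Apply the thread's decision to the sample and return the re-parsed result.
function example() {
  const edited = makeInactive(SAMPLE_USER_JS, LEAVE_AT_DEFAULT);
  return parseUserJs(edited);
}

if (typeof window === "undefined") {
  const { active, inactive } = example();
  console.log("still active:", Object.keys(active));
  console.log("now inactive:", Object.keys(inactive));
}
```

After makeInactive() only toolkit.telemetry.unified remains active in the sample; the three prefs are left in the file, commented out, so their previous values are still visible when you later decide whether to re-enable them.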

@bogachenko

@Thorin-Oakenpants well, disable, so disable.
PS: in the Tor Browser it is also disabled.

@bogachenko

@Thorin-Oakenpants I understood you

@bogachenko

@Thorin-Oakenpants Question (translation difficulties): what does it mean to move to the 5000s?

5000s, what's this?

@bogachenko commented Nov 20, 2018

Strings? Or what?

@bogachenko

Understood

@bogachenko commented Nov 20, 2018

@Thorin-Oakenpants like this #544 ? 😊

@earthlng (Contributor)

I'd prefer to wait with changing autoplay until they land default-prompt in 64 or 65

@bogachenko

damn

@earthlng (Contributor)

re-assess all the warning and setup tags

👍
