ToDo: diffs FF90-FF91 #1229

Closed
1 task done
earthlng opened this issue Aug 10, 2021 · 7 comments

earthlng commented Aug 10, 2021

FF91 is scheduled for release Aug. 10th

FF91 release notes [when ready]
FF91 for developers
FF91 security advisories


79 diffs ( 35 new, 31 gone, 13 different )

new in v91.0:


ignore

==NEW

pref("apz.doubletapzoom.defaultzoomin", "1.2");
pref("browser.display.windows.non_native_menus", 2);
pref("browser.places.interactions.typing_timeout_ms", 3000);
pref("browser.shell.setDefaultBrowserUserChoice", true);
pref("dom.events.coalesce.touchmove", false);
pref("dom.ipc.processPrelaunch.lowmem_mb", 4096);
pref("dom.script_loader.full_parse", false);
pref("dom.security.https_only_fire_http_request_background_timer_ms", 3000);
pref("dom.serviceWorkers.mitigations.bypass_on_fault", true);
pref("dom.serviceWorkers.mitigations.navigation_fault_threshold", 3);
pref("dom.serviceWorkers.navigationPreload.enabled", false);
pref("dom.window.clientinformation.enabled", true);
pref("dom.window.sidebar.enabled", true);
pref("extensions.webidl-api.expose_mock_interface", false);
pref("gfx.webrender.low-quality-pinch-zoom", false);
pref("image.avif.apply_transforms", true);
pref("javascript.options.external_thread_pool", true);
pref("javascript.options.site_based_pretenuring", true);
pref("layout.css.d-property.enabled", false);
pref("layout.css.element-content-none.enabled", false);
pref("layout.css.fit-content-function.enabled", false);
pref("layout.css.font-size-adjust.basis.enabled", false);
pref("network.dns.copy_string_before_call", true);
pref("network.dns.force_waiting_https_rr", false);
pref("network.proxy.default_pac_script_socks_version", 4);
pref("network.trr.default_provider_uri", "https://mozilla.cloudflare-dns.com/dns-query");
pref("network.trr.skip-check-for-blocked-host", false);
pref("remote.active-protocols", 2);
pref("remote.prefs.recommended", true);
pref("screenshots.browser.component.enabled", false);
pref("signon.improvedPasswordRules.enabled", true);
pref("signon.usernameOnlyForm.enabled", false);
pref("widget.gtk.follow-firefox-theme", true);

==REMOVED or HIDDEN

pref("browser.enableAboutThirdParty", false);
pref("browser.messaging-system.personalized-cfr.scores", "{}");
pref("browser.messaging-system.personalized-cfr.score-threshold", 5000);
pref("browser.proton.contextmenus.enabled", true);
pref("browser.proton.doorhangers.enabled", true);
pref("browser.proton.modals.enabled", true);
pref("browser.tabs.remote.useOriginAttributesInRemoteType", true);
pref("doh-rollout.provider-steering.enabled", true);
pref("doh-rollout.provider-steering.provider-list", "[{ \"name\": \"comcast\", \"canonicalName\": \"doh-discovery.xfinity.com\", \"uri\": \"https://doh.xfinity.com/dns-query\" }]");
pref("doh-rollout.trr-selection.enabled", false);
pref("dom.select_events.enabled", true);
pref("dom.serviceWorkers.parent_intercept", true);
pref("extensions.allowPrivateBrowsingByDefault", false);
pref("extensions.blocklist.useMLBF", true);
pref("extensions.blocklist.useMLBF.stashes", true);
pref("general.smoothScroll.mouseWheel.migrationPercent", 100);
pref("intl.charset.detector.ng.in.enabled", true);
pref("intl.charset.detector.ng.jp.enabled", true);
pref("intl.charset.detector.ng.lk.enabled", true);
pref("layout.css.moz-outline-radius.enabled", false);
pref("layout.css.outline-follows-border-radius.enabled", true);
pref("marionette.prefs.recommended", true);
pref("network.trr.resolvers", "[{ \"name\": \"Cloudflare\", \"url\": \"https://mozilla.cloudflare-dns.com/dns-query\" },{ \"name\": \"NextDNS\", \"url\": \"https://firefox.dns.nextdns.io/\" }]");
pref("security.caps.allow_uri_is_ui_resource_in_checkloaduriflags", false);
pref("security.cert_pinning.hpkp.enabled", false);
pref("security.cert_pinning.max_max_age_seconds", 5184000);
pref("security.cert_pinning.process_headers_from_non_builtin_roots", false);
pref("services.blocklist.addons-mlbf.collection", "addons-bloomfilters");
pref("services.blocklist.addons-mlbf.signer", "remote-settings.content-signature.mozilla.org");
pref("services.sync.prefs.sync.browser.urlbar.resultBuckets", true);
pref("widget.system-colors-follow-theme", false);

==CHANGED

pref("browser.newtabpage.activity-stream.feeds.section.topstories.options", "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_icon\":\"chrome://global/skin/icons/pocket.svg\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off\",\"stories_referrer\":\"https://getpocket.com/recommendations\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false}"); // prev: "{\"api_key_pref\":\"extensions.pocket.oAuthConsumerKey\",\"hidden\":true,\"provider_icon\":\"pocket\",\"provider_name\":\"Pocket\",\"read_more_endpoint\":\"https://getpocket.com/explore/trending?src=fx_new_tab\",\"stories_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off\",\"stories_referrer\":\"https://getpocket.com/recommendations\",\"topics_endpoint\":\"https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_lang=en-US\",\"show_spocs\":false}"
pref("browser.startup.preXulSkeletonUI", true); // prev: false
pref("dom.input_events.strict_input_vsync_alignment", true); // prev: false
pref("dom.security.https_first_pbm", true); // prev: false
pref("dom.visualviewport.enabled", true); // prev: false
pref("dom.w3c_pointer_events.implicit_capture", true); // prev: false
pref("dom.w3c_pointer_events.scroll_by_pen.enabled", true); // prev: false
pref("fission.bfcacheInParent", true); // prev: false
pref("gfx.webrender.software.unaccelerated-widget.allow", true); // prev: false
pref("layout.extra-tick.minimum-ms", 4); // prev: -1
pref("network.trr.uri", ""); // prev: "https://mozilla.cloudflare-dns.com/dns-query"
pref("places.forgetThisSite.clearByBaseDomain", true); // prev: false
pref("widget.gtk.alt-theme.dark", true); // prev: false
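
One way to produce a NEW / REMOVED / CHANGED listing like the one above and check a user.js against it, as an added example that is not part of the issue or of arkenfox's own tooling. The function names, the `FF90`/`FF91` inputs (a few pref lines taken from this listing) and the `USER_JS` overrides are constructed for illustration, and the parser assumes one `pref(...)` per line with no `/* */` block comments.

```javascript
// Added example: diff two default-pref dumps and flag affected user.js overrides.
const PREF_RE =
  /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/;

// Map pref name -> value literal exactly as written, so "2" and 2 stay distinct.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split("\n")) {
    const m = PREF_RE.exec(line); // lines starting with // do not match
    if (m) prefs.set(m[1], m[2]);
  }
  return prefs;
}

function diffPrefs(oldText, newText) {
  const oldP = parsePrefs(oldText), newP = parsePrefs(newText);
  const out = { added: [], removed: [], changed: [] };
  for (const [name, value] of newP) {
    if (!oldP.has(name)) out.added.push({ name, value });
    else if (oldP.get(name) !== value)
      out.changed.push({ name, value, prev: oldP.get(name) });
  }
  for (const [name, value] of oldP)
    if (!newP.has(name)) out.removed.push({ name, value });
  return out;
}

// Render one entry in the style used in this issue.
const fmt = (e) =>
  `pref("${e.name}", ${e.value});` + (e.prev !== undefined ? ` // prev: ${e.prev}` : "");

// Overrides that target a removed pref (stale) or a pref whose default moved (recheck).
function reviewOverrides(userJs, diff) {
  const mine = parsePrefs(userJs);
  const hit = (list) => list.map((e) => e.name).filter((n) => mine.has(n));
  return { stale: hit(diff.removed), recheck: hit(diff.changed) };
}

// Constructed inputs.
const FF90 = `pref("dom.security.https_first_pbm", false);
pref("extensions.blocklist.useMLBF", true);
pref("layout.extra-tick.minimum-ms", -1);
pref("network.trr.uri", "https://mozilla.cloudflare-dns.com/dns-query");`;
const FF91 = `pref("dom.security.https_first_pbm", true);
pref("layout.extra-tick.minimum-ms", 4);
pref("network.trr.default_provider_uri", "https://mozilla.cloudflare-dns.com/dns-query");
pref("network.trr.uri", "");`;
const USER_JS = `// user_pref("dom.security.https_first_pbm", true);
user_pref("extensions.blocklist.useMLBF", true);
user_pref("network.trr.uri", "https://dns.example/dns-query");`;

const diff = diffPrefs(FF90, FF91);
console.log(diff.changed.map(fmt).join("\n"), reviewOverrides(USER_JS, diff));
```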

@earthlng
Contributor Author

some bugzilla tickets

  • apz.doubletapzoom.defaultzoomin
    Bug 1713589. If double tap zoom can't find a rect to zoom in to and we are zoomed out then zoom in some small default amount.

  • browser.display.windows.non_native_menus
    Bug 1714357 - Use a nicer media query for proton context menus.

  • browser.enableAboutThirdParty
    Bug 1713855 - Part1: Remove the Third-Party Modules section from about:support.
    Bug 1669036 - Part10: Add a new section "Third-Party Modules" to about:support

  • browser.messaging-system.personalized-cfr.scores
    Bug 1695764 - Remove code related to CFR ML Experiment

  • browser.messaging-system.personalized-cfr.score-threshold
    Bug 1695764 - Remove code related to CFR ML Experiment

  • browser.places.interactions.typing_timeout_ms
    Bug 1716606 - Replace keyup handling of history metadata typing metrics with C++ implementation

  • browser.proton.contextmenus.enabled
    Bug 1714357 - Use a nicer media query for proton context menus.

  • browser.proton.doorhangers.enabled
    Bug 1714352 - Remove browser.proton.doorhangers.enabled pref

  • browser.proton.modals.enabled
    Bug 1714349 - Remove browser.proton.modals.enabled pref

  • browser.shell.setDefaultBrowserUserChoice
    Bug 1703578 - Part 3: Invoke WDBA to set UserChoice.

  • browser.startup.preXulSkeletonUI
    Bug 1705470 - Flip pref for skeleton UI to ride the trains to release
    Bug 1680258 - Enable skeleton UI on nightly

  • browser.tabs.remote.useOriginAttributesInRemoteType
    WIP: Bug 1713713 - Remove pref that decides if OriginAttributes should be used in a remote type
    Bug 1695037 - Enable the consideration of OriginAttributes when selecting processes,
    Bug 1630908 - Part 1: Pass OriginAttributes to be included with remote type,

  • doh-rollout.provider-steering.enabled
    Bug 1714486 - [DoH] Allow pref values to override Remote Settings.
    Bug 1704158 - [DoH] Turn on provider steering by default.

  • doh-rollout.provider-steering.provider-list
    Bug 1714486 - [DoH] Allow pref values to override Remote Settings.

  • doh-rollout.trr-selection.enabled
    Bug 1714486 - [DoH] Allow pref values to override Remote Settings.

  • dom.events.coalesce.touchmove
    Bug 1712825 - Allow coalescing touchmove events in BrowserChild

  • dom.input_events.strict_input_vsync_alignment
    Bug 1714467 - Enable dom.input_events.strict_input_vsync_alignment in all channels
    Bug 1706794 - Enable dom.input_events.strict_input_vsync_alignment in Nightly again

  • dom.ipc.processPrelaunch.lowmem_mb
    Bug 1717122: Reduce preallocated processes for low-memory machines

  • dom.script_loader.full_parse
    Bug 1717642 - Add a pref to force full parse for OMT compiled JS scripts from the ScriptLoader.

  • dom.security.https_first_pbm
    Bug 1716991: Enable HTTPS-First Mode in PBM Mode

  • dom.security.https_only_fire_http_request_background_timer_ms
    Bug 1717797: HTTPS-First and HTTPS-Only: Convert static 3000ms background request delay to rely on a pref

  • dom.select_events.enabled
    Bug 1717552 - Remove dom.select_events.enabled

  • dom.serviceWorkers.mitigations.bypass_on_fault
    Bug 1503072 - Add mitigation to bypass SW on navigation fault.

  • dom.serviceWorkers.mitigations.navigation_fault_threshold
    Bug 1720410 - Unregister SW when reach navigation fault threshold.

  • dom.serviceWorkers.navigationPreload.enabled
    Bug 1564235 - P1 Pref for serviceworker.navigationPreload API.

  • dom.serviceWorkers.parent_intercept
    Bug 1496997 - Remove dom.serviceWorkers.parent_intercept pref

  • dom.visualviewport.enabled
    Bug 1551302. Enable visual viewport on desktop platforms.

  • dom.w3c_pointer_events.implicit_capture
    Bug 1669729 - Ship implicit pointer capture for touch;

  • dom.w3c_pointer_events.scroll_by_pen.enabled
    Bug 1707080 - Enable dispatch_by_pointer_messages on Nightly

  • dom.window.clientinformation.enabled
    Bug 1717072 - Add window.clientInformation

  • dom.window.sidebar.enabled
    Bug 1717612 - Disable window.sidebar from early-beta-or-earlier

  • extensions.allowPrivateBrowsingByDefault
    Bug 1661517 - Removed extensions.allowPrivateBrowsingByDefault preference.

  • extensions.blocklist.useMLBF
    Bug 1706391 - Disable blocklist v2 by default
    Bug 1706391 - Remove blocklist.useMLBF.stashes=false option

  • extensions.blocklist.useMLBF.stashes
    Bug 1706391 - Remove blocklist.useMLBF.stashes=false option

  • extensions.webidl-api.expose_mock_interface
    Bug 1682632 - part2.7: ExtensionMockAPI.

  • fission.bfcacheInParent
    Bug 1715300 - Enable BFCache in parent.
    Bug 1715300 - Disable BFCache in the parent on GeckoView.

  • general.smoothScroll.mouseWheel.migrationPercent
    Bug 1713485 - Remove unused migrationPercent pref.

  • gfx.webrender.low-quality-pinch-zoom
    Bug 1717117: Enable low-quality-pinch-zoom pref on Android Nightly.
    Bug 1715935 - Add experimental low quality pinch-zoom mode.

  • gfx.webrender.software.unaccelerated-widget.allow
    Bug 1715138 - Ship Software WebRender popups to release.

  • image.avif.apply_transforms
    Bug 1696093 - AVIF image transform support.

  • intl.charset.detector.ng.in.enabled
    Bug 1713627 - Remove code obsoleted by the replacing the Text Encoding menu with one item.
    Bug 1706864 - Enable chardetng for .in and .lk TLDs.

  • intl.charset.detector.ng.jp.enabled
    Bug 1713627 - Remove code obsoleted by the replacing the Text Encoding menu with one item.
    Bug 1711476 - Enable chardetng for the .jp TLD.
    Bug 1706864 - Enable chardetng for .in and .lk TLDs.

  • intl.charset.detector.ng.lk.enabled
    Bug 1713627 - Remove code obsoleted by the replacing the Text Encoding menu with one item.
    Bug 1706864 - Enable chardetng for .in and .lk TLDs.

  • javascript.options.external_thread_pool
    Bug 1715562 - Turn on use of external thread pool for JS helper tasks
    Bug 1713335 - Add a pref to control use of XPCOM thread pool, default off

  • javascript.options.site_based_pretenuring
    Bug 1715759 - Add a pref to control allocation site based pretrening

  • layout.css.d-property.enabled
    Bug 1340422 - Part 11: Enable pref on nightly.
    Bug 1340422 - Part 1: Add SVG d property in CSS.

  • layout.css.element-content-none.enabled
    Bug 1719239 - Disable support for content:none on elements due to webcompat issues.
    Bug 1699964 - [css-content] Implement 'content: none' for elements.

  • layout.css.fit-content-function.enabled
    Bug 1312588 - Part 1: Add pref for fit-content().

  • layout.css.font-size-adjust.basis.enabled
    Bug 1711479 - Implement CSS support for the optional adjustment-basis metric keywords for the font-size-adjust property (enabled on Nightly only for now).

  • layout.css.moz-outline-radius.enabled
    Bug 1715984 - Remove -moz-outline-radius.

  • layout.css.outline-follows-border-radius.enabled
    Bug 1715984 - Remove -moz-outline-radius.

  • layout.extra-tick.minimum-ms
    Bug 1717162 - Allow extra tick mode to ride the trains.
    Bug 1708325 - Allow doing an extra refresh driver tick for user input events.

  • marionette.prefs.recommended
    Bug 1719667 - [remote] Do not set recommended preferences when not wanted
    Bug 1695031 - Combine build flags --disable-marionette and --enable-cdp as --disable-webdriver.

  • network.dns.copy_string_before_call
    Bug 1696138 - Make a copy of the host before calling getaddrinfo

  • network.dns.force_waiting_https_rr
    Bug 1714506 - Force a transaction to wait for HTTPS RR,

  • network.http.windows-sso.enabled
    Bug 1719301 - Remove version number from Windows SSO pref and policy.

  • network.proxy.default_pac_script_socks_version
    Bug 1700857 - Add a pref to allow a user to use SOCKS5,

  • network.proxy.failover_direct
    Bug 1720221 proxy failover to direct for system requests

  • network.trr.default_provider_uri
    Bug 1713036 - Use Remote Settings config in DoH preferences UI.

  • network.trr.skip-check-for-blocked-host
    Bug 1700405 - Make it possible to skip the NS check when a host is added into blocked list,

  • places.forgetThisSite.clearByBaseDomain
    Bug 1717602 - Enable places.forgetThisSite.clearByBaseDomain for all channels.
    Bug 1705028 - Update places forget-this-site to clear storage by base domain.

  • remote.active-protocols
    Bug 1712902 - [remote] Conditionally enable WebDriver Bidi on Nightly channel only.
    Bug 1693993 - [marionette] Move Marionette server code to /remote/marionette.

  • remote.prefs.recommended
    Bug 1719667 - [remote] Do not set recommended preferences when not wanted

  • screenshots.browser.component.enabled
    Bug 1715838 - Creates preference for new screenshot components.

  • security.caps.allow_uri_is_ui_resource_in_checkloaduriflags
    Bug 1654488: Remove pref in CheckLoadURIWIthFlags which allows all UI resources to load

  • services.blocklist.addons-mlbf.collection
    Bug 1706391 - Remove unnecessary RemoteSetting+blocklist prefs

  • services.blocklist.addons-mlbf.signer
    Bug 1706391 - Remove unnecessary RemoteSetting+blocklist prefs

  • services.sync.prefs.sync.browser.urlbar.resultBuckets
    Bug 1715484 - Stop syncing browser.urlbar.resultBuckets and rename the pref.
    Bug 1676469 - Convert matchBuckets to a granular list of result groups and rewrite the muxer to use it.

  • signon.improvedPasswordRules.enabled
    Bug 1686071 - Add 'improved password rules' pref.

  • signon.usernameOnlyForm.enabled
    Bug 1721971 - Disable multi-page login forms support on release channel
    Bug 1708455 - P10. Add signon.usernameOnlyForm.enabled preference

  • widget.gtk.alt-theme.dark
    Bug 1709295 - Keep dark system color extraction behind a pref for now.

  • widget.gtk.follow-firefox-theme
    Bug 1707872 - Make GTK theme follow the firefox theme globally.

  • widget.system-colors-follow-theme
    Bug 1715145 - Rename widget.macos.respect-system-appearance to widget.macos.support-dark-appearance, and make the Firefox theme affect all windows if the pref is true.
    Bug 1707957 - Extract both light and dark system colors in GTK.

@Jee-Hex

Jee-Hex commented Aug 11, 2021

Should we follow TBB in flipping network.proxy.failover_direct to false?

@Thorin-Oakenpants
Contributor

IDK, are we using the Tor protocol?

@Thorin-Oakenpants
Contributor

Thorin-Oakenpants commented Aug 26, 2021

FYI: removed

/* 1223: enable strict pinning
 * PKP (Public Key Pinning) 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict
 * [SETUP-WEB] If you rely on an AV (antivirus) to protect your web browsing
 * by inspecting ALL your web traffic, then leave at current default=1
 * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16206 ***/
user_pref("security.cert_pinning.enforcement_level", 2);

IDK what it all means

edit:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Public_Key_Pinning

From version 72: this feature is behind security.cert_pinning.hpkp.enabled

@fxbrit

Knock yourselves out guys - https://searchfox.org/mozilla-central/search?q=pinning.enforcement&path=&case=false&regexp=false

  • is 1223 not used in FF91+?
  • was 1223 not used prior to FF72 because we never set security.cert_pinning.hpkp.enabled = true?

@Thorin-Oakenpants
Contributor

Just need someone to help with what to do with 1223, and I'm ready to release v91

@earthlng
Contributor Author

IMO network.proxy.failover_direct is worth considering. It's not just about Tor but any proxy. If someone uses a proxy, they most likely don't want that to be bypassed.
