Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

reminder: revisit proxy direct failover #1251

Closed
Thorin-Oakenpants opened this issue Sep 7, 2021 · 15 comments
Closed

reminder: revisit proxy direct failover #1251

Thorin-Oakenpants opened this issue Sep 7, 2021 · 15 comments
Labels
enhancement

Comments

@Thorin-Oakenpants
Copy link
Contributor

Thorin-Oakenpants commented Sep 7, 2021
edited
Loading

so my thinking is, we should make this inactive, and add a setup tag, something along the lines of

  • if you use a proxy, and you trust your extensions...

As default true, this is actually a security measure, against malicious addons. Security trumps possible proxy leaks. Now this is only for system principal proxy leaks, and Tor Browser can't afford that. And TB users shouldn't be installing addons. Firefox doesn't have that restriction

Most users, I assume, aren't using a proxy, and the pref only makes sense at false if you do. Inactive is the best fit, especially given the security aspect.

eg

/* 0706: disable proxy direct failover for system requests [FF91+]
 * [WARNING] Default true is a security feature against malicious extensions
 * [SETUP-CHROME] If you use a proxy and you trust your extensions ***/
   // user_pref("network.proxy.failover_direct", false);

edit: 044e3e7
@Thorin-Oakenpants
Copy link
Contributor Author

obligatory link #1247 to previous discussion

@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Oct 11, 2021
Closed
@Thorin-Oakenpants
Copy link
Contributor Author

Thorin-Oakenpants commented Oct 25, 2021
edited
Loading

reopening

We have

/* 0307: disable System Add-on updates ***/
user_pref("extensions.systemAddon.update.enabled", false); // [FF62+]
user_pref("extensions.systemAddon.update.url", ""); // [FF44+]

Here is my Nightly (installed) and my arkenfoxed Stable (portable)

  • Beta is installed as well and has it
  • I update portable via the app update, not by reinstalling over the top
    ProxyFailover

I have flipped those two prefs in my stable arkenfox to see if I get the system addon

Update: that's works
sysadd

@Jee-Hex
Copy link

Jee-Hex commented Oct 26, 2021

Addon is included in the installer from 95.0a1 BuildID 20211015095004 and 94.0b8 onward so theoretically all users should receive it by FF94 (and FF91.3.0esr?) anyway.

@Thorin-Oakenpants
Copy link
Contributor Author

but that's the installer ,right? what about the updater?

@g-2-s
Copy link

g-2-s commented Oct 26, 2021
edited
Loading

If I'm using a Socks5 proxy in Firefox do I want

user_pref("network.proxy.failover_direct", false);
user_pref("extensions.systemAddon.update.enabled", false);
user_pref("extensions.systemAddon.update.url", "");

in my user-overrides.js? Or is it just the first pref the relevant one here?

@Thorin-Oakenpants
Copy link
Contributor Author

Thorin-Oakenpants commented Oct 26, 2021
edited
Loading

Just the first pref, IMO - to ensure no "system" requests bypass your proxy - "system" here meaning system principal, not "system" addon

There is no need to stop system addons being updated IMO, which is why I put them in the 7000s don't bother section with a big fat [WHY]. And since it can (and has) been used to push security features, well, security trumps anything else - and in this case, the perceived issue is/was the possibility that Mozilla could push "experiments" - using quotes because it's not experiments as per the normal "studies" 0340 - an example would perhaps be the DoH rollout xpi. And sure, they can get telemetry, but there's nothing wrong with that - they make sure not to collect any PII, it's just things like errors and hit rates etc), plus I believe everything must respect the master telemetry switch. And they all basically come with pref on/off switches. So I don't really see any issue TBH.

Some people like to remove all those system addon xpi's, and you do get them back on updates from memory, and allowing them to update means they will come back every day you open Firefox. But there's no need, just disable the relevant system addons using prefs, and/or the system addon isn't a privacy issue (like compat).

The other thing that some people like is make Firefox have as few unsolicited outbound connections - which is a bit silly. You need them to check for updates: apps, certs/crlite, revocations, blocklists, safebrowsing local data, and so on - but we do nix a few where appropriate, just not security related ones. The mantra that any such connection not explicitly asked for by the user is a privacy issue and part of the femto jewish botnet is just nuts (hi 4chan 👋 )

@GlassGruber
Copy link

GlassGruber commented Oct 27, 2021
edited
Loading

Interesting, should ba92918 be back ported to 91 for ESR?

@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Oct 27, 2021
Closed
@Thorin-Oakenpants
Copy link
Contributor Author

Thorin-Oakenpants commented Oct 27, 2021
edited
Loading

https://github.com/arkenfox/user.js/releases/tag/91.1 - Hope I didn't fuck anything up

edit: PS deleted the v91 release

Edit: If anyone wants to check my immaculate work - here is the v91-91.1 diffs - @rusty-snake

Edit: I forgot the updater.sh changes, sorry, not sorry

@GlassGruber
Copy link

LGTM, you have also cleaned up Github releases so I guess people can't find easily the old release.

Possibly a nitpick would be to name the release something like 91.0-patch? Just to avoid possible confusion with Firefox version 91.1. I'm not very familiar with Github releases and maybe it's not worth the hassle. Also the release description is clear enough, but beware the howling RTFM wereuser... 😝

@Thorin-Oakenpants
Copy link
Contributor Author

there's no broken links, I changed a few links for diffs to use v91.1 instead of v91, but hey look, not broken - 91.0...92.0 - so I stopped

i just removed the old v91 so new arkenfox ESR users will get the only version that matters

Well it's not a patch per say, it the whole kit and caboodle, I would call it a hotfix if anything, but that's what the .1 signifies anyway

@GlassGruber
Copy link

Ofc, my point is mostly that your versions follows similar to Firefox and maybe, that could create confusion in a user, typical example: "can this work with ESR 91.$lastver?" (but could totally be asked anyway no matter the version scheme used!)

Ever considered using semver ?

there's no broken links, I changed a few links for diffs to use v91.1 instead of v91, but hey look, not broken - 91.0...92.0 - so I stopped

GJ hunting them pesky links!

@rusty-snake
Copy link
Contributor

Regarding version: I had probably choose 91-1, ie {FIREFOX-RELEASE}-{ARKENFOX-RELEASE}, like distros do it with packages {UPSTREAM-RELEASE}-{DOWNSTREAM-RELEASE}.

@Thorin-Oakenpants
Copy link
Contributor Author

I couldn't change the tag (well, I could do another release, but I can't be fucked), but I did change the title to use 91-1 and edited the description

@GlassGruber
Copy link

IIRC tags can only be deleted and created, so yea you should delete the tag and recreate it to rename it, I don't know how it works with Github releases, but is totally fine IMO right now. 👍

@Jee-Hex
Copy link

Jee-Hex commented Oct 27, 2021

but that's the installer ,right? what about the updater?

If you extract the MAR you can spot the add-on under browser/features/proxy-failover@mozilla.org.xpi so I'd say yes.

@Thorin-Oakenpants Thorin-Oakenpants mentioned this issue Nov 23, 2021
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement
Milestone
No milestone
Development

No branches or pull requests
5 participants
@GlassGruber @Thorin-Oakenpants @rusty-snake @g-2-s @Jee-Hex