changelog: v92, v93

[Thorin-Oakenpants]

changelog: v92, v93

• date: 11-October-2021
• foreword: These are all the changes since the last changelog (v91).

FF92 release notes
FF92 for developers
FF92 security advisories

FF93 release notes
FF93 for developers
FF93 security advisories

---

CHANGELOG

• [all changes 91-92]
• [all changes 92-93]
• links to bugzilla tickets and default pref changes in Firefox are in our ToDo diffs issues
  • ToDo: diffs FF91-FF92 issue
  • ToDo: diffs FF92-FF93 issue
• for all the rest see the full list of pref changes below

⭐ your friendly reminder to run prefsCleaner

---

OTHER NEWS

• @practik added some missing [SETTING] tags in missing [SETTING] tags #1260 and 8404e8a 🍰
• @a1346054 made improvements to prefsCleaner and tidied up some files in Simple maintenance improvements #1255 and prefsCleaner.sh: Fix invalid regular expression #1258 🍺
  • and thanks @Xathros1 tested and picked up a bug 🍕

---

ALL CHANGES

• new in user.js v92
  • see firefox suggest #1257

user_pref("browser.urlbar.suggest.quicksuggest", false);
user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);

• made active in user.js v92
  • see reminder: revisit proxy direct failover #1251

   // user_pref("network.proxy.failover_direct", false);

• moved to 9999: DEPRECATED / REMOVED in user.js v93

   // user_pref("security.ssl3.rsa_des_ede3_sha", false);

---

STATS

 STATS v92/v93: up to and including section 4500, minus the parrots
 =========
    total: 233
 inactive:  49
           ---
   active: 184
  default:  13 (at least)
      n/a:   2 (of the three prefs in 0204, only one will apply)
           ---
  flipped: 169 (at most)

ALL HAIL PANTS

[rusty-snake]

https://github.com/arkenfox/user.js/wiki/4.1-Extensions

-* Neat URL
-   * [outdated](https://github.com/Smile4ever/Neat-URL) and covered by ClearURLs and uBlock Origin's `AdGuard URL Tracking Protection`
+* Neat URL, ClearURLs
+   * redundant with uBlock Origin's `removeparam`

ClearURLs is only redundant with uBlock Origin's removeparam and Skip Redirect (or Request Control rules).

import Actually Legitimate URL Shortener Tool

Nice. I think I can minimize my list.

[Thorin-Oakenpants]

I was just about to mention this. @fxbrit and I have have been talking about it recently

@DandelionSprout see https://github.com/arkenfox/user.js/wiki/4.1-Extensions#small_orange_diamond-extensions-in-no-particular-order and 👍 on your list

---

I actually compared Neat URLs and removed it from the list of extensions a while ago: everything was already covered by AdBlock's list. Neat URLs was stagnant and had limited rules

I didn't do a full check, but looking at https://github.com/ClearURLs/Rules/blob/master/data.json https://github.com/ClearURLs/Rules/blob/master/data.min.json, the global ones should be covered already (these are well known), and personally, I'm not going to get any mileage out of almost all the per-site ones, but of course any list needs to be universal - I suspect most if not all of these are already covered by the two lists mentioned

As for the rest of ClearURLs

• hyperlink auditing is already covered by prefs
• history API is not a thing - it is scoped per eTLD+1 edit: I need to rephrase this
• eTAGs is not a threat with network partitioning/FPI
  • in-session: you can use TC or one off PB mode windows
  • otherwise the way to get a new identity is from sanitizing on close, new session, and don't forget to change your IP - like Tor Browser

[g-2-s]

^ Fantastic, that's 1 extension less! Now, is there a way to manage cross-origin referers within Firefox itself so I can get rid of Smart Referer as well? Actually can't uB0 control referers as well? uM used to have the option if I remember right.

[rusty-snake]

If you do not need exceptions, the user.js does it already for you

user.js/user.js

Lines 606 to 612 in 85438d0

	/* 1601: control when to send a cross-origin referer
	* 0=always (default), 1=only if base domains match, 2=only if hosts match
	* [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud, instagram ***/
	user_pref("network.http.referer.XOriginPolicy", 2);
	/* 1602: control the amount of cross-origin information to send [FF52+]
	* 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
	user_pref("network.http.referer.XOriginTrimmingPolicy", 2);

And if you use a hardened TC, SR is already redundant.

[crssi]

@rusty-snake What does SR stands for? Smart Referer?

Thank you

[rusty-snake]

Jup

[crssi]

Thank you 😄

Do you think that in that case (TC hardened) the Skip Redirect would also fall into redundant category?

Cheers

[rusty-snake]

No, the reason why hardened TC makes referer, window.opener and window.name extensions redundant is that it effectively does "copy url, open new tab, paste url" on XOrigin links.

[gwarser]

@Thorin-Oakenpants please don't even suggest importing this list (ClearURLs). It's obviously in wrong format (JSON).

[rusty-snake]

ClearURLs to µBlock origin converter

[crssi]

That is so cool @rusty-snake 😄
Where you will publish the "filter" file for uBO and how often will be updated?

Cheers

[gwarser]

@rusty-snake interestingly it causes interstitial redirection warning after clicking link in google alert digest in gmail. These two filters:

*$removeparam=sa,domain=google.*
*$removeparam=usg,domain=google.*

ClearURLs does not trigger it.

---

And comma must be escaped?

Probably something worth creating improvements issue.

[rusty-snake]

@crssi Currently I'm not planing to publish it anywhere (and will delete the gist sooner or later). But if anyone uses it as a start, fixes the last bugs, implements exceptions and sets up a github actions which periodically (e.g. weekly) runs it ...

@gwarser Probably because I did not implemented exceptions (and referralMarketing is missing to)

And comma must be escaped?

According to the adguard docs, you must escape ,, $ and /. Anyway I couldn't find a way to make it work.

[rusty-snake]

Probably something worth creating improvements issue.

What I found so far

1. /regex/$removeparam=/regex/ does not work. Workaround: append ,all
2. | is highlighted in regexps – Improve/refine syntax highlighter uBlockOrigin/uBlock-issues#1134 (comment)
3. [a-z]{1,3} does not work and I could not find a way to make it work (e.g. \,) – Implement $queryprune parameter uBlockOrigin/uBlock-issues#760 (comment)
4. Matching literal $ is also difficult (I need to check if you can use %24 or \x24 does not work)

[gitthehubs]

^ Fantastic, that's 1 extension less! Now, is there a way to manage cross-origin referers within Firefox itself so I can get rid of Smart Referer as well? Actually can't uB0 control referers as well? uM used to have the option if I remember right.

Technically you can use the removeparam modifier to remove the referrer in the url. If you enable 'AdGuard URL Tracking Protection' in uBO and open the list you will see that some referrers are already removed in some cases. You can globally remove the referrer in all urls if you want, but that will probably break some sites and you will need to exclude those sites again from removing the referrer, as done with Smart Referrer.

I am just a beginner with the syntaxx, so the following example may be incorrect (and maybe someone can correct it if so).

$removeparam=referrer
@@||exludedsite.org^$removeparam=referrer

Source: AdGuard's removeparam's documentation
https://kb.adguard.com/en/general/how-to-create-your-own-ad-filters?aid=16593#removeparam-modifier

[rusty-snake]

@gitthehubs this does not make Smart Referrer/network.http.referer.XOriginPolicy redundant. The HTTP-Referer is a HTTP-Header and not part of the query-string of an URL.

$removeparam=referrer
@@||exludedsite.org^$removeparam=referrer

Alternative syntax: $removeparam=referrer,domain=~example1.com|example2.com

referrer

You also need to cover referer

$removeparam=referrer

This may break CSRF protection on some sites. Anyway it should only cause denies.

[gitthehubs]

@rusty-snake ooww.. I forgot about that difference, thanks for your explanation!

[gwarser]

According to the adguard docs, you must escape ,, $ and /. Anyway I couldn't find a way to make it work.

\x2C should work. Maybe backslash escape will be implemented in future uBlockOrigin/uBlock-issues#760 (comment)

I also noticed there are two filters which look very similar, like duplicates:

$removeparam=/^__mk_[a-z]{1\,3}_[a-z]{1\,3}=/,domain=amazon.*
||amazon./s?$removeparam=/^__mk_[a-z]{1,3}_[a-z]{1,3}=/

? And second one does not have commas escaped at all.

[Thorin-Oakenpants]

speaking of uBlock Origin .. how you guys doing?

[rusty-snake]

https://codeberg.org/rusty-snake/firefox-config/src/branch/main/assets/uBlockOrigin:My_rules.txt
https://codeberg.org/rusty-snake/firefox-config/src/branch/main/assets/uBlockOrigin:My_filters.txt

[Thorin-Oakenpants]

I meant the 10M mark :) 🎉

As for settings, I don't really see the point anymore in blocking downloadable fonts (I used to)

[rusty-snake]

I too often reset my profile because of debugging or reinstalling to get high numbers 😢.

[Thorin-Oakenpants]

I think mine was last installed when legacy web extensions were deprecated, so about FF57. For a long time, uBO was pretty much relaxed, and most blocking was at uMatrix level. I think it used to chug along at 15%.

I only have one regular site that spikes figures - arstechnica repeatedly tries to load something uBO blocks, and I get about a thousand "blocks" a minute

The overall count doesn't really mean anything ... I just wanted an excuse to celebrate drunk and naked :)

[Thorin-Oakenpants]

I too often reset my profile because of debugging or reinstalling to get high numbers 😢.

That's what test profiles/browsers are for :)

stroke me gently to make me grow

[ghost]

@Thorin-Oakenpants , How did you install all those Profiles ?

[rusty-snake]

That's what test profiles/browsers are for :)

Actually I have test browser, now I just need to start using them 😇

---

@Loki-L1130 Firefox Portable

[ghost]

@rusty-snake , I got it. I know about the Portable Version but forget about it.

[gwarser]

Official tar's can also be used:

[rdk@on Apps]$ grep '^Exec' *.desktop
Firefox-beta.desktop:Exec[$e]=GTK_USE_PORTAL=1 $HOME/Apps/firefox-beta/firefox -P "beta-test"
Firefox-beta-tmp.desktop:Exec[$e]=mkdir -p /tmp/beta && GTK_USE_PORTAL=1 $HOME/Apps/firefox-beta/firefox -profile /tmp/beta
Firefox-esr.desktop:Exec[$e]=GTK_USE_PORTAL=1 $HOME/Apps/firefox-esr/firefox -P "esr-test"
Firefox-esr-tmp.desktop:Exec[$e]=mkdir -p /tmp/esr && GTK_USE_PORTAL=1 $HOME/Apps/firefox-esr/firefox -jsconsole -profile /tmp/esr
Firefox-mobile.desktop:Exec=GTK_USE_PORTAL=1 /usr/lib/firefox/firefox -P "mobile"
Firefox-nightly-test.desktop:Exec=MOZ_USE_XINPUT2=0 GTK_USE_PORTAL=1 /home/rdk/Apps/firefox-nightly/firefox -P "nightly-test"
Firefox-nightly-test-tmp.desktop:Exec[$e]=mkdir -p /tmp/nightly && GTK_USE_PORTAL=1 $HOME/Apps/firefox-nightly/firefox -profile /tmp/nightly
Firefox-stable.desktop:Exec=LC_ALL=pl GTK_USE_PORTAL=1 /usr/lib/firefox/firefox -P "stable-test"
Firefox-stable-tmp.desktop:Exec[$e]=mkdir -p /tmp/stable && GTK_USE_PORTAL=1 /usr/lib/firefox/firefox -profile /tmp/stable
Waterfox-classic.desktop:Exec[$e]=GTK_USE_PORTAL=1 $HOME/Apps/waterfox-classic/waterfox -P "waterfox-classic"
Waterfox-classic-tmp.desktop:Exec[$e]=mkdir -p /tmp/waterfox-classic && GTK_USE_PORTAL=1 $HOME/Apps/waterfox-classic/waterfox -profile /tmp/waterfox-classic -jsconsole
Waterfox-current.desktop:Exec[$e]=GTK_USE_PORTAL=1 $HOME/Apps/waterfox/waterfox -P "waterfox"
Waterfox-current-tmp.desktop:Exec[$e]=mkdir -p /tmp/waterfox && GTK_USE_PORTAL=1 $HOME/Apps/waterfox/waterfox -profile /tmp/waterfox -jsconsole
[rdk@on Apps]$ 

(this may not be safe for daily usage, some security features may not work because files can be modified by current user)

Ups...

:) popupPanelDisabledSections 1

[practik]

how you guys doing?

I'm at 2.725M (12%), also since FF 50-something, so … not blocking hard enough, I guess? I'm in what gorhill calls medium mode – just blocking 3rd-party frames and scripts but not passive resources. Would be interesting to get some more people's numbers to compare.

[gwarser]

You are worrying about this "12%"? It may be because when you are blocking more by dynamic filtering then some content does not have chance to load and issue more request, so less is reported as blocked.

[rusty-snake]

That's, and the sites you use.

As :pants: said she has one site that does a lot, I know that MS-Teams produces around 2 block per minute IIRC. But if you only/mustly use privacy friendly sites ...

[Thorin-Oakenpants]

ALL HAIL PANTS

^{Sting loves Pants (tiny space ones); Dune (1984)}

---

Pants Tip of the Day

• Use Reader Mode for when you gets sites with missing CSS and long top nav bar sections
• you can change your default reader colors and width
• I find on a lot of these one off news articles/blogs I come across - usually from hackernews links - that pictures that don;t show in normal mode, do in reader mode

examples (with my setup)

• https://www.callofduty.com/blog/2021/10/ricochet-anti-cheat-initiative-for-call-of-duty
• https://typesetinthefuture.com/2014/01/31/2001-a-space-odyssey/

here's some screenies

fuckno - see how far down the scroll position is

fuckyeah - 1 click

[Thorin-Oakenpants]

As :pants: said she has one site that does a lot

True, hasn't always been that way, only recently. I would say I scored an easy million or two off Arstechnica - sometimes I find myself reading comments for half an hour - don't know when it started, but I'm not a heavy user of that site at all

But I do block all 3rd party by default, and my rules only total 150 lines for ~40 sites with the bare minimum to make them work - so it's not like I see very many 3p scripts calling more scripts. Maybe I need to get off the internet more and start taking up serious drinking

[practik]

You are worrying about this "12%"?

Not worrying, it's just an interesting point of comparison. Even if it's not very meaningful cause it's just two people. Plus if you keep the conversation going long enough you get a picture of Sting and his mermaid tail :-)

[Thorin-Oakenpants]

As :pants: said she has one site that does a lot

True, hasn't always been that way, only recently. I would say I scored an easy million or two off Arstechnica - sometimes I find myself reading comments for half an hour - don't know when it started, but I'm not a heavy user of that site at all

FYI: just thought I would update on this - turns out that blocking "cookies" caused it, which I had been doing for years, so clearly something changed on the site - since I moved to dFPI (where cookieBehavior = 5) it doesn't happen