changelog: v96 #1345

Closed
Thorin-Oakenpants opened this issue Jan 23, 2022 · 7 comments

Comments

@Thorin-Oakenpants
Contributor

  • date: 23-January-2022
  • foreword: These are all the changes since the last changelog (v95).

FF96 release notes
FF96 for developers
FF96 security advisories


CHANGELOG: [all changes]

  • links to bugzilla tickets and default pref changes in Firefox are in our ToDo: diffs FF95-FF96 issue
  • for all the rest see the full list of pref changes below

⭐ your friendly reminder to run prefsCleaner


PART ONE: normal stuff

  • new in user.js v96
    • eme.ui - added back in - see 87bd868
   // user_pref("browser.eme.ui.enabled", false);
   // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+]
   // user_pref("network.proxy.allow_bypass", false);
  • made inactive in user.js v96
    • update prefs: moved to personal and inactive because not updating is solely on the end-user
    • SWers - see 8860c90#commitcomment-61742243
    • push requires opting into subscriptions and is not a privacy or tracking issue and it requires SWers (see previous point)
   // user_pref("app.update.auto", false); // [NON-WINDOWS]
   // user_pref("browser.search.update", false);
   // user_pref("dom.push.enabled", false);
   // user_pref("dom.serviceWorkers.enabled", false);
  • removed in user.js v96
    • insecure text - see 09d62d2
    • the three dom prefs - see 0634a56
    • note: push is not included in the user.js 6050 for prefsCleaner (nor in the scratchpad script) as it would reset users' subscriptions, and if a user has no subscriptions, Firefox resets it anyway
   // user_pref("dom.caches.enabled", "");
   // user_pref("dom.storageManager.enabled", "");
   // user_pref("dom.storage_access.enabled", "");
   // user_pref("security.insecure_connection_text.enabled", "");
   // user_pref("dom.push.userAgentID", "");
  • moved to 9999: DEPRECATED / REMOVED in user.js v96
user_pref("app.update.background.scheduling.enabled", false); // [WINDOWS]

PART TWO: dFPI/TCP/ETP STRICT

⭐ update your cookies and site exceptions from FPI syntax - see #1281 (comment)

We have moved to ETP Strict (dFPI/ Total Cookie Protection)

  • you can read more at
  • do not create repo noise with questions about ETP custom
  • tl;dr: FPI sooner or later is going to cause problems and/or you will miss out on usability and protections
    • FPI is not maintained upstream: Mozilla do not want the extra engineering and complexity of two code paths
    • FPI has already missed out on extra partitioning (such as service workers)
    • FPI has already been on the cusp of missing out on extra partitioning (such as websockets) - I was lucky enough to spot this and alert sysrqb to get it into ESR91.1+. We won't always be so lucky
    • FPI will likely miss out on future partitioning in the pipeline (such as 308 redirects, pool parties, etc)
    • TCP is actively worked on
    • TCP works better with sanitizing
    • TCP is being rolled out to all Firefox users (in ETP Standard)
    • ETP Strict comes with extra benefits
    • blah blah blah
    • FYI: currently the only non-partitioned item in TCP is blobs - see 1686111 and privacy.partition.bloburl_per_agent_cluster

diffs in user.js v96

  • see 2700s: this is the ETP / Partitioning section
  • see 6008 - FPI enforced as false (otherwise it causes ETP Strict to change)
  • see 6009 - shims enforced in case people think this is to do with Smart Blocking heuristics (e.g. click FB button to login = 2702)
  • see 6050 - the other FPI prefs removed (they've always been inactive anyway)
  • see 7016 - some items added and with others all made inactive as they are set at runtime
  • ⚠️ do not delete webcompat system addons: not that arkenfox endorses deleting these, but I know some of you do it anyway, so consider yourself told
// changed
user_pref("browser.contentblocking.category", "strict"); // was custom
user_pref("privacy.firstparty.isolate", false); // was true

// made inactive
   // user_pref("network.cookie.cookieBehavior", 5); // was 1
   // user_pref("privacy.trackingprotection.enabled", true);
   // user_pref("privacy.trackingprotection.socialtracking.enabled", true);

// new
user_pref("extensions.webcompat.enable_shims", true);
user_pref("privacy.partition.serviceWorkers", true);
   // user_pref("privacy.antitracking.enableWebcompat", false);
   // user_pref("privacy.partition.network_state.ocsp_cache", true);
   // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);

// removed
   // user_pref("privacy.firstparty.isolate.block_post_message", "");
   // user_pref("privacy.firstparty.isolate.restrict_opener_access", "");
   // user_pref("privacy.firstparty.isolate.use_site", "");

STATS

 STATS v96: up to and including section 4500, minus the parrots
 =========
    total: 212
 inactive:  42
           ---
   active: 170
  default:  21 (at least)
      n/a:   2 (of the three prefs in 0204, only one will apply)
           ---
  flipped: 147 (at most)
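
Added example, not part of the original issue and not arkenfox's own code: a Node.js check that scans a user.js or overrides file for active prefs that conflict with the v96 ETP Strict changes listed above. The pref names and values are taken from the changelog; the function names and the sample input are constructed for illustration.

```javascript
// Pref names/values come from the v96 changelog; everything else here is hypothetical.
const EXPECTED = {
  "browser.contentblocking.category": "strict", // was custom
  "privacy.firstparty.isolate": false,          // was true
};
const RUNTIME_SET = [ // made inactive in v96
  "network.cookie.cookieBehavior",
  "privacy.trackingprotection.enabled",
  "privacy.trackingprotection.socialtracking.enabled",
];
const REMOVED = [
  "privacy.firstparty.isolate.block_post_message",
  "privacy.firstparty.isolate.restrict_opener_access",
  "privacy.firstparty.isolate.use_site",
];

// Map of name -> value for active user_pref() lines; the last occurrence wins.
function parseActivePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;
  // Simplification: drop /* ... */ blocks first (assumes no "/*" inside string values).
  const body = text.replace(/\/\*[\s\S]*?\*\//g, "");
  for (const line of body.split(/\r?\n/)) {
    const m = re.exec(line); // "// user_pref(...)" lines do not match
    if (!m) continue;
    try { prefs.set(m[1], JSON.parse(m[2])); } catch { /* not a bool, int or string */ }
  }
  return prefs;
}

function auditV96(text) {
  const prefs = parseActivePrefs(text);
  const findings = [];
  for (const [name, want] of Object.entries(EXPECTED))
    if (prefs.has(name) && prefs.get(name) !== want)
      findings.push(`${name}: active value ${JSON.stringify(prefs.get(name))}, v96 sets ${JSON.stringify(want)}`);
  for (const n of RUNTIME_SET) if (prefs.has(n)) findings.push(`${n}: inactive in v96 (set at runtime)`);
  for (const n of REMOVED) if (prefs.has(n)) findings.push(`${n}: removed in v96`);
  return findings;
}

const SAMPLE = [ // constructed input
  'user_pref("browser.contentblocking.category", "strict");',
  'user_pref("privacy.firstparty.isolate", true); // stale override',
  '   // user_pref("network.cookie.cookieBehavior", 5);',
  '/* user_pref("privacy.firstparty.isolate.use_site", true); */',
  'user_pref("privacy.trackingprotection.enabled", true);',
].join("\n");
console.log(auditV96(SAMPLE).join("\n"));
```
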
@crssi

crssi commented Jan 23, 2022

Thank you sooo much. ❤️

@GlassGruber

GlassGruber commented Jan 28, 2022

Thank you!!
Is the hail set still going? 🛐

ALL HAIL PANTS

Collect the set

Orko says "say hi to your mom for me"

@Thorin-Oakenpants
Contributor Author

Is the hail set still going?

Sure is. You can't stop a cult truth and freedom

@Kein

Kein commented Feb 10, 2022

dom.webaudio.enabled to false by default crashes web Discord now.
Please add to the directive's default description

@fxbrit
Collaborator

fxbrit commented Feb 10, 2022

dom.webaudio.enabled hasn't been active since v90.

@Thorin-Oakenpants
Contributor Author

dom.webaudio.enabled hasn't been active since v90.

more than that ... arkenfox explicitly says not to use it

user.js/user.js

Lines 1229 to 1230 in 10044fc

/*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
[WHY] They are insufficient to help anti-fingerprinting and do more harm than good

@fxbrit
Collaborator

fxbrit commented Feb 10, 2022

#1345 (comment)

dayum I totally missed this one
