ToDo: diffs FF111-FF112 #1661

Closed
earthlng opened this issue Apr 22, 2023 · 4 comments

earthlng commented Apr 22, 2023

FF112 is scheduled for release Apr. 11th

FF112 release notes
FF112 for developers
FF112 security advisories


61 diffs ( 31 new, 15 gone, 15 different )

new in v112.0:

  • FYI: these are not RFP, they are FPP which is different (see below) and these are WiP
    • pref("privacy.resistFingerprinting.randomization.daily_reset.enabled", false);
    • pref("privacy.resistFingerprinting.randomization.daily_reset.private.enabled", false);
    • pref("privacy.resistFingerprinting.randomization.enabled", false); - e.g. to be removed in 1829643

FYI: FPP: Mozilla are going to very slowly roll out a thing called FPP (FingerPrint Protection) into PB windows. This is a WiP. It will be ready when they announce it.

Phase 1 includes fonts at vis level 2 (i.e. only allow os system fonts), subtle canvas randomizing (excluding isPointInPath and isPointInStroke), and I think window positions = 0. Last but not least, removing math entropy in audio for all FF users - note this does not remove all entropy, and RFP has additional protections which should then make all RFP users the same per platform (because Hrtz etc affect results but RFP sets those).

There will be a combination of 4 prefs: 2 x RFP, 2 x FPP, for all and pb modes. And not all combinations will be engineered. And RFP should always take precedence over FPP. One thing I do know is that down the road we can use RFP in normal mode, and FPP in PB mode - which might be a great way to reduce breakage for some users' frequent sites. I do know we cannot have the reverse (RFP in pb mode and FPP in normal mode) edit: RFP always overrides FPP, so any split would be FPP in normal mode, and RFP in PB mode.

In the future, FPP can be a choice for those who don't like or can't use RFP but do want some randomizing. FPP is going to be very compat, to the point where webcompat will be able to override individual protections on troublesome sites. So if FB breaks, webcompat silently disables the problematic protection for FB when they add that site compat rule - so clearly this is a very different threat model, but may suit some people. Over time more protections will be added to FPP. I see this as replacing the need for Canvas Blocker.

In order to enable/disable parts of FPP in testing, the two toms (ritter, schuster) and tim, and I'm sure there are some more on the team, as a WiP, have engineered each protection as a target. So each target can globally be flipped on and off. This same targeting is somewhat related to the per site compat thing - but the pref itself is global. This same mechanism will also be able to be used for RFP (but super not recommended). In TB for example it would be locked off. Oh, and FPP will be tied to ETP.

So this answers all the people's questions about .. can I use RFP but turn off timezone and prefers-light. While I don't really recommend it, I need to think thru the ramifications a bit more. RFP is certainly more robust than an extension, and we're only confident of fooling naive scripts (don't get me wrong, advanced scripts have different levels of advanced, so full RFP most certainly does have an effect), so my gut feeling is that this is fine too.

That's all I'm going to say. All this is available in public bugzillas, and I know as much as that. I just spent a week in costa rica with the tor project (and tom ritter was there too, and we had a session on FPP as to what it is and how it relates to, or could enhance, RFP). Other than that (public info), it's all inhouse and tightly kept a secret (fair enough)

So that's about all I know (there is more: like exceptions and cascading iframes, i.e cross domain, but let's not go down the rabbit hole just yet), and it's fairly complicated and a WiP, so please don't ask questions. Let's just wait and see what happens when it lands and is announced by Firefox (because by then it should be robust and working as planned)

-thorin


changed in v112.0:

FYI

  • pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,emailTP,emailTPPrivate,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM");
  • prev: tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM
  • diff: emailTP, emailTPPrivate added

ignore


==NEW

pref("browser.history_swipe_animation.disabled", false);
pref("browser.newtabpage.activity-stream.discoverystream.spoc-topsites-positions", "1");
pref("browser.promo.cookiebanners.enabled", false);
pref("browser.translations.useHTML", false);
pref("browser.urlbar.resultMenu.keyboardAccessible", true);
pref("dom.checkedUnsafePtr.dumpStacks.enabled", false);
pref("dom.element.popover.enabled", false);
pref("dom.memory.foreground_content_processes_have_larger_page_cache", true);
pref("dom.window_position_size_properties_replaceable.enabled", true);
pref("gfx.webgpu.ignore-blocklist", false);
pref("gfx.webrender.dcomp-video-check-slow-present", true);
pref("gfx.webrender.max-shared-surface-size", 2048);
pref("gfx.webrender.scissored-cache-clears.enabled", true);
pref("gfx.webrender.scissored-cache-clears.force-enabled", false);
pref("javascript.options.wasm_extended_const", true);
pref("layout.css.exp.enabled", false);
pref("layout.css.forced-color-adjust.enabled", false);
pref("layout.css.motion-path-offset-position.enabled", false);
pref("network.auth.supress_auth_prompt_for_XFO_failures", true);
pref("network.trr.ohttp.config_uri", "");
pref("network.trr.ohttp.relay_uri", "");
pref("network.trr.ohttp.uri", "");
pref("network.trr.use_ohttp", false);
pref("print.save_as_pdf.use_page_rule_size_as_paper_size.enabled", false);
pref("privacy.query_stripping.listService.logLevel", "Error");
pref("privacy.trackingprotection.emailtracking.pbmode.enabled", true);
pref("security.sandbox.utility-wmf-cdm.lpac.enabled", false);
pref("security.tls.ech.grease_http3", false);

==REMOVED, RENAMED or HIDDEN

pref("browser.display.normal_lineheight_calc_control", 2);
pref("browser.display.show_loading_image_placeholder", false);
pref("browser.urlbar.weather.zeroPrefix", true);
pref("dom.fileHandle.enabled", false);
pref("editor.css.default_length_unit", "px");
pref("editor.hr_element.allow_to_delete_from_following_line", true);
pref("editor.initialize_element_before_connect", true);
pref("editor.positioning.offset", 0);
pref("editor.resizing.preserve_ratio", true);
pref("editor.use_div_for_default_newlines", true);
pref("gfx.webgpu.force-enabled", false);
pref("layout.css.moz-box-flexbox-emulation.enabled", false);
pref("security.sandbox.content.tempDirSuffix", "");
pref("security.sandbox.plugin.tempDirSuffix", "");
pref("widget.pause-compositor-when-minimized", true);

==CHANGED

pref("browser.newtabpage.activity-stream.discoverystream.saveToPocketCard.enabled", true); // prev: false
pref("browser.newtabpage.activity-stream.discoverystream.sendToPocket.enabled", true); // prev: false
pref("dom.media.autoplay-policy-detection.enabled", true); // prev: false
pref("dom.mozTextStyle.enabled", false); // prev: true
pref("dom.quotaManager.backgroundTask.enabled", true); // prev: false
pref("dom.sitepermsaddon-provider.separatedBlocklistedDomains", "shopee.co.th,shopee.tw,shopee.co.id,shopee.com.my,shopee.vn,shopee.ph,shopee.sg,shopee.com.br,shopee.com,shopee.cn,shopee.io,shopee.pl,shopee.com.mx,shopee.com.co,shopee.cl,shopee.kr,shopee.es,shopee.in,alipay.com,miravia.es"); // prev: "shopee.co.th,alipay.com,miravia.es"
pref("dom.workers.pFetch.enabled", true); // prev: false
pref("gfx.max-alloc-size", 2147483647); // prev: 500000000
pref("gfx.webrender.dcomp-video-sw-overlay-win", true); // prev: false
pref("html5.inert.enabled", true); // prev: false
pref("layout.css.linear-easing-function.enabled", true); // prev: false
pref("layout.css.overflow-overlay.enabled", true); // prev: false
pref("layout.forms.reveal-password-context-menu.enabled", true); // prev: false
pref("security.webauth.u2f", false); // prev: true
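
The NEW / REMOVED / CHANGED lists above can be reproduced from two default-pref dumps. This is an added example, not part of the issue or the project's own tooling: the function names are hypothetical and both dumps are constructed samples that reuse pref lines quoted in this issue. For comma-separated list prefs it also reports which tokens were added or removed, which is how the `emailTP,emailTPPrivate` change shows up.

```javascript
// Constructed sample dumps (added example); pref lines reuse values quoted in this issue.
const OLD_DUMP = `
pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM");
pref("security.webauth.u2f", true);
pref("gfx.max-alloc-size", 500000000);
pref("dom.fileHandle.enabled", false);
`;
const NEW_DUMP = `
pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,emailTP,emailTPPrivate,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM");
pref("security.webauth.u2f", false); // trailing comments are tolerated
pref("gfx.max-alloc-size", 2147483647);
pref("network.trr.use_ohttp", false);
`;

// Parse `pref("name", value);` lines into a Map of name -> string | number | boolean.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*pref\("([^"]+)",\s*(.*?)\);\s*(?:\/\/.*)?$/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue; // skip blanks, headings and anything that is not a pref line
    let value;
    try { value = JSON.parse(m[2]); } catch { value = m[2]; } // keep raw text if not JSON
    prefs.set(m[1], value);
  }
  return prefs;
}

// Token-level delta for comma-separated list prefs (order-insensitive).
function listDelta(prev, next) {
  const a = new Set(prev.split(",")), b = new Set(next.split(","));
  return { added: [...b].filter(t => !a.has(t)), removed: [...a].filter(t => !b.has(t)) };
}

// Classify every pref as new, removed or changed between two releases.
function diffPrefs(oldPrefs, newPrefs) {
  const out = { added: [], removed: [], changed: [] };
  for (const [name, value] of newPrefs) {
    if (!oldPrefs.has(name)) { out.added.push(name); continue; }
    const prev = oldPrefs.get(name);
    if (prev === value) continue; // unchanged default
    const entry = { name, prev, value };
    if (typeof prev === "string" && typeof value === "string" && /,/.test(prev + value)) {
      entry.delta = listDelta(prev, value); // only for list-style string prefs
    }
    out.changed.push(entry);
  }
  for (const name of oldPrefs.keys()) if (!newPrefs.has(name)) out.removed.push(name);
  return out;
}

const report = diffPrefs(parsePrefs(OLD_DUMP), parsePrefs(NEW_DUMP));
console.log(JSON.stringify(report, null, 2));
```

A pref that was renamed between releases shows up as one removed entry plus one new entry, so the two lists still need a manual read.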

@earthlng
Contributor Author

some bugzilla tickets

  • browser.contentblocking.features.strict
    Bug 1818292 - Add email tracking protection to ETP strict.
    Bug 1808212 - Part 3: Adding the content blocking pref setting for the level2 list pref in private windows.
    Bug 1783496 - Add cookieBehavior5,cookieBehaviorPBM5 back to strict ETP pref so dFPI item is shown in the strict category.
    Bug 1778457 - Enable query parameter stripping in Private Browsing Mode if ETP strict is enabled.
    Bug 1776760 - Enable dFPI by default for Beta and Release via cookieBehavior pref.

  • browser.display.normal_lineheight_calc_control
    Bug 1814626 - Expose line-height resolution to style, and use it from ToResolvedValue.

  • browser.display.show_loading_image_placeholder
    Bug 1817360 - Remove browser.display.show_loading_image_placeholder.
    Bug 1817360 - Clean-up image icon loading code.

  • browser.history_swipe_animation.disabled
    Bug 1820270 - Bring back swipe-to-navigation flag.
    Bug 1773057 - Remove browser.history_swipe_animation.disabled pref.

  • browser.newtabpage.activity-stream.discoverystream.saveToPocketCard.enabled
    Bug 1819712 - Turn on Save To Pocket button
    Bug 1788063 - Pocket newtab pref to hide Pocket story descriptions based on region.
    Bug 1787522 - Pocket newtab limit save to Pocket card hover button to specific regions.

  • browser.newtabpage.activity-stream.discoverystream.sendToPocket.enabled
    Bug 1820019 - Turn on Save To Pocket button landing page

  • browser.newtabpage.activity-stream.discoverystream.spoc-topsites-positions
    Bug 1805589 - Pocket newtab add Discovery Stream topsites to topsites list earlier.

  • browser.promo.cookiebanners.enabled
    Bug 1808441 - Add Cookie Banner Promo on PB new tab.

  • browser.translations.useHTML
    Bug 1813782 - Allow about:translations to work on HTML via a pref;

  • browser.urlbar.resultMenu.keyboardAccessible
    Bug 1813517 - Add hidden pref for allowing Tab to skip over the menu button.

  • browser.urlbar.weather.zeroPrefix
    Bug 1817038 - Move weather suggestion keywords to Nimbus.
    Bug 1814795 - Support keyword-based weather suggestions in addition to zero-prefix.

  • dom.checkedUnsafePtr.dumpStacks.enabled
    Bug 1789399 - Print out the creation stack and the last assignment stack of CheckedUnsafePtr when it is unsafe.

  • dom.element.popover.enabled
    Bug 1820544 - Add popover attribute and part of basic popover functionality.

  • dom.fileHandle.enabled
    Bug 1500343 - Part 4: Remove IDL for IDBFileHandle/FileRequest/MutableFile
    Bug 1764771 - Disable IDBMutableHandle support by default

  • dom.media.autoplay-policy-detection.enabled
    Bug 1812189 - enable autoplay policy detection API.

  • dom.memory.foreground_content_processes_have_larger_page_cache
    Bug 1815069, add dom.memory.foreground_content_processes_have_larger_page_cache pref to control page cache behavior in content processes,

  • dom.mozTextStyle.enabled
    Bug 1818409 - Disable mozTextStyle by default.

  • dom.quotaManager.backgroundTask.enabled
    Bug 1820823 - Flip dom.quotaManager.backgroundTask.enabled on all channels that support background tasks.
    Bug 1788986 - Part 2: Use a background task for QM shutdown cleanup

  • dom.sitepermsaddon-provider.separatedBlocklistedDomains
    Bug 1824812 — Add more shopee domains to the site permissions blocklist.
    Bug 1812195 — Add alipay.com and miravia.es to the site permission blocklist.
    Bug 1795927 - Add SitePermsAddon blocklist.

  • dom.window_position_size_properties_replaceable.enabled
    Bug 1816472 - Make individual size / position properties really readonly.

  • dom.workers.pFetch.enabled
    Bug 1812039 - enable PFetch in default.
    Bug 1351231 - Preference for PFetch.

  • editor.css.default_length_unit
    Bug 1815827 - part 1: Get rid of editor.css.default_length_unit pref
    Bug 1745882 - Move all editor prefs in all.js to StaticPrefList.yaml

  • editor.hr_element.allow_to_delete_from_following_line
    Bug 1815827 - part 2: Get rid of editor.hr_element.allow_to_delete_from_following_line pref

  • editor.initialize_element_before_connect
    Bug 1815827 - part 3: Get rid of editor.initialize_element_before_connect pref

  • editor.positioning.offset
    Bug 1815827 - part 4: Get rid of editor.positioning.offset pref
    Bug 1745882 - Move all editor prefs in all.js to StaticPrefList.yaml

  • editor.resizing.preserve_ratio
    Bug 1815827 - part 5: Get rid of editor.resizing.preserve_ratio pref
    Bug 1745882 - Move all editor prefs in all.js to StaticPrefList.yaml

  • editor.use_div_for_default_newlines
    Bug 1815827 - part 6: Get rid of editor.use_div_for_default_newlines pref
    Bug 1745882 - Move all editor prefs in all.js to StaticPrefList.yaml

  • gfx.max-alloc-size
    Bug 1759728 - Increase max-alloc-size to the maximum value of int32_t.

  • gfx.webgpu.force-enabled
    Bug 1814745 - Don't require a browser restart to update dom.webgpu.enabled.

  • gfx.webgpu.ignore-blocklist
    Bug 1814745 - Don't require a browser restart to update dom.webgpu.enabled.

  • gfx.webrender.dcomp-video-check-slow-present
    Bug 1818685 - Disable video overlay if mVideoSwapChain->Present() is very slow on Windows

  • gfx.webrender.dcomp-video-sw-overlay-win
    Bug 1816026 - Enable video overlay of software decoded video until release on Windows

  • gfx.webrender.max-shared-surface-size
    Bug 1817033 - Make MAX_SHARED_SURFACE_SIZE configurable with a preference

  • gfx.webrender.scissored-cache-clears.enabled
    Bug 1818047 - Add prefs to control WebRender scissored cache clears.

  • gfx.webrender.scissored-cache-clears.force-enabled
    Bug 1818047 - Add prefs to control WebRender scissored cache clears.

  • html5.inert.enabled
    Bug 1764263 - Let the inert attribute ride the trains.

  • javascript.options.wasm_extended_const
    Bug 1814421: Prepare wasm extended-const for ship.

  • layout.css.exp.enabled
    Bug 1814469 - Implement CSS exponential functions.

  • layout.css.forced-color-adjust.enabled
    Bug 1591210 - Add forced-color-adjust property

  • layout.css.linear-easing-function.enabled
    Bug 1819447 - Enable linear() easing function on all channels.

  • layout.css.motion-path-offset-position.enabled
    Bug 1818666 - Support offset-position in the style system.

  • layout.css.moz-box-flexbox-emulation.enabled
    Bug 1818811 - Make -moz-box-layout: flex default, and clean-up CSS.
    Bug 1816455 - Turn flex emulation on everywhere.
    Bug 1815255 - Enable flexbox emulation on nightly.

  • layout.css.overflow-overlay.enabled
    Bug 1817189 - Ship overflow: overlay.

  • layout.forms.reveal-password-context-menu.enabled
    Bug 1816988 - Enable reveal password context-menu.

  • network.auth.supress_auth_prompt_for_XFO_failures
    Bug 1629307 - prevent auth prompts (status 401) if XFO checks fails.

  • network.trr.ohttp.config_uri
    Bug 1815741 - implement DNS-over-Oblivious-HTTP

  • network.trr.ohttp.relay_uri
    Bug 1815741 - implement DNS-over-Oblivious-HTTP

  • network.trr.ohttp.uri
    Bug 1823358 - Add new network.trr.ohttp.uri pref

  • network.trr.use_ohttp
    Bug 1815741 - implement DNS-over-Oblivious-HTTP

  • print.save_as_pdf.use_page_rule_size_as_paper_size.enabled
    Bug 1793220 - Use at-page size rule as paper size when printing to PDF

  • privacy.query_stripping.listService.logLevel
    Bug 1812594 - Refactor URLQueryStrippingListService init and shutdown logic.

  • privacy.resistFingerprinting.randomization.daily_reset.enabled
    Bug 1816064 - Part 1: Implement the session key for generating the random noise key for fingerprinting randomization.

  • privacy.resistFingerprinting.randomization.daily_reset.private.enabled
    Bug 1816064 - Part 1: Implement the session key for generating the random noise key for fingerprinting randomization.

  • privacy.resistFingerprinting.randomization.enabled
    Bug 1816064 - Part 1: Implement the session key for generating the random noise key for fingerprinting randomization.

  • privacy.trackingprotection.emailtracking.pbmode.enabled
    Bug 1818583 - Add a pref to control Email Tracking Protection in private windows.

  • security.sandbox.plugin.tempDirSuffix
    Bug 1772089 p5: Remove content temp dir from Windows and masOS.

  • security.sandbox.utility-wmf-cdm.lpac.enabled
    Bug 1793972: Enable an LPAC on the windows MF Media Engine utility process controlled by a pref.

  • security.tls.ech.grease_http3
    Bug 1816952: Add HTTP3 ECH GREASE Pref.

  • security.webauth.u2f
    Bug 1814487 - Pause rollout of CTAP2 support in 112.
    Bug 1814487 - Enable CTAP2 support.
    Bug 1809333 - Disable the U2F DOM API by default.
    Bug 1816500 - enable CTAP2 support in early beta.
    Bug 1752089 - Set security.webauthn.ctap2 true in nightly.

  • widget.pause-compositor-when-minimized
    Bug 1768495 Part 3: Remove redundant pause-on-minimize in nsCocoaWindow, remove pref.

@rusty-snake
Contributor

pref("browser.contentblocking.features.strict", "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,emailTP,emailTPPrivate,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM"); // prev: "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,lvl2PBM,rp,rpTop,ocsp,qps,qpsPBM"

Diff: added emailTP,emailTPPrivate

@Thorin-Oakenpants
Contributor

OK, not seeing anything here to get excited about .. closing. If no one pipes up in the next 24 hrs or so, I'll do a cosmetic 112 release

@Thorin-Oakenpants
Contributor

I have edited OP to explain FPP
