[tbb-bugs] #27268 [Applications/Tor Browser]: preferences cleanup

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 11 04:13:59 UTC 2019 

#27268: preferences cleanup
--------------------------------------------+--------------------------
 Reporter:  rzb                             |          Owner:  tbb-team
     Type:  defect                          |         Status:  new
 Priority:  Medium                          |      Milestone:
Component:  Applications/Tor Browser        |        Version:
 Severity:  Normal                          |     Resolution:
 Keywords:  ff60-esr, TorBrowserTeam201809  |  Actual Points:
Parent ID:                                  |         Points:
 Reviewer:                                  |        Sponsor:
--------------------------------------------+--------------------------

Comment (by Thorin):

 Here's an updated list for cleaning up for ESR68, including some missing
 bugzillas etc. I may have missed a couple of things, but this is a start.
 There are maybe some more RFP redundant items from my ghacks user.js
 section 4600

 [1] https://github.com/ghacksuserjs/ghacks-
 user.js/blob/master/user.js#L1489
 [2] https://github.com/ghacksuserjs/ghacks-user.js/issues/123 [my
 deprecated items and sources list]

 **Housekeeping**
 - close #28370 as a duplicate of this ticket (it's in the list below)
 - close #32028 as a duplicate of this ticket (everything there is in this
 list)
 - this ticket: change keyword to `ff68-esr` etc

 **Urgent?**
 - FF28: `intl.charset.default` - https://bugzilla.mozilla.org/910192
    * you **need** to fix this **asap** in #20025 with
 `intl.charset.fallback.override`
 - FF46: `browser.pocket.api`, `browser.pocket.enabled`,
 `browser.pocket.site` - https://bugzilla.mozilla.org/1215694
    * **if needed**, replace with `extensions.pocket*` which are currently
 not covered

 **Deprecated**
 - FF24: `plugin.expose_full_path` - https://bugzilla.mozilla.org/883671
 - FF31: `dom.network.enabled` - https://bugzilla.mozilla.org/960426
    * replaced by ''dom.netinfo.enabled'' which is already covered
 - FF43: `media.audio_data.enabled` - https://bugzilla.mozilla.org/1206091
 - FF45: `devtools.appmanager.enabled` -
 https://bugzilla.mozilla.org/1216590
 - FF46: `datareporting.healthreport.service.enabled` -
 https://bugzilla.mozilla.org/1234526
 - FF47: `datareporting.healthreport.about.reportUrlUnified` -
 https://bugzilla.mozilla.org/1236580
 - FF50: `browser.safebrowsing.enabled` -
 https://bugzilla.mozilla.org/1025965
    * the two main switches are already covered:
 ''browser.safebrowsing.malware.enabled'',
 ''browser.safebrowsing.phishing.enabled''
 - FF52: `media.gmp-eme-adobe.visible` -
 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1329538,1337121
 - FF52: `media.gmp-eme-adobe.enable` -
 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1329538,1337121
 - FF53: `security.tls.unrestricted_rc4_fallback` -
 https://bugzilla.mozilla.org/1130670
 - FF54: `media.eme.apiVisible` - https://bugzilla.mozilla.org/1242321
 - FF55: `dom.enable_user_timing` - https://bugzilla.mozilla.org/1344669
 - FF59: `datareporting.healthreport.about.reportUrl` -
 https://bugzilla.mozilla.org/1352497
 - FF60: `extensions.hotfix.id` - https://bugzilla.mozilla.org/1356331
 - FF60: `browser.newtabpage.preload` -
 https://bugzilla.mozilla.org/show_bug.cgi?id=1355166
 - FF61: `network.jar.block-remote-files` -
 https://bugzilla.mozilla.org/1427726
 - FF63: `browser.search.countryCode` -
 https://bugzilla.mozilla.org/1462015
 - FF67: `dom.event.highrestimestamp.enabled` -
 https://bugzilla.mozilla.org/1485264

 **Not in DXR**
 - FF54?: `browser.download.manager.scanWhenDone` -
 https://bugzilla.mozilla.org/851471 (best I can find)
    * https://hg.mozilla.org/mozilla-central/rev/baf05f61bc14
 - FF55?: `browser.download.manager.retention`
    * https://hg.mozilla.org/mozilla-
 central/rev/ccfe5420876a232a834afe88597228d832afb089

 **RFP Redundant**
 - **NOTE**: RFP overrides these and **FFS** no-one should disable RFP
 - `dom.maxHardwareConcurrency` - https://bugzilla.mozilla.org/1360039
    * or at least set as value `2` to match RFP
 - `ui.use_standins_for_native_colors` -
 https://bugzilla.mozilla.org/1485266
 - `browser.zoom.siteSpecific` - https://bugzilla.mozilla.org/1369357
 - `dom.enable_resource_timing` & `dom.enable_performance`
    * check with tom, 100% sure this is covered by tom's RFP
 reduceTimerPrecision prefs
    * not sure if RFP ''overrides'' these: i.e disabling the API vs
 rounding it: for all I know you might be causing perf issues: ask tom :)
 - `privacy.use_utc_timezone` - https://bugzilla.mozilla.org/1330890
    * is this an old Tor Browser only pref? is there old code to rip out?
    * RFP already spoofs as UTC

 **RFP Redundant Part 2**
 - **NOTE**: RFP overrides these, some are deprecated AFAICT (e.g vendor),
 current values are out of sync with ESR68, and maintaining it is extra
 work
  - `general.appname.override`
  - `general.appversion.override`
  - `general.oscpu.override`
  - `general.platform.override`
  - `general.productSub.override`
  - `general.buildID.override`
  - `general.useragent.vendor`
  - `general.useragent.vendorSub`

 **RFP Redundant Part 3**: probably changes fingerprint, maybe entropy
 - **NOTE**: we need to make a decision/double-check here on these
 - `dom.netinfo.enabled` - https://bugzilla.mozilla.org/1372072
    * this pref disables the API: you get an error or "undefined"
    * the pref is only default true on mobile: RFP returns "unknown"
    * so removing the pref would create two buckets: mobile vs desktop
 - `media.webspeech.synth.enabled` - https://bugzilla.mozilla.org/1333641
    * same thing: disabling vs spoofing
    * needs double checking: but the new FP is universal AFAIK
 - `media.video_stats.enabled` - https://bugzilla.mozilla.org/1369309
    * same thing: disabling vs spoof
    * needs double checking: some RFP values are the same, some are
 bucketized so **may** create more entropy: check with tom
 - `dom.gamepad.enabled` - https://bugzilla.mozilla.org/1337161
    * RFP hides gamepad from content
    * not sure if the FP changes and is universal
 - `device.sensors.enabled` - https://bugzilla.mozilla.org/1369319
    * RFP already disables the device censor
    * not sure if the FP changes but it should be universal
 - `privacy.suppressModifierKeyEvents`-
 https://bugzilla.mozilla.org/buglist.cgi?bug_id=1222285,1433592,1438795
    * is this an old Tor Browser only pref?
    * RFP already spoofs keyboard events and suppress keyboard modifier
 events (SHIFT and both ALT keys)

 **Not sure**
 - `browser.startup.homepage_override.buildID`
    * RFP spoofs the navigator.buildID as `201810010000001`, productSub and
 UA still use `20100101`
    * https://bugzilla.mozilla.org/583181
    * so not sure what value you want here, I only included it because it's
 bundled with all the other general.override prefs. I think it should be at
 the top with the other startup prefs

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/27268#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list