Firefox Quiet

Discussion in 'privacy technology' started by Slink489, Apr 10, 2015.

  1. Slink489

    Slink489 Registered Member

    Mar 28, 2015
    Seems like every new version of Firefox has new privacy/security eroding settings showing up. This normally forces the user to hunt down ways to counter act what the Devs did. Basically, a PITA. So I offer a general purpose "user.js" file containing various settings to "Quiet" Firefox. Mind you, this is rude and crude and may not contain needed prefs. I envision a "one-stop-drop-in" file any user can make use of. Simply cut/copy/paste and shove it where it needs to be... While we can. Here we go:

    // ###### <Start Copy> ######

    // user.js
    // Version 00.00.2
    // Stick it where? Multiple OS and places?

    // Firefox
    // Version: 36.0.0
    // Build: o_O
    // Other: o_O

    // Notes:
    // Rude and Crude!

    //New Tab Page - Why would I want this??
    user_pref("browser.newtabpage.enabled", false);
    user_pref("browser.newtabpage.enhanced", false);
    user_pref("browser.newtabpage.introShown", false);
    user_pref("", "");
    user_pref("", "");
    user_pref("browser.newtab.preload", false);
    user_pref("browser.send_pings", false);
    user_pref("", "");

    user_pref("extensions.getAddons.cache.enabled", false);

    // I'm not really social??
    user_pref("social.remote-install.enabled", false);
    user_pref("social.toast-notifications.enabled", false);

    // Screw the media!
    user_pref("media.gmp-manager.certs.1.commonName", "");
    user_pref("media.gmp-manager.certs.2.commonName", "");
    user_pref("media.gmp-manager.url", "");
    user_pref("media.peerconnection.enabled", false);

    // Huh?
    user_pref("loop.enabled", false);
    user_pref("loop.soft_start_hostname", "");
    user_pref("geo.enabled", false);
    user_pref("beacon.enabled", false);

    //This section for masking browser ID if needed...
    //user_pref("general.appname.override", "Netscape");
    //user_pref("general.appversion.override", "5.0 (Windows)");
    //user_pref("general.buildID.override", "20131025151332");
    //user_pref("general.oscpu.override", "Windows NT 6.1; WOW64");
    //user_pref("general.platform.override", "Windows NT 6.1; WOW64");
    //user_pref("general.useragent.locale", "en-US");
    //user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0");
    //user_pref("general.useragent.vendor", "");
    //user_pref("general.useragent.vendorSub", "");
    //////////////Not Used////////////////
    //user_pref("gecko.buildID", "20131025151332");
    //user_pref("productSub.override", "20100101");
    //user_pref("navigator.system", "Windows NT 6.1; WOW64");
    //user_pref("navigator.appVersion", "5.0 (Windows)");
    //user_pref("navigator.buildID", "20131025151332");
    //user_pref("navigator.geckoVersion", "25.0");
    //user_pref("navigator.version", "25.0");

    // Why are these here?
    user_pref("network.http.accept.default", "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8");
    user_pref("network.http.accept-encoding", "gzip, deflate");
    user_pref("network.http.pipelining", true);
    user_pref("network.http.pipelining.maxrequests", :cool:;
    user_pref("network.http.pipelining.ssl", true);
    user_pref("network.http.proxy.pipelining", true);
    user_pref("network.prefetch-next", false);

    // Other stuff
    //user_pref("image.http.accept", "image/png,image/*;q=0.8,*/*;q=0.5");
    //user_pref("accept_charsets", "*");
    //user_pref("charset_default", "");/user_pref("intl.accept_languages", "en-US,en;q=0.5");

    // Why no GUI option for this?
    //user_pref("javascript.enabled", false);

    // Possible settings for browser performance
    // User risk!!!

    // ###### <End Copy> ######


    Any ideas, suggestions, and/or corrections accepted.

  2. Stefan Froberg

    Stefan Froberg Registered Member

    Jul 30, 2014
    Looks good to me.
    One privacy addition that could be done is to force Firefox to cache it's stuff in memory and never use disk.

    Below is the snippet of my prefs.js file (now user.js ?) when I was porting Firefox for uClibc library.

    # Don't store anything to disk ...

    # ... instead but your stuff into memory and let it
    # automatically resize.
    # Don't worry, your porn surfing will be cleaned after
    # you shutdown your browser or at the very least,
    # when you next time restart your computer :)

    # Enable this just in case it was disabled. Otherwise
    # your in memory cache will be useless.

    # Don't store your SSL content into disk
    # It *was* enabled (Argh!!!)

    Of course, that was in the days when firefox version was 18 so maybe some of those settings have changed?
  3. Yuki2718

    Yuki2718 Registered Member

    Aug 15, 2014
    I think it's very good attempt.
    Here's my user.js (some irrelevant items removed) for reference or food for discussion.
    //user_pref("app.crashreporter.autosubmit", false); for Win8
    //user_pref("app.crashreporter.prompted", false); for Win8
    user_pref("beacon.enabled", false);
    user_pref("breakpad.reportURL", "");
    user_pref("browser.aboutHomeSnippets.updateUrl", "");
    user_pref("browser.bookmarks.max_backups", 0);
    user_pref("browser.cache.disk.capacity", 0);
    user_pref("browser.cache.disk.enable", false);
    user_pref("browser.cache.disk.smart_size.enabled", false);
    user_pref("browser.cache.disk_cache_ssl", false);
    user_pref("browser.cache.offline.capacity", 0);
    user_pref("browser.cache.offline.enable", false);
    user_pref("browser.display.use_document_fonts", 0);
    user_pref("browser.dom.window.dump.enabled", false);
    user_pref("", false);
    user_pref("", 0);
    user_pref("browser.fixup.alternate.enabled", false);
    user_pref("browser.formfill.enable", false);
    user_pref("browser.formfill.expire_days", 1);
    user_pref("browser.formfill.saveHttpsForms", false);
    user_pref("browser.helperApps.alwaysAsk.force", true);
    user_pref("browser.history.allowPopState", false);
    user_pref("browser.history.allowPushState", false);
    user_pref("browser.history.allowReplaceState", false);
    user_pref("browser.newtab.preload", false);
    user_pref("", "");
    user_pref("", "data:application/json,{}");
    user_pref("browser.offline-apps.notify", false);
    user_pref("browser.pagethumbnails.capturing_disabled", true);
    user_pref("", false);
    user_pref("browser.send_pings.require_same_host", true);
    user_pref("browser.sessionhistory.max_entries", 2);
    user_pref("browser.sessionstore.max_resumed_crashes", 0);
    user_pref("browser.sessionstore.privacy_level", 2);
    user_pref("browser.sessionstore.resume_from_crash", false);
    user_pref("browser.slowStartup.notificationDisabled", true);
    user_pref("browser.ssl_override_behavior", 0);
    user_pref("browser.taskbar.lists.frequent.enabled", false);
    user_pref("browser.taskbar.lists.maxListItemCount", 0);
    user_pref("browser.urlbar.autocomplete.enabled", false);
    user_pref("browser.urlbar.autoFill", false);
    user_pref("browser.zoom.siteSpecific", false);
    user_pref("camera.control.autofocus_moving_callback.enabled", false);
    user_pref("camera.control.face_detection.enabled", false);
    user_pref("datareporting.healthreport.about.reportUrl", "");
    user_pref("datareporting.healthreport.documentServerURI", "");
    user_pref("datareporting.healthreport.service.enabled", false);
    user_pref("datareporting.healthreport.uploadEnabled", false);
    user_pref("datareporting.policy.dataSubmissionEnabled", false);
    user_pref("device.sensors.enabled", false);
    user_pref("dom.battery.enabled", false);
    user_pref("dom.disable_window_open_feature.close", true);
    user_pref("dom.disable_window_open_feature.menubar", true);
    user_pref("dom.disable_window_open_feature.minimizable", true);
    user_pref("dom.disable_window_open_feature.personalbar", true);
    user_pref("dom.disable_window_open_feature.scrollbars", true);
    user_pref("dom.disable_window_open_feature.titlebar", true);
    user_pref("dom.disable_window_open_feature.toolbar", true);
    user_pref("dom.enable_performance", false);
    user_pref("dom.enable_resource_timing", false);
    user_pref("dom.event.clipboardevents.enabled", false);
    user_pref("dom.gamepad.enabled", false);
    user_pref("dom.idle-observers-api.enabled", false);
    //user_pref("dom.indexedDB.enabled", false); required to proper addon function
    user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
    user_pref("dom.ipc.plugins.reportCrashURL", false);
    user_pref("dom.server-events.enabled", false);
    //user_pref("", false); required for sync
    user_pref("dom.vibrator.enabled", false);
    user_pref("dom.w3c_touch_events.enabled", 0);
    user_pref("experiments.enabled", false);
    user_pref("experiments.manifest.uri", "");
    user_pref("experiments.supported", false);
    user_pref("extensions.adblockedge.patternsbackups", 1);
    user_pref("extensions.getAddons.cache.enabled", false);
    user_pref("extensions.webservice.discoverURL", "");
    user_pref("geo.enabled", false);
    user_pref("geo.wifi.uri", "");
    user_pref("gfx.downloadable_fonts.enabled", false);
    user_pref("image.cache.size", 0);
    user_pref("keyword.enabled", false);
    user_pref("layout.css.visited_links_enabled", false);
    //user_pref("loop.server", ""); ??
    user_pref("media.autoplay.enabled", false);
    user_pref("media.cache_size", 0);
    user_pref("media.peerconnection.enabled", false);
    user_pref("", false);
    user_pref("media.video_stats.enabled", false);
    user_pref("network.allow-experiments", false);
    user_pref("network.automatic-ntlm-auth.allow-proxies", false);
    user_pref("network.cookie.cookieBehavior", 1);
    user_pref("network.cookie.lifetime.days", 1);
    user_pref("network.cookie.thirdparty.sessionOnly", true);
    user_pref("network.dns.disableIPv6", true);
    user_pref("network.dns.disablePrefetch", true);
    user_pref("network.dnsCacheEntries", 0);
    user_pref("network.http.accept-encoding", "identity");
    user_pref("network.http.prompt-temp-redirect", true);
    user_pref("network.http.spdy.enabled", false);
    user_pref("network.http.spdy.enabled.v3-1", false);
    user_pref("network.predictor.enabled", false);
    user_pref("network.prefetch-next", false);
    user_pref("", true);
    user_pref("", true);
    user_pref("network.protocol-handler.warn-external.nntp", true);
    user_pref("network.protocol-handler.warn-external.snews", true);
    user_pref("network.websocket.enabled", false);
    user_pref("offline-apps.allow_by_default", false);
    user_pref("pfs.datasource.url", "");
    user_pref("plugin.default.state", 1);
    user_pref("plugin.scan.Acrobat", "99.0");
    user_pref("plugin.scan.Quicktime", "99.0");
    user_pref("", 0);
    user_pref("plugin.state.np_prsnl", 0);
    user_pref("plugin.state.npatgpc", 0);
    user_pref("plugin.state.npauthz", 0);
    user_pref("plugin.state.npbispbrowser", 0);
    user_pref("plugin.state.npboxedit", 0);
    user_pref("plugin.state.npchip", 0);
    user_pref("plugin.state.npciscowebcommunicator", 0);
    user_pref("plugin.state.npesteid-firefox-plugin", 0);
    user_pref("plugin.state.npfacebookvideocalling", 0);
    user_pref("plugin.state.npgcplugin", 0);
    user_pref("plugin.state.npgoogleupdate", 0);
    user_pref("plugin.state.npmcafeemss", 0);
    user_pref("plugin.state.npmcffplg", 0);
    user_pref("plugin.state.npmeetingjoinpluginoc", 0);
    user_pref("plugin.state.npmozcouponprinter", 0);
    user_pref("plugin.state.npmvtplugin", 0);
    user_pref("plugin.state.nppdf", 0);
    user_pref("plugin.state.npplayerplugin", 0);
    user_pref("plugin.state.nprobloxproxy", 0);
    user_pref("plugin.state.npskypewebplugin", 0);
    user_pref("plugin.state.npspwrap", 0);
    user_pref("plugin.state.npunity3d", 0);
    user_pref("plugin.state.npvidyoweb", 0);
    user_pref("plugin.state.npviewright", 0);
    user_pref("plugin.state.npwebcard", 0);
    user_pref("plugins.enumerable_names", "");
    user_pref("print.save_print_settings", false);
    user_pref("security.OCSP.require", true);
    user_pref("security.cert_pinning.enforcement_level", 2);
    user_pref("security.remember_cert_checkbox_default_setting", false);
    user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
    user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
    user_pref("security.ssl3.rsa_des_ede3_sha", false);
    user_pref("security.ssl3.rsa_fips_des_ede3_sha", false);
    user_pref("security.ssl3.rsa_rc4_128_md5", false);
    user_pref("security.ssl3.rsa_rc4_128_sha", false);
    user_pref("security.tls.version.min", 1);
    user_pref("security.tls.version.max", 3);
    user_pref("security.xpconnect.plugin.unrestricted", false);
    user_pref("social.remote-install.enabled", false);
    user_pref("social.toast-notifications.enabled", false);
    user_pref("toolkit.telemetry.server", "");
    user_pref("webgl.disabled", true);
  4. Slink489

    Slink489 Registered Member

    Mar 28, 2015
    Big thanks for putting that 'user.js' list up there Yuki2718! Many of those settings I didn't even know about nor do I know precisely what they do. But as a simple drop-in file, it keeps Firefox quiet. Not a peep as far as Firefox 36 and my testing goes. Way better then my train wreck 'user.js' ;)

    Now I'm a bit confused as to what to do here. Should I go back and edit my OP and just supply a link to the Yuki2718 post, or should I edit the OP with a copy of my newly created train wreck user.js.

    And thanks Stephan for reminding me to do that. I'm using a SF build of firefox built for portability and I expect to put it on a USB drive. Probably more then one person will use it, so I'd guess it wise to not continuously splatter the USB drive with useless crap. Security and privacy concerns go without saying.

    As for questions/discussion:

    What's the difference with this?

    user_pref("", "data:application/json,{}");
    user_pref("", "");

    Why this?

    user_pref("extensions.webservice.discoverURL", "");

    Since I don't use it here, I'd guess this doesn't belong?

    user_pref("extensions.adblockedge.patternsbackups", 1);

    For a completely unrelated question, are the 'blocklist.addons' checks truly necessary?

  5. inka

    inka Registered Member

    Oct 21, 2009
    Check out the "firefox lockdown" thread here in the wilders forums.

    I'm still using a pre-australis version of firefox (and TorBrowser v3.65, with TorButton and Tor stuffs removed) but I've test-driven firefox versions as recent as v33... and, for the newer versions, my list of "non-sane, and privacy-unfriendly" default preference values numbered 180+

    I don't have a comprehensive list to share. Instead, I'll point out that for newer ff versions, several necessary (for the sake of sanity) prefs have been removed.
    Relying on "preferences" is an exercise in futility. Firefox has devolved, from user-agent (aka web browser) to Agent of the State (Mozilla, and their TrustedPartners).
    Websocket functionality was incorporated into firefox by Mozilla in 2011/2012. It's 2015, and we STILL have no ability to monitor/marshall websocket traffic.
    SPDY, and server.push and beacon.enabled and ping.enabled ...isn't it obvious that we're collectively being sold down the pike?

    We're inundated with continual messages (er, "news") to keep us running scared. Gotta stay safe, gotta stay updated, gotta https...
    yet most of the vulnerabilities are break/fix shite, introduced via addition of the various "features" shoehorned into the "web browser".
    Welcome to the new web. Your "web browser" no longer simply places requests & retrieves requested assets on your behalf.
    Instead, it "gets into bed with" webservers... dims the lights, switches over to SPDY and continually whispers li'l blackbox secrets back-n-forth with the server.

    Among the latest, greatest (forthcoming) firefox "features", via messageManager, scripts will be permitted to "talk to" same-domain scripts which are running in other tabs.
    Behind-your-back. Without your consent. You can't "opt out" of this behavior by toggling a pref.
    Short of some not-yet-invented extension, you can't restrict the behavior to a set of sites you've whitelisted.
    In case you're wondering "What's the problem? It's only permitted for same-domain":
    Yah. googleANALytics script iframed into tabA is granted ability to harvest and cross-reference data from tabB... AND has ability to siphon your PC resources, tracking your mouse cursor movements every 2 milliseconds, and stream this tracking data via long-running (encrypted, blackbox) SPDY connection...

    edited to add:
    I'm convinced we need a fork.
    That fork probably needs to be opensource AND payware, with bounties collected in exchange for feature requests, and a portion of subscription fees set aside as rewards granted to vulnerability hunters. Instead of having out-of-band "updates" forced upon users, non-subscribing users will be resigned to manually downloading and fully reinstalling an updated version; subscribing users will (have an option to) be presented with clearly described KBxxxx patches (ala Windows Update), with a tickbox controlling whether or not each given patch shall be installed.
    Last edited: Apr 15, 2015
  6. deBoetie

    deBoetie Registered Member

    Aug 7, 2013
    Excellent observation, people imagine browsers as somehow neutral, simple and under their control. I'm much more reminded of the era when there were attempts to keep mainframes going with smart-terminals. But now the mainframes have returned in disguise, the servers have taken over the browsers so they are not doing your bidding, not in the way that it's easy to control or know about.

    I'm actually going for Plan B, which is to reduce the amount I use browsers and reduce their functionality to a bare minimum. Wipe-on exit sandboxes and VMs complete the picture.
  7. Justintime123

    Justintime123 Registered Member

    Jun 15, 2013
    OK, bit paranoid for good reason....why are some Mozzila wesites located on Edgecast Networks servers - Verizon in Washington D.C. when they could be located on servers elsewhere. Map shows located at the White House LOL. Or, is it just a 'privilege few' that get routed there? ;)
    Washington D.C. United States
    Pre-Snowden, when I was doing human rights activity in another country, my computer got hacked into by a rootkit. I was providing live news feed to a major network and a major newspaper. Strange thing my other computers were also hacked into even though not connected to the network. The hack came via my activated Bluetooth on all my computers. At first, I thought foreign agents from the foreign gov. but the ip address logs showed DoD.
    Last edited: Apr 15, 2015
  8. marzametal

    marzametal Registered Member

    Mar 19, 2014
    Excellent thread... just went nuts and applied all the rules in a sandboxed x64 Pale Moon...
  9. Stefan Froberg

    Stefan Froberg Registered Member

    Jul 30, 2014
    Well, Firefox is not exactly small (12+ million LOC) project to fork.
    So why not clear the table and start from the beginning?

    My own browser project ( is still just 30,000 LOC of C++ and I could certaintly use help with fixing bugs and adding features.
  10. JConLine

    JConLine Registered Member

    Apr 16, 2009
    OK-Where does this file need to be?

  11. inka

    inka Registered Member

    Oct 21, 2009
    JC, the file is "user.js". It resides in your ff profile directory and contains a record of any preferences having user-set (non-default) values along with any
    preferences created post-install (manually by the user, or by extensions which have been installed).
    ( path will be something like .../firefox/profiles/1234n68893.default )

    Hmm, "shove it in there"? No.
    First, don't disturb user.js while firefox is running. (Futile, because ff will overwrite your edits.)

    Second, prior to editing, copy the existing user.js file to "user.js.old" or somesuch (just in case, eh).

    Third, understand that any lines bearing "//" (or, alternately "#" char) at beginning of line are (treated as comments and) ignored.

    Fourth, if you intend to "just paste", insert the additional lines at the BOTTOM of the existing user.js.
    Reason for this is that if ff parses the file and encounters any given prefname listed on multiple lines, the lower/later line displaces the earlier read value.

    Fifth, don't count on "all those commentary line" to still be there next time you open user.js to edit it. (so, save a copy of that commented list)
    Also, depending on which ff version you're using, bear in mind that ff may chuck duplicate/redundant lines (as well as any comment lines).

    Again, I'll point out that the thread titled "firefox lockdown" contains a lot of info regarding "messing with" ff prefs.
  12. JConLine

    JConLine Registered Member

    Apr 16, 2009
    Thanks inka, very helpful.

  13. TheWindBringeth

    TheWindBringeth Registered Member

    Feb 29, 2012
    That preference specifies a URI via which a JSON object, that contains NewTabPage directory information, can be retrieved. The first approach provides an empty JSON object via a data scheme URI. IOW: Here is our answer, no need to retrieve it via network request, there is no directory information. The second approach has an empty string for the URI, which makes it impossible to retrieve a JSON object. IOW: We can't retrieve directory information.

    I think both approaches should work and produce the same results. However, that depends on how the code is written so you'd have to check it to be absolutely sure. One thing you want to watch out for are fallback mechanisms. For example, default data being used when new data isn't available or otherwise to the program's liking.

    The first approach seems a bit cleaner. The second approach is more convenient and consistent with common trends, such as replacing default URIs with blank strings or pointing them to an alternate host:port that won't respond (sometimes used for logging/testing).

    That is an example of pointing to an alternate host, which happens to be a special IP Address that is treated in different ways depending on context/application/OS. It will often be rejected as an invalid destination IP Address, in which case the desired effect should be achieved. I don't know why the originator went with that rather than "".

    Correct... that is specific to the AdblockEdge extension. Which is being discontinued come June 2015 BTW.

    Firefox downloads a blocklist which I am only partially familiar with. I believe it is, now at least, used to block bad extensions, plugins, DLLs, drivers, and certificates. Some related preferences would be extensions.blocklist.enabled and extensions.blocklist.url. I believe the downloaded blocklist can be seen in blocklist.xml which is in your profile folder. The default URL is currently:

    so there will be some limited information sent to Mozilla when it is retrieved. IIRC it is a GET request (no additional data sent in body) but you can double check that. Items that are blocked get reported via telemetry related features I believe (which most people will be blocking separately).

    Is this what you are referring to? If so, don't mess with it unless/until you have a solid reason to do so and have thought through the consequences and determined whether you need to compensate elsewhere.
    Last edited: Apr 18, 2015
  14. inka

    inka Registered Member

    Oct 21, 2009
    If I recall correctly, "yer own project" is closed-source, and webkit-based. For me, that absolutely makes it a non-starter.

    LOC (lines of code) is a misleading yardstick. In the span of an afternoon, the "Mozilla codebase" can be easily pared to 1/3 that size, and further pared via selective removal of unwanted (webrtc, etc) features.
  15. inka

    inka Registered Member

    Oct 21, 2009
    In case I didn't mention this in a prior post, substituting blank or empty string values in place of the default url strings is a BAD (ineffective) strategy.
    For many of the prefs, Firefox will treat these a broken/malformed, and will fallback to using its default values (retrieved from omni.ja and/or from within the compiled ff code).
  16. Stefan Froberg

    Stefan Froberg Registered Member

    Jul 30, 2014
    Not anymore:

    What's wrong with webkit? o_O

    Im not so sure about that. At least for me, when I ported Firefox 16 and later Firefox 18 to uClibc, it took me more than one afternoon to make any sense of the codebase. ;)
  17. TheWindBringeth

    TheWindBringeth Registered Member

    Feb 29, 2012
    Back when I got into this I wondered about that and whether the examples I came across were thoroughly tested. I tried it in some places and it did work. However, I emphasized .enabled and other prefs that disable features properly. Changing URLs was a secondary precaution, and one that soon shifted to localhost and local server URLs. So I drifted away from the subject.

    Now you say this, and I wonder again. I decided to run a simple test. I used primitive code to identify and dump prefs of interest, and created the TestAutoconfig.js file below. Which sets "" user values for those preferences. I installed a fresh copy of FirefoxPortable 37.0.1. I hooked up the TestAutoconfig.js file, and also deleted the default searchplugins. Then fired it up while running a sniffer.

    There was a DNS query for but no connections/requests. I waited for awhile... still nothing. As opposed to the surge of traffic I would normally see when launching this portable. I interacted with it, trying to trigger related requests. Still nothing. The "" seemed to work well. Eventually, I did find a few places where URLs may be hard coded. Help->Firefox Help caused a DNS query for which did not resolve. Help->About Firefox triggered an update check that went through to History->Report a suspected web forgery went through to However, there aren't visible preferences for those and I wasn't setting them to "".

    Although limited testing, this reinforces the idea that it works. Well, that it *should* work unless someone forgot/forgets to honor "". That if we see a case where it isn't treated in that way, it would be good to file a bug report.

    Thoughts? Can you remember where you saw the treatment you described? If it is in current or future code, I'd like to look at an example.

    Edit: Code removed, different and more flexible version shared in later post
    Last edited: Apr 21, 2015
  18. inka

    inka Registered Member

    Oct 21, 2009
    Stefan, I thank you for your decision to opensource CyberDragon. I haven't yet tested the newer (past 2) versions. The prior versions certainly reflected a good start, offering several innovate features and a clever tabbed configuration sidebar. "What's wrong with webkit"... did I post on github (dunno what pseudonym) my worry that you're "building on a foundation of sand"? Hasn't Google abandoned further developmental support of webkit (in favor of Blink), and hasn't QT5 already "deprecated" the libs/components you're using?

    That's a fair point. I exaggerated my statement to only counter the seemingly misplaced fixation/observation regarding LOC.
    I don't want to "throw the baby out along with the bath water". Until/unless CyberDragon has a robust extensions framework in place...
    (IIRC, when I inquired {excuse me if I'm mis-remembering, I might be thinking of Dooble browser} the reply was that "such a framework is not on the roadmap", along with a brief explanation why)
    ...although I would be willing to continue beta testing as time permits, I can't entertain the notion of using, depending on, an extensionless browser.
  19. inka

    inka Registered Member

    Oct 21, 2009
    TWB, my tests were long-running.
    Some of the callouts in which fallback urlstrings are employed (if user-set value is blank) are event driven, others are timed.
    A callout to retrieve extensions blacklist, for instance, may not recur until a month has elapsed.
    "Can you remember where you saw the treatment you described?"
    Off the cuff, I seem to recall that values for "extensions.update.background.url" and "extensions.update.url" were ignored (fallback used, if blank user-set value).
    I'll dig through my notes searching for additional examples; might be quicker for me to just grep .mozilla.(com|net|org) within extracted omni.ja content as well as in /browser portion of the codebase.
    Last edited: Apr 20, 2015
  20. Stefan Froberg

    Stefan Froberg Registered Member

    Jul 30, 2014
    That is correct. Google (the major contributor to WebKit project) decided to fork WebKit and came up with Blink.
    They throwed lot's of code out, which is generally a good thing (less code, less bugs).

    However, I think that Digia (current manager of Qt) rushed too much when they jumped to Google's bandwagon, freezed QtWebKit (Qt port of WebKit engine) and
    introduced QtWebEngine (Qt port of Blink).

    As can be seen from here, the state of the new engine is nowhere near complete and will probably take till Qt 5.6 untill it has all the features that QtWebKit had:

    And because this, untill the new engine is ready, there is currently no other real alternative than to continue using QtWebKit, which is working just fine despite it's freezed status and will probably do so at least year or two.

    Of course, I have a plan B in case that QtWebEngine fails to make it's promise and QtWebKit has been left to bit rot. Switch to WebKitGTK+ and possibly write a wrapper C++ library around it (if there is none already?). That would give the latest WebKit engine that is supported.

    Well, now that the code is out, everything is certainly possible.

    I would be more than happy to see if someone comes up with true plugin architecture for CyberDragon that could make it flexible.
    So that every part could be freely exchanged and extended (tracker blocker, cookie blocker etc...).
    People could write their own extension/plugin and load it to CyberDragon with just adding or replacing of one .dll or .so file in plugins directory.
    That would be nice. (

    Also, Im not very happy with tracker blocker performance when large number of blocker rules have been loaded. That's another place for improvement.
    And inline ad blocking would be nice too (that can be done after Iframe sandboxing protection has been completed/working).
    And need to make new RPM Linux version too (have barebone SPEC file somewhere here....).
    And if someone want's to make CyberDragon prettier, offering differents "skins" or "themes", then that is possible too with CSS like stylesheets (

    Sooo much work .....
  21. TheWindBringeth

    TheWindBringeth Registered Member

    Feb 29, 2012
    I improved my TestAutoconfig to make it easier to set the prefs in different ways and figure out which set method led to activity. Updated copy below. I also created a script to assure FirefoxPortable was fully removed/reinstalled/configured in between tests. To eliminate the tedious/error-prone and attempt to assure identical starting conditions for each test. The changes contributed to an immediate discovery: the user value for app.update.url is ignored and only the default value is used. Which rings a bell. I think I read about that decision, somewhere, but forgot about it until I saw the behavior.

    I proceeded to focus on lockPref, which should be immune to that type of decision...

    I pointed the URLs to a local HTTP server, and then again to a local HTTPS server. Ran 20 minutes tests, which included some manual manipulation to provoke certain requests. The results were good. Amongst the prefs that were used to reach the local server were app.update.url, extensions.blocklist.url, extensions.update.url, and extensions.update.background.url.

    I reran the same type of test for an hour using empty strings. Those prefs just mentioned should have been tested/used during the period, as they were in the earlier tests. Yet I saw no requests. Which suggests that the empty strings "worked" during *this* period. I did see one thing that behaved differently... Help->Keyboard Shortcuts was blocked when I provided my own URL but it wasn't blocked when I used an empty string. The related pref is, which is referenced in a number of places.

    Having clarified my test results, on to your comment. I may take advantage of your pointer and look at the code. Thank you. However, I suppose we can't rule out different handling under different conditions and/or at different times. Even if we set the prefs to well formed URLs. I mean, even if there isn't a hard coded fallback mechanism in there now... one could be added in the future. So, as with anything, it would be wise to monitor for leaks. Which I often do (so far so good) but need to tighten up a bit.

    FWIW, and please bear in mind that my extractor is still under development, here is a list of hosts that I pulled from FirefoxPortable 37.0.1 pref values... (edited to add some more I found)...


                    // From searchplugins
    Oh, and current TestAutoconfig...
    // Comment first line
      var msg = "WARNING: For testing purposes only.  Do NOT use your normal " + 
                "profile.  Hit cancel if unsure.";
      if(Services.prompt.confirm(null, "TestAutoconfig", msg) != true)
        throw new Error("User hit cancel to abort startup");
      // This pref list based on a quick review of FF 37.0.1 Portable
      var urlPrefs = ['',
      // Log options
      var logValues         = true;
      var logFilename       = "TestAutoconfig.log";  // Put in tmp dir
      // Hostname options
      var scheme            = "http";
      var defHost           = ""
      var port              = "7777";
      var path              = "/";
      var hostPrepend       = scheme + "://";
      var hostAppend        = ":" + port + path;
      var uniqueHostSuffix  = ".testing.localhost";
      // Test control
      var setEmptyStrings   = false;  // Use empty string or a custom URL?
      var prefSpecificHosts = false; // Use defHost or a pref specific hostname?
      var testProfile       = 4;
      var testName          = "UrlPrefTest";
      var testVersion       = "0.2";
      var logOutput         = setEmptyStrings ? "SettingEmptyStrings" : "";
      var log               = function(s){if(logValues){if(s != "")logOutput += s + "\n";}};
      var prefHost          = defHost;
      var defaultPrefHost   = defHost;
      var lockPrefHost      = defHost;
      var prefValue         = "";
      var defaultPrefValue  = "";
      var lockPrefValue     = "";
      for(var i=0; i<urlPrefs.length; i++)
        var prefName = urlPrefs[i];
            var hostBase = prefName.replace("_", "-"); // ToDo: Additional replacements?
            prefHost  = hostBase + ".pref" + uniqueHostSuffix;
            defaultPrefHost = hostBase + ".defaultPref" + uniqueHostSuffix;
            lockPrefHost = hostBase + ".lockPref" + uniqueHostSuffix;
          prefValue = hostPrepend + prefHost + hostAppend + "pref/" + prefName + "/";
          defaultPrefValue = hostPrepend + defaultPrefHost + hostAppend + "defaultPref/" + prefName + "/";
          lockPrefValue = hostPrepend + lockPrefHost + hostAppend + "lockPref/" + prefName + "/";
          case 1:
            pref(prefName, prefValue);
          case 2:
            defaultPref(prefName, defaultPrefValue);
          case 3:
            pref(prefName, prefValue);
            defaultPref(prefName, defaultPrefValue);
          case 4:
            lockPref(prefName, lockPrefValue);
          case 5:
            throw new Error("Invalid testProfile");
        var logfile = Services.dirsvc.get("TmpD", Components.interfaces.nsILocalFile);
        var foStream = Components.classes[";1"]
        foStream.init(logfile, 0x02 | 0x08 | 0x20, parseInt("0666", 8), 0); 
        var converter = Components.classes[";1"]
        converter.init(foStream, "UTF-8", 0, 0);
      var desc = testName + " " + testVersion +
                 ", setEmptyStrings=" + setEmptyStrings + 
                 ", prefSpecificHosts=" + prefSpecificHosts + 
                 ", testProfile=" + testProfile +
                 ", logValues=" + logValues +
                 ", logFile=" + logfile.path;
      lockPref("TestAutoconfig", desc);
      displayError("TestAutoconfig", e.message);
    Last edited: Apr 24, 2015
  22. inka

    inka Registered Member

    Oct 21, 2009
    Separately, monitoring changes to the pref values would be enlightening.
    Not quite a perfect monitor, but it's a good start:
    NoScript provides this (monitor changes to select prefkeys) as well, but it probably discards attempted changes rather than alerting (or even logging).

    I hope we can agree that it's a matter of WHEN rather than IF.
    Example (not specific to key values containing URLs):
    How many/multiple separate prefkey values must one now (realize exist and) alter in order to successfully prevent being subjected to "experiments"?
    Default for ff release channel is experiments ~= enabled.
    Suppose you had found/changed/locked "browser.experiments.enabled==false". Upon version update, Although mozilla hasn't RESET that pref value, they've introduced additional experiments -related prefkeys (henceforth ignoring the prior, which originally served as a 'killswitch' or 'opt out', in case you've discovered + changed + locked it)(sez me).

    We've also witnessed mozilla (update) CHANGING prefkey values.
    Recently for "Mozilla Hello" and, across prior versions, for HealthReport and "seer" and prefetch and spdy and oscp stapling and....

    With the above in mind, ESR is preferable to release channel

    That is almost certainly one of the numerous prefs I had in mind when I suggested "looking in the code". It's settable via mozconfig as a build-time variable, as are several others related to "branding". HOWEVER, without digging through my notes I'm typing "almost certainly" because NOT all the (arguably) branding-related URLs are settable via mozconfig; as though mozilla has nefariously planned ahead, in case someone develops a successful fork... mozilla can point to "Aha! If a user clicks Fn10+backspace+Shift+H ...see that link back to URL?" and demand cease-n-desist (or whatever) because "confusingly similar product... is damaging our brand". The immediate point here is that even if someone forking the codebase conscienciously attempts to "de-brand" the browser, inbuilt stuffs oh-so-conveniently exist to throw a wrench in the works. Blank string (in the pre-build config, or in the pre-build "\browser\..\prefs\preferences.js" file) won't prevent the build from completing, nor will it suppress the runtime hard-to-find ("easter egg" like Fn10+backspace+Shift+H) mozilla URL from being displayed.

    BTW, mentioning "oh-so-conveniently" reminds me (specific to grepping "mozilla." within the codebase):
    Most (but mind you, not all) of the individual sourcefiles bear an inline comment header
    "under penalty of galactic law blahblah... do not remove this notice. copyright Mozilla..."
    If this ~ Snipped as per TOS ~ was present in ALL sourcefiles, I'd chalk it up to standard FOSSiness. Since it's not... my disillusioned takeaway is that it represents "injected noise".
    Last edited by a moderator: Apr 21, 2015
  23. KeyPer4Life

    KeyPer4Life Registered Member

    Dec 18, 2013
    This pref set to 0 would have one to add security exception (e.g. by typing into
    location bar to get certificate. I take it that is what you want to do. // Tested on Pale Moon
    0= do not pre-populate the current URL as an exception & do not pre-fetch the SSL certificate.

    Setting this pref to 0 will crash Pale Moon browser . // Encountered a problem & needs to close message.
    Last edited: Apr 22, 2015
  24. TheWindBringeth

    TheWindBringeth Registered Member

    Feb 29, 2012
    Glanced at it, looks useful. Related thoughts: If the goal is to determine changes between builds, I think the export/diff approach is useful (remember there are some prefs which are tested for but aren't set by default unless you add them). If the goal is runtime detection of changes away from your desired settings, one approach would be to use an autoconfig file to not only apply desired settings but also pass information about those to an installed extension via separate pref(s). That way the installed extension would know exactly what to look for. I'm not sure if autoconfig code can setup the observer(s) and perform the watchdog function as well (thereby eliminating the need for a separate extension), but at some point I want to look into that.
    Last edited: Apr 22, 2015
  25. Slink489

    Slink489 Registered Member

    Mar 28, 2015
    Dumb question: Maybe I missed it, but is there no way to edit my original post?

    I was going to try and update the 'user.js' listing with what might be the last time I do that. With the wealth of info and certain comments from certain people in this thread and the 'lockdown' thread, keeping up with this is likely useless. But maybe a good start for the time being? No doubt the devs are going to clamp down on our ability to control the browser. Probably sooner than latter if not actually there and we don't know it yet.

    So what's left? Back to Links? Wait, wouldn't that break 90% of the web?