The great browser section cleanup #2081
base: master
Still not sure if outright removing Decentraleyes is the correct way to go. It may not help if people enable FPI, but if they don't then Decentraleyes will at least give you partial protection. |
Not really, no. The reason we would suggest removing it is because it doesn't actually work as the resources are horribly out of date. @Thorin-Oakenpants does describe #1430 (comment) why FPI is really the only way to achieve what these addons set out to do. That being said, when LocalCDN is available for Fenix, we could revisit this. According to the author it works in a different mode of operation where:
This would be infinitely more useful than Decentraleyes, even if your use case is simply to save bandwidth. I think like other things, we really should be suggesting people do things that don't actually work. I have been using |
I've decided we will do #1257 separately. |
I've decided to tackle #1257 in its own PR, not this one. |
@dngray It's worth adding that when it comes to anti fingerprinting. |
That's way too generalized, and makes no sense. I can't even tell what you mean.
If you mean it's better to spoof to trackers than to block trackers: I disagree. Blocking the source of the FPing is the first step of many (but ultimately a game of whack a mole). Actual fingerprinting countermeasures are for when something gets through.
If you mean disabling an API vs dealing with it, then the only reason to do that would be because there isn't a solution. For example, Tor Browser disables the web audio API. The entropy comes from floating points and the math libraries play a role. Since legitimate web audio API use is pretty much non-existent, then it's easier for RFP/Tor Uplift/TB to de-prioritize it and kick it upstream to the standards body. Meanwhile, all TB users are still exactly the same on that web audio metric: so it's effectively the same as if they were spoofing as far as entropy goes.
It really depends on the metric. Generally speaking, you want anti-fingerprinting to cause as little breakage or side-effects as possible: but if there's no solution, it's better to disable the API and everyone will be the same, than allow the entropy to be leveraged.
Note: we're talking about sets of users: you cannot hide your engine, you cannot hide that you are FF vs TB, you cannot hide if you have RFP on or not, etc.
/end of rambling |
As far as I can tell, the following recommendations are already the default values:
So, I think they can be removed for the sake of brevity, right? |
Firefox 86 has introduced a concept called "Total Cookie Protection" for both desktop and Android. The Temporary Containers add-on is now probably unnecessary. If this is true, then we can remove that section. Further, they are introducing dynamic first-party isolation if Enhanced Tracking Protection is set to "strict". So |
"Total Cookie Protection" is dFPI.
FTR: AFAIK only if ETP=strict is not the default. If FPI will be removed, it must also be recommended to set this to strict, otherwise it's much lower protection.
It's still "necessary" (whatever this means), because it provides automatic clean within a session. dFPI only isolates different sites, while TC can also isolate the same site. Assuming that the automatic mode is used. |
Does Cookie AutoDelete cover the same cleaning that Temporary Containers does? It allows automatically removing cookies, LocalStorage, cache, IndexedDB, plugin data and service workers. |
New Firefox 87 update has introduced a new default HTTP Referrer policy and SmartBlock. |
@dngray and all: this fork of Decentraleyes seems to be getting very frequent updates. Has anyone looked into it? |
Firefox recently introduced site isolation; it seems to me that it would be a good addition to this PR. |
There are so many merge requests that aren't in the preview page, that I can't keep up with all of them.
|
Agree with 4-9 but:
I think doing nothing (i.e. how it is now, just double-click a script that transfers the user.js) is preferable to working with a GUI. Besides, if they're already working with about:config, why overcomplicate it by introducing a new thing?
Unless you can link those websites you're referring to (and they're actually broken until you allow a domain), that kinda tells me you haven't learned how to use it perfectly. https://github.com/gorhill/ublock/wiki/Overview-of-uBlock's-network-filtering-engine Do you think gorhill would remove the option in the first place, if it were a good one?
Because it's always better to be platform-agnostic and work with your data yourself when it comes to privacy (and convenience in this case, as you're not locked into Firefox). Not to mention, if you care at all about privacy, it's a bad idea to sign into a Firefox account.. in Firefox. Don't do it. Also, CPU usage? lol |
Copied from another comment: |
Because as I said, people will think it's advanced tweaks and can only be done when you agree to "accept the risk of modifying these values". Doing it in the GUI takes even less time.
I apologize on this one. After playing a little with the green button, it didn't offer me any help. I was screwing up my uBO setup with other ways, that the grey button didn't seem to work on some websites.
If it's e2ee encrypted, I would rather trust Mozilla than that addon. An Account lets you sync your passwords too (when you're using Firefox Lockwise, which a lot of people will already do). I'm not going to discuss what it offers when comparing to Bitwarden and its addon. |
In this PR, the plan is to move away from specifying any |
We should make that part of this PR. |
@dngray please consider Mull Browser (#2248); it comes with all the right settings out of the box. I think this is a lot easier for the general user. Another question, does anybody know if uBO also prevents ETag tracking? This currently is also a reason for listing ClearURLs. |
It doesn't. The word etag does not even appear in its codebase.
Who cares? It's isolated. |
@rusty-snake if |
Is that a good decision tho? I also wanted to link a discussion from Firefox's GitHub about FPI, dFPI (= Total Cookie Protection) and all these terms. To summarize it, dFPI is their way to implement FPI in a more web compatible way. We can enable dFPI just by setting ETP in the UI to strict (which is also available for Firefox on Android). |
@ph00lt0 Here's your reading: https://blog.mozilla.org/security/2021/01/26/supercookie-protections/ INANE for firefox under android, but I have no hint that this isn't the case for android.
|
Not some user.js. Your own user.js.
Not really. You have to dig through settings and look for the right buttons and checkmarks and stuff.
That's a bad mindset. You should always trust local (an open source addon) vs cloud (Mozilla).
Recommended where? On Windows? Mac? iOS? That's why I said platform-agnostic. For example, you probably shouldn't be using Firefox on Android. And you definitely shouldn't be using it on iOS. What are you gonna do about your bookmarks there? Not to mention, some platforms don't even have Firefox. |
ph00lt0 said
This is a complete parroting of what you said about Librewolf. I get that you're keen, but stop pushing obscure browsers and provide facts, not opinions - in the appropriate issue, not here. Why are these all the right settings? How do you know? Where are your references and proof? What are your credentials/experience in all of this (optional but lends credence)? You also suggested a problematic extension Privacy Possum as an alternative, and one that has been abandoned for 3 years, for a problem that does not exist. And you keep making incorrect statements about a number of Firefox developments. Instead of personally blocking me because you don't like my factual answers, you should read what I'm telling you. Blocking someone doesn't suddenly make your points correct.
Are you not able to check uBO yourself?
And, no, etags are not currently a reason for listing ClearURLs. Etags are not even an issue. Neither is it the history API setting (this is a myth), nor the hyperlink auditing (you can use a pref). It is because it "clears" urls of tracking parameters.
Side note: if uBO's new filters cover this, then ClearURLs could probably be dropped IMO - needs a discussion, analysis elsewhere.
rusty-snake: "ETag tracking" Who cares? It's isolated. Do you block all cookies? And disable TLS Session tickets?
me right now: to add to rusty's comment "do you change your IP"?
It was already pointed out that etags are not an issue since FF85. More reading, less talking. Here is a link to what network partitioning covers. This is enabled by default for all users, all platforms.
If you still think etags are an issue, then please explain why, so I can explain why it isn't. |
So I did some digging into how the new list from AdGuard compares to ClearURLs. I believe the new list from AdGuard has a long way ahead of it before it catches the list from ClearURLs (unless they copy their work, which makes more sense IMO). Also some people on Reddit pointed out that the list from AdGuard didn't remove the parameters from sites like Bing (do they even have referral parameters?) and some parameters from Amazon. And here's the list for ClearURLs: https://gitlab.com/anti-tracking/ClearURLs/rules/-/raw/master/data.min.json You can compare the parameters for each site. I compared 2 or 3 (including Amazon), and ClearURLs seems to have more parameters. Everything I said could be wrong and I may not have understood the whole concept of their lists, so feel free to correct me (while still being polite, I'm trying to learn for myself and to protect my privacy and benefit others from this, just like most people who are spending their free time discussing such topics here) |
Description
Resolves: #1326
Resolves: #1931
Resolves: #2005
Resolves: #1430
Resolves: #1313
Resolves: #1704
Resolves: #1328
Resolves: #2117
Resolves: #1292
Resolves: #2169
Check List
I understand that by not opening an issue about a software/service/similar addition/removal, this pull request will be closed without merging.
I have read and understand the contributing guidelines.
The project is Free Libre and/or Open Source Software