Adapting & fixing core settings

Following https://github.com/intika/Librefox/issues/34 many settings have to be defaulted to a different value while leaving the choice for the user… Here are some pro developer feedback for Librefox

Eloston

What do you think made ungoogled-chromium successful ?

“Success” is a pretty broad term. I will assume you define “success” based on the number of users, what users say about the project, and the kinds of bug reports this project receives. In that case, there are several points I can note (in no particular order of importance):

• Continual desire to improve the project and oneself. I think this is the most important point. I mainly gather ideas based on feedback, experiences from this and past software projects, and experimenting with software in general. I also gather ideas by reading code and docs from Google, reading technical blog posts about software, and reading about new developments in software engineering.

• Dedicating a lot of time to the project. Especially in the following areas:

• Consistent attention to overall quality of documentation, code, and user experience (building the browser, using the browser, downloading pre-built binaries, reading documentation, etc.)

  • Responding to feedback on GitHub.
  • Considering all aspects of a bug, enhancement, request, question, etc.
  • Leaving a good impression on anyone who comes by. This happens in a number of ways, but a lot of this happened via the points I made above.
  • Contributors keep the momentum going. Particularly in updating Chromium versions.
  • The Chrome/Chromium userbase is large. The number of people concerned about privacy/security and Google’s role in privacy is also decently large. Having a number of people interested in a project like this helps a lot.
  • In the beginning (some time before the first spike of users), I went to a few different places to advertise this project. Then, I let other people spread the word. This works because of the number of interested users.

Also one thing, a lot of people asked me about mozilla trademark (Firefox) while i was disturbing a patched version it’s curious that uc did not face this problem, i guess google folks are more permissive.

This project is not widely known, and people aren’t confusing it with the trademarked Chrome and Chromium. If it becomes an issue, then I’ll be fine with changing it.

Do you have any advice/comments regarding the direction of my project ?

I don’t know much about Firefox, so I can’t give you any specific advice. Hopefully my comments on what made this project successful will help you too. Regardless, I am glad that my project has inspired you to create Librefox. I wish you luck with it!

Moonchild

• Block third-party cookies: Can block some sites (Add it as a choice)
• Completely disable the password manager how does this improve privacy, exactly, by forcing users to type their credentials every time? ( … )
• Completely disables IPv6 support. ( … )
• Completely disables all parts of the blocklist, including known broken gfx driver issues. This will expose users to many issues with known graphics driver problems ( … )
• Completely disables integration with the add-ons site. (addon can still be installed its just that there is no integration - add it as a choice ?)
• Completely disables extension updates (Add it as a choice)
• Completely disables Windows jumplists, because… ( … )
• Completely disables pre-loading of known HSTS domains; this opens the user up to first-time-visit spoofing. HSTS preloading is harmless, blocked because it’s supplied by Mozilla? ( … )
• Completely disables OCSP, but enables OCSP stapling, which won’t work with disabled OCSP. ( … )
• Conflicting prefs with result that at best a CRL fallback is used, and at worst no checking is performed at all and revoked certs are accepted as secure. Well done Librefox, you broke https authentication checks. ( … )
• Not forced but default; WebGL and layers acceleration is force-enabled. This will break the browser on many more systems because of GFX issues (especially hybrid and mobile chips), especially if blocklist entries aren’t checked or used. ( … )
• Completely disables webgl2 and forces webgl minimum-capability mode. This pretty much makes webgl useless. No reason to do this, since the (already enforced) fingerprinting protection already mitigates any potential webgl leaks. Fingerprinting protection doesn’t enforce minimum capability mode for a reason. ( … )
• Disables clipboard events, breaking many sites that use JS to place data on the clipboard… ( … copy button still works)
• Done with lockPref (Add it as a choice)
• Considering there are plenty of duplicate entries in there you may find it frustrating that it doesn’t take unless you hunt down all copies of a setting ( … There is no duplicate but related settings).
• IMHO it’s just another example of copy-pasta of insane configurations ( … Settings have been tested but any way)
• It’s not even a rebuild, it’s just reconfigured ( … )
• Check wolfbeast reply

Pants

• Extensions update notice
• Warn and provide a checklist (because of insane niche settings)
• Provide the support for users to make changes and understand wtf just happened
• Librefox is breaking shit left right and center - it’s too much mate! It’s a shell of a browser and it’s kinda dangerous.
• The project needs to be differentiated (Currently it’s reinventing the wheel)
• The “Dangerousness” of some settings
• Added prefs from god knows where (We don’t add everything for a reason, so you’ll need to look at that as well)
• There’s the lock pref stuff
• Stripping important things out like Safe Browsing
• Dropping recommending extensions
• New users may be put at risk.
• People can achieve what you’re done with a user.js - sure, I haven’t exactly followed what core FF changes you have done, but they aren’t needed IMO.
• You have to assume that anyone who uses your product has no knowledge or skills 😃
• Wiki full of things like important stuff to check when first getting it. recommended extensions.
• You have a lot of work in front of you, and I can’t help but feel you had no idea that this will suck the life out of you, and consume all your time. I don’t want you to die intika , I like ya. kiss
• Don’t listen to some of the rabid commentators on your repo. Just because that’s how they like it, doesn’t mean it’s a good default (I have read some ludicrous ideas from some of them already).

Also, already looked at, but need to re review for new version

/* ALREADY COVERED: by master pref extensions.pocket.enabled ***/
    extensions.pocket.api                                                ""
    extensions.pocket.oAuthConsumerKey                                   ""
    extensions.pocket.site                                               ""
/* INFO URLS ETC: require user interaction (e.g Help>Submit Feedback) ***/
    app.feedback.baseURL                                                 ""
    app.releaseNotesURL                                                  ""
    browser.contentblocking.reportBreakage.url                           ""
    datareporting.healthreport.infoURL                                   ""
    toolkit.crashreporter.infoURL                                        ""
    toolkit.telemetry.infoURL                                            ""
    privacy.trackingprotection.introURL                                  ""
/* DEFAULT IS SAME
   this is generally a bad idea: if FF disables something due to a security concern, the
   end user who doesn't keep up to date with changes 
   (IF you do them) is now fucked over) ***/
    browser.offline-apps.notify                                          true
    browser.safebrowsing.passwords.enabled                               false
    html5.offmainthread                                                  true
    security.sri.enable                                                  true
    security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256                         true
    security.ssl3.ecdhe_ecdsa_aes_256_sha                                true
    security.ssl3.ecdhe_ecdsa_chacha20_poly1305_sha256                   true
    security.ssl3.ecdhe_rsa_aes_128_gcm_sha256                           true
    security.ssl3.ecdhe_rsa_aes_256_sha                                  true
    security.ssl3.ecdhe_rsa_chacha20_poly1305_sha256                     true
/* NOT PRIVACY etc related ***/
[i] browser.download.animateNotifications                                false
    browser.tabs.closeTabByDblclick                                      true
/* covered by dom.enable_performance (& also RFP) ***/
    dom.enable_performance_navigation_timing                             false
/* is only exposed to chrome 
   ( https://trac.torproject.org/projects/tor/ticket/27268#comment:2 ) ***/
    dom.mozTCPSocket.enabled                                             false
/* only used in a single test ***/
    browser.formfill.expire_days                                         0
/* specifically removed because people don't understand it 
   (and we don't want to encourage Tor over FF) ***/
[i] network.dns.blockDotOnion                                            true