Merge branch 'pre-v94' into 'master'

address #93, #94 and #95 See merge request librewolf-community/settings!22
2021-11-02 00:09:40 +00:00 · 2021-11-02 00:09:40 +00:00 · c7ebafbd3c
commit c7ebafbd3c
parent 9072aa85b4 f0a2d5d706
3 changed files with 108 additions and 78 deletions
--- a/distribution/policies.json
+++ b/distribution/policies.json
@ -8,7 +8,6 @@
        "DisableSystemAddonUpdate": true,
        "DisableFirefoxAccounts": true,
        "DisableProfileImport": false,
-        "DisableMasterPasswordCreation": true,
        "DisableFirefoxStudies": true,
        "DisableTelemetry": true,
        "DisableFeedbackCommands": true,
@ -31,7 +30,7 @@
        },
        "Extensions": {
            "Install": [
-                "https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.38.2-an+fx.xpi"
+                "https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.38.6-an+fx.xpi"
            ],
            "Uninstall": [
                "google@search.mozilla.org",
--- a/docs/Changelog.md
+++ b/docs/Changelog.md
@ -1,8 +1,48 @@
 This changelog will be used from now on to document changes in a precise manner, with a list of changes for each setting version.
 Setting versions are documented using the pref `librewolf.cfg.version`, available in about:config.

+## 3.0
+
+**target commit**:
+
+**base librewolf version**: 94.x
+
+**References**:
+- as reported in #95 and discussed [here](https://gitlab.com/librewolf-community/browser/linux/-/issues/246) we are re-enabling TP by default, setting it to strict.
+- the sponsored shortcuts in about:preferences#home were already locked, now they are properly hidden.
+
+**Notes**: all the removed preferences were either related to disabling TP, or unecessary when using strict mode. as a result of this trimming the tracking protection section of the .cfg file doesn't need to exist anymore.
+
+#### Added preferences
+```
+defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button from about:preferences#home
+defaultPref("privacy.resistFingerprinting.letterboxing", false); // expose hidden letterboxing pref, but do not enable by default
+```
+
+#### Removed preferences
+```
+lockPref("privacy.trackingprotection.enabled", false);
+lockPref("privacy.trackingprotection.pbmode.enabled", false);
+lockPref("privacy.trackingprotection.annotate_channels", false);
+defaultPref("browser.safebrowsing.provider.mozilla.updateURL", "");
+defaultPref("browser.safebrowsing.provider.mozilla.gethashURL", "");
+defaultPref("privacy.trackingprotection.cryptomining.enabled", false);
+defaultPref("privacy.trackingprotection.fingerprinting.enabled", false);
+defaultPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false);
+defaultPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false);
+```
+
+#### Changed preferences
+```
+pref("browser.contentblocking.category", "strict");
+```
+
 ## 2.0

+**target commit**: from 6451faa167568313e5ed065fcb3ee2bb76132063 to b17a1ed657e22ac61b4399699223d36724b842e7
+
+**base librewolf version**: 92.x
+
 **References**:
 - [web content can no longer access the battery api](https://bugzilla.mozilla.org/show_bug.cgi?id=1313580).
 - http alternative services are [isolated by network partitioning and FPI](https://github.com/arkenfox/user.js/blob/269cf965bd51022ca69823f8f66a8e402280d856/user.js#L1350) and they are unchanged even in tor browser. from a security standpoint, the alternate service will need to provide the certificate of the origin in order to be considered trusthworthy.
@ -120,7 +160,7 @@ defaultPref("browser.download.useDownloadDir", false); // force user interaction
 pref("browser.urlbar.quicksuggest.scenario", ""); // disable firefox suggests and hide its UI
 ```

-#### Commented prefs
+#### Commented preferences
 ```
 // pref("network.trr.mode", 2); // previously uncommented defaultPref with value 5 
 // pref("network.trr.uri", "https://dns.quad9.net/dns-query"); // previously uncommented defaultPref with empty value
@ -173,7 +213,7 @@ defaultPref("browser.safebrowsing.downloads.enabled", false);

 ## 1.6

-**target commit**:
+**target commit**: 192f51abe21e9aeb9b01d396079e9b8533cab7bb

 **base librewolf version**: 91.x

--- a/librewolf.cfg
+++ b/librewolf.cfg
@ -9,13 +9,23 @@
 
 */

-defaultPref("librewolf.cfg.version", "2.0");
+defaultPref("librewolf.cfg.version", "3.0");

-// -------------------------------------------
-// # SANITIZING COOKIES AND HISTORY, SESSIONS
-// -------------------------------------------
+// -------------------------------
+// # SANITIZING, TP, SESSIONS
+// -------------------------------

-defaultPref("network.cookie.cookieBehavior", 5); // dFPI, same as strict mode
+/**
+ strict mode includes:
+ - dFPI for both normal and private browsing
+ - strict blocking lists for trackers, including crypto, fping and socialtracking
+ - shims to avoid breakage caused by blocking lists
+ - stricter policies for xorigin referrers
+ - cookie cleaning mechanism specific to dFPI
+*/
+pref("browser.contentblocking.category", "strict");
+
+defaultPref("network.cookie.cookieBehavior", 5); // dFPI is default for strict mode, but enforce
 defaultPref("network.cookie.lifetimePolicy", 2); // keep cookies until the browser is closed then delete everything minus exceptions

 // make third party and http cookies session-only
@ -141,6 +151,8 @@ defaultPref("privacy.resistFingerprinting.block_mozAddonManager", true); // prev
 defaultPref("browser.startup.blankWindow", false); // if set to true it breaks RFP windows resizing
 defaultPref("browser.display.use_system_colors", false); // default but enforced due to RFP

+defaultPref("privacy.resistFingerprinting.letterboxing", false); // expose hidden letterboxing pref, but do not enable by default
+
 // librewolf specifc pref that prevents rfp from forcing light theme, review
 lockPref("privacy.override_rfp_for_color_scheme", false);

@ -302,36 +314,6 @@ defaultPref("browser.download.autohideButton", false); // hide download button a
 defaultPref("browser.download.manager.addToRecentDocs", false); // do not add downloads to recents
 defaultPref("browser.tabs.loadBookmarksInTabs", true); // always open bookmarks in new tab

-// -----------------------------------
-// # TRACKING PROTECTION
-// -----------------------------------
-
-pref("browser.contentblocking.category", "custom"); // set tracking protection category, using pref solves the UI bug
-
-// enable / disable TP in normal and private browsing
-lockPref("privacy.trackingprotection.enabled", false);
-lockPref("privacy.trackingprotection.pbmode.enabled", false);
-
-lockPref("privacy.trackingprotection.annotate_channels", false); // reduce priority of trackers, remove if TP is on
-
-// remove urls to fetch contentblocking lists.
-// without these urls TP cannot work. the lists are not shipped with the browser but download on first launch.
-defaultPref("browser.safebrowsing.provider.mozilla.updateURL", "");
-defaultPref("browser.safebrowsing.provider.mozilla.gethashURL", "");
-
-// disable blocking lists and hide ui elements in custom mode UI, if TP is enabled revert to true
-defaultPref("privacy.trackingprotection.cryptomining.enabled", false);
-defaultPref("privacy.trackingprotection.fingerprinting.enabled", false);
-defaultPref("browser.contentblocking.cryptomining.preferences.ui.enabled", false);
-defaultPref("browser.contentblocking.fingerprinting.preferences.ui.enabled", false);
-
-// hide annoying ui elements from about:protections
-defaultPref("browser.contentblocking.report.lockwise.enabled", false);
-defaultPref("browser.contentblocking.report.monitor.enabled", false);
-lockPref("browser.contentblocking.report.hide_vpn_banner", true);
-lockPref("browser.contentblocking.report.vpn.enabled", false);
-lockPref("browser.contentblocking.report.show_mobile_app", false);
-
 // --------------------------------------
 // # EXTENSIONS
 // --------------------------------------
@ -401,7 +383,7 @@ lockPref("gecko.handlerService.schemes.ircs.0.uriTemplate", "");
 lockPref("gecko.handlerService.schemes.ircs.0.name", "");
 lockPref("browser.translation.engine", "");

-// disable welcome, what's new pages and ui tour
+// disable welcome, what is new pages and ui tour
 defaultPref("browser.startup.homepage_override.mstone", "ignore");
 defaultPref("startup.homepage_override_url", "about:blank");
 defaultPref("startup.homepage_welcome_url", "about:blank");
@ -410,6 +392,15 @@ lockPref("browser.messaging-system.whatsNewPanel.enabled", false);
 lockPref("browser.uitour.enabled", false);
 lockPref("browser.uitour.url", "");

+// hide annoying ui elements from about:protections
+defaultPref("browser.contentblocking.report.lockwise.enabled", false);
+defaultPref("browser.contentblocking.report.monitor.enabled", false);
+lockPref("browser.contentblocking.report.hide_vpn_banner", true);
+lockPref("browser.contentblocking.report.vpn.enabled", false);
+lockPref("browser.contentblocking.report.show_mobile_app", false);
+
+defaultPref("browser.topsites.useRemoteSetting", false); // hide sponsored shortcuts button from about:preferences#home
+
 // ------------------------------------
 // # NEW TAB PAGE
 // ------------------------------------