Remove a few legacy prefs #228

@celenity wrote in #228 (comment):

It looks like browser.newtabpage.activity-stream.feeds.section.topstories.options is still used in ESR, so let's keep it for now, but add a [ESR] tag at the end, so that we can remember to remove it for next ESR cycle.

I can add it back, but since Pocket is dead, it should not be able to show any stories anymore.

Edit: Or did you mean the UI toggle?

Hope you don't mind me adding a few more things while I go through Phoenix.

Not sure if I am reading the code wrong/missing something, but shouldn't intl.allow-insecure-text-input be OSX only?

I just tested browser.preferences.experimental.hidden being set to true and it did not appear at all on first launch.

there's a policy too, since v130.0.1. also the dependence on telemetry/studies (comment) no longer applies in version 146+ (ref -> should it be allowed to be enabled by the user?), but still does apply to ESR.

from the ticket:

Both Firefox Labs and one of either studies or telemetry must now be
disabled to fully disable Nimbus.

Since https://mozilla-ohttp.fastly-edge.com does not return anything anymore

@degausser Nice to see you here too :)

Thank you so much, great work here @any1here!

@any1here wrote in #228 (comment):

Not sure if I am reading the code wrong/missing something, but shouldn't intl.allow-insecure-text-input be OSX only?

You're right, good catch. I see you added the [OSX-ONLY] tag to the end of the intl.allow-insecure-text-input pref - also make sure to add it to the end of the title (/// Crash on insecure password input) - otherwise it'll just result in an empty /// Crash on insecure password input section appearing in the prefs for releases outside of OS X.

Not sure about removing browser.search.widget.inNavBar. I am not able to find anything setting this. If I missed something, I will revert that commit.

fyi, network.proxy.type != 5 prevents BITS usage for background updates (= via the scheduled task)

user_pref("app.update.background.previous.reasons", '["on Windows but cannot usually use BITS"]')

https://searchfox.org/firefox-main/source/toolkit/mozapps/update/BackgroundUpdate.sys.mjs#213-219
https://searchfox.org/firefox-main/source/toolkit/mozapps/update/UpdateService.sys.mjs#864-872

I made accessibility.uia.enable windows only, since it only has any meaningful impact there. No idea why they set it for other platforms.

I added privacy.restrict3rdpartystorage.heuristic.recently_visited_time with value 0 for defense in depth. Normally it does nothing since privacy.restrict3rdpartystorage.heuristic.recently_visited is set to false

@degausser
Do you know if setting security.sandbox.content.shadow-stack.enabled to true causes any problems? I added it in the default false state.

@any1here #110

also as said in the librewolf pull comments, network.http.referer.defaultPolicy.trackers*->1 breaks youtube embeds with error 153, e.g. itch.io homepage

https://developers.google.com/youtube/terms/required-minimum-functionality#embedded-player-api-client-identity:~:text=strict%2Dorigin%2Dwhen%2Dcross%2Dorigin

@degausser
I was planning on adding your recommendations after I had finished my initial scroll through of Phoenix. Currently I am just seeing what catches my eye.

I have finished my scroll through. Everything below this comment (except 1 2) come from suggestions @degausser made here librewolf/settings#107 (comment)

Or should this be a new PR?

@any1here native messaging is covered in the WebCompat wiki entry and was fairly recently closed as wontfix. i stand by what i wrote about it in the comment (disabled signons + keepassxc not working ootb is bad), but i don't think it's a wanted change in phoenix. (likely the same with jit, fpp, rs intervals...). for example disabling push is covered in Network Connections as "not recommended".

if desired, a new pr in general seems cleaner, to facilitate merging this one without hassle.

@celenity for phoenix, at least these could be considered:

// cloudflare turnstile gets intermittently stuck with this
--accessibility.blockautorefresh
--network.http.prompt-temp-redirect

// breaks YouTube embeds with error 153 (see this pr also)
--network.http.referer.defaultPolicy.trackers*

// this draws a hovering hand cursor over clickable links only after the whole page has loaded (there is no "hand with spinner" cursor, at least on Windows); bad concession
--browser.spin_cursor_while_busy

// no reason to disable extended taskbar shortcut menu on Windows
--browser.taskbar.lists*

// reenable alt key to show menu
--ui.key.menuAccessKeyFocuses

// reenable animated webpage loading thumbnail, instead of an hourglass
--ui.prefersReducedMotion

permissions.default.localhost->2 could at least get a wiki entry about this; one would already need a BlockLAN (on by default in assets.json) uBO list @@ scoped exception to get it working, and then allow the permission prompt.

btw, dom.text_fragments.create_text_fragment.enabled no longer exists in firefox-main, and the entry is in the context menu by default; it exists in ESR as default false.

I will leave this PR as-is until @celenity can give input on what can be changed in Phoenix.

Edit: I reverted the last 2 commits regarding native-messaging

Thank you for your feedback @degausser! To address your points:

// cloudflare turnstile gets intermittently stuck with this
--accessibility.blockautorefresh
--network.http.prompt-temp-redirect

Do you mind sharing more details here - ex. can you provide an example of an impacted website (would help for testing)? I'm not saying that you're wrong, this may very well be an issue (and if so, those prefs can indeed be reconsidered. I'm just surprised to hear this as it's not a problem I've encountered or heard from other users).

// breaks YouTube embeds with error 153 (see this pr also)
--network.http.referer.defaultPolicy.trackers*

I don't like having to relax those prefs, but I agree that it unfortunately seems necessary, so I'm fine with setting those back to the default values (2 ) until we can find a better solution (This should be covered by @any1here's PR).

// this draws a hovering hand cursor over clickable links only after the whole page has loaded (there is no "hand with spinner" cursor, at least on Windows); bad concession
--browser.spin_cursor_while_busy

I see what you're saying - it appears to do this on at least macOS as well (I just tested it). Will have to think about it - I think it's overall a nice feature from a UX perspective, but I agree it's not ideal that it prevents the hand cursor from drawing unless the whole page has loaded.

// no reason to disable extended taskbar shortcut menu on Windows
--browser.taskbar.lists*

Fair enough, good catch. I'll enable browser.taskbar.lists.enabled and browser.taskbar.lists.tasks.enabled for next release - those seem both harmless and legitimately useful. I think we should probably keep browser.taskbar.lists.frequent.enabled and browser.taskbar.lists.recent.enabled though.

// reenable alt key to show menu
--ui.key.menuAccessKeyFocuses

You're right, will enable for next release. No reason to disable IMO.

// reenable animated webpage loading thumbnail, instead of an hourglass
--ui.prefersReducedMotion

Not sure how to feel about this one, curious how others feel.

permissions.default.localhost->2 could at least get a wiki entry about this; one would already need a BlockLAN (on by default in assets.json) uBO list @@ scoped exception to get it working, and then allow the permission prompt.

Great point, thanks for bringing this up. Will do some testing. Honestly, instead of removing permissions.default.localhost, I think I'd rather remove/disable the Block LAN uBo list - I agree we shouldn't set both, and I think it's better to rely on native browser features for functionality like this over extensions where possible.

@celenity Thank you for your consideration.

cloudflare turnstile

can be tested e.g. here ->https://www.techspot.com/. I recall testing it in late December - it manifested as a intermittently stuck redirect, after automatically or manually ticking the captcha box. However I cannot reliably reproduce it now - the prompt informing of the redirect flashing multiple (2-3) times isn't ideal (I guess it does its job), but doesn't prevent the turnstile to eventually suceed. However, I tested with JIT disabled back then, but with stock Firefox settings now, so maybe the js check just sometimes timed out, on slow(er) hardware. Still not great, but reload (CTRL+R) eventually coerced it through (turnstile again->website).

permissions.default.localhost

As far as I can tell, the ui in about:preferences#privacy doesn't allow manually entering exceptions, and with 2 it doesn't show any indicator in urlbar, to add an 'allow' exception for current webpage. The BlockLAN list are mostly exceptions; all of them would break. IMHO 0 (default prompt) and keeping the list is a better choice, at least for now.

btw, click'n'load-relevant entry

@degausser

As far as I can tell, the ui in about:preferences#privacy doesn't allow manually entering exceptions, and with 2 it doesn't show any indicator in urlbar, to add an 'allow' exception for current webpage. The BlockLAN list are mostly exceptions; all of them would break. IMHO 0 (default prompt) and keeping the list is a better choice, at least for now.

Yeah, I did some testing, and I'm inclined to agree with you. Fixed for next release: 62fb7dd81e.