Mozilla adds Dynamic First Party Isolation option to Firefox 77 - gHacks Tech News

ADVERTISEMENT

Mozilla adds Dynamic First Party Isolation option to Firefox 77

Mozilla's work on the Firefox browser's tracking protection feature continues unhindered. The organization has now enabled a new option in Firefox 77, currently on the Nightly channel, that is called Dynamic First Party Isolation.

Firefox users may use tracking protection presets currently or create custom rule sets for blocking certain elements on websites that may be used for tracking.

When it comes to blocking cookies, the four custom options that are available in Firefox Stable are:

  • Cross-site and social media trackers
  • Cookies from unvisited sites.
  • All third-party cookies (may break some sites).
  • All cookies (will cause websites to break).

A fifth option has been added to Firefox 77 Nightly. To access the controls, load about:preferences#privacy in the Firefox address bar and select "custom" under Enhanced Tracking Protection. A click on the menu next to cookies should display the new option.

  • Cross-site and social media trackers, and isolate remaining cookies.

firefox-77-dynamic first party isolation

A warning is displayed when the new cookie behavior is selected:

Blocking trackers and isolating cookies could impact the functionality of some sites. Reload a page with trackers to load all content.

Some sites may not function correctly if certain elements are blocked on them. Mozilla suggests that users disable tracking protection on the site by adding an exception, to allow it to load correctly in the browser.

Firefox users may also use the following preference, network.cookie.cookieBehavior, to change the cookie handling of the browser.

  • Value of 1 -- Block all third-party cookies.
  • Value of 2 -- Block all cookies.
  • Value of 3 -- Block cookies from unvisited sites.
  • Value of 4 -- New Cookie Jar policy (prevent storage access to trackers)
  • Value of 5 -- Dynamic First-Party Isolation.

Note that tabs need to be reloaded before the new value takes effect.

Mozilla implemented First-Party Isolation in Firefox 55 as a Tor uplift feature. The feature has never been exposed as a preference in Firefox but users could enable it by setting privacy.firstparty.isolate to true in the Firefox web browser.

First party isolation means that all identifier sources and browser state are scoped (isolated) using the URL bar domain.

Cookies, Cache, Dom Storage, and more are affected by the preference if it is enabled in Firefox. One reason why it is not enabled by default by Mozilla is that it may break some websites when enabled.

Firefox users who have set privacy.firstparty.isolate in the browser won't see any change when they switch the cookie blocking value to include dynamic first-party isolation.

Now You: Do you block (some) cookies in your browser? (via Techdows)

Summary
Mozilla adds Dynamic First Party Isolation option to Firefox 77
Article Name
Mozilla adds Dynamic First Party Isolation option to Firefox 77
Description
Mozilla enabled the new cookie blocking feature Dynamic First Party Isolation in Firefox 77 as a setting in the Enhanced Tracking Protection preferences.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: »

Comments

  1. Iron Heart said on April 17, 2020 at 8:24 am

    Unless they remove the hardcoded built-in trackers (Firefox on Android), the invasive telemetry, and their ability to remotely change settings (Normandy Pref Rollout) and to remotely insert unknown code without user approval (Firefox Experiments), no joy. Sorry.

    Why is gHacks giving a shady browser that only 5% of the total web population use such a platform? Oops, guess I have to seek shelter now…

    1. c3po said on April 17, 2020 at 9:39 am

      Well, they are not going to advertise “some other epic browser” that is highly suspicious and has annoying fans …

      1. Klaas Vaak said on April 17, 2020 at 11:05 am

        @c3po: why not?

      2. Iron Heart said on April 17, 2020 at 11:21 am

        @c3po

        I don’t know where Firefox fans derive their right from to call other browsers “suspicious” at this point. Look at the Mr. Robot and Cliqz debacles Mozilla started, there you’ve got enough “suspicious”, buddy. The donations the Mozilla Foundation hands out to some questionable organizations are not really trust instilling, either.

        You’ve certainly got enough “suspicious” to deal with, already.

    2. Klaas Vaak said on April 17, 2020 at 10:15 am

      @Iron Heart: in principle there is nothing wrong with a “small usage” browser a platform. It’s part of the market and some Ghacks commenters use it. Eventually, if (or when?) FF goes the way of Internet Explorer, i.e. when it fades away below a point, it will no longer be relevant to give it a platform.

      In the mean time, it provides certain commenters, incl. KV, with a subject of ridicule – what more can we ask for? ;-)

    3. Rosmano said on April 17, 2020 at 11:27 am

      Why do you care so much that Ghacks reports changes to Firefox that you constantly spam every freaking news article about Firefox? If you don’t like it just move along and carry on.

      They give platform to numerous other small software options.
      5% of the browser market equates to hundreds of millions of users. You have plenty of browsers and companies that do the same or worse.

      With Firefox you can easily disable the “invasive” telemetry that gives them system information, you can go to about:config and disable the other options. If you had half a brain you could simply use that if it bothers you so much. But I guess you just prefer to annoy the heck out of other Ghacks readers.

      1. Iron Heart said on April 17, 2020 at 11:46 am

        @Rosmano

        > Why do you care so much that Ghacks reports changes to Firefox that you constantly spam every freaking news article about Firefox?

        Because people still have illusions when it comes to Firefox’s privacy level. And I am not spamming at all, contrary to you. The worth of your comment was basically zero, while my comment at least hints at Firefox’s issues.

        > If you don’t like it just move along and carry on.

        So people do not deserve being warned about shady things going on in Firefox? Does explaining these shady things offend you?

        > 5% of the browser market equates to hundreds of millions of users.

        Not really, a fairly big number of installations are duplicates because people e.g. have a PC and a smartphone and might use FF on both. Some installations are also inactive.

        > You have plenty of browsers and companies that do the same or worse.

        If you ask me, Mozilla is only rivaled by Opera in terms of shadiness. But then, they are advertising themselves as the more privacy-friendly alternative. That’s an obvious lie of course, but they should be held to that standard regardless.

        > With Firefox you can easily disable the “invasive” telemetry that gives them system information, you can go to about:config and disable the other options.

        “You can opt out!” is a damn lame excuse, buddy. Firefox deserves criticism for its default settings, not for your own complex modification (Why were your modifications necessary again?) I have no idea about anyway. Why? Because most people use Firefox with the default settings.

        > If you had half a brain you could simply use that if it bothers you so much.

        Well, I can totally do it, which does not mean that the default configuration isn’t shitty and isn’t deserving of criticism. I don’t see how one relates to the other. My criticism does not necessarily always revolve around myself.

        > But I guess you just prefer to annoy the heck out of other Ghacks readers.

        If the truth is annoying to you, then there are still the three monkeys, I guess.

      2. Akagi said on April 17, 2020 at 1:51 pm

        @Rosmano,

        because he totally has a job an a personal life. And this is coming from someone else who doesn’t like Firefox.

        Bashing Firefox got boring and I don’t think there is any point to it as Firefox is running itself into the ground better than anyone else can talk crap about it.

        But this guy is tireless – every article he is there like a broken record:

        “Firefox sucks, Brave is good, I don’t know what to do with my life…”

      3. Iron Heart said on April 17, 2020 at 2:04 pm

        @Akagi

        Because Firefox deserves this kind of criticism, and so do the nasty fanboys who are bashing other browsers all day long, while being unable to bear even the slightest criticism of Firefox. And I am not really able to leave the house these days, because of the general rules that apply these days. Apart from that, it is generally my business what I am doing with my time, wouldn’t you agree?

        Brave is better than Firefox for privacy, out of the box anyway, that’s a fact. It’s not just my opinion.

    4. m3city said on April 17, 2020 at 11:31 am

      Because it’s the best web browser out there. It surpasses Chrome when it comes to privacy, customisation possibilities, real addons store, performance on computers from low-end to high end. They are focused to deliver the best browser for masses, support free and honest internet. And while some decisions can be controversive, its still the best we have. Why do you keep whining on every post about firefox? Just move on, man. Be a happy chrome, palemoon, vivaldi, opera user. You can event try on KMeleon if you want. Just stop shitting on every good feature mozilla adds.

      I have not seen so negative comments on ghacks 5 years ago.

      1. Klaas Vaak said on April 17, 2020 at 12:21 pm

        @m3city: the relevance of those customisations has evolved into being necessary only to correct nefarious changes that Mozilla seems to introduce with each new update.

        Mozilla may be “focused to deliver the best browser for masses, support free and honest internet” but that is not what they do, to put it mildly.

        As for criticising FF, why do you need to use non-arguments? If you had any real ones you would use those and be able to wipe what you describe as “nonsense” off the table.

        Incidentally, it seems to me you are as free as a bird to skip comments you don’t like, I doubt there is someone holding a gun to your head forcing to read every comment.

      2. Iron Heart said on April 17, 2020 at 12:23 pm

        @m3city

        > It surpasses Chrome when it comes to privacy,

        Default settings? Nope.

        > customisation possibilities,

        about:config and userChrome.css are on the chopping block.

        > real addons store,

        AMO is no better and no worse than the Chrome Web Store. Quality of the extensions doesn’t differ at all, ever since Mozilla switched to Chrome’s extension format.

        > performance on computers from low-end to high end.

        Big, fat NO.

        > They are focused to deliver the best browser for masses, support free and honest internet.

        The “best” is relative when Google Chrome is the competition, and even then FF falls short (at least Chrome has decent performance while impairing your privacy). And Mozilla supports many things, including communication networks harnessed by Antifa groups (RiseUp), but certainly not a free and honest Internet. They stood idly by when heavy duty DRM was turned into a web standard, and allowed the DRM blackbox in their browser. Free and honest Internet – my ass.

        > And while some decisions can be controversive, its still the best we have.

        Ungoogled Chromium is the best we have, it has a stellar track record as well.

        > Why do you keep whining on every post about firefox? Just move on, man.

        Maybe because Mozilla is Janus-faced, lying to their users while being funded by Google money? Is that a sufficient enough reason?

        > Be a happy chrome, palemoon, vivaldi, opera user.

        Out of these, only Pale Moon is trustworthy.

        > You can event try on KMeleon if you want. Just stop shitting on every good feature mozilla adds.

        As long as they don’t remove the user-hostile anti-features, I will continue to talk about them.

        > I have not seen so negative comments on ghacks 5 years ago.

        Yes, because they were not that shitty five years ago.

      3. Yuliya said on April 17, 2020 at 12:36 pm

        >I have not seen so negative comments on ghacks 5 years ago.
        Well no, because up until 2018 it, mozilla was a somewhat decent organisation. In 2018 they suddenly decided to steal all their userbase data which their browser could reach, gave us all the middle finger – now that I’m thinking about it, not even that since they have never opened publicly about that incident, it remained burried in bugzilla – and attempted to move on, hoping nobody will notice it. Tough luck, I did, and many other users by the looks of it. And yes, I will make sure to remember everyone about this incident even in the article where it says mozilla is finally gone with their browser reaching 0% market share.
        Attempts like hijacking other browsers and tracking usser activity outside firefox are not helping – well, it’s not helping them, it only makes criticising mozilla easier for me.

      4. T J said on April 17, 2020 at 12:45 pm

        @ m3city

        ” I have not seen so negative comments on ghacks 5 years ago ”

        + 1

        You may like the discussions in the links below unless Martin considers them too far off topic :

        https://www.lifewire.com/types-of-internet-trolls-3485894
        https://www.howtogeek.com/465416/what-is-an-internet-troll-and-how-to-handle-trolls/

      5. Iron Heart said on April 17, 2020 at 1:41 pm

        @T J

        Disagreement and criticism /= Trolling, unless you maliciously try to imply the latter is the case when the former is. Anyway, don’t care about the troll moniker, it is overused these days.

      6. T J said on April 17, 2020 at 4:03 pm

        @ Iron Heart

        @ Iron Heart

        MY, MY.

        Aren’t you a sensitive soul. As soon as another poster mentions negative, anti – Firefox comments, what do you do? Jump in and start saying “ME, I’m not a troll”.

        Then you as good as admit you are a troll by making the following remark
        ” Anyway, don’t care about the troll moniker, it is overused these days.”

        Read the links above and you will find some definitions of troll behaviour which match you exactly.
        Then, of course, who follows your lead but your Best Friends Forever Yuliya and Klaas Vaak.

        Don’t wear your typing finger out replying. :)

      7. Iron Heart said on April 18, 2020 at 8:49 pm

        @T J

        > Then you as good as admit you are a troll by making the following remark.

        I don’t admit any nonsensical claims you freely make up as you go, sorry. I get trolled here sometimes, by people stealing my user name and posting nonsense. Now, that’s trolling. What I do is having an opinion different from yours, something you fail to respect. Instead you come up with name calling (“troll” etc.) that are nothing but your sorry substitute for actual arguments.

        > Read the links above and you will find some definitions of troll behaviour which match you exactly.

        The high number of my posts come to pass because I have to deal with nonsensical accusations like yours all the time. Apart from that, I am not here to provoke, I simply hold an opinion different from yours. Deal with it.

        > Don’t wear your typing finger out replying. :)

        If you wouldn’t make up nonsense accusations all the time, I would have more spare time. Think about it.

      8. Brooklyn said on April 17, 2020 at 3:06 pm

        “Because it’s the best web browser out there. It surpasses Chrome when it comes to privacy, customisation possibilities, real addons store, performance on computers from low-end to high end. They are focused to deliver the best browser for masses, support free and honest internet.”

        That all made me chuckle, clearly not a true word in the whole statement. We all know ff isn’t great for privacy especially out of the box and is getting worse. FF and privacy are very much like Edge and privacy. They make a song and dance about how they’re stopping OTHERS tracking you but are fine doing the exact same things themselves. They are a typical do as I say not as I do company, there’s nothing honest about them anymore.

        I remember when quantum came out and mozilla showed those benchmarks that no-one could reproduce that ff is both faster and more memory efficient than chrome. It was and still is both slower and uses more ram and you obviously notice that more on low end machines. High end machines hide all sorts of sloppiness.

      9. Anonymous said on April 18, 2020 at 9:58 pm

        You are all right.. in this real world opensource software ecosystem will not work without governmental finance and academia support. By this way some BIIIGGG brothers (supporters) invading opensource communinty silently under the hood.
        Mozilla does rigt something well with default search partners etc.
        When it comes to browse with default settings after install eg. Firefox vs. Gologoliath’s Browser mozilla is unbeatable privacy friendly.

      10. Iron Heart said on April 19, 2020 at 8:50 am

        @Anonymous

        > When it comes to browse with default settings after install eg. Firefox vs. Gologoliath’s Browser mozilla is unbeatable privacy friendly.

        That’s outright wrong. Firefox’s default privacy settings are shitty, roughly in the same league of Chrome. Check out the gHacks user-js. on GitHub, and then return to me. You can modify Firefox to become privacy respecting, by default it is certainly not, @Brooklyn is right regarding this.

      11. Pants said on April 19, 2020 at 10:10 am

        > Check out the gHacks user-js. on GitHub, and then return to me

        WTF are you talking about? (don’t answer). Don’t drag my work into your BS, or misrepresent what I fucking do. You’re the main reason I don’t post here anymore. Don’t bother answering (but I’m sure you will, with more BS or fallacies)

        First: stop equating telemetry with privacy and actually analyze it: no PII is collected, data is anonymized in buckets, data is not retained forever, the source code is open source (and scrutinized), the telemetry is available for anyone to inspect. And there are other points but I’m not going to go there: this should be enough to get the point across. Telemetry is also essential when dealing with such a complex beast as web tech and such a wide diverse range of users. Firefox is not some niche fork that can rely on someone else doing the work. And as for default opt-in on Telemetry: if it was default opt-out, then they basically wouldn’t get any data (anecdotal: but I’d be pretty sure 90% of users wouldn’t change it). As you repeatedly say, “defaults matter” – which is why Mozilla is responsible with what is collected, and how they handle it. Nothing is ever perfect, and in the past bugs or bad decisions have been made: this is common in any large code project: as long as the organization learns from it. And Firefox gives users a UI option to opt out. Just fucking turn it off if you don’t like it. As for the other few telemetry points not covered by the UI (coverage ping for example), do I like them personally, not particularly: but they have valid reasons for getting those stats, and there is no PII.

        Secondly: stop equating privacy with open web standards. Once again, Firefox is not some niche browser: DEFAULTS MATTER (to quote you again) – things need to work for end users from the get-go. Just because Firefox has hundreds, thousands of more tweaks than other browsers simply shows that a lot more can be done – but they basically all break things when you change them – which is why Firefox doesn’t ship that way.

        What a user.js with so many options can do HIGHLIGHTS the fact that other browsers lack those options.

        tl;dr: you have no fucking idea what you are talking about

      12. Iron Heart said on April 19, 2020 at 11:41 am

        @Pants

        > WTF are you talking about? (don’t answer).

        I merely mentioned your repo. Laughing at you being afraid of me answering, by the way. You probably know that I will be dissecting your bullshit one by one. You are not wrong.

        > Don’t drag my work into your BS, or misrepresent what I fucking do.

        You want to hear what you are doing? You make people keep using a spyware product that shits on privacy by giving You’re the main reason I don’t post here anymore.

        Obviously, you are still reading this blog, and you’ve just posted. Not saying that I would miss you, though.

        > Don’t bother answering (but I’m sure you will, with more BS or fallacies)

        Most of the settings of your user.js are impractical anyway because they cause breakage in real life, but sure, I am the BS master here…

        > but they basically all break things when you change them

        …your own words.

        > First: stop equating telemetry with privacy and actually analyze it:

        Firefox has other privacy issues aside from telemetry, my dude:

        beacon.enabled
        network.prefetch-next
        network.http.speculative-parallel-limit
        network.dns.disablePrefetch
        urlbar.speculativeConnect.enabled
        app.shield.optoutstudies.enabled
        app.normandy.enabled
        media.video_stats.enabl
        etc. pp.

        There is much shit going on even if we totally exclude telemetry.

        > Telemetry is also essential when dealing with such a complex beast as web tech and such a wide diverse range of users.

        Most telemetry covers the application behavior, tracks functions of the browser users use most often, not its failures on websites. *facepalm*

        > Firefox is not some niche fork that can rely on someone else doing the work.

        Cry me a river. Software as complex as a Linux distro is being developed without telemetry, don’t be foolish. How do you explain that away? The key is having QA staff, telemetry is just a sorry replacement for that QA staff once they become too expensive. Microsoft inserted most of its telemetry just before it fired its QA team. Pure coincidence of course, lol.

        > And as for default opt-in on Telemetry: if it was default opt-out, then they basically wouldn’t get any data (anecdotal: but I’d be pretty sure 90% of users wouldn’t change it).

        Are you implying that I should be sad about Mozilla not getting data which they shouldn’t collect in the first place?

        > Nothing is ever perfect, and in the past bugs or bad decisions have been made: this is common in any large code project: as long as the organization learns from it.

        1) Mozilla doesn’t learn from it.
        2) They were involved in privacy scandals that were just unworthy of their “reputation” (which they still have with a lots of people, not with me so far). “Cliqz” FF Experiment, need I say more? This one literally sent the browsing history of users back to the mothership.

        > And Firefox gives users a UI option to opt out.

        about:config is hardly a UI option. The telemetry option in the settings doesn’t turn off all telemetry, you know that damn well: Telemetry Coverage – does that term ring any bells with you?

        > Just fucking turn it off if you don’t like it.

        And then you(!) pontificate about “defaults matter” – what a joke.

        > but they have valid reasons for getting those stats, and there is no PII.

        What valid reason is there for Mozilla to know whether or not I use a competitor product:

        https://www.ghacks.net/2020/04/09/mozilla-installs-scheduled-telemetry-task-on-windows-with-firefox-75/

        Pants, I am waiting for your explanation for this one. Good luck.

        > Once again, Firefox is not some niche browser: DEFAULTS MATTER (to quote you again) – things need to work for end users from the get-go.

        Above, I have listed just some of the settings they could safely change without any breakage, but don’t, because they do not give a fuck.

        > Just because Firefox has hundreds, thousands of more tweaks than other browsers simply shows that a lot more can be done – but they basically all break things when you change them – which is why Firefox doesn’t ship that way.

        As I said, much of your user.js is impractical because the majority of the tweaks therein would break websites – as you have just admitted yourself.

        > What a user.js with so many options can do HIGHLIGHTS the fact that other browsers lack those options.

        What good is an option I can’t use because it would be impractical? Much of the changes that can actually be implemented in real life, I can also achieve with Chromium, if not in its settings, then with extensions. That’s the truth.

        > tl;dr: you have no fucking idea what you are talking about

        Says the guy whose user.js is f*****g broken because most of the changes would break websites. Yes, I am the one not knowing anything, lol. Continue to give Firefox fanboys an excuse for recommending this spyware to unsuspecting people with your broken user.js, you won’t be missed.

      13. Iron Heart said on April 19, 2020 at 11:47 am

        Small corrections:

        *
        > Don’t drag my work into your BS, or misrepresent what I fucking do.

        You want to hear what you are doing? You make people keep using a spyware product that shits on privacy by giving them your questionable user.js which breaks stuff, enabling them to say: “Here, use this user.js to make Firefox more private, you just have to change 1.294.937 entries, and it will be fine.” You are contributing to this spyware product being recommended to unsuspecting individuals, instead of doing the right thing and contributing to a more privacy-respecting fork, like LibreWolf. Can’t say I respect you too much for it.

        * media.video_stats.enabled

      14. ShintoPlasm said on April 19, 2020 at 1:52 pm

        @Iron Heart:

        Regarding your responses to Pants – when all’s said and done, the key thing about telemetry (even as broad as you say Mozilla’s is) is that it contains no PII. There are various ways to ensure that telemetry does not contain any data that can be traced back to you as an individual. Do you have any evidence that Mozilla’s collected telemetry contains PII? Because if not, then where’s the problem?

        PS: I specialised in Privacy cyber security and consulting, and worked in that field for years.

      15. Iron Heart said on April 19, 2020 at 3:32 pm

        @ShintoPlasm

        Telemetry in Firefox is linked to a unique ID. But that’s not the point, is it?

        https://bugzilla.mozilla.org/show_bug.cgi?id=1435714

        My point is that Firefox collects telemetry about things they do not need to know, for example whether I not I use a competitor product. That’s none of their business, and does not help to improve Firefox in any way. I also think that it is wrong to collect telemetry in order to save cost (QA staff can be laid off), this is just data collection which doesn’t need to happen.

        But then again, telemetry is not, and was never, my biggest gripe I have with Firefox. It is unnecessary, sure, but there are bigger fish to fry.

        For example, do you think it is okay that Mozilla can remotely change your preferences (Normandy Pref Rollout) as they see fit? Do you think it is okay that they can insert unknown code remotely without resorting to the standard update functionality (Firefox Experiments)? Do you think it is okay that they can force-roll out add-ons (Mr. Robot add-on incident), which users never agreed to install? Do you think it is okay that they misuse the Firefox Experiments to infiltrate your browser with Cliqz, a system add-on which then preceded to send your browsing history AND website interaction data (and that was PII, linked to other telemetry data) back to the mothership? Do you think the bad privacy defaults (see my short settings list above alone) are justifiable? And this is not even including the Pocket disaster. … …

        Some of the highlights:

        https://old.reddit.com/r/firefox/comments/74n0b2/mozilla_ships_cliqz_experiment_in_germany_for_1/do0xc7q/ (so much for “no PII”, lol)

        https://old.reddit.com/r/firefox/comments/74n0b2/mozilla_ships_cliqz_experiment_in_germany_for_1/ (The data, collected with a unique ID, is then supposedly “anonymized” on their server, as if we could ever verify… Yes, I believe that.)

        There is more, but I think it is clear that telemetry is not the biggest issue here. In fact, it is one of the more minor ones, I am just mentioning that along with everything else, as I disagree with telemetry as well.

        > PS: I specialised in Privacy cyber security and consulting, and worked in that field for years.

        It’s not like I can verify this here. You can have these qualifications, but without a way of verification that exceeds my own belief, it is pointless to bring them up. Wouldn’t you agree?

      16. ShintoPlasm said on April 19, 2020 at 5:09 pm

        @Iron Heart:

        Thank you for the detailed response. I agree that there is no credible way for you to verify my credentials, I merely mentioned it to give better context around my understanding of PII and ‘privacy’ as used in the cyber-security and legal sectors in which I work(ed).

        If I’m not mistaken, you’re primarily concerned about being able to fully control what your browser does, not necessarily whether your personal information (and by extension your personal safety and security) is at risk of being exposed. Based on Mozilla’s (and Cliqz’s) privacy policies, publicly audited source code and general reputation, there is little to suspect that they do NOT properly anonymise any PII which may have been touched in any of the cases you mentioned. I know this may sound naïve to you, but you’d be surprised how seriously most established tech companies take their own policies – because the legal and financial ramifications could be severe. I know this because I work exactly in this field – but feel free to remain sceptical. Overall, my impression is that one’s PII is not actually at risk but that’s just me.

        As for Mozilla doing stuff remotely to your browser without your direct control: I guess this is a question of how much (if at all) you’d trust this company with only performing benign operations for the user’s benefit. I understand from your posts that you don’t trust them at all, and I’m fine with that. I am more ambivalent here, because Firefox does a lot of stuff that I like (e.g. its font rendering, general stability, and the fact that some extension APIs are exclusively available in Firefox).

        Finally, I disagree with some of your interpretations of the Cliqz experiment, because I do believe that the PII was sufficiently anonymised. I don’t like that it was an opt-in experiment, nor do I like some of Mozilla’s tactics in recent years, but I guess I’m simply more concerned with explicit PII breaches and far less with software doing some clandestine singing and dancing in the background.

      17. Iron Heart said on April 19, 2020 at 9:49 pm

        @ShintoPlasm

        > Thank you for the detailed response. I agree that there is no credible way for you to verify my credentials, I merely mentioned it to give better context around my understanding of PII and ‘privacy’ as used in the cyber-security and legal sectors in which I work(ed).

        I do believe you, merely wanted to say that gHacks is not the place. :)

        > If I’m not mistaken, you’re primarily concerned about being able to fully control what your browser does, not necessarily whether your personal information (and by extension your personal safety and security) is at risk of being exposed.

        Well, I am concerned about both, because the former is usually related to the latter. Whenever sneaky methods are involved, there is something to gain – data. But yeah, you’ve summarized my concerns pretty well. And there is a tad of bitterness involved, too, since Firefox wasn’t historically known for such things, sadly this has changed.

        > Based on Mozilla’s (and Cliqz’s) privacy policies, publicly audited source code and general reputation, there is little to suspect that they do NOT properly anonymise any PII which may have been touched in any of the cases you mentioned.

        The problem is that they were collecting the browsing history and website interaction data in the first place. It’s just none of their business, anonymized or not.

        > I guess this is a question of how much (if at all) you’d trust this company with only performing benign operations for the user’s benefit.

        Knowing their history, this trust is fully gone here. But that’s not the point, again. Methods to insert new code without having to resort to the update functionality shouldn’t exist in the first place. If users turn updates off, be it recommended or not, then I expect Mozilla NOT to interfere with the program by inserting new code. When I’ve set a setting a certain way, then I expect Mozilla NOT to be able to change it from their headquarters.

        > I am more ambivalent here, because Firefox does a lot of stuff that I like (e.g. its font rendering, general stability, and the fact that some extension APIs are exclusively available in Firefox).

        Their technical merits are not what I am criticizing, so yeah. I think the reason most people use Firefox is because it is not made by Google, but this reason gets undermined because:

        1) Mozilla is funded by Google.
        2) Mozilla doesn’t protect your privacy by default (presumably because of 1), but that’s speculation).

        I just don’t think that they are deserving of their reputation at this point, IMHO it got totally undermined by their questionable actions in the past and in the present.

        > I don’t like that it was an opt-in experiment,

        It was opt-out, and came with the very Firefox download.

        All in all, you’ve summarized my concerns fairly well. I also commend you for writing a non-hyperbolic reply. I am not a Firefox hater, I am just saying that they are undeserving of their reputation. I am not senselessly hating against it, my goal is to inform people about the real situation of the product, which is not quite what the Mozilla marketing promises. That’s all. If those problems didn’t exist in FF, I wouldn’t say anything negative about it.

      18. Pants said on April 19, 2020 at 5:17 pm

        Apologies to everyone else for this wall of text.

        Feel free to reply (oh noes, I’m shaking in my boots). Get that last word in Iron Heart. Feel superior and smug. FYI: I’m not going to reply back.

        You either have the reading comprehension of a toddler, or deliberately choose to use any fallacy you can think of to swamp the comments section with walls of text and attack anyone with valid counter-arguments or points of view. It’s pointless trying to have any sort of conversation with you.
        https://en.wikipedia.org/wiki/List_of_fallacies

        “Laughing at you being afraid” – you think too highly of yourself: I was merely trying to spare everyone your walls of text of repeated garbage, sweeping generalizations, and mostly misinformation. Personally I don’t want to waste my time engaging with you: this is why I don’t (normally <– added for you) post comments

        "Obviously, you are still reading this blog" – well done, genius. Yes, I can scan articles and comments. And I posted a comment here, congrats. I think you just want to argue against every sentence (you do this a lot: full dissection of every word and nitpicking). I urge you to seek medical help – seriously, I'm concerned about your mental health.

        "As I said, much of your user.js is impractical because the majority of the tweaks therein would break websites – as you have just admitted yourself." – I said no such thing. I said they would break "things" – that could be something internal, an open standard, or a web site. The majority (of ghacks user.js tweaks) in fact do not break websites. Perferences by their very nature change how something works: so of course they break "things". Also, the ghacks user.js is a TEMPLATE for users to adapt to their threat model – so I think you're missing the point of why it was created.

        "Firefox has other privacy issues aside from telemetry" – as do all browsers: most are open standards. I'm not going to go into detail here, because I'm not going to waste my time with you – and it would take far too long. It's not as simple as you make it sound. Firefox has loads of privacy features, many of which other browsers don't have. Where they can, they implement privacy (or the ability to flip it on). Other browsers don't do anywhere near as much as what Firefox does. Niche browsers/forks can then leverage off this.

        "The key is having QA staff" – QA cannot replicate users: e.g who uses what and how. QA cannot replicate every setup, OS, and configuration. QA cannot get real world stats on web standard usage. Of course Firefox have QA. Differences between developing an application vs an operating system: you're comparing apples to oranges, AFAIC.

        "Are you implying that I should be sad" – it's not about you

        "about:config is hardly a UI option" – I meant the one in about:preferences. And yes, it is an option – this master switch covers 99% of telemetry Firefox collects (not 99% of related telemetry preferences)

        "you know that damn well: Telemetry Coverage" – you mean the "coverage ping". Indeed, I addressed the few non-UI telemetry items in the same paragraph

        "And then you(!) pontificate about “defaults matter”" – you still don't get it. All major browsers ship with telemetry. Without they could not provide as good a product: and again, it's not about bugs per see: it's about usage and real world stats: i.e knowing when something is being used etc. The issue here is with privacy. The key is is how that data is stored and used. You don't seem to understand the difference between telemtery and privacy

        "Pants, I am waiting for your explanation for this one" – it's covered by the UI telemetry option. Do I like it, nope. Is it a privacy issue. Nope.

        "I can also achieve with Chromium, if not in its settings, then with extensions" – why are you bringing up extensions? We were discussing default settings. Oh I see … another fallacy

        "instead of doing the right thing and contributing to a more privacy-respecting fork, like LibreWolf" – for the record: LibreFox took several user.js projects (inclduing ghacks user.js), combined them all, disabled everything it could think off and thought that was the cat's whiskers. It wasn't even checked, included large amounts of contradictory settings, deprecated settings, reduced privacy, made fingerprinting more unique than most, and broke web sites and functionality more than anything else (because they turned off basically everything they could think of). The guy even came to me and asked for advice, and took some on board: but I didn't dig too deep because it was an absolute mess. And then he vanished when he started to get called out on all the issues, or realized just how much work it is. LibreWolf is no better, and they really don't have a clue what they're doing, IMO. Nothing much has changed from the original and they don't keep up with changes.

        You seem to have a fixation on:
        – telemetry: which has an visible on/off option for users, and has minimal privacy risks (it's secure, it's not sold, it's de-anonymized to the best standards, contains no PII)
        – blaming a major browser for shipping with open standards
        – bringing up years old issues: while valid at the time, they no longer are
        – looking at everything in black and white

        PS: you still have no fucking idea what you're talking about

        … aaaaand queue the walls of text reply

      19. Tom Hawack said on April 19, 2020 at 6:22 pm

        @Pants, a brilliant comment and I couldn’t approve it more than I do. IronHeart’s comments, all a logorrhoea of their own, are also the reason why I practically don’t post here anymore. I discovered some time ago there was no point debating with him/her but having to go through is upside-down fuzzy illogical rhetoric has become excessively fastidious.

      20. Iron Heart said on April 19, 2020 at 11:01 pm

        @Tom Hawack

        It is known that you jump on every opportunity to bash me, and that you congratulate every commenter who does. Enjoy being Pants’s claqueur, hiding behind his / her back while this goes on.

        Also, keep going with the “As long as Iron Heart is here, I refuse to comment, even though I just did… Ban him now!” nonsense that has proven so effective in the past.

      21. Tom Hawack said on April 20, 2020 at 11:29 am

        I have to correct Iron Heart’s quote referring to what I have never wrote : “As long as Iron Heart is here, I refuse to comment, even though I just did… Ban him now!”

        This is relevant of someone who mistakes reality with one’s own interpretation of his environment, and more widely tries to build this reality in conformity with his convictions if not certitudes. Pants is right when he evokes medicine.

        When Iron Heart writes (and I’m quoting, not interpreting), “It is known that you jump on every opportunity to bash me, and that you congratulate every commenter who does […].” : known? Really? Again, you’re attempting to universalize your own thoughts.

        As for being anyone’s “claqueur” facts show, should we consider gHacks only, that I have never been anyone’s. I started reading and commenting here more than 10 years ago, first as user named “Transcontinental” then as my present pseudo, and always spoke my truth independently, trying to add a touch of humor here and there, debating honestly… but I have met after so many years one and one only user with whom dialog is impossible because of his/her very mentality, and that is of course Iron Heart. This fellow does have a few “claqueurs” of his own, unfortunately, but at least they remain accessible, I mean psychologically and intellectually.

        The idea here, to emphasize on the start of my comment, is my advice to be extremely cautious with Iron Heart’s quotes, assertions, developments, essentially a tsunami of blabla.

      22. Iron Heart said on April 20, 2020 at 2:55 pm

        @Tom Hawack

        Please spare us the “my reality is different from your reality” contrived BS. Everyone who follows the comment section here knows that you are doing what I just said you were doing. You are not subtle about it, and you do not go about it intelligently.

        “Oh, this person bashes Iron Heart, I’ll signal my approval right away!”… It’s not that hard to grasp, you jump on it every chance you get.

        As for “medicine”. Tommy, at least I am not some pensioner who wastes his time on gHacks waiting for the anti-Iron Heart comment to appear, so that he can jump on it in no time. I am not sure I am not the one needing help here. Do you have nothing better to do with your time, don’t you think it is time to get rid of this fixation?

        Your freely made up claim that nobody can have a normal conversation with me was proven wrong in this very thread, in case this has escaped your attention:

        https://www.ghacks.net/2020/04/17/mozilla-adds-dynamic-first-party-isolation-option-to-firefox-77/#comment-4460607

        Maybe the key to have a normal conversation with me is to treat me like a human being and leaving the jerk mode off for once. Just a thought.

        And “bla bla”, I mean… Seriously, this is coming from Tom the Talker, the veteran expert of blabla. If you say so, then it must be true. I don’t claim to have expertise in this field.

      23. Iron Heart said on April 19, 2020 at 10:50 pm

        @Pants

        My god, what a load of rubbish. I questioned myself whether or not i should even bother replying to this diatribe, to this toxic mixture of unfairness, ripped out of context quotes, baseless accusations, and worthless justifications, but eventually I decided to reply to it, because I can’t let some of the rubbish stand just like that. Apologies to everyone for this load of text as well.

        > Get that last word in Iron Heart. Feel superior and smug.

        So, you expect me to just let this diatribe of yours, this logorrhoea (as Tom the Talker would put it) stand uncommented. Don’t think so. This was you wanting to have the last word, but it didn’t work.

        > FYI: I’m not going to reply back.

        That doesn’t cause me any grief.

        > I was merely trying to spare everyone your walls of text of repeated garbage, sweeping generalizations, and mostly misinformation.

        If you wanted to spare us all these things, then why did you publish your comment? It contains all of it. Projection seems to be going on in your mind, accuse others of the very things you do.

        > well done, genius. Yes, I can scan articles and comments.

        So much for you having left… Point still stands.

        > (you do this a lot: full dissection of every word and nitpicking)

        Well, at least I am not ripping the words of others out of context, like you just did. Well done.

        > I urge you to seek medical help – seriously, I’m concerned about your mental health.

        That’s fairly below the belt, but I would have expected no different from you. As long as I am not autistically compiling a list of nonsensical settings that gets ever longer and ever breaks more shit, as long as it’s not my sole purpose in life to further the adoption of a spyware with my work, as long as I have friends and a life outside of GitHub, in short: As long as I am not like you, I will be fine. Don’t worry too much.

        > I said no such thing. I said they would break “things” – that could be something internal, an open standard, or a web site.

        Most of your annotations you put right above your settings say “This setting may break web standard X, used by website Y.”, or points to a Bugzilla entry which says things to the same effect. Your tremendous work of art does of course break websites left and right, everybody taking a look at your user.js can verify this easily. Whom are you trying to fool here? I mean, really?

        > The majority (of ghacks user.js tweaks) in fact do not break websites.

        Good one. At least you haven’t lost your humor after all this time dwelling on GitHub and compiling your lists.

        > Perferences by their very nature change how something works: so of course they break “things”.

        Some of your stuff is badly researched, friend. That is what I meant. You recommend changing some settings which obviously break stuff, because of bad and insufficient research. There are also non-breaking settings, and needless to say, I was not talking about them.

        > I’m not going to go into detail here, because I’m not going to waste my time with you – and it would take far too long. It’s not as simple as you make it sound.

        They could change the values of several non-breaking settings for better privacy. Sometimes, it is indeed as easy as it sounds, believe it or not. You’ve done good sparing us your gobbledegook on why it’s supposedly not possible when it clearly is (thousands of people have already changed these settings). Also, I weep because you don’t want waste your time for me. Believe me, I weep. It’s true.

        > Where they can, they implement privacy (or the ability to flip it on). Other browsers don’t do anywhere near as much as what Firefox does.

        Again, I can achieve the non-breaking stuff with other browsers as well.

        > QA cannot replicate users: e.g who uses what and how. QA cannot replicate every setup, OS, and configuration.

        Wrong. You don’t need to replicate every single configuration. For example, if you want to test if something works on Nvidia GPUs, you don’t need every single Nvidia GPU in the lab, because the differences between them aren’t that big. Only the basic architecture is being checked. You don’t know how QA works.

        > Differences between developing an application vs an operating system: you’re comparing apples to oranges, AFAIC.

        Complexity is roughly the same, nothing is “apples and oranges” here. Microsoft used to develop an entire OS incl. browser without having telemetry for years. Weak excuse for the use of telemetry.

        > it’s not about you

        Thankfully, I must say.

        > I meant the one in about:preferences. And yes, it is an option – this master switch covers 99% of telemetry Firefox collects (not 99% of related telemetry preferences)

        Check. So where is the option that turns of FF Experiments and Normandy Pref Rollout (so that the pref changes you apply actually stick with the browser, haha) in the settings? Oops, it doesn’t exist.

        > Without they could not provide as good a product:

        I stopped reading there. How does Pale Moon do it then? Your “telemetry is necessary” nonsense is weak and gets ever weaker.

        > it’s covered by the UI telemetry option. Do I like it, nope. Is it a privacy issue. Nope.

        The question was: Why do they need to collect it? Why do they need to know whether or not I use a competitor product? Still waiting.

        > why are you bringing up extensions? We were discussing default settings. Oh I see … another fallacy

        The very same extensions that are also necessary for Firefox, genius. No fallacy here. And regarding “default settings”, you shouldn’t dive into this topic too much, Pantsy Wantsy, Firefox is no match for e.g. Ungoogled Chromium in that department. It doesn’t even equal Brave. And the default settings are how most people use the browser. Well, except for Firefox it seems, in the Firefox community people point to your havoc-causing user.js and say 1.284.493 need to be changed…” /s

        > LibreWolf is no better, and they really don’t have a clue what they’re doing, IMO. Nothing much has changed from the original and they don’t keep up with changes.

        Then you should actually attempt to do a better job. Compile your list, change all the entries. Compile the browser (if you are capable of doing that, which I doubt). Change the branding, set up an updater. Let’s see how successful the thoroughly broken “Pants Browser” will be. Your endeavor will be fun to watch. And no, LibreWolf is no more or less broken than your breakage-causing user.js. I actually thought you would be a good fit for the project.

        > telemetry: which has an visible on/off option for users, and has minimal privacy risks (it’s secure, it’s not sold, it’s de-anonymized to the best standards, contains no PII)

        I consider it a lesser issue, supposed fixation notwithstanding.

        > blaming a major browser for shipping with open standards

        I blame them for shipping with shitty default privacy settings (you know, the way most people will use the browser). Nothing more, nothing less. And spare us your “standards” gobbledegook, DRM is also a web standard, and nobody knows what this blackbox really does, because nobody is able to look at the actual code. “Standards”, pfft.

        > bringing up years old issues: while valid at the time, they no longer are

        The people who made these decisions are still working for Mozilla, don’t see how their track record is supposedly irrelevant now. I am sure they are a totally different company from the one they were two years ago. /s Who is supposed to believe that?

        > looking at everything in black and white

        Not quite. I am bringing up real issues, and I don’t criticize Firefox when I don’t need to. In a way, my assessment of it is more just than your view through the rose-colored glasses. But then, I get it, if Firefox had decent privacy settings, you wouldn’t have anything to do anymore, judging by the time you spend on GitHub alone the very purpose of your life would likely be threatened, so you try to justify the shitty defaults that enable your work. To some degree, it’s understandable.

        > you still have no fucking idea what you’re talking about

        Says the guy who is responsible for a user.js that creates more problems than it solves. Coming from you, this sounds like a compliment.

      24. Pants said on April 20, 2020 at 8:51 am

        OK, I have a few minutes to kill, lets play this silly game: just to call you out since you are clearly misrepresenting the ghacks user.js. That and it’s actually quite funny seeing how you reply (which I know you will). Walls of text be damned, you already ruin so many comment sections with that tactic.

        The ghacks user.js
        325 prefs in total (up to and including section 4500: anything after that is inactive)
        95 of those prefs are inactive (commented out)
        230 prefs are active
        13 of those are enforcing the default value
        217 actual pref changes at most (it’s actually less than that due to some OS differences)

        These 217 pref changes are listed under 156 numbered items

        19 of these 156 numbered items (12%) have [setup-web] tags to help with breakage as users tweak their TEMPLATE: i.e the end user decides the breakage they can live with to suit their threat model

        Search these 156 items covering 217 pref changes for the word break returns
        – 0211 setup-web tag: obscure xim/ibus input for CJK languages when forcing system locale as en-US
        – 0709 setup-chrome tag: obscure issue with extension UNC paths on network shares
        – 2010 setup-web tag: webgl: clearly disabling the webgl api will break webgl
        – 2302 setup-web tag: service workers: clearly disabling sw’s api will break them
        – 1660 setup-chrome tag: linux and extensions outside scoped directories
        – 4001 setup-web tag: FPI can break cross-domain logins
        – 4501 setup-web tag: RFP can break site functionality

        So … in a template users are expected to change to suit
        – 2.3% or 5 prefs, out of 217 that are changed by default, have information written about them that they can break web sites: the other two are about extensions
        – 12.2% or 19 items, of 156 numbered items covering the active pref changes, have setup-web tags indicating possible web breakage

        Iron Heart quotes
        – “Most of the settings of your user.js are impractical anyway because they cause breakage in real life”
        – “much of your user.js is impractical because the majority of the tweaks therein would break websites”
        – “What good is an option I can’t use because it would be impractical” (context: talking about all the pref changes)
        – “Here, use this user.js to make Firefox more private, you just have to change 1.294.937 entries”
        – “a list of nonsensical settings that gets ever longer and ever breaks more shit” – actually, it has been reduced over time and breaks less shit: also, it’s a template
        – “Most of your annotations you put right above your settings say “This setting may break web standard X, used by website Y.”” – right .. two items out of 156 say this
        – “Your tremendous work of art does of course break websites left and right” – that’s not empirical
        – “people point to your havoc-causing user.js and say 1.284.493 need to be changed” – wow, that’s more changes than actually exist

        Me: someone who has used the user.js with only a few changes for the last five or so years, almost exclusively (I do have secondary portable setups, and other browsers), and someone who has actually researched and deep-dived and contributed to changes (both at FF and at Tor) – vs you (a non Firefox user) who is repeated called out by others and trolls and shills

        Quit while you’re behind: or keep spouting nonsense, you’re just digging a deeper hole and making yourself look more ridiculous – exaggerating and making up alternative facts to suit your narrative – you remind me of another toddler

        “Some of your stuff is badly researched, friend. That is what I meant. You recommend changing some settings which obviously break stuff, because of bad and insufficient research”

        Breakage can be subjective: it depends on the threat model: which the user can change because it’s a template. You need to get over this “breakage” thing. Maybe look up the word “template”, maybe search what a “threat model” is. It’s almost as if you can’t comprehend logic. I’m beginning to think you really do have the reading comprehension of a toddler. As for the research, no-one is perfect and web tech is constantly changing: but show me the proof that my research is so BAD and INSUFFICIENT. And I don’t mean one or two instances: I mean show a pattern of how dire it is.

        If you love LibreWolf so much, why is it then that LibreFox took all of the ghacks user.js, added some extras from old projects and obsolete lists, and flipped every pref on. Anyone could do this, in about 10 minutes. No research required. So your beloved LibreWolf (pref change wise) is basically ghacks user.js with obsolete and conflicting prefs, extra web-site breaking prefs changed .. and with all the documentation removed – and yet you think it’s better. Hilarious.

        For the record: I don’t need to compile anything or put out a “Pants Browser”, because I can already it achieve in a stock standard Firefox.

        … aaaaaaand queue more walls of text .. lets see if we can LIBERATE GHACKS!!

      25. Tom Hawack said on April 20, 2020 at 2:16 pm

        @Pants, @[All], I’ve been using Ghacks-user.js ever since its version 0.10 (July 2017), at a time it was first introduced here on ghacks.net before getting its own Github repository, and as so many of us have never encountered a single issue and have always been more than extremely happy with the results but also with all the commented information specific to every setting. I am not an expert, Ghacks-user.js does not require me to be, it is so well explained that anyone who takes the time to follow those explanations will be amazed by the work. The GitHub repository is there for novice as well as advanced users, no elitism there, questions are answered clearly, free of whatever arrogance.

        Obviously anyone who doesn’t understand that hasn’t used Ghacks-user.js.

        @Pants, I believe I’m right if I state you’re not the kind of person who needs gratitude and encouragements because your aim is not fame but commitment to clarity and optimization of Firefox settings and, as you stated here above, all this is possible given these settings are available, Firefox makes them available whilst other browsers do not, period!

        Ghacks-user.js is a, I’d dare say “the” reference for Firefox settings’ optimization, its aura goes beyond a circle of aficionados, I read it mentioned on several sites. How can anyone deny such a great achievement profitable for all Firefox users?

      26. Iron Heart said on April 20, 2020 at 2:42 pm

        @Tom Hawack

        Are you done yet patting Pants on the back, Tom? The gHacks-user.js is a mess, and it’s broken. If you claim to use it without having done alterations of your own, I don’t believe you in the slightest. The web is unusable if you actually use most or all of it. You know that, I know that, presumably even Pants knows that.

        It being profitable (doubtful wording for something that’s thoroughly broken) for Firefox users only contributes to the adoption of the spyware, recommended to unsuspecting individuals by wannabe “experts” who use it. Unless Pants comes out with a fork of his own (I know that won’t happen, takes a too much effort for someone of his / her calibre) that offers an actual alternative uninfluenced by Mozilla, I won’t pay respect to anything he or she does, much of which is highly questionable anyway.

        He / she is not doing any coding, not any improvement whatsoever at the actual code level happens at his / her repo. Why should I rate his / her work over that of e.g. Pale Moon? Makes no sense, objectively. He / she is just not up there.

      27. Pants said on April 20, 2020 at 9:25 am

        Me
        > I meant the one in about:preferences. And yes, it is an option – this master switch covers 99% of telemetry Firefox collects (not 99% of related telemetry preferences)

        You
        > Check. So where is the option that turns of FF Experiments and Normandy Pref Rollout (so that the pref changes you apply actually stick with the browser, haha) in the settings? Oops, it doesn’t exist.

        So I was talking about the actual UI option in about:preferences – the master switch which I said accounts for 99% of Firefox’s telemetry. And I mentioned that there are others without an actual UI: i.e in about:config. I never said the normandy pref had a UI option, did I? So what does “check” mean? Did you think you caught me out in a lie?

        Lets break it down:
        – The “telemetry” part of normandy is shield studies
        – shield studies are short lived (usually 14 days)
        – the type of data collected is (almost always) categories 1 and 2 (technical and interaction data)
        https://wiki.mozilla.org/Firefox/Data_Collection
        – the number of shield studies is tiny
        – the information from shield studies is tiny
        – shield studies are typically 1-2% of randomly selected participants

        Shield studies contribute almost zero to the overall telemetry since they are so few, short-lived and collect very little data for specific targeted testing (and they follow the same rules re privacy: no PII, de-anonymized, secure, not sold etc – there may be partners but they are also bound by privacy policies). Shield studies wouldn’t even account for 1%. I stand by my statement.

        You said “check” and I say “checkmate” – you really do need to learn how to comprehend written statements

      28. Iron Heart said on April 20, 2020 at 3:36 pm

        @Pants

        > just to call you out since you are clearly misrepresenting the ghacks user.js.

        I am calling it out for what it is, you meant.

        > That and it’s actually quite funny seeing how you reply (which I know you will).

        Am I expected to let your bullshit just stand like that, or what? Not gonna happen, sorry.

        > i.e the end user decides the breakage they can live with to suit their threat model

        That’s not the whole truth and you know that. The average surfer is exposed to most if not all threat models, so most of your settings would have to be applied in theory. Except that they can’t be applied, since that would break stuff.

        > actually, it has been reduced over time and breaks less shit: also, it’s a template

        Long term, it got much longer. The Activity Stream and the new telemetry settings already ensured that it got longer. Whom are you trying to fool? Also, “template”… The average surfer is exposed to most if not all threat models, again, whom are you trying to fool?

        > that’s not empirical

        …but still true and the real life experience of anyone using actually your tremendous work of art.

        > wow, that’s more changes than actually exist

        Rhetorical exaggeration for a list that is confusing, gets ever longer, and is thoroughly broken.

        > Maybe look up the word “template”, maybe search what a “threat model” is.

        Template, my ass. One is usually exposed to most threat models, that’s where it ceases to be a “template”.

        > Search these 156 items covering 217 pref changes for the word break returns

        Please, Pants, do not insult our collective intelligence. There are also numerous synonyms of “break” like “renders X unfunctional”, “may impair the functionality of X”, “may cause problems with X”, “has known issues with X” etc. You can also link at some Bugzilla entry which describes breakage without further commenting it yourself etc. Only the dumbest of the dumb would fall for your word play.

        > someone who has used the user.js with only a few changes for the last five or so years, almost exclusively (I do have secondary portable setups, and other browsers),

        So you use secondary Firefox setups and other browsers, as your user.js is not workable in real life, making you use a backup just to be sure. Color me surprised.

        > and someone who has actually researched and deep-dived and contributed to changes (both at FF and at Tor)

        [Editor: removed the unsubstantiated claim]

        > vs you (a non Firefox user) who is repeated called out by others and trolls and shills

        Unsuccessful attempts at calling me out and name calling don’t count, Pants.

        > As for the research, no-one is perfect and web tech is constantly changing: but show me the proof that my research is so BAD and INSUFFICIENT. And I don’t mean one or two instances: I mean show a pattern of how dire it is.

        Anyone actually using your shit as provided can attest to the fact. Just a few neat examples:

        https://old.reddit.com/r/firefox/comments/f0vyyd/ghacks_userjs_configuration_for_privacy_without/ (“I’m sure a few of you have tried out the ghacks user.js and found that it breaks a ton of sites.”)

        https://old.reddit.com/r/privacy/comments/ankocb/this_is_interesting_firefox_hardening_with_ghacks/efw40t1/ (“The ghacks user.js is a template which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible – while minimizing any loss of functionality and breakage (but it will happen).”) Notice that? It “will happen”, “tries to minimize”, haha.

        And this is my absolute favorite:

        https://old.reddit.com/r/privacy/comments/evmi8x/experiences_with_hardened_firefox/ (No need to quote, lists all the obvious breakage your shit causes quite nicely.)

        Need I go on?

        > If you love LibreWolf so much,

        I don’t love it, I consider it ill-researched and broken. That’s why I thought you would be a good fit for the project. Regardless, I am still giving more kudos to them as compared to you, since they are at least trying to provide an alternative to Firefox, while you just support the adoption of the spyware. Again, I challenge you to do it better than them. Create a fork based on your own stuff, let’s see how successful it turns out to be. I can’t wait.

        > For the record: I don’t need to compile anything or put out a “Pants Browser”, because I can already it achieve in a stock standard Firefox.

        [Editor: removed the unsubstantiated claim]

        > lets see if we can LIBERATE GHACKS!!

        You can’t even successfully liberate Firefox, how can you be expected to liberate anything else? Maybe gHacks will be liberated of your ill-researched user.js and the pseudo-experts who use it one day.

        > So I was talking about the actual UI option in about:preferences – the master switch which I said accounts for 99% of Firefox’s telemetry. And I mentioned that there are others without an actual UI: i.e in about:config. I never said the normandy pref had a UI option, did I? So what does “check” mean? Did you think you caught me out in a lie?

        You know damn well that every setting you change in Firefox is potentially at risk as long as you don’t also disable Normandy Pref Rollout and Firefox Experiments. This is why I asked where I can find those in the preferences. Without them being dealt with, any pref change is potentially worthless and can be overturned by Mozilla. But you knew that already.

        > You said “check” and I say “checkmate”

        So much for thinking “highly of oneself”… You haven’t “checkmated” anything so far, and I doubt you ever will.

      29. Pants said on April 21, 2020 at 2:04 am

        I’m not trying to have a conversation with you, I’m just going to keep showing how stupid your reasoning is, and show you up for the argumentative fallacy-laden troll that you are

        “You know damn well that every setting you change” … so every time I clarify or debunk your question/accusation due to your inability to comprehend, you change the question/topic to something different

        According to you: everyone is exposed to all threat models, all the time, in all situations, and thus the concept of a threat model does not exist. Okay, thanks for the sweeping generalizations. That’s not how it works. That’s not how anything works.

        “Long term, it got much longer” – I’m the author, I should know. It actually got shorter (which is not a good metric): but more importantly, it got less prefs, and less active prefs e.g. to quantify that: to a year ago. You clearly haven’t even read it. But don’t let facts get in the way.

        You clearly don’t understand what the words “almost exclusively” means. And clearly you don’t understand compartmentalizing and using multiple browsers is a real thing: e.g. my main browser vs a secondary one for a different threat model or ease of use. Is this meant to be some sort of gotcha moment, where I’m exposed as a fraud or something?

        “There are also numerous synonyms of “break” like “renders X unfunctional”, “may impair the functionality of X”, “may cause problems with X”, “has known issues with X” etc. You can also link at some Bugzilla entry which describes breakage without further commenting it yourself etc. Only the dumbest of the dumb would fall for your word play.”

        You clearly haven’t even read it. You’re just making things up again. There are zero instances of “render/s” (one warning in an commented out pref about possible rendering of text !== web site breakage), zero instances of “impair/s” … a single instance of “cause/s a problem” which is under a setup-web tag etc.

        That’s why I gave the stats on the setup-web tags: 12% : to illustrate that these covered all the web-breakage (that we know of: after 5 years) – not your repeated claims of “most”.

        And, typically, you change the accusation/attack to now include any wording in related source material – which I seriously doubt you have read. The whole point of the setup tags is to make known breakage self-inclusive to the user.js, so end users can troubleshoot to suit their needs

        You still don’t seem to understand what a template is, and that I and the project have never said that breakage wouldn’t happen – we explicitly said it would. And those reddit links are just example of users who found that some prefs break things: which is clearly stated would happen. It’s like, “hey, use Tor Browser”, “thanks dude, but it breaks things” – a hardened setup is going to break shit – the whole point is you need to adjust it to suit your needs.

        Those examples don’t even show anything to do with the question: which was your accusation that my research is BAD and INSUFFICIENT – which you can’t prove, so you use another fallacy and try and answer something else / change the topic / move the goal posts

        You have no idea of how or what I contribute to Firefox/Tor Browser (and it’s not just opening issues: which you actually said is “not contributing” – thanks for insulting all bug issuers). You have no idea of my coding skills. What does coding skills have to do with it? Maybe my contributions lie in a different area: like testing, or documentation, or providing support, or finding “holes” that need patching, etc. Or maybe I influenced changes at early discussion levels. Or maybe I did code? You don’t know, so instead you make unfounded accusations and attack the messenger.

        “checkmate” – just a play on words illustrating your initial use of the word check like some eureka moment

        “lets see if we can LIBERATE GHACKS!!” – probably flew right over your head, but this was a reference to another toddler (the one in the White House), seeing as it seems so apt when dealing with you

        Looking forward to your walls of text reply that will only serve to illustrate my points of how ignorant, trollish and fallacy-laden you are. Ignorance I can understand (we’re always learning), it’s the trolling, shilling and vomit-inducing fallacy tactics that make you, and this comments section, practically a waste of time.

        Enjoy it while it lasts: as long as you keep spouting nonsense AT me, I’ll keep replying. I can keep this up for months, years even – except, thank goodness, Martin has finally had enough of your type of behavior

  2. Anonymous said on April 17, 2020 at 8:51 am

    Imho a better solution is to allow all cookies but have FF delete them on exit; then exit FF at least once per day. That way you prevent cookies from being used to create long-term surf profiles of yourself. Of course other fingerprinting methods still work, but that’s a different story.

    1. Marco said on April 21, 2020 at 8:24 pm

      @Pants. First of all, thanks for your hard work.

      Second, don’t feed the troll. He plays the long game. He doesn’t care. He has a mission. He behaves like a troll in the sense that he pretends to ignore the difference between stating an opinion and imposing one. He harasses this comment section. He silence people who could give more valuable contributions. And the more you fight him, the more he harasses.

      Maybe he is just someone without anything better to do. Regardless, I’m tired of his FUD.

      To anyone who can’t stand this Iron Heart troll anymore, let’s melt his heart and deny him the attention he so strongly craves.

      Add this to “My filters” section in uBlock Origin:

      ghacks.net##.comment-item:has-text(Iron Heart)

      Iron Heart is gone. Thank you, Raymond.

      I will never see his inevitable response. And it feels good, man.Try it.

      1. Pants said on April 22, 2020 at 7:59 am

        @Marco

        I know his method is the long game, and his tactics are to just wear others out with flat out denials, lies and fallacy. But my game is better. He’s easy to manipulate, set off, and show him up for what he his. And it was a hill I was willing to die on – i.e to get rid of Iron Heart’s inflammatory, repeated, often off topic, usually factually incorrect, vitriol and his abuse of others.

        And it only took a few posts to achieve it – not that I did it, it’s entirely up to Martin: but maybe it finally pushed Martin to make a decision: because I was prepared to reply to every single of Iron Hearts posts (and he would of course just have to reply back). I can guarantee that I have more resources and time than him, and a longer game. And maybe that got Martin’s attention, along with what he already knew from so many other commentators’ frustration: readers who actually bring something to the table. Martin isn’t stupid and he knows Iron Hearts behavior hurts this business.

        See my last post and last words. Martin had already informed me that new posting guidelines would be put in place and that behavior like Iron Heart’s will no longer be tolerated. Have you noticed how he didn’t reply – or more accurately, his reply wasn’t published? Have you noticed how quiet some of the other Firefox posts have become – albeit minor articles about extensions. Time will be the test, but I trust Martin. I expect Iron Heart will probably just turn his attention elsewhere now, to easier targets (reddit? hackernews? 4chan?) – because that’s what bullies and trolls do – tuck their tail between their legs and run for easier targets when confronted.

        So, assuming Martin lets this one last post here through .. Thank you Martin, for finally taking a stand, controlling YOUR platform, and enabling usable civil on-topic discussion (for browser/web-tech articles). No more walls of text of “insert your description here”. Finally, I might be able to re-join the conversation where relevant and collectively we’re all better off sharing our insight and knowledge. Looking forward to Martin’s post about the changes (if he does one)

        PS: In before anyone starts screaming “Freedom of Speech” and “Censorship”: this is Martin’s platform, and he has the right to moderate it as he sees fit. Martin doesn’t come into your house and tape your mouth and start screaming his views.

        PPS: Marco: yes, I saw your reddit question: already knew that – but I think it’s not a good strategy – it’s important to not create filter bubbles: besides, If I can’t see him, I can’t call him out :)

  3. SpywareFan said on April 17, 2020 at 10:23 am

    @Martin: thanks for the info, it seems that with FF77 they will also resolve the CSP issue https://www.ghacks.net/2019/05/23/firefox-csp-issue-may-cause-extension-conflicts/

    @Iron: at least in FF you still can disable all the nasty things and extensions work as expected, something that with Chromium browsers you can forget (https://bugzilla.mozilla.org/show_bug.cgi?id=1462989#c45). Your beloved Brave does nastiest things than FF, like adding “trojan” keys to the registry (see my last comment here https://www.ghacks.net/2020/04/09/mozilla-installs-scheduled-telemetry-task-on-windows-with-firefox-75/ ) to leverage FF NPAPI plugins, thankfully disabled by Moz long time ago.
    Good luck with your sense of security… I will never touch again a spyware Google Chromium even with a pole!

    1. Rosmano said on April 17, 2020 at 11:29 am

      Fully agree with you SpywareFan. These guys throwing stones at one glass house, when their own house is made of crystal don’t know what the hell they’re doing.

      Heck, if they’re using Windows, logged into Google accounts, or use Facebook or Twitter they’re being tracked anyway by much less scrupulous companies.

      1. Iron Heart said on April 17, 2020 at 12:26 pm

        @Rosmano

        > Fully agree with you SpywareFan. These guys throwing stones at one glass house, when their own house is made of crystal don’t know what the hell they’re doing.

        If Firefox is the reference value of privacy, then the house of Ungoogled Chromium and even Brave is strong like a tank.

        > Heck, if they’re using Windows, logged into Google accounts, or use Facebook or Twitter they’re being tracked anyway by much less scrupulous companies.

        Yes, because that would be likely for someone concerned about privacy. Ridiculous does not even begin to describe it.

    2. Marco said on April 22, 2020 at 2:39 pm

      @Pants, I’m glad you had the time and patience to expose him like the fanatic with illusions of grandeur that he really is. I don’t have the skills to wage a flame war in a foreign language with someone as committed to fallacies as he is. Perhaps I’m getting old.

      About the bubble, i agree with you on principle. In this case, however, it’s just me claiming the right to clean up the garbage on my screen. uBlock Origin is a content blocker, after all :)

      Oh, and let me correct my wrongdoing and give credit (and say thanks) to user ajaxmix, who taught me how to filter the troll on Reddit.

      BTW, this is even more effective because it blocks only his posts and not people referencing his name:

      ghacks.net##.comment-item:has-text(Iron Heart said)

      For what you’ve said, the use of this filter may be already unnecessary.

      I’m a long time gHacks user.js guy who benefits from your work.

      Thanks for that, too.

  4. Gary D said on April 17, 2020 at 11:22 am

    @ Martin Brinkmann

    In your article,
    “Mozilla extends add-ons support in new Firefox for Android browser April 16, 2020” , you seem to have deleted at least two comments one of which was from T J. I do not recall the other posters names.

    Why?

    1. Martin Brinkmann said on April 17, 2020 at 12:09 pm

      Comments are only removed in some cases, e.g. if they are off-topic or contain nothing but personal attacks.

      1. Klaas Vaak said on April 17, 2020 at 12:24 pm

        @Martin Brinkmann: +10

      2. notanon said on April 17, 2020 at 4:06 pm

        @Martin,

        Yet you let Iron Heart, Klaas Vaak, Yuliya, etc. post nothing but garbage comments that by your own standards are off-topic or contain zero content.

        You are a hypocrite.

        My own comments have been censored or completely deleted.

        Reddit mocks this site’s comment section.

        The only reason I go to this site, rather than a site like Ars Technica, is because it’s politically agnostic.

        But this safe space mentality is going to send me to The Register & similar sites sooner than later.

        Either don’t moderate the comments at all, or start cracking down on the shills like Iron Heart, Klaas Vaak, Yuliya, who troll every single Firefox article.

        Frankly, it’s pathetic.

      3. Samanto Hermes said on April 18, 2020 at 7:34 pm

        I think you meant “Firefox subreddit” instead of “Reddit”. I’m surprised that your comment hasn’t been removed.

      4. Iron Heart said on April 18, 2020 at 8:44 pm

        @Samanto Hermes

        notanon manages to get a comment published that literally calls the administrator a “hypocrite” and his blog management “pathetic”, and then complains about his comments supposedly not going through. You can stop taking him seriously right there, if you look at it logically.

        @notanon

        How many times have you demanded that we should be censored by now? How many times have you threatened to leave if @Martin Brinkmann doesn’t instantly bow to your demands? I’ve lost count, so much for “pathetic”. You still fail to respect my freedom of speech, and that of others, while we are actively respecting your(!) freedom of speech. We get berated by you all the time, seems like you have conveniently forgotten. You are very unfair, and you are out to bash us. Would you please stop? You are wasting my time, and presumably that of others. Thank you for your understanding. You are free to post here, but this nonsense starts to get old.

  5. Iron Heart said on April 17, 2020 at 11:35 am

    @SpywareFan

    > at least in FF you still can disable all the nasty things

    Nope. One example, Firefox on Android comes with hardcoded trackers, you are not able to remove those fully, certainly not with about:config. Some about:config settings are also hidden and you need to invest extensive research to disable the stuff hiding behind them, as they are not present initially.

    > and extensions work as expected

    Extensions work as expected in all browsers supporting extensions, as far as I am concerned. If you are referring to extensions not working on some internal sites of the browser for security reasons, then this is also true for Firefox. WebExtensions don’t even work on AMO, lmao.

    > Your beloved Brave does nastiest things than FF, like adding “trojan” keys to the registry (see my last comment here to leverage FF NPAPI plugins, thankfully disabled by Moz long time ago.

    Firefox is writing entries into the registry as well, many programs do, this is not even exclusive to browsers. The entries you are referring to are needed for Brave’s updater, those are not trojan entries, haha. They are needed so that Brave can update itself without asking for administrator privileges every single time. Firefox does the same thing for its internal updater. Do you recall ever having typed in an administrator password again after the initial installation of Firefox? No? Case closed.

    Apart from the internal updater, Firefox is also placing telemetry in the registry, and Brave does not do that. You can read about it in the very article you linked to (not sure how you could missed that, unless you wanted to miss it):

    https://www.ghacks.net/2020/04/09/mozilla-installs-scheduled-telemetry-task-on-windows-with-firefox-75/

    Firefox still supports NPAPI plugins, the most egregious one in particular, Adobe Flash. Support for NPAPI was never removed from the browser. Do you even know what you are talking about.

    > Good luck with your sense of security…

    Yes, Firefox and security…

    https://grapheneos.org/usage#web-browsing

    > I will never touch again a spyware Google Chromium even with a pole!

    Instead, you are touching the spyware Mozilla Firefox. User name checks out. Good luck.

    1. SpywareFan said on April 17, 2020 at 12:58 pm

      Please, now stop spreading lies and face the evidence.
      Firefox doesn’t add any WOW6432Node\MozillaPlugins entry, nor UGC does, Chrome had (has?) a similar trojan behaviour as Brave: https://support.google.com/chrome/forum/AAAAP1KN0B0AV0KvgO8pwc/?hl=lv .
      NPAPI plugins can be leveraged and was leveraged, now I understood why Brave was flagged as Trojan by Kaspersky, but your beloved browser still tries to leverage FF for it’s shady purposes.
      In Firefox Gorhill extensions work as expected, in Google Chromium browsers not, tested by myself.

      “WebExtensions don’t even work on AMO, lmao”
      You have nothing to laught about if you ignore that you can enable webext’s on AMO with about:config.

      Firefox has a C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry 0 (zero) entry, those added by Brave are tojan/hijacker entries and remain untouched even after uninstallation, like it’s services, tasks and installation folder.
      I don’t care about android versions, I use my phone only to make calls, so your link is pretty useless to me.

      Brave is unsafe as Chrome, if not more. People: feel free to install Brave, but mind the risks!

    2. Yuliya said on April 17, 2020 at 1:16 pm

      AFAIK next firefox for Android won’t have about config anymore. Features like about config, user js, and user css are on the chopping block, currently all considered “legacy features”.

      1. Yuliya said on April 17, 2020 at 1:25 pm

        I stand corrected: about config is already gone: https://i.imgur.com/uluV3QB.mp4

      2. Iron Heart said on April 17, 2020 at 1:58 pm

        @Yuliya

        LOL, and “SpywareFan” (nomen est omen) is still raving about the things he can change in about:config, and then you come around with your Imgur link, lmao. That’s absolute gold.

        @SpywareFan

        > Please, now stop spreading lies and face the evidence.

        You are literally the one spreading lies here:

        > similar trojan behaviour as Brave:

        Again, the registry entries you found are there so that Brave’s updater can be operational. They are related to this, and only this. The very link you posted points to a text that states:

        “Thanks for posting in the Chrome forum. This might be happening for a few reasons. I suspect the add-on was installed by installing one of Google’s products such as Google Earth, Chrome, etc. to keep the programs updated. If anyone else in the community has anymore insights, please feel free to join the conversation.”

        source: https://support.google.com/chrome/forum/AAAAP1KN0B0AV0KvgO8pwc/?hl=lv (The very link you posted!)

        TO. KEEP. THE. PROGRAMS. UPDATED. You read that passage? And they are not in the Firefox directory, I can’t confirm here.

        > NPAPI plugins can be leveraged and was leveraged,

        Registry entries are not NPAPI plugins. Case closed.

        > now I understood why Brave was flagged as Trojan by Kaspersky,

        False positive. Kaspersky is the issue here, not Brave. Brave isn’t flagged as malware by Windows Defender, or Norton, or… Also, lol at you using an invasive antivirus that is likely spyware itself and buries itself deep into the operating system, and likely provides little if any benefit over the integrated Windows Defender.

        > but your beloved browser still tries to leverage FF for it’s shady purposes.

        Can’t confirm any kind of relationship between the Brave and Firefox directories here. I understand that you dislike Brave, but please remain with the facts and refrain from using too much hyperbole.

        > In Firefox Gorhill extensions work as expected, in Google Chromium browsers not, tested by myself.

        Can’t confirm. Anyway, I hardly need these extensions, brave has a built-in adblocker.

        > Firefox has a C:\Program Files\Mozilla Firefox\firefox.exe|Telemetry 0 (zero) entry,

        This is not what I meant. Mozilla has out of browser telemetry running in order to determine your default browser.

        > those added by Brave are tojan/hijacker entries

        No, stop spreading nonsense.

        > and remain untouched even after uninstallation, like it’s services, tasks and installation folder.

        Firefox leaves its profile folder behind as well, if you use the standard Windows uninstall routine. Again, what are you on about?

        > Brave is unsafe as Chrome, if not more. People: feel free to install Brave, but mind the risks!

        I would be more weary of the browser that can remotely change my settings and can remotely insert unknown code. Yes, I mean Firefox.

      3. SpywareFan said on April 17, 2020 at 3:59 pm

        I do not dislike Brave, I distrust Brave!

        Where did I wrote that I use KIS???

        The FF profiles folder is not the same of Brave 208MB installation folder with executables and libraries that can be executed via FF plugins (if an olde FF version is in use) or triggered by services/tasks leftovers.

        You are ignorant on how it works? Firefox load the plugins listed in the registry, even if the dll’s are in a different folder than FF installation, the same hijacking was made by Foxit (trojan) some time ago (I remember it very well..). Why your beloved browser need to use a vulnerable procedure for updates check? Why your browser needs to use FF for updates check?
        Case closed or you will insist ond defending a shady behaviour (amongst the others)?
        Brave adblocker is totally useless since Google Chromium is aganist privacy and security, everybody knows it, if you don’t know how to use Wireshark or Netstat and test it by yourself don’t worry, there are a lot of useful guides on the internet.
        Keep on defending your beloved (trojan/hijacker) browser, probably somebody someday will believe in your points of view. ;)

        PS: Mozilla gave us GPO’s, more than what did Brave.

      4. Iron Heart said on April 18, 2020 at 9:00 pm

        @SpywareFan

        > I do not dislike Brave, I distrust Brave!

        Both would be your prerogative.

        > The FF profiles folder is not the same of Brave 208MB installation folder with executables and libraries that can be executed via FF plugins (if an olde FF version is in use) or triggered by services/tasks leftovers.

        Sorry, the Brave directory is no shape or form related to the Firefox directory. If you open some file from the Brave directory in Firefox, then this has something to do with you choosing Firefox as the default program for that file type.

        > Why your beloved browser need to use a vulnerable procedure for updates check? Why your browser needs to use FF for updates check?

        What? Brave doesn’t use Firefox for its update check. I don’t have Firefox installed here and never had, and Brave updates itself just fine. That would also be kind of stupid, making your updater reliant on a competitor product being installed. *facepalm* And Brave’s updater also doesn’t use NPAPI plugins.

        > Case closed or you will insist ond defending a shady behaviour (amongst the others)?

        I can’t defend something that doesn’t exist. You imagine shadiness even when there is none. I wonder why… Lack of knowledge? Bashing Brave for fun?

        > Brave adblocker is totally useless since Google Chromium is aganist privacy and security, everybody knows it,

        Brave’s adblocker works just fine.

        > if you don’t know how to use Wireshark or Netstat and test it by yourself don’t worry, there are a lot of useful guides on the internet.

        I know how to use them, but this is kind of unrelated.

        > Keep on defending your beloved (trojan/hijacker) browser, probably somebody someday will believe in your points of view. ;)

        It’s not a trojan or hijacker, you are spreading nonsense. But what can one expect if you believe that any browser uses NPAPI plugins for its applications updates, as if that were even possible.

        > PS: Mozilla gave us GPO’s, more than what did Brave.

        Chromium-based browsers can be managed with GPOs:

        http://woshub.com/how-to-configure-google-chrome-via-group-policies/

        Do you know what you are talking about?

      5. SpywareFan said on April 19, 2020 at 9:23 am

        “Sorry, the Brave directory is no shape or form related to the Firefox directory.”
        I was referring to your previous comment:
        “Firefox leaves its profile folder behind as well, if you use the standard Windows uninstall routine”
        Brave leaves installation folder behind after uninstallation, so the executables are still there… Not so hard to understant that it’s a shady behaviour.
        “If you open some file from the Brave directory in Firefox…”
        I never said that I open files in firefox, I said that Brave add registry entries for Firefox to load it’s shady update NPAPI’s (so if you use and old FF it can be hijacked).
        “Brave’s updater also doesn’t use NPAPI plugins.”
        So why they’re present in both registry and installation folder? https://postimg.cc/QVPyK8kR
        “Brave’s adblocker works just fine.”
        No, it fails in multiple ways.
        “I know how to use them, but this is kind of unrelated.”
        Another lie, since you’re unable to see where your browser fails.
        “Chromium-based browsers can be managed with GPOs”
        True, but you have to modify the Policies\Google key name with the one of the fork + manually add specific policy settings. (do you see how much Google is buried deep inside of chromium? lol)

        You are hijacking all Firefox posts for spread the Word of Brave, but you are also omitting the bad things it does besides trying to subvert what was written by others.

        My apologizes to Martin and all the Ghacks readers, but I can’t stand misleading advertising and misinformation, I will quit answering to Iron posts from now.
        Best regards.

      6. Iron Heart said on April 19, 2020 at 12:05 pm

        @SpywareFan

        > Brave leaves installation folder behind after uninstallation, so the executables are still there… Not so hard to understant that it’s a shady behaviour.

        Again, so does Firefox. And any other browser I know of.

        > I never said that I open files in firefox, I said that Brave add registry entries for Firefox to load it’s shady update NPAPI’s (so if you use and old FF it can be hijacked).

        Brave doesn’t do that, and it would not make any sense for it to do that.

        > So why they’re present in both registry and installation folder?

        1) This folder and all of its entries was created by Brave, not Firefox.
        2) This folder and all of its entries are not part of the Firefox directory.
        3) The two directories do not interact with each other.

        In the description it states “BaveSoftware Update”. This is just Brave’s god forsaken updater, what are you on about? It’s called “MozillaPlugins” because of the tech the updater uses, it’s named that way in Chrome as well. There is no relationship whatsoever with the Firefox directory.

        Chrome / Chromium / Brave also can’t even use NPAPI, they are using PPAPI. Research it, understand it, and then return to me. NPAPI is also totally unrelated to the updater.

        > No, it fails in multiple ways.

        It’s not an extension, but native code, and therefore is not under the same restrictions of Chrome extensions. You really don’t know what you are talking about.

        > Another lie, since you’re unable to see where your browser fails.

        This is still unrelated as far as the registry entries are concerned.

        > True, but you have to modify the Policies\Google key name with the one of the fork + manually add specific policy settings. (do you see how much Google is buried deep inside of chromium? lol)

        That is the job of the fork to fix, and yes, it is an easy fix. And no, “Google is not buried deep inside of Chromium”, if that were a fact instead of hearsay, projects like Ungoogled Chromium wouldn’t exist.

        > You are hijacking all Firefox posts for spread the Word of Brave, but you are also omitting the bad things it does besides trying to subvert what was written by others.

        Again, I can’t defend / discuss / argue against things that are imagined, because your imagination is misaligned with the facts here. There is nothing for me to discuss here, aside from pointing out that you imagine things due to a lack of understanding.

        > My apologizes to Martin and all the Ghacks readers, but I can’t stand misleading advertising and misinformation, I will quit answering to Iron posts from now.

        Your post is the very definition of misinformation. Based on a fundamental lack of understanding, you are spreading BS. Sorry, but this is the truth.

    3. prefersplants said on April 18, 2020 at 10:23 pm

      @IronHeart
      ‘some about:config settings are hidden………..in FF for android.
      Could you pls elaborate on this subject, namely, how to get at them?

      1. Iron Heart said on April 19, 2020 at 8:46 am

        @preferplants

        Well, there are about:config settings which exist, but are hidden. In order to interact with them, you need to create these settings. Here is how you do that:

        Go to about:config, then right click on any value (no matter which), and click “New…”, then you have to choose either string, integer, or boolean, depending on the type of the hidden settings (does it control a link, a number, or a true / false switch). Then insert the name of the setting, then choose its value (link, number, or true / false).

        One example of such a hidden setting is toolkit.coverage.opt-out (recently got renamed from toolkit.telemetry.coverage.opt-out). Firefox reports to Mozilla whether or not you have telemetry enabled. Yes, that’s right. They are collecting telemetry about your general telemetry status, even if you explicitly had telemetry enabled. You can stop this in about:config:

        Right click on any setting -> New… -> boolean -> toolkit.coverage.opt-out -> true

        More info about this setting here:

        https://www.ghacks.net/2018/09/21/mozilla-wants-to-estimate-firefoxs-telemetry-off-population/

        You can find all hidden settings relevant for privacy here (if you are dealing with a hidden setting, then it is marked with HIDDEN):

        https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

        But then again, as I’ve pointed out to @SpywareFan (who is sadly ignorant regarding this), changing about:config values can at best(!) disable things, you can’t outright remove nefarious components with about:config. Firefox Preview on Android comes with three built-in trackers (Leanplum, Google Analytics, Adjust). Maybe there is a setting to disable them, but you can’t really get rid of them, if you use FF on Mobile. The only thing you can do to avoid them entirely is using another browser, I’d recommend Fennec F-Droid (= Firefox, but with the bad stuff removed), other than that Bromite is my favorite (it’s the browser I am using myself):

        https://f-droid.org/de/packages/org.mozilla.fennec_fdroid/

        https://www.bromite.org/

        Hope this helped.

  6. pd said on April 17, 2020 at 1:10 pm

    This is completely brilliant. Mozilla doing exactly what it’s mission is: protect the web for everyone through enabling access to it without nefarious entities taking users’ privacy rights and spitting on them.

    Congrats Mozilla. You may make your fair share of dodgy choices but more often than not, the direction you’re taking Firefox over the last year or so is not only ideal, it’s courageous. Sticking it to the bastards who have manipulated every edge scenario of the web platform to spy on users.

    1. Iron Heart said on April 18, 2020 at 9:47 pm

      @pd

      You’ve forgotten the “/s”, friend.

  7. Kincaid said on April 17, 2020 at 3:18 pm

    Are all social media trackers third-party?

    Although more choices are definitely welcome, I’ve been blocking every third-party cookie for years, with zero problems.

    From the article, it sounds like these new settings will block less than my current setting, so I’ll probably stick with blocking all third-party cookies.

  8. DobbyBobz said on April 18, 2020 at 7:01 pm

    They’ve got to do something as one rather nasty and intrusive Ad is getting around FF 75/Earlier with some popup-redirect nefarious action. And I can just have a fraction of a second to see FF 75’s pop-up blocked warning only to have a redirect smashed in and a rather intrusive ad that’s denies any service for any back browser navigation except to trigger another intrusive ad every time that I press the back button.

    So some manner of blocking third party ad scripts built into FF and maybe that will solve the issue going forward.

    That and under the Linux version of Firefox 75 how does one get a Non-British, English spell checker working?

  9. Jonas said on April 19, 2020 at 3:59 am

    Martin, this is the worst article, and worst comments thread, I’ve ever seen on this website.

    First of all, it’s supposedly an article about new FF “Dynamic First Party Isolation”… which sounds like an interesting topic… yet you never explain clearly what that is, how it works. Something about cross-domain cookie access, perhaps? I’m left guessing — and I’m a very experienced web developer who codes several languages. Not good.

    Secondly, 99% of the comments have nothing to do with that topic, they’re just an endless and tedious flamewar over which browser is best or evil or whatever. I just skim through crap like that because it’s BORING. You shouldn’t have allowed any of them in this discussion (from every side, I’m not taking sides in the dispute here).

    tl,dr: The article is vague, and the comments-moderation is poor. Sorry to say but this is a new low for this website.

    1. a grey bearded user said on April 19, 2020 at 8:56 am

      fully agree with your comment

      1. Iron Heart said on April 19, 2020 at 9:44 am

        @Jonas

        Why is this type of comment always coming from readers who are not contributing anything themselves? Can’t remember a “Jonas” having posted something of interest recently. Just saying.

    2. Anonymous said on April 19, 2020 at 9:31 am

      Couldn’t agree more on the comments,just flame baiting and browser war stuff eg my browser is better than yours.Basically on every Firefox article.If the argument is about how a browser might be
      bad then they’re totally one eyed and hypocritical on this by only focusing on Firefox.
      At the same when there are articles on Chrome or Edge,they’ve got nothing to say even when you
      could consider that these browsers are just as bad if not worse.No comments to deter others from
      using them.

      1. Iron Heart said on April 19, 2020 at 12:07 pm

        @Anonymous

        > At the same when there are articles on Chrome or Edge,they’ve got nothing to say even when you could consider that these browsers are just as bad if not worse.

        Provably untrue:

        https://www.ghacks.net/2020/04/04/firefox-74-0-1-stable-out-with-important-security-fixes/#comment-4459282

        But don’t let the facts deter you.

      2. Anonymous said on April 19, 2020 at 2:11 pm

        Right that is one exception and that was in a Firefox article.Not on a consistent basis though when it comes to articles for Edge and Chrome.What does it matter to you what others use anyway.

    3. nonqu said on April 22, 2020 at 9:40 am

      I find the comments very interesting. Both Iron Heart and Pants have some good points.

      As for the feature it seems nearly completely pointless to people using uMatrix.

  10. Femail said on April 20, 2020 at 1:40 pm

    “Do you block (some) cookies in your browser?” ( quote from the original post )
    anybody? comments on this appriciated.

    I settle with the option: All third-party cookies (may break some sites ).

    So far none has ever broken.

    I clear everything after leaving each website.

    I use UblockOrigin ( and a few others) as I assume, they protect me better than the firefox options in the UI. at least I get the chance to see what exactly is being blocked.

    I have not yet tried the setting: privacy.firstparty.isolate
    I remember a lot of debate about this setting earlier on.
    maybe it’s time to give it a try.

    as for ghacksuserjs ( thank you @Pants )
    I recently sat down and started changing( those that made sense ) settings systematically
    so far I landed on 0390: disable Captive Portal detection.
    its a long way to go…
    so a little at a time prevents me from getting oh so tired

    thanks to the comments here, I changed other settings over the years but not in a systematical way.
    Maybe I’ve raised an awfull lot of entropy.
    I couldn’t tell. I dont have that amout of knowledge.
    but i’ve “almost” come to terms with the fact,
    that I will always remain somehow ignorant.
    So please:

    any comments on this?
    or input on cookiebehavior ?

  11. Ray said on April 20, 2020 at 8:02 pm

    Because of this article, I learned of the “Cross-site and social media trackers” option for the first time. I decided to use this as my default and use another addon, CookieMaster, to block all third-party cookies and block first-party cookies by default.

    The Cross-site and Social Media Trackers option is interesting because it claims to block local storage and indexedDB for trackers and I’ve always been looking for addons that allow me to block more of these items. I also already use Temporary Containers, which clears all these items when I close a tab, but I still like the ability to block whatever I want.