user.js: reminder: revisit proxy direct failover
so my thinking is, we should make this inactive, and add a setup tag, something along the lines of
- if you use a proxy, and you trust your extensions…
As default true, this is actually a security measure, against malicious addons. Security trumps possible proxy leaks. Now this is only for system principal proxy leaks, and Tor Browser can’t afford that. And TB users shouldn’t be installing addons. Firefox doesn’t have that restriction.
Most users, I assume, aren’t using a proxy, and the pref only makes sense at false if you do. Inactive is the best fit, especially given the security aspect.
eg
/* 0706: disable proxy direct failover for system requests [FF91+]
* [WARNING] Default true is a security feature against malicious extensions
* [SETUP-CHROME] If you use a proxy and you trust your extensions ***/
// user_pref("network.proxy.failover_direct", false);
edit: https://github.com/arkenfox/user.js/commit/044e3e76e8690934c5c89ce7969257b44bf38a6b
About this issue
- Original URL
- State: closed
- Created 3 years ago
- Reactions: 1
- Comments: 15 (8 by maintainers)
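An added example (not part of the issue and not arkenfox's own code) that checks the distinction the issue turns on: whether network.proxy.failover_direct is active in a user.js file or only present as a commented-out, inactive line. The function names, the usesProxy argument and the sample text are assumptions made for the illustration.

```javascript
// Added example (not arkenfox code): report whether a pref is active in user.js text.
const PREF = "network.proxy.failover_direct";

// Drop /* */ and // comments, but leave comment-like text inside string literals alone.
function stripComments(src) {
  let out = "", i = 0, quote = null;
  while (i < src.length) {
    const c = src[i], n = src[i + 1];
    if (quote) {                          // inside a string: copy through, honour escapes
      out += c;
      if (c === "\\" && n !== undefined) { out += n; i++; }
      else if (c === quote) quote = null;
      i++;
    } else if (c === '"' || c === "'") {
      quote = c; out += c; i++;
    } else if (c === "/" && n === "*") {  // block comment, e.g. the /* 0706: ... ***/ header
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
    } else if (c === "/" && n === "/") {  // line comment: how a pref is made inactive
      const end = src.indexOf("\n", i);
      i = end === -1 ? src.length : end;
    } else { out += c; i++; }
  }
  return out;
}

// Map of active prefs; a later user_pref for the same name overrides an earlier one.
function activePrefs(src) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/g;
  const prefs = new Map();
  for (const m of stripComments(src).matchAll(re)) prefs.set(m[1], JSON.parse(m[2]));
  return prefs;
}

// usesProxy is supplied by the caller (assumption: user.js alone does not tell us).
function auditFailover(src, usesProxy) {
  const prefs = activePrefs(src);
  if (!prefs.has(PREF)) return "inactive: Firefox default (true) keeps the protection against malicious extensions";
  if (prefs.get(PREF) === true) return "active at true: same as the default";
  return usesProxy
    ? "active at false: no direct failover for system requests; extensions must be trusted"
    : "active at false without a proxy: the pref only makes sense at false if you use a proxy";
}

// Constructed sample input: the snippet proposed in the issue, plus a string pref containing a URL.
const sample = `/* 0706: disable proxy direct failover for system requests [FF91+]
 * [WARNING] Default true is a security feature against malicious extensions ***/
   // user_pref("network.proxy.failover_direct", false);
user_pref("example.constructed.url", "https://example.invalid/x");`;
console.log(auditFailover(sample, true));
```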
Just the first pref, IMO - to ensure no “system” requests bypass your proxy - “system” here meaning system principal, not “system” addon
There is no need to stop system addons being updated IMO, which is why I put them in the “7000s don't bother” section with a big fat [WHY]. And since it can (and has) been used to push security features, well, security trumps anything else - and in this case, the perceived issue is/was the possibility that Mozilla could push “experiments” - using quotes because it’s not experiments as per the normal “studies” 0340 - an example would perhaps be the DoH rollout xpi. And sure, they can get telemetry, but there’s nothing wrong with that - they make sure not to collect any PII, it’s just things like errors and hit rates etc, plus I believe everything must respect the master telemetry switch. And they all basically come with pref on/off switches. So I don’t really see any issue TBH.
Some people like to remove all those system addon xpi’s, and you do get them back on updates from memory, and allowing them to update means they will come back every day you open Firefox. But there’s no need, just disable the relevant system addons using prefs, and/or the system addon isn’t a privacy issue (like compat).
The other thing that some people like is to make Firefox have as few unsolicited outbound connections as possible - which is a bit silly. You need them to check for updates: apps, certs/crlite, revocations, blocklists, safebrowsing local data, and so on - but we do nix a few where appropriate, just not security related ones. The mantra that any such connection not explicitly asked for by the user is a privacy issue and part of the femto jewish botnet is just nuts (hi 4chan 👋 )
Regarding version: I’d probably choose 91-1, ie {FIREFOX-RELEASE}-{ARKENFOX-RELEASE}, like distros do it with packages {UPSTREAM-RELEASE}-{DOWNSTREAM-RELEASE}.
If you extract the MAR you can spot the add-on under browser/features/proxy-failover@mozilla.org.xpi so I’d say yes.
I couldn’t change the tag (well, I could do another release, but I can’t be fucked), but I did change the title to use 91-1 and edited the description https://github.com/arkenfox/user.js/releases/tag/91.1 - Hope I didn’t fuck anything up
edit: PS deleted the v91 release
Edit: If anyone wants to check my immaculate work - here is the v91-91.1 diffs - @rusty-snake
Edit: I forgot the updater.sh changes, sorry, not sorry