
ToDo: diffs FF102-FF103 #1518

Closed
1 task done
earthlng opened this issue Jul 30, 2022 · 11 comments

Comments

@earthlng
Contributor

earthlng commented Jul 30, 2022

FF103 is scheduled for release July 26th

FF103 release notes
FF103 for developers
FF103 security advisories


68 diffs (34 new, 19 gone, 15 different)

new in v103.0:

removed, renamed or hidden in v103.0:

  • 6012 pref("security.pki.sha1_enforcement_level", 1); 1766687 - 0e2d566

changed in v103.0:

  • 7016 pref("network.cookie.cookieBehavior", 5); // prev: 4

ignore


==NEW

pref("browser.aboutwelcome.templateMR", false);
pref("browser.download.open_pdf_attachments_inline", false);
pref("browser.newtabpage.activity-stream.discoverystream.recentSaves.enabled", false);
pref("devtools.browserconsole.enableNetworkMonitoring", false);
pref("devtools.browsertoolbox.scope", "everything");
pref("dom.events.asyncClipboard.readText", false);
pref("dom.fullscreen.modal", false);
pref("dom.text-recognition.enabled", false);
pref("fission.enforceBlocklistedPrefsInSubprocesses.tmp", false);
pref("fission.omitBlocklistedPrefsInSubprocesses.tmp", false);
pref("gfx.direct3d11.reuse-decoder-device-force-enabled", false);
pref("image.decode-sync.enabled", false);
pref("javascript.options.experimental.array_find_last", false);
pref("layout.css.has-selector.enabled", false);
pref("layout.css.linear-easing-function.enabled", false);
pref("layout.expose_high_rate_mode_from_refreshdriver", true);
pref("media.av1.force-thread-count", 0);
pref("media.av1.new-thread-count-strategy", false);
pref("media.videocontrols.picture-in-picture.display-text-tracks.toggle.enabled", true);
pref("network.allow_raw_sockets_in_content_processes", false);
pref("network.http.origin.redirectTainted", true);
pref("network.trr.retry_on_recoverable_errors", true);
pref("pdfjs.annotationEditorEnabled", false);
pref("privacy.restrict3rdpartystorage.preferences.learnMoreURLSuffix", "total-cookie-protection");
pref("remote.experimental.enabled", false);
pref("security.tls.ech.disable_grease_on_fallback", true);
pref("security.tls.ech.grease_probability", 50);
pref("security.tls.ech.grease_size", 100);
pref("security.webauthn.ctap2", false);
pref("widget.windows.alternate_fullscreen_heuristics", true);
pref("widget.windows.fullscreen_marking_workaround", 0);
pref("widget.windows.uwp-system-colors.enabled", true);
pref("widget.windows.uwp-system-colors.highlight-accent", false);

==REMOVED, RENAMED or HIDDEN

pref("browser.newtabpage.activity-stream.discoverystream.compactLayout.enabled", false);
pref("browser.preferences.instantApply", false);
pref("devtools.devices.url", "https://code.cdn.mozilla.net/devices/devices.json");
pref("devtools.netmonitor.features.serverSentEvents", true);
pref("devtools.netmonitor.features.webSockets", true);
pref("devtools.remote.tls-handshake-timeout", 10000);
pref("dom.ipc.shims.enabledWarnings", false);
pref("dom.menuitem.enabled", false);
pref("fission.frontend.simulate-events", false);
pref("fission.frontend.simulate-messages", false);
pref("plugins.flashBlock.enabled", true);
pref("reader.improvements_H12022.enabled", false);
pref("urlclassifier.flashAllowExceptTable", "except-flashallow-digest256");
pref("urlclassifier.flashAllowTable", "allow-flashallow-digest256");
pref("urlclassifier.flashExceptTable", "except-flash-digest256");
pref("urlclassifier.flashSubDocExceptTable", "except-flashsubdoc-digest256");
pref("urlclassifier.flashSubDocTable", "block-flashsubdoc-digest256");
pref("urlclassifier.flashTable", "block-flash-digest256");

==CHANGED

pref("browser.contentblocking.features.strict", "tp,tpPrivate,cm,fp,stp,lvl2,rp,rpTop,ocsp,qps"); // prev: "tp,tpPrivate,cookieBehavior5,cookieBehaviorPBM5,cm,fp,stp,lvl2,rp,rpTop,ocsp,qps"
pref("browser.safebrowsing.provider.mozilla.lists", "base-track-digest256,mozstd-trackwhite-digest256,google-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"); // prev: "base-track-digest256,mozstd-trackwhite-digest256,google-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"
pref("dom.block_reload_from_resize_event_handler", false); // prev: true
pref("dom.fileHandle.enabled", false); // prev: true
pref("dom.streams.transferable.enabled", true); // prev: false
pref("extensions.InstallTriggerImpl.enabled", false); // prev: true
pref("gfx.direct3d11.reuse-decoder-device", true); // prev: -1
pref("layout.css.backdrop-filter.enabled", true); // prev: false
pref("layout.display_partial_background_images", true); // prev: false
pref("mathml.scriptminsize_attribute.disabled", true); // prev: false
pref("mathml.scriptsizemultiplier_attribute.disabled", true); // prev: false
pref("media.autoplay.block-webaudio", true); // prev: false
pref("services.sync.engine.tabs.filteredSchemes", "about|resource|chrome|file|blob|moz-extension|data"); // prev: "about|resource|chrome|file|blob|moz-extension"
pref("urlclassifier.disallow_completions", "goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,goog-passwordwhite-proto,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"); // prev: "goog-downloadwhite-digest256,base-track-digest256,mozstd-trackwhite-digest256,content-track-digest256,mozplugin-block-digest256,mozplugin2-block-digest256,block-flash-digest256,except-flash-digest256,allow-flashallow-digest256,except-flashallow-digest256,block-flashsubdoc-digest256,except-flashsubdoc-digest256,goog-passwordwhite-proto,ads-track-digest256,social-track-digest256,analytics-track-digest256,base-fingerprinting-track-digest256,content-fingerprinting-track-digest256,base-cryptomining-track-digest256,content-cryptomining-track-digest256,fanboyannoyance-ads-digest256,fanboysocial-ads-digest256,easylist-ads-digest256,easyprivacy-ads-digest256,adguard-ads-digest256,social-tracking-protection-digest256,social-tracking-protection-facebook-digest256,social-tracking-protection-linkedin-digest256,social-tracking-protection-twitter-digest256"
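The ==NEW / ==REMOVED / ==CHANGED lists above are what you get from diffing two default-pref dumps. Here is an added example of that diff, written for this page and not code from the arkenfox project or from the issue author: it parses `pref("name", value);` lines, keeps the value literal verbatim so that an integer and a string of the same digits stay distinct, and prints the three lists in the layout used above. `OLD_DUMP` and `NEW_DUMP` are constructed samples assembled from prefs named in this issue, not full FF102/FF103 dumps.

```javascript
// Added example, not code from the arkenfox project or this issue: a diff
// tool for Firefox default-pref dumps written as pref("name", value); lines,
// reporting new, removed/hidden and changed prefs the way the lists above do.
// OLD_DUMP/NEW_DUMP are constructed samples built from prefs named in this
// issue; they are not complete FF102/FF103 dumps.

const OLD_DUMP = `
// constructed v102-style sample
pref("network.cookie.cookieBehavior", 4);
pref("security.pki.sha1_enforcement_level", 1);
pref("plugins.flashBlock.enabled", true);
pref("dom.streams.transferable.enabled", false);
pref("layout.css.backdrop-filter.enabled", false);
pref("devtools.devices.url", "https://code.cdn.mozilla.net/devices/devices.json"); // string value
`;

const NEW_DUMP = `
// constructed v103-style sample
pref("network.cookie.cookieBehavior", 5);
pref("dom.streams.transferable.enabled", true);
pref("layout.css.backdrop-filter.enabled", true);
pref("security.tls.ech.grease_probability", 50);
pref("browser.download.open_pdf_attachments_inline", false);
`;

// Matches: pref("name", <literal>);  with an optional trailing // comment.
// The lazy value group plus the anchored tail keeps a ");" inside a string
// literal from ending the match early.
const PREF_RE = /^\s*pref\("((?:[^"\\]|\\.)*)",\s*(.*?)\);\s*(?:\/\/.*)?$/;

// Parse a dump into Map<name, literal>. The literal is kept verbatim so a
// string "5" and an integer 5 compare as different values.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split("\n")) {
    const m = PREF_RE.exec(line);
    if (m) prefs.set(m[1], m[2].trim());
  }
  return prefs;
}

const byName = (a, b) => (a.name < b.name ? -1 : a.name > b.name ? 1 : 0);

// Compare two dumps. 'removed' covers prefs that were deleted, renamed or
// turned into hidden (non-dumped) prefs; a text diff cannot tell these apart,
// which is why the list above is titled "REMOVED, RENAMED or HIDDEN".
function diffPrefs(oldText, newText) {
  const before = parsePrefs(oldText);
  const after = parsePrefs(newText);
  const added = [], removed = [], changed = [];
  for (const [name, value] of after) {
    if (!before.has(name)) added.push({ name, value });
    else if (before.get(name) !== value) changed.push({ name, value, prev: before.get(name) });
  }
  for (const [name, value] of before) {
    if (!after.has(name)) removed.push({ name, value });
  }
  return { added: added.sort(byName), removed: removed.sort(byName), changed: changed.sort(byName) };
}

// Render in the ==NEW / ==REMOVED / ==CHANGED layout used in the issue.
function render(d) {
  const line = (p) => `pref("${p.name}", ${p.value});`;
  return [
    "==NEW", ...d.added.map(line), "",
    "==REMOVED, RENAMED or HIDDEN", ...d.removed.map(line), "",
    "==CHANGED", ...d.changed.map((p) => `${line(p)} // prev: ${p.prev}`),
  ].join("\n");
}

console.log(render(diffPrefs(OLD_DUMP, NEW_DUMP)));
```

Run it with `node prefdiff.js` after pasting real dumps into the two constants. The one thing the output cannot tell you is whether a pref in the removed list was deleted or merely converted to a hidden static pref (as happened to `security.pki.sha1_enforcement_level` per the Bugzilla tickets quoted below), so each entry there still needs a look at the relevant bug.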

@earthlng
Contributor Author

some bugzilla tickets

  • browser.aboutwelcome.templateMR
    Bug 1774063 - Added a 'browser.aboutwelcome.templateMR' pref to support MR 2022 onboarding

  • browser.contentblocking.features.strict
    Bug 1776760 - Enable dFPI by default for Beta and Release via cookieBehavior pref.
    Bug 1763660 - Add query parameter stripping pref to ETP strict.
    Bug 1734328 - Part 4: Add disallow relaxing referrer policies for top navigation to the ETP strict list.
    Bug 1664995 - Part 4: Enable OCSP partitioning in strict mode.

  • browser.display.os-zoom-behavior
    Bug 1773633 - Allow configuring OS zoom behavior.

  • browser.download.open_pdf_attachments_inline
    Bug 1772569, add a preference so that pdf files sent as attachments can be opened either inline or download, and default to downloaded,

  • browser.newtabpage.activity-stream.discoverystream.compactLayout.enabled
    Bug 1774813 - Pocket newtab removing old layout that's not needed.
    Bug 1717682 - Pref and implementation for compact 4 card row layout for Pocket newtab.

  • browser.newtabpage.activity-stream.discoverystream.recentSaves.enabled
    Bug 1774473 - Pocket newtab recent saves section.

  • browser.preferences.instantApply
    Bug 1325637 - Remove browser.preferences.instantApply pref.

  • devtools.browserconsole.enableNetworkMonitoring
    Bug 1764348 - Enable browser console / browser toolbox console users turn on network monitoring manually

  • devtools.browsertoolbox.scope
    Bug 1770363 - [devtools] Implement on-demand multiprocess debugging in TargetCommand API.

  • devtools.devices.url
    Bug 1770899 - [devtools] Use RemoteSettings devtools-devices collection.

  • devtools.netmonitor.features.serverSentEvents
    Bug 1771277 - [devtools] Remove the websocket and server sent events prefs

  • devtools.netmonitor.features.webSockets
    Bug 1771277 - [devtools] Remove the websocket and server sent events prefs

  • devtools.remote.tls-handshake-timeout
    Bug 1770869 - remove unused client certificate authentication for remote devtools

  • dom.block_reload_from_resize_event_handler
    Bug 1772850 - Let dom.block_reload_from_resize_event_handler=false ride the trains.

  • dom.events.asyncClipboard.readText
    Bug 1744524: part 5) Add pref for enabling clipboard.readText() gated by a "Paste" button.

  • dom.fileHandle.enabled
    Bug 1764771 - Disable IDBMutableHandle support by default

  • dom.fullscreen.modal
    Bug 1771151 - Make modal dialog code more generic, and make it apply to fullscreen too behind a pref.

  • dom.ipc.shims.enabledWarnings
    Bug 1773044 - Remove the dom.ipc.shims.enabledWarnings pref.

  • dom.menuitem.enabled
    Bug 1372276 - Remove HTML menuitem.

  • dom.streams.transferable.enabled
    Bug 1770627 - Ship transferable streams
    Bug 1659025 - Add dom.streams.transferable.enabled

  • dom.text-recognition.enabled
    Bug 1759504 - Put the text recognition UI behind an experimental feature

  • extensions.InstallTriggerImpl.enabled
    Bug 1772901 - Disable InstallTrigger methods.

  • fission.enforceBlocklistedPrefsInSubprocesses.tmp
    Bug 1772599 - Use a temporary pref for a few weeks while we vette the behavior

  • fission.frontend.simulate-events
    Bug 1771630 - Remove unused fission.frontend.* prefs.

  • fission.frontend.simulate-messages
    Bug 1771630 - Remove unused fission.frontend.* prefs.

  • fission.omitBlocklistedPrefsInSubprocesses.tmp
    Bug 1772599 - Use a temporary pref for a few weeks while we vette the behavior

  • gfx.direct3d11.reuse-decoder-device
    Bug 1776800 - Let zero copy hardware decoded video to release on intel GPU on Windows
    Bug 1774018 - Enable reuse-decoder-device on Nightly on Nightly / Early Beta

  • gfx.direct3d11.reuse-decoder-device-force-enabled
    Bug 1776800 - Let zero copy hardware decoded video to release on intel GPU on Windows

  • image.decode-sync.enabled
    Bug 1774849 - Always use sync decoding during reftests.

  • javascript.options.experimental.array_find_last
    Bug 1704385: Add pref for Array.findLast

  • layout.css.backdrop-filter.enabled
    Bug 1578503 - Enable backdrop-filter by default

  • layout.css.has-selector.enabled
    Bug 1771896 - Add simple parsing and matching support for :has

  • layout.css.linear-easing-function.enabled
    Bug 1764126 - Part 4: Add parsing for linear easing function and gate it behind pref.

  • layout.display_partial_background_images
    Bug 1775237. Let progressive background images ride the trains.
    Bug 1773023. Restrict progressive background images to nightly again for now.
    Bug 1770920. Let progressive background images ride the trains.
    Bug 1231622. Allow drawing CSS images that don't have a complete frame.

  • layout.expose_high_rate_mode_from_refreshdriver
    Bug 1771718, nsRefreshDriver::IsInHighRateMode(),

  • mathml.scriptminsize_attribute.disabled
    Bug 1772697 - Disable various legacy MathML features on all channels.

  • mathml.scriptsizemultiplier_attribute.disabled
    Bug 1772697 - Disable various legacy MathML features on all channels.

  • media.autoplay.block-webaudio
    Bug 1773577 - enable the pref 'media.autoplay.block-webaudio'.

  • media.av1.force-thread-count
    Bug 1773768 - force set thread count for dav1d decoder.

  • media.av1.new-thread-count-strategy
    Bug 1771986 - introduce new thread count strategy for dav1decoder.

  • media.videocontrols.picture-in-picture.display-text-tracks.toggle.enabled
    Bug 1764120 - Subtitle font size settings in PiP window.

  • network.allow_raw_sockets_in_content_processes
    Bug 1770485 - Make content process socket threads use a regular event loop, with a pref

  • network.cookie.cookieBehavior
    Bug 1776760 - Enable dFPI by default for Beta and Release via cookieBehavior pref.

  • network.http.origin.redirectTainted
    Bug 1605305 - Consistently provide an Origin header for normal requests.

  • network.trr.retry_on_recoverable_errors
    Bug 1772111 - Allow to retry TRR for recoverable errors,

  • plugins.flashBlock.enabled
    Bug 1773043 - Remove flashblock from SafeBrowsing

  • privacy.restrict3rdpartystorage.preferences.learnMoreURLSuffix
    Bug 1774739 - Update ETP preferences section for TCP in standard mode.

  • reader.improvements_H12022.enabled
    Bug 1767846 - Remove MSU Reader Mode improvements pref.
    Bug 1753117: Add pref for UI changes to Reader Mode.

  • remote.experimental.enabled
    Bug 1777951 - Enable partially implemented WebDriver BIDi features on Nightly channel only.

  • security.pki.sha1_enforcement_level
    Bug 1766687 - remove support for SHA1 signatures in all certificates (including imported roots)
    Bug 1767099 - convert some security PKI preferences to static prefs
    Bug 1767489 - disable sha-1 signatures in certificates by default

  • security.tls.ech.disable_grease_on_fallback
    Bug 1770907 - Disable ECH GREASE when retrying connections.

  • security.tls.ech.grease_probability
    Bug 1774001 - Bump Nightly to 50% ECH GREASE probability.
    Bug 1770627 - Ship transferable streams
    Bug 1774001: Enable ECH GREASE on Nightly
    Bug 1767974 - Add preferences for ECH GREASE Mode.

  • security.tls.ech.grease_size
    Bug 1767974 - Add preferences for ECH GREASE Mode.

  • security.webauthn.ctap2
    Bug 1757589 - Add pref to switch between 'old' and 'new' authenticator code

  • services.sync.engine.tabs.filteredSchemes
    Bug 1773154 - Reduce number of scheduled sync calls in sync-after-tab-change
    Bug 1754899: Call sync after location change

  • widget.windows.alternate_fullscreen_heuristics
    Bug 1732517 - [3/5] Decouple Firefox/Windows fullscreen state

  • widget.windows.fullscreen_marking_workaround
    Bug 1732517 - [4/5] Fix fullscreen marking on Windows 7

  • widget.windows.uwp-system-colors.enabled
    Bug 1775310 - Add some accent-color-based dark mode system colors on Windows.

  • widget.windows.uwp-system-colors.highlight-accent
    Bug 1776556 - Restore Windows' accent-color / system-color behavior for now.

@rusty-snake
Contributor

The only thing that looks interesting to me besides security.pki.sha1_enforcement_level removal and network.cookie.cookieBehavior=5 as default is browser.download.open_pdf_attachments_inline.

@fxbrit
Collaborator

fxbrit commented Aug 7, 2022

FYI for Nightly users: pdfjs.annotationEditorEnabled doesn't exist there, see pdfjs.annotationEditorMode instead.

@Thorin-Oakenpants anything left to look at for #1508? do you want to add the pdf prefs as enforced defaults?

@Thorin-Oakenpants
Contributor

I just haven't gotten around to finishing off checking what those prefs do exactly, but my first instinct is we don't need to do anything with them

I don't just move prefs to ignore willy nilly, I actually look up and deep dive a lot of them - I only move some without checking if it's obvious - like threadcounts

I decided to take an extended break .. what's the hurry? Am happy not reading any bugzilla/moz stuff for a while

@fxbrit
Collaborator

fxbrit commented Aug 7, 2022

no hurry, I was actually offering myself to do the deep dive if there is still something you want to know; I already read the pdf stuff for example.

@Thorin-Oakenpants
Contributor

so I haven't looked at the last two, and I do not see any issues at face value based on my instincts

  • pretty sure the pdf, even if inline, is isolated
  • who cares if you annotate a pdf
    • IDK if it works with pdfjs.enableScripting = false, but with that false there is no way, AFAIK, for a pdf to exfil anything (even it could read annotations)

over to you guys to do some work .. I'm off for some 🐟 and 🍟

@fxbrit
Collaborator

fxbrit commented Aug 11, 2022

from my understanding of the bugzilla browser.download.open_pdf_attachments_inline is staying at false as the idea is to NOT open PDFs inline, but instead to do what chrome does: download them to disk and then open them as files in a new tab, using the file:// scheme.

key comments:

the pref was introduced to give a choice, so it's behavioral and there isn't a change in how the native reader works. PDFs like https://www.apple.com/privacy/docs/Building_a_Trusted_Ecosystem_for_Millions_of_Apps_A_Threat_Analysis_of_Sideloading.pdf will for example still open in the built in reader without a download occurring; one would think that if it was safe before this release, it still is. if by isolation you mean the storage, then according to about:cache?storage=memory after opening that pdf the relative entries are partitioned with a key for the apple domain.

@rusty-snake
Contributor

  • browser.download.open_pdf_attachments_inline should stay false by default and arkenfox does not need to touch it.
  • pdfjs.annotationEditorEnabled is disabled for now and got renamed anyway so IMO we can ignore it for 103.

@Thorin-Oakenpants
Contributor

for me a pdf opened in a browser tab is not file:// .. https://www.w3.org/WAI/ER/tests/xhtml/testfiles/resources/pdf/dummy.pdf .. and has no PartitionKey (IDK what happens if inline). I read something recently about all this with the change to downloads, the revert to tmp pref, issues with extension (i.e. .exe etc) saving.

pdf

I wasn't thinking of partitioning (and inline on the first party is not covered by partitioning on that first party) - what I meant by isolated was permissions - pdfjs has limited js ability (which we disable anyway) - I think it might be better explained in the moz hacks/blog/planet when they added pdf js. AFAIConcerned, an inline pdf is just a dumb element in the page

@opusforlife2

What does "opening PDFs inline" mean? That instead of downloading them, they are opened in a new tab using that URL?

@rusty-snake
Contributor

Yes, if it has an Content-Disposition: attachment it is opened in a (new?) tab instead of being downloaded.
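The "inline" vs "attachment" distinction the last few comments turn on comes from the Content-Disposition response header (RFC 6266). As an added example, written for this page and not Firefox code or anything posted in the issue, here is a parser for that header plus a small model of the download-or-open decision as the thread describes the browser.download.open_pdf_attachments_inline pref. The sample responses are constructed; decideDisposition() illustrates the behaviour described above and is an assumption about the pref, not Firefox's actual code path.

```javascript
// Added example, not Firefox code or anything from this issue: parse the
// Content-Disposition response header (RFC 6266), which is what makes a PDF
// "inline" or an "attachment", and model the download-vs-open decision as the
// thread describes browser.download.open_pdf_attachments_inline. Sample
// headers are constructed; decideDisposition() is an illustration only.

// Parameters after the disposition type. The quoted-string alternative is
// consumed whole, so a ';' inside quotes does not split the value.
const PARAM_RE = /;\s*([^=;\s]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)/g;

// Server-supplied names are untrusted: keep only the last path segment and
// drop control characters and leading dots before using the name anywhere.
function sanitizeFilename(name) {
  const base = name.split(/[\\/]/).pop().replace(/[\x00-\x1f\x7f]/g, "").replace(/^\.+/, "").trim();
  return base.length ? base : null;
}

function parseContentDisposition(header) {
  // A missing header means "inline" (RFC 6266 section 4.2 / browser default).
  if (!header) return { type: "inline", filename: null };
  const typeMatch = /^\s*([^;\s]+)/.exec(header);
  const type = typeMatch ? typeMatch[1].toLowerCase() : "inline";
  let filename = null, filenameStar = null;
  for (const m of header.matchAll(PARAM_RE)) {
    const key = m[1].toLowerCase();
    let value = m[2].trim();
    if (key === "filename*") {
      // RFC 5987 ext-value: charset'language'percent-encoded; only UTF-8 accepted here.
      const ext = /^([^']*)'[^']*'(.*)$/.exec(value);
      if (ext && ext[1].toLowerCase() === "utf-8") {
        try { filenameStar = decodeURIComponent(ext[2]); } catch { /* malformed escape: ignore */ }
      }
    } else if (key === "filename") {
      if (value.startsWith('"') && value.endsWith('"')) value = value.slice(1, -1).replace(/\\(.)/g, "$1");
      filename = value;
    }
  }
  // filename* wins over filename when both are present (RFC 6266 section 4.3).
  const chosen = filenameStar ?? filename;
  return { type: type === "attachment" ? "attachment" : "inline", filename: chosen ? sanitizeFilename(chosen) : null };
}

// Model of the behaviour described in the thread (an assumption, not Firefox
// source): an inline PDF is rendered by the built-in viewer; a PDF sent as an
// attachment is downloaded unless open_pdf_attachments_inline is true.
// Header names are assumed to be lower-cased already.
function decideDisposition(headers, openPdfAttachmentsInline) {
  const contentType = (headers["content-type"] || "").split(";")[0].trim().toLowerCase();
  const cd = parseContentDisposition(headers["content-disposition"]);
  if (contentType !== "application/pdf") return cd.type === "attachment" ? "download" : "render";
  if (cd.type === "inline") return "open-inline";
  return openPdfAttachmentsInline ? "open-inline" : "download";
}

// Constructed sample responses.
const samples = [
  { "content-type": "application/pdf", "content-disposition": 'attachment; filename="report.pdf"' },
  { "content-type": "application/pdf" },
  { "content-type": "application/pdf", "content-disposition": "attachment; filename=\"x.pdf\"; filename*=UTF-8''%E2%82%AC%20rates.pdf" },
  { "content-type": "application/pdf", "content-disposition": 'attachment; filename="../../etc/passwd"' },
];
for (const h of samples) {
  console.log(parseContentDisposition(h["content-disposition"]), decideDisposition(h, false), decideDisposition(h, true));
}
```

The sanitizer is the part worth keeping even if you never model the pref: whatever ends up in a download directory is named by the server, so the path-traversal sample above has to come out as plain `passwd`, and a `filename*` value that fails to decode is dropped rather than used half-decoded.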
