My most essential fix is getting the unbranded builds of Firefox so that I can control my own browser. These builds have no FF branding and they've disabled auto-update in them but they have the major advantage of actually allowing you to edit your extensions/add-ons without having to play security theater with Mozilla's automated signing portal every time you make a change.
And no, running the unstable developer builds is not an option. The dev line goes back to "alpha"/aurora in the old times and it still plays that role. It crashes in my experience on weird setups.
Yeah, I really wish they'd allow auto-update for the unbranded builds. Now I just do it manually, often. But with the profiles being the same it's not too bad. It's much better than having to ask Moz every time I tweak an extension.
Sure. It's technically possible for me to re-make Mozilla's infrastructure with a great effort. But what I mean is, Mozilla doesn't want to provide support (like security updates) or services for their browser unless they completely control it. Probably the argument is that this prevents ignorant users from accidentally downloading unbranded and accidentally installing some malware extension and blaming FF brand for it. But it's about branding and perception far more that security or resources.
> These builds have no FF branding and they've disabled auto-update in them but they have the major advantage of actually allowing you to edit your extensions/add-ons without having to play security theater with Mozilla's automated signing portal every time you make a change.
“Security” isn’t even the word I’d use for what extension signing seems to do. After all, full-out malware — the illegal stuff — can replace firefox.exe with their own.
What it really seems to be intended to protect against is legal-but-scummy applications like Oracle Java that installed random toolbars and add-ons that almost nobody wants. They can legally install an add-on, but patching Firefox itself would be a clear-cut trademark violation, so they won’t do that. Since the Java installer ran with the same permissions that a regular user runs as, they can’t really stop that thing without stopping you.
The phrase I’d use to describe this is brand protection, not security.
Unlike many Firefox forks, it tracks modern Firefox. I believe they run a similar set of tweaks to Tor browser, just without the Tor. This is quite nice. It’s autoplay blocking has actual teeth: I’m delighted when YouTube’s annoying autoplay-next-video is foiled by it.
Since it is smaller and from a less well-known group of developers, I can totally understand this being untenable. But the added risk is worth it for me, because while it isn’t perfect, it feels like I have gotten a little slice of control back with it.
I don’t think they ever shipped it without the ability to disable it, I’m just happy it doesn’t work by default. It will try, but it can’t actually play unless you click. This tiny detail made me instantly feel more in control again.
Makes me wonder what the web would be like if browsers were never subject to this conflict of interest in the first place and always prioritized keeping the user in control.
Easy fix: just allow it to autoplay using the icon in the address bar. And you can add this allowance permanently.
This is how it should work. It only doesn’t because autoplay is great for metrics and it’s nice for their metrics that all major browsers allow YouTube to autoplay.
Yeah, the annoying thing about that button is it defaults to “on”, though.
So if you’re, say, opening a video in incognito because you want to watch a single video without that channel being recommended for the next 6 months, that little autoplay button is always toggling itself back on.
Came here to state the same, for a few years my firefox fix was to use waterfox[1] instead of firefox.
And now my best firefox fix is to use librewolf[2] instead of waterfox instead of firefox.
I had enough of mozilla treating me and my business like sh*t when the silently dropped alsa support on a ESR release and justifying by saying linux distro package maintainer should have not disabled our surveillance and tracking and no one wants to work on ALSA as it is a mess, turns mozilla code was a mess and in a matter of days someone came up volunteering to do the works they refused to, but then they switched their stance to say it's too late they're not going back to alsa just deal with it.
So I dealt with it by switching to waterfox which supported alsa with no plan of stopping and allowed firefox extensions to keep working.
When will mozilla stop hurting its own product by trying to make it the same as google's browser and mistreating their user base and supporters ?
Librewolf applies a few very small patches to the Firefox codebase (to remove Mozilla's VPN promotion, etc), but I don't think they have the resources to maintain dropped features, or any other significant deviations from the official codebase. I view it as a custom Firefox build rather than a fork.
I find the experience way better than vanilla youtube in a browser. It allows to remove all youtube annonyances (autoplay, comments, suggestions, ads, in video ads, and more) and tweak a number of things.
Only a couple downside for me, the playlist support is a bit shaky and once in while a video will fail to load or start and requires closing and reopening the window.
It looks like a great project, but I'm afraid it exceeds the privacy protections rendering it somewhat unfeasible to be a primary browser.
uBO pre installed, telemetry turned off, etc are all great steps, but the lack of DRM, for example, makes it a deal breaker for me. Brave, despite their shady practices with their own ads and cryptocurrency, is at the sweetspot balance between privacy and functionality.
I find the time it takes to fine tune my Firefox worth the work, but Librewolf looks like a project I would gladly trust with good privacy defaults.
I'm not 100% sure, but I think vanilla Firefox also comes with DRM disabled. Like on librewolf, you can just enable DRM and be on your way.
One thing I've found, is that even if you enable DRM, librewolf sometimes still fails on Netflix. Just the other day I got redirected to a help page about Microsoft silverlight when trying to play a movie, had to fallback to Firefox.
Last time I tried Vivaldi, it did vertical tabs, but they weren't nested. I find it useful to be able to get a nested tree structure of tabs that show where the tab I clicked came from.
What do you like better about it? As a chromium user, I’d be happy just to have a TST option that sits in the same window, not a separate window that causes focus issues.
I've been looking for a replacement for OneTab. The import/export functionality is broken (doesn't carry over the tab group titles) and although not everyone would like that, I'd prefer to have cross-device sync.
i like that tab stash uses bookmarks to save things instead of some database. it means you can still access your stashed tabs from another device without needing the extension. (which is useful if you are syncing your bookmarks to your phone)
Do you have steps to reproduce the problem? I just tried testing this in Firefox (Nightly) 100 and Firefox doesn't delete the partial download. I started to download a 1 GB zip file from https://www.thinkbroadband.com/download, disabled my Wi-Fi during the download, and quit Firefox. In my Downloads folder I see a zero-sized placeholder file called "1GB.zip" and a 9 MB temporary file called "1GB._VXIwgNp.zip.part".
- I use Sidebery for tabs, and have disabled the horizontal tab panel on the top using oldschool userChrome.css file.
- I use the dark theme. However, that makes lots of pages use dark theme as well, so I've changed layout.css.prefers-color-scheme.content-override in about:config to not follow my theme, but my OS settings. (So I can have dark themed web pages during evening, but not all the time)
- And I use containers a lot. Very well integrated with Sidebery I feel.
gfx.webrender.all shouldn't be needed anymore. Does it make a difference for you? i.e. Does the value of "Compositor:" change if you change the pref and restart?
I used TreeStyleTab for a while but it never quite felt "right" and all the tweaks to get rid of the top tab bar are such a pain. It almost seems like too much with all the nested tabs (I know you can turn these off)
I hate to say it but the best vertical tab implementation I've seen is in Edge. Easily toggle-able between horizontal/vertical tabs, there's a way to collapse it to just favicons, you can use collections to group tabs together (like in Chrome). It's honestly one of the features that keeps me coming back to Edge, privacy be damned.
I think the only feature I really miss from Firefox is container tabs.
$ cat userChrome.css
/* Hide horizontal tabs at the top of the window */
#main-window[tabsintitlebar="true"]:not([extradragspace="true"]) #TabsToolbar > .toolbar-items {
opacity: 0;
pointer-events: none;
}
#main-window:not([tabsintitlebar="true"]) #TabsToolbar {
visibility: collapse !important;
}
/* Hide the "Tree Style Tab" header at the top of the sidebar */
#sidebar-box[sidebarcommand="treestyletab_piro_sakura_ne_jp-sidebar-action"] #sidebar-header {
display: none;
}
It sort of annoys me that 'pocket' can't just be disabled from the UI bar to hide it everywhere, but that's not nearly as annoying as the last link you provided...
The Telemetry stuff is insanely invasive and really needs to all have one _system_ level toggle for it rather than the like _twenty_ different flags and settings (even with the 5 dupes from the article's dump cleaned up)...
When I see this list, my question is, are there entries which are redundant and only in there, because the original author didn't understand them?
From my understanding f.e.
toolkit.telemetry.enabled = false
Should disable everything under
toolkit.telemetry.*
Furthermore I would expect the UI flag to disable telemetry to overrule all other settings and globally disable telemetry
In a couple min of searching it looked unlikely that I'd find any current documentation about these flags, the bhrPing and hybridContent are probably remains, but were still present in my existing profiles.
Huge fan of Firefox (and Mozilla in general, leaving aside the recent controversies) for a decade and a half. But after the great improvements in performance as part of Quantum (v57), the last 2 years or so have been a slow degradation of performance for all power users (esp. users who keep a large number of tabs open, and especially so on OSX. Firefox is almost always the single biggest memory hog on my system, and pushes the fan spinning at full speed every few hours.
I wish there was more focus from Mozilla on continuously improving (or atleast keeping stable) Firefox performance, instead of these cycles of degradation, 1 great release to fix issues, and then a few years of ignoring perf again. ;(
Firefox performance is very important to Mozilla. Mozilla has a dedicated Firefox performance team and some of the team members are "tab hoarders" with (literally) thousands of tabs, so they have a personal interest in keeping Firefox performing well with many tabs. :)
If you experience a performance problem, you can use the Firefox profiler to record a performance profile and share it in a Bugzilla bug report. Having a profile makes a performance bug much easier to diagnose and hopefully fix.
The profiler is easy to use: it's just a toolbar button to start/stop recording. Here are the instructions for enabling it:
With custom userchrome currently slated for getting axed, what I want most from Mozilla right now is a built in way to:
1. Hide the unnecessarily huge sidebar header (allowing addons to show their own arbitrary fully custom sidebars separate from the official sidebar system could also work)
2. Hide the default tab bar
I currently run a vertical tab setup with Sidebery that looks great with custom userchrome, but the release that kills userchrome will make it too much of a mess to bother with a redundant tab bar and ugly space stealing sidebar header.
Additionally, an “adaptive” theme that pulls colors from the OS like Sublime Text’s adaptive theme does would be greatly welcome. While it’s nice that Firefox comes with a dark theme (and that there are plenty of third party dark themes), it’s irritating that it’s always a different shade than the rest of the OS — both the background colors (which change dynamically with wallpaper-adaptive appearance enabled) and accent colors (which is user specified on both macOS and Windows and soon on Linux with GNOME too).
I'm somewhat active on r/FirefoxCSS, and have substantially customized my Firefox UI. Never saw any deprecation notices in the console, or a message on the subreddit.
I highly doubt Firefox would ever drop support for userChrome. The themes aren't nearly as powerful and low level. The about:config toggles works as a footgun protection. I have yet to see any technical reason for them to drop support.
That said, Firefox has dropped support for small yet useful features for no apparent reason, so there is a non-zero chance of them dropping support for userChrome customizations.
Killing userChrome would be extremely on brand for Mozilla, so I'm sure it will happen at some point. Killing features beloved by a subset of power users appears to be a guiding design principle there. I've seen userChrome suggested as the fix for all kinds of UX regressions that Firefox pushed on users. But if Firefox is willing to go out of its way to break the UX in various ways, why would I ever trust it to maintain that support?
Of course people are going to find ways around it, simply because the alternatives are still so much worse, but it definitely disappoints me to see that we have to be fighting this constant war with the developers at Mozilla who are continuing to oppress users while thinking that they're doing the right thing.
What I want from Firefox is a mode, even hidden behind about:config, even by a combination of settings, that results in 0 network traffic upon start and all traffic is associated with my UI interactions.
Even with telemetry off, all kinds of information about my browsing behavior from the myriad connections it makes upon start and exit can be gleaned. Certificate chain updates, etc can be delayed until a secure connection is requested by me.
The amount of unsolicited and virtually uncontrollable network traffic from macOS, Microsoft Office, Adobe Creative Suite, etc is bad enough, I expect more from Mozilla that never stops marketing its privacy features.
I believe I have the right to control when and for what purpose the computer and software that I own communicates with third parties.
It seems this could be accomplished by extensions - at the very least for tab-related requests, as far as I know - since uBlock Origin has a setting that holds every request until it can update the filter lists.
Similarly, I have developed a habit of opening a new tab that loads about:home before I exit. That way, the other tabs act as active bookmarks. I'm not immediately faced with any given one of them when I start a new session. I don't know if anyone else does this, but it also saves me from loading any pages unless I really want to see what it is.
I find your demands reasonable, especially the principle where HTTP traffic is initiated if and only if carried out in response to direct user interaction.
The thing with right to control, though, is that someone, somehow has to develop a browser and make ends meet.
they fired a ton of engineering talent working on exciting tech (servo) to chase some bundled vpn rebrand. what a misguided move, like most everything they've done in non-engineering space. sad.
before, i would have donated hundreds or more if there was a way to pay directly for firefox and thunderbird. but not anymore.
(Cue complaints about it not being the right way to fund Firefox, because it’s not a pure donation. Before you go down that road, tell me: what evidence do you have that pure donations would get enough transactions to be worth the overhead? Have they ever worked at scale for any other software?)
Their business model doesn't have to be donation-based. It can be, (surprise!) purchase based.
I pay for lots of software I use, and do so happily if it delivers value — it would be extremely easy for me to justify paying for what's probably one of the apps I use the most. Why can't we pay for good browsers, that put the focus squarely on being the best tool to access the www? Why can't that money be used to hire back some of the talent Mozilla has been letting go? I say it elsewhere in this thread — Mozilla should let us pay for the bloody thing.
I would pay for a "Firefox Pro" which allowed greater control/modifications for power users.
Make it open source, but have the official download for builds (and source code?[0]) be payed. Bonus points if the download bundle includes source code and a simplified build process.
[0] obviously it'll be mirrored in 2 seconds, but still.
the few people who might pay for a firefox pro would probably not even pay the wages of the people required to setup the payment and infrastructure therein.
I don't mind sending telemetry data however, as long as I'm reasonably convinced that Mozilla isn't doing anything shady with it.
However, I respect the “Telemetry? Absolutely not” stance and can only hope and pray that Firefox PMs use telemetry as only ONE among a whole host of other signals to support decision-making.
That creates a branding risk. If the idea spreads that Firefox is a paid product you might scare people away from the free version and the net impact becomes negative.
Honestly, the real branding risk is Mozilla's brand being tarnished by firing engineering talent, bundling Pocket, adding opt-out telemetry, etc. I'll take the branding risk that saves a beloved browser and company, over the branding risk that destroys both.
I honestly think the core dev work on Firefox could be done by 6 devs. I get an impression that half their devs are doing UI tweaks, which could be left alone for a decade without any issues.
The rest, outside of core, seem to write code as you mention. Product additions which most always give zero real value, no income, and even detract from the brand.
This might be a new low point for HN discourse regarding Firefox. Wow.
No, you can't maintain an entire modern browser (25 million lines of code) with 6 people.
You probably can't even maintain a complete multi-architecture, JIT-enabled Javascript engine with 6 people. Or GPU-accelerated rendering that works across thousands of hardware / software combinations. Much less that plus all the other things a browser has to do.
People always post this in reply. I don't want to donate to the Mozilla Foundation's CEO salary package, or their navel-gazing side projects, or their endless reshuffling of deckchairs. I want to fund _Firefox_, the only browser engine keeping us from an endless monopoly of Chrome reskins.
So you need to fund either individual developers or a 3rd party like Igalia to develop the features you want, including the work to ensure it will end up in the upstream repo and not in a fork.
Since that's "a donation with restrictions", you can probably set up a grant / anything with a contract instead. It may be onerous for an individual, but get enough people to be worth the effort and it should work fine.
Donations to the Mozilla Foundation support the Foundation's outreach and education efforts, not Firefox development. Firefox is developed by the Mozilla Corporation, which is a for-profit entity owned by the Foundation and is not donation-supported.
As far as I remember the problem was that you can donate to Mozilla foundation, but not the Mozilla corporation ( which is responsible for Firefox + other stuff ). There is no direct way to finance/donate for Firefox developement (without other projects).
But eventually the “need” for never-ending growth means a manager somewhere will be looking to eek out that x% growth - and their individual (professional) needs will lead to suggesting monetizing the paid user base…
Why would this be a default, or an inevitability? Sounds like a reasonable incentive structure for VC-funded companies looking to be a unicorn. But it’s far from the only option culturally. It certainly doesn’t seem like the sort of thing that makes sense for Mozilla.
Don't know, but I think one part of the solutions is to drastically simplify the web stack and separate essential (content-oriented) from incidental (app) tasks.
Do yt, twitter really have to live in the browser?
I hope they won't. All notifications I need and even more I get from my phone. I hate to ignore multiple notifications for the same event from multiple devices, I'd prefer to ignore it only once.
This makes it sound like these initial connections are there to earn Mozilla money. Updating certificate lists, checking for updates, that's all just housekeeping stuff.
I also find it very strange that so many people here disable telemetry. Really weakens complaints about removed features, if you're disabling the primary way that shows you're using it.
This comment is a deathflag which you should become attuned to, so you can stay ahead of the curve.
Telemetry driven catabolism is a feedback loop which can not be halted once it's begun.
What's happening under the surface is that the project has reached the maximum complexity it ever can, after which it collapses being unable to maintain even low-maintanance features, let alone add new ones. Complexity unlike funding is fundamental, and just throwing money at it will not halt the process.
Seeing rude obstructionist PR types showing up on bugzilla was the first outward facing symptom there was a cultural problem driven by an underlying material problem. An insider could probably tell you an even earlier warning sign.
As the project collapses it will grow tumors (eg Pocket). Totally random pieces of junk code which don't coherently belong to the base project.
In the terminal stage it loses its ability to even remove features, or bolt on tumors. Tweaking the logo, churning the UI, and redesigning the website are the only actions the zombie project is physically able to take. So that's what it does.
I agree. It's fucking ridiculous that someone at Mozilla forgetting to renew a cert resulted in the simultaneous disabling of every single Firefox extension on earth. I wouldn't be surprised if someone (an activist, a gay person, etc) in an oppressive country died as a result of suddenly losing their VPN/privacy extensions.
I sure hope that none of the people that are in danger trust in the obscurity provided by in browser vpns.
If they do then it always was just a question of time for them to be found out, as just adding a webrtc session to the website makes their ip transparent again. Same with unique dns queries etc
Is there a phrase that describes the process of taking something one thinks is bad - here, Firefox extensions being disabled - and searching for the most egregious possible negative consequence that might have occurred (here, someone being murdered), and then using that as a hypothetical? The goal is obviously to try to increase the emotional weight of the argument against... whatever... but I'm seeing this demilogical construction used more and more in the wild and would like to know its name.
> searching for the most egregious possible negative consequence that might have occurred
On the one hand, stretching consequences is bad. On the other hand, thinking about a "one in a million" consequence isn't stretching when something affects a million people.
Maybe that example is closer to "one in a billion" or higher? We can hope so.
Hyperbole? I agree with your sentiment, but it's been the 'Internet rant' rhetoric for decades IME. Find a HN thread, with a moderate number of comments, without it.
IMHO, such comments are so tired, poisonous, and add so little that if I were king of HN, I would ban them. They may be hard to define, but 'no hyperole' is a start.
It's also not beyond the realm of possibility that the person responsible for monitoring this cert read your post just now, contemplated the potential gravity of their mistake, and decided that they couldn't live knowing those potential consequences.
There is no limit to what can disgusting thoughts could be posited in a hypothetical.
The person responsible for monitoring the cert was the proximal cause but not the ultimate cause. The ultimate cause was the colossal fool who decided a cert check failure should cause an immediate and nonconsensual disabling of all extensions instead of a pop-up box warning the user their extensions may be untrustworthy. That's like a car's ECU slamming on brakes because it failed to read the tire pressure.
My comment was a response to your singling out the "someone at Mozilla forgetting to renew a cert" which you referred to earlier. You are correct in acknowledging that you had only identified a proximal cause in your grandparent post.
I agree that the underlying problem is that extensions were disabled without user notification. The correct behaviour is simple enough: if any extension gets disabled for ANY reason other than manually by the user, the browser should lock out ALL network connections until the user has acknowledged this change of state. Someone should submit this to bugzilla as a high priority fix, if it hasn't already been done.
Someone should submit this to bugzilla as a high priority fix, if it hasn't already been done.
Not gonna happen. These days Mozilla doesn't even pretend to give a damn about user control. "We know better than you" has been the watchword for a while now.
That's not an argument, that's just emotional guff. Sure, they change the UI around every now and again. But they also maintain a firehose of improvements which keep users in control of things which actually matter, like Firefox's highly configurable enhanced tracking protection.
Not gonna happen? If you refuse to partake in the most minimal of engagement with the process, don't complain if you don't like the outcome.
things which actually matter, like Firefox's highly configurable enhanced tracking protection.
What's your criteria for things that actually matter? For example, as an adblocking, scriptblocking person, whether or not a company tracks me has no impact on my life whatsoever. What does have an impact on my life is my web browser being half-crippled and my mobile browser being a pile of half-working shit that soft-locks if I open it too quickly after closing it.
Well a popup asking if it okay to check for updates which would run every x times the browser is launched or on a schedule. The popup should have an option to not ask again for those that get annoyed. Otherwise the browser would need to call home to see if an update is available before asking if you want the new version of course.
It shouldn't. Users should be using a package manager to manage software. Windows fucked up users expectations by not including a sane one by default... ever. And no, Windows Store doesn't count.
Package managers are a necessary evil on systems where installing software scatters a bunch of files all over because of a dogmatic adherence to an obsolete FHS. It’s a huge burden on either the distro maintainers or the developers to produce new packages for already-written software, which often results in outdated or broken releases available in the package repos.
And now every language ecosystem has one or more package managers for development libs - pip, conda, cargo, npm, opam, dub, etc. - and then optional package managers like choco, homebrew, and probably some others I missed. It’s a huge mess. So instead we throw up our hands and just bundle everything we need in a container and duplicate the _whole distro_ because the “package” ecosystem is such a disaster.
The sane way to handle software installs and uninstalls would have been cp/rm.
One more addition to my rant here - could we pick even more ridiculous, unintuitive names for package manager binaries? zypper? apt-get? yum? xbps-install? pacman at least kind of reminds you of “package manager”. This isn’t meant to dump all over the hard work that goes into all these. I suppose too that “install” is taken by a command which copies files with certain flags (anyone ever use this?).
Every one of these uses different flags too, so for someone who uses a number of different distros it’s a huge pain to remember them and switch back and forth.
FreeBSD at least uses the eminently sensible “pkg” command with flags like “search” and “add.”
You don't own Firefox. You have a license to use it. Background network traffic is not a big deal. Ignoring downloading important updates the bandwidth the requests use is not significant. In such a large and complex piece of software as a web browser I do not understand why traffic should be associated with UI interactions. How is the browser supposed to show a notification when someone tweets? Would you prefer to hit a "Check for Notifications" button or would you prefer to just get a notification. The latter option has a million times better UX.
> Would you prefer to hit a "Check for Notifications" button or would you prefer to just get a notification. The latter option has a million times better UX.
I would a love a button for every action. Particularly for things like check for notifications. The current problem is that someone else believes they know what a better UX is, any by better they mean better for the company for whatever reason.
I understand your intention is to launch "cold" Firefox instance that does not call home, update the "safe browsing" databases etc, so this will probably not be of any help, but you may try launching it with `--offline` command line argument and uncheck the (alt) "Menu > File > Work Offline" when you are ready to "reveal yourself". For testing it with throwaway profile you can do:
firefox --offline --no-remote --profile <path where throwaway profile folder can be created>
The `--offline` argument is quite strange for a several reasons:
1. it is quite undocumented, but works from what I've tried. It is not even exposed in `firefox --help | more`. It used to be mentioned at MDN page [1] but that is gone now.
2. From what I've tried now, offline mode lets you browse localhost, what seems super useful but I don't recall it have always been this way.
3. Also browsing properly cached pages seems to work super well; not sure it is due service workers finally caught up and works or proper HTTP headers are used nowadays. Interesting is that even the hard refresh of cached page gives you cached version in offline mode. (Again, I'm not sure it used to be this way in the past. I remember that nearly no webpage worked well in offline mode few years back.)
I have not run any network traffic audit so I cannot verify it really does not attempt to reach for something outside localhost.
(Update) And one more thing: when using Profile Manager there is a nifty "Work offline" checkbox in there. Run
firefox --profilemanager
There is also checkbox "Use selected profile without asking" that when unchecked presumably adds
[General]
StartWithLastProfile=0
to the `<appdata>\Mozilla\Firefox\installs.ini`. I've found this handy to do if you occasionally mess with various Fx versions and want to be sure you will not unintentionally load "nightly" profile with "stable" executable.
"I believe I have the right to control when and for what purpose the computer and software that I own communicates with third parties."
Theoretically we already have this control. We can edit the Firefox source to disable the undesired traffic before compiling. In practice it takes me more time and resources to compile Firefox than it does to compile the kernel for the host OS (NetBSD). Most Firefox users probably use binaries and do not compile from source.
I would prefer to see a smaller, less featureful additonal version of Firefox that compiles faster and with fewer required resources. For advanced users, this would remove the friction against making source changes and compiling as opposed to using binaries. It would also potentially open up an opportunity for others to create customised versions of Firefox with, e.g., reduced attack surface, less need for "updates" and better suited to avoiding telemetry, and internet advertising-related surveillance.
The actual or effective inability to compile from source places more control with Mozilla and less control with the user. Thus we continually find Firefox users on HN pleading with Mozilla to make changes instead of making the changes themselves.
Are there specific Chrome keyboard shortcuts you're missing in Firefox? Firefox has some aliases for Chrome and Safari keyboard shortcuts. Adding a new alias is pretty uncontroversial if it doesn't conflict with an existing Firefox keyboard shortcut.
Citation needed. The addon certainly seems far less legitimate than Decentraleyes. For instance, who maintains this, why did they fork it, who has validated it isn't a malicious fork, etc etc. At least for Decentraleyes you have it being popular and "Recommended" by Firefox which puts a certain expectation to not be a flaming pile of malware.
I'm consistently surprised that nobody ever talks about HTTP referrers, which are the most egregious of all privacy-invading functionalities -- and are enabled by default in EVERY browser, including the privacy-centric ones. If you're not blocking referrers, you don't have a sliver of privacy online.
The Referer Control plugin is probably still the best option, even though it hasn't been updated in a long time. There are a few newer ones that supposedly deal with the issue of sites breaking, but I haven't tried them.
uBlock Origin can block them. Some poorly coded sites will break with them blocked, so you'll have to whitelist them. Anything from Atlassian is notable, so Jira/Confluence/Bitbucket.
People talk about Referer constantly in privacy-related fora, the problem is that there's also still an enormous numbers of sites which will break if it's disabled. Browsers have gradually stripped it down to just the origin, and I expect we'll see it disappear entirely in non-same-origin non-TLS situations eventually, but there's not much more they can do by default.
> Browsers have gradually stripped it down to just the origin
The big caveat is that the new browser policies will only default to origin if the website didn't specify the header, which means the website owner is still in control of whether it gets shared with the third party.
If you mean the originating website, it could send its own URL in any header or parameter, so masking its ability to set Referer would be useless without also some complex supporting feature like ITP / Privacy Budget.
Command-Shift-A takes you to the extensions configuration page. Other than that, some extensions have a button which you can add to the menu by using Firefox’s menu configuration tool.
One thing I do is re-enable the searchbar and then disable the "everything you type in the URL bar is sent to Google" option.
However, recent Firefox has this annoying feature where if you type in the search box on the main page it redirects your typing into the URL bar instead of the search box, making it then fail because a search is not a URL.
Every now and then I catch myself doing some odd: On a new os installation, using firefox to download librewolf and ms-edge. Many moons ago it would have been using IE to download firefox. What's happened here!
-- about:profiles is actually a useful way to manage multiple logins. I used to have one set of accounts in ff, another in chrome. But now I just have multiple windows open in different profiles (and themes to distinguish) each with different login states.
> about:profiles is actually a useful way to manage multiple logins. I used to have one set of accounts in ff, another in chrome. But now I just have multiple windows open in different profiles (and themes to distinguish) each with different login state
Note that if you spend a lot of money online, extensions like Honey or Capital One Shopping won't work as they often use a url parameter for tracking affiliates and thus giving out cash back.
291 comments
[ 4.4 ms ] story [ 312 ms ] threadhttps://wiki.mozilla.org/Add-ons/Extension_Signing#Unbranded... - the linked 97.0.1 is still exploitable with the xslt bug so you have to dig into the build system at,
https://treeherder.mozilla.org/#/jobs?repo=mozilla-release&s...
And no, running the unstable developer builds is not an option. The dev line goes back to "alpha"/aurora in the old times and it still plays that role. It crashes in my experience on weird setups.
Depending on you OS, it may be easier to eg. use an apt repo if you are running a Debian derivative.
“Security” isn’t even the word I’d use for what extension signing seems to do. After all, full-out malware — the illegal stuff — can replace firefox.exe with their own.
What it really seems to be intended to protect against is legal-but-scummy applications like Oracle Java that installed random toolbars and add-ons that almost nobody wants. They can legally install an add-on, but patching Firefox itself would be a clear-cut trademark violation, so they won’t do that. Since the Java installer ran with the same permissions that a regular user runs as, they can’t really stop that thing without stopping you.
The phrase I’d use to describe this is brand protection, not security.
https://librewolf.net/
Unlike many Firefox forks, it tracks modern Firefox. I believe they run a similar set of tweaks to Tor browser, just without the Tor. This is quite nice. It’s autoplay blocking has actual teeth: I’m delighted when YouTube’s annoying autoplay-next-video is foiled by it.
Since it is smaller and from a less well-known group of developers, I can totally understand this being untenable. But the added risk is worth it for me, because while it isn’t perfect, it feels like I have gotten a little slice of control back with it.
YouTube has this built-in nowadays. The button is at the bottom of the player, on the right hand side, on the left of the subtitles/captions button.
Though I have that in vanilla Firefox and it works fine for me on YouTube.
Makes me wonder what the web would be like if browsers were never subject to this conflict of interest in the first place and always prioritized keeping the user in control.
This is how it should work. It only doesn’t because autoplay is great for metrics and it’s nice for their metrics that all major browsers allow YouTube to autoplay.
So if you’re, say, opening a video in incognito because you want to watch a single video without that channel being recommended for the next 6 months, that little autoplay button is always toggling itself back on.
https://github.com/dessant/youtube-autoplay#readme
And now my best firefox fix is to use librewolf[2] instead of waterfox instead of firefox.
I had enough of mozilla treating me and my business like sh*t when the silently dropped alsa support on a ESR release and justifying by saying linux distro package maintainer should have not disabled our surveillance and tracking and no one wants to work on ALSA as it is a mess, turns mozilla code was a mess and in a matter of days someone came up volunteering to do the works they refused to, but then they switched their stance to say it's too late they're not going back to alsa just deal with it.
So I dealt with it by switching to waterfox which supported alsa with no plan of stopping and allowed firefox extensions to keep working.
When will mozilla stop hurting its own product by trying to make it the same as google's browser and mistreating their user base and supporters ?
[1]: https://www.waterfox.net/ [2]: https://librewolf.net/
I find the experience way better than vanilla youtube in a browser. It allows to remove all youtube annonyances (autoplay, comments, suggestions, ads, in video ads, and more) and tweak a number of things.
Only a couple downside for me, the playlist support is a bit shaky and once in while a video will fail to load or start and requires closing and reopening the window.
[1]: https://freetubeapp.io/
uBO pre installed, telemetry turned off, etc are all great steps, but the lack of DRM, for example, makes it a deal breaker for me. Brave, despite their shady practices with their own ads and cryptocurrency, is at the sweetspot balance between privacy and functionality.
I find the time it takes to fine tune my Firefox worth the work, but Librewolf looks like a project I would gladly trust with good privacy defaults.
One thing I've found, is that even if you enable DRM, librewolf sometimes still fails on Netflix. Just the other day I got redirected to a help page about Microsoft silverlight when trying to play a movie, had to fallback to Firefox.
- media.autoplay.default = 5
- media.autoplay.blocking_policy = 2
Is there an equivalent extension for Chrome that you know of?
Probably only a problem for people with lots of tabs.
I've been considering https://github.com/sienori/Tab-Session-Manager, not sure if folks have tried that and would/would not recommend.
As for password manager, I'm happy with Bitwarden. I came across https://github.com/dani-garcia/vaultwarden recently, but I'm not currently self-hosting.
And instead of the bad UX about:config page, every tweak is in a configuration text file and you can easily override them.
1. http://kb.mozillazine.org/User.js_file
2. https://github.com/pyllyukko/user.js/
- I use the dark theme. However, that makes lots of pages use dark theme as well, so I've changed layout.css.prefers-color-scheme.content-override in about:config to not follow my theme, but my OS settings. (So I can have dark themed web pages during evening, but not all the time)
- And I use containers a lot. Very well integrated with Sidebery I feel.
-- Disable accessibility services https://www.ghacks.net/2021/08/25/firefox-tip-turn-off-acces...
-- Enable webrender all https://www.ghacks.net/2020/12/14/how-to-find-out-if-webrend...
-- Disable Pocket https://support.mozilla.org/en-US/kb/disable-or-re-enable-po...
-- Add Ublock Origin https://addons.mozilla.org/en-US/firefox/addon/ublock-origin...
-- Disable Telemetry https://www.howtogeek.com/557929/how-to-see-and-disable-the-...
Do you know if this includes all of the bells and whistles for webrenderer? I still see many webrenderer releated about:config options with false
I hate to say it but the best vertical tab implementation I've seen is in Edge. Easily toggle-able between horizontal/vertical tabs, there's a way to collapse it to just favicons, you can use collections to group tabs together (like in Chrome). It's honestly one of the features that keeps me coming back to Edge, privacy be damned.
I think the only feature I really miss from Firefox is container tabs.
For many users this is TST's main benefit.
The Telemetry stuff is insanely invasive and really needs to all have one _system_ level toggle for it rather than the like _twenty_ different flags and settings (even with the 5 dupes from the article's dump cleaned up)...
toolkit.telemetry.enabled = false
Should disable everything under
toolkit.telemetry.*
Furthermore I would expect the UI flag to disable telemetry to overrule all other settings and globally disable telemetry
toolkit.telemetry.enabled and toolkit.telemetry.unified have a complex relationship.
In a couple min of searching it looked unlikely that I'd find any current documentation about these flags, the bhrPing and hybridContent are probably remains, but were still present in my existing profiles. There are some additional prioping entries under the telemetry module which are associated with Nightly / dev builds.I wish there was more focus from Mozilla on continuously improving (or atleast keeping stable) Firefox performance, instead of these cycles of degradation, 1 great release to fix issues, and then a few years of ignoring perf again. ;(
If you experience a performance problem, you can use the Firefox profiler to record a performance profile and share it in a Bugzilla bug report. Having a profile makes a performance bug much easier to diagnose and hopefully fix.
The profiler is easy to use: it's just a toolbar button to start/stop recording. Here are the instructions for enabling it:
https://profiler.firefox.com/
1. Hide the unnecessarily huge sidebar header (allowing addons to show their own arbitrary fully custom sidebars separate from the official sidebar system could also work)
2. Hide the default tab bar
I currently run a vertical tab setup with Sidebery that looks great with custom userchrome, but the release that kills userchrome will make it too much of a mess to bother with a redundant tab bar and ugly space stealing sidebar header.
Additionally, an “adaptive” theme that pulls colors from the OS like Sublime Text’s adaptive theme does would be greatly welcome. While it’s nice that Firefox comes with a dark theme (and that there are plenty of third party dark themes), it’s irritating that it’s always a different shade than the rest of the OS — both the background colors (which change dynamically with wallpaper-adaptive appearance enabled) and accent colors (which is user specified on both macOS and Windows and soon on Linux with GNOME too).
I’m sure it’ll make waves and be all over the front page of HN when the date is decided upon.
I highly doubt Firefox would ever drop support for userChrome. The themes aren't nearly as powerful and low level. The about:config toggles works as a footgun protection. I have yet to see any technical reason for them to drop support.
That said, Firefox has dropped support for small yet useful features for no apparent reason, so there is a non-zero chance of them dropping support for userChrome customizations.
Even with telemetry off, all kinds of information about my browsing behavior from the myriad connections it makes upon start and exit can be gleaned. Certificate chain updates, etc can be delayed until a secure connection is requested by me.
The amount of unsolicited and virtually uncontrollable network traffic from macOS, Microsoft Office, Adobe Creative Suite, etc is bad enough, I expect more from Mozilla that never stops marketing its privacy features.
I believe I have the right to control when and for what purpose the computer and software that I own communicates with third parties.
In combination with tabs defaulting to unloaded in a new instance of the browser, this adds some control over memory consumption and network activity.
The thing with right to control, though, is that someone, somehow has to develop a browser and make ends meet.
No, but seriously, Mozilla — I'll pay you real dollars for this.
they fired a ton of engineering talent working on exciting tech (servo) to chase some bundled vpn rebrand. what a misguided move, like most everything they've done in non-engineering space. sad.
before, i would have donated hundreds or more if there was a way to pay directly for firefox and thunderbird. but not anymore.
at least the CEO's salary keeps going up: https://news.ycombinator.com/item?id=24563698
Unfortunately, there's no such option for Firefox.
(Cue complaints about it not being the right way to fund Firefox, because it’s not a pure donation. Before you go down that road, tell me: what evidence do you have that pure donations would get enough transactions to be worth the overhead? Have they ever worked at scale for any other software?)
I pay for lots of software I use, and do so happily if it delivers value — it would be extremely easy for me to justify paying for what's probably one of the apps I use the most. Why can't we pay for good browsers, that put the focus squarely on being the best tool to access the www? Why can't that money be used to hire back some of the talent Mozilla has been letting go? I say it elsewhere in this thread — Mozilla should let us pay for the bloody thing.
Make it open source, but have the official download for builds (and source code?[0]) be payed. Bonus points if the download bundle includes source code and a simplified build process.
[0] obviously it'll be mirrored in 2 seconds, but still.
Might as well just ask for donations.
I’m not sure what in my brain says “Telemetry? Absolutely not”, but that’s how it is for me (and why I don’t use the Developer Edition).
However, I respect the “Telemetry? Absolutely not” stance and can only hope and pray that Firefox PMs use telemetry as only ONE among a whole host of other signals to support decision-making.
The rest, outside of core, seem to write code as you mention. Product additions which most always give zero real value, no income, and even detract from the brand.
No, you can't maintain an entire modern browser (25 million lines of code) with 6 people.
You probably can't even maintain a complete multi-architecture, JIT-enabled Javascript engine with 6 people. Or GPU-accelerated rendering that works across thousands of hardware / software combinations. Much less that plus all the other things a browser has to do.
See the sections "How will my donation be used?" and "Don’t Mozilla products, like Firefox, earn income?" here: https://donate.mozilla.org/en-US/faq/#item_8
How do you propose notifications for new YouTube videos or tweets to work then?
Do yt, twitter really have to live in the browser?
I also find it very strange that so many people here disable telemetry. Really weakens complaints about removed features, if you're disabling the primary way that shows you're using it.
What's happening under the surface is that the project has reached the maximum complexity it ever can, after which it collapses being unable to maintain even low-maintanance features, let alone add new ones. Complexity unlike funding is fundamental, and just throwing money at it will not halt the process. Seeing rude obstructionist PR types showing up on bugzilla was the first outward facing symptom there was a cultural problem driven by an underlying material problem. An insider could probably tell you an even earlier warning sign.
As the project collapses it will grow tumors (eg Pocket). Totally random pieces of junk code which don't coherently belong to the base project. In the terminal stage it loses its ability to even remove features, or bolt on tumors. Tweaking the logo, churning the UI, and redesigning the website are the only actions the zombie project is physically able to take. So that's what it does.
If they do then it always was just a question of time for them to be found out, as just adding a webrtc session to the website makes their ip transparent again. Same with unique dns queries etc
"Reductio ad absurdum"
https://en.m.wikipedia.org/wiki/Reductio_ad_absurdum
Or "Logical Extreme"
https://en.m.wikipedia.org/wiki/Logical_extreme
On the one hand, stretching consequences is bad. On the other hand, thinking about a "one in a million" consequence isn't stretching when something affects a million people.
Maybe that example is closer to "one in a billion" or higher? We can hope so.
IMHO, such comments are so tired, poisonous, and add so little that if I were king of HN, I would ban them. They may be hard to define, but 'no hyperole' is a start.
That is quite the hyperbole and under your own rules you would be banned.
There is no limit to what can disgusting thoughts could be posited in a hypothetical.
I agree that the underlying problem is that extensions were disabled without user notification. The correct behaviour is simple enough: if any extension gets disabled for ANY reason other than manually by the user, the browser should lock out ALL network connections until the user has acknowledged this change of state. Someone should submit this to bugzilla as a high priority fix, if it hasn't already been done.
Not gonna happen. These days Mozilla doesn't even pretend to give a damn about user control. "We know better than you" has been the watchword for a while now.
Not gonna happen? If you refuse to partake in the most minimal of engagement with the process, don't complain if you don't like the outcome.
What's your criteria for things that actually matter? For example, as an adblocking, scriptblocking person, whether or not a company tracks me has no impact on my life whatsoever. What does have an impact on my life is my web browser being half-crippled and my mobile browser being a pile of half-working shit that soft-locks if I open it too quickly after closing it.
How should auto-updater work then?
Users should and regular people should:
* not smoke
* not drink
* eat healthy food in moderate amounts
* ...
"Should" almost never works, especially at scale.
And now every language ecosystem has one or more package managers for development libs - pip, conda, cargo, npm, opam, dub, etc. - and then optional package managers like choco, homebrew, and probably some others I missed. It’s a huge mess. So instead we throw up our hands and just bundle everything we need in a container and duplicate the _whole distro_ because the “package” ecosystem is such a disaster.
The sane way to handle software installs and uninstalls would have been cp/rm.
Every one of these uses different flags too, so for someone who uses a number of different distros it’s a huge pain to remember them and switch back and forth.
FreeBSD at least uses the eminently sensible “pkg” command with flags like “search” and “add.”
You don't own Firefox. You have a license to use it. Background network traffic is not a big deal. Ignoring downloading important updates the bandwidth the requests use is not significant. In such a large and complex piece of software as a web browser I do not understand why traffic should be associated with UI interactions. How is the browser supposed to show a notification when someone tweets? Would you prefer to hit a "Check for Notifications" button or would you prefer to just get a notification. The latter option has a million times better UX.
I would a love a button for every action. Particularly for things like check for notifications. The current problem is that someone else believes they know what a better UX is, any by better they mean better for the company for whatever reason.
I have not run any network traffic audit so I cannot verify it really does not attempt to reach for something outside localhost.
[1] http://web.archive.org/web/20210530092017/https://developer.... (I have a super murky memory it might be me who added it there, but today I had to find SU answer mentioning it [2] to even try that) [2] https://superuser.com/questions/1691419/how-to-start-firefox...
(Update) And one more thing: when using Profile Manager there is a nifty "Work offline" checkbox in there. Run
There is also checkbox "Use selected profile without asking" that when unchecked presumably adds to the `<appdata>\Mozilla\Firefox\installs.ini`. I've found this handy to do if you occasionally mess with various Fx versions and want to be sure you will not unintentionally load "nightly" profile with "stable" executable.Theoretically we already have this control. We can edit the Firefox source to disable the undesired traffic before compiling. In practice it takes me more time and resources to compile Firefox than it does to compile the kernel for the host OS (NetBSD). Most Firefox users probably use binaries and do not compile from source.
I would prefer to see a smaller, less featureful additonal version of Firefox that compiles faster and with fewer required resources. For advanced users, this would remove the friction against making source changes and compiling as opposed to using binaries. It would also potentially open up an opportunity for others to create customised versions of Firefox with, e.g., reduced attack surface, less need for "updates" and better suited to avoiding telemetry, and internet advertising-related surveillance.
The actual or effective inability to compile from source places more control with Mozilla and less control with the user. Thus we continually find Firefox users on HN pleading with Mozilla to make changes instead of making the changes themselves.
(Name of setting NEW VALUE original value, description below it)
media.peerconnection.enabled FALSE true
Disables WebRTC, which blabs identifying info
gfx.downloadable_fonts.enabled FALSE true
Disables downloading of fonts in favour of system fonts - no download delay
webgl.disabled TRUE false
Disables WebGL, which blabs identifying info
browser.sessionhistory.max_entries 2 50
Disables tab history to prevent snooping by websites
browser.sessionhistory.max_total_viewers 1 -1
Reduces ram use on lesser machines
fission.autostart TRUE false
Enhances site isolation for security
browser.cache.disk.enable FALSE true
Disables local disk cacheing for speed
layout.css.visited_links_enabled FALSE true
Disables visited links data for privacy
dom.storage.enabled FALSE true
Disables local storage - Warning: breaks some sites!
> Disables tab history to prevent snooping by websites
How does this accomplish that? Websites can't access your browser history.
https://codeberg.org/nobody/LocalCDN/
Some slightly dated discussion about this on Reddit; not much seems to have changed to make LocalCDN compelling: https://www.reddit.com/r/privacytoolsIO/comments/fc05uh/just...
https://addons.mozilla.org/en-US/firefox/addon/referercontro...
The big caveat is that the new browser policies will only default to origin if the website didn't specify the header, which means the website owner is still in control of whether it gets shared with the third party.
1) Why are the extension settings intentionally buried? Takes 4 clicks to get to them.
2) I wish I can right click the extension icon and temporarily disable without laboriously going into the settings to do that.
However, recent Firefox has this annoying feature where if you type in the search box on the main page it redirects your typing into the URL bar instead of the search box, making it then fail because a search is not a URL.
firefox --screenshot ~/s.jpg https://example.com
Used to work nicely in older versions.
-- about:profiles is actually a useful way to manage multiple logins. I used to have one set of accounts in ff, another in chrome. But now I just have multiple windows open in different profiles (and themes to distinguish) each with different login states.
You could also use firefox containers: https://addons.mozilla.org/en-US/firefox/addon/multi-account...
[1] https://addons.mozilla.org/en-CA/firefox/addon/clearurls/
https://github.com/gorhill/uBlock/wiki/Static-filter-syntax#...
[1] https://www.reddit.com/r/uBlockOrigin/comments/rttrbp/no_lon...