Proposal: Add a systemwide policy for Firefox to disable antifeatures and improve security and browsing experience

The Firefox experience has been subpar for a long time. Users are greeted with

  • advertising
  • sponsored links
  • search engines with embedded tracking parameters
  • data shared with third parties for arbitrary purposes
  • no adblocker by default and often not even “recommended”
  • Pocket, a proprietary service collecting a lot of data
  • studies, doing A/B tests on your local machine without consent
  • “privacy preserving attribution” as if ads were the solution for a sustainable internet

policy file

I propose to not only change some build parameters, but add a systemwide policy file that disables antifeatures and makes Firefox a browser that people can use without worries.

Users would add this in /etc/firefox/policies/policies.json, distros would install it somewhere in /usr/lib

policy.json
{
    "policies": {
        "Extensions": {
            "Install": [
                "https://addons.mozilla.org/firefox/downloads/latest/ublock-origin/latest.xpi"
            ]
        },
        "SearchEngines": {
            "Remove": [
                "DuckDuckGo",
                "Google",
                "Bing",
                "Ecosia"
            ],
            "Add": [
                {
                    "Name": "DuckDuckGo",
                    "URLTemplate": "https://duckduckgo.com/?q={searchTerms}",
                    "Method": "GET",
                    "IconURL": "https://duckduckgo.com/favicon.ico",
                    "Alias": "ddg"
                }
            ],
            "Default": "DuckDuckGo"
        },
        "ExtensionSettings": {
            "google@search.mozilla.org": {
                "installation_mode": "blocked"
            },
            "bing@search.mozilla.org": {
                "installation_mode": "blocked"
            },
            "ecosia@search.mozilla.org": {
                "installation_mode": "blocked"
            },
            "amazondotcom@search.mozilla.org": {
                "installation_mode": "blocked"
            },
            "youtube@search.mozilla.org": {
                "installation_mode": "blocked"
            },
            "yahoo@search.mozilla.org": {
                "installation_mode": "blocked"
            },
            "startpage@search.mozilla.org": {
                "installation_mode": "blocked"
            },
            "ebay@search.mozilla.org": {
                "installation_mode": "blocked"
            }
        },
        "SearchSuggestEnabled": false,
        "DisablePocket": true,
        "DisableFirefoxStudies": true,
        "DisableFormHistory": true,
        "DisableTelemetry": true,
        "EnableTrackingProtection": {
            "Value": true,
            "Cryptomining": true,
            "Fingerprinting": true,
            "EmailTracking": true,
            "Exceptions": [
                "https://netflix.com"
            ]
        },
        "FirefoxHome": {
            "Search": true,
            "TopSites": false,
            "SponsoredTopSites": false,
            "Highlights": false,
            "Pocket": false,
            "SponsoredPocket": false,
            "Snippets": false,
            "Locked": true
        },
        "FirefoxSuggest": {
            "WebSuggestions": false,
            "SponsoredSuggestions": false,
            "ImproveSuggest": false,
            "Locked": true
        },
        "HttpsOnlyMode": "force_enabled",
        "LegacySameSiteCookieBehaviorEnabled": false,
        "LegacySameSiteCookieBehaviorEnabledForDomainList": [
            "example.org","192.168.*", "localhost"
        ],
        "NetworkPrediction": false,
        "NewTabPage": false,
        "PopupBlocking": {
            "Allow": [
                "http://example.org/"
            ],
            "Default": true,
            "Locked": true
        },
        "PostQuantumKeyAgreementEnabled": true,
        "UserMessaging": {
            "ExtensionRecommendations": false,
            "UrlbarInterventions": false,
            "MoreFromMozilla": false,
            "FirefoxLabs": true
        },
        "SSLVersionMin": "tls1.2"
    }
}

Note that disabling pocket is only possible in ESR for arbitrary reasons. I am not sure why, and the docs are not really helpful.

It is also not possible to remove search engines like that, the methods above don’t seem to work. Note that the default search engines contain tracking parameters and should be replaced with vanilla ones.

prefs.js

I saw Fedora uses a systemwide prefs.js for presets, which is interesting. Many things can be changed there, maybe search engines too.

Here we would just follow arkenfox user.js and set the essentials, as breaking user experience is not a goal

Search engine issues

https://www.google.com/search?client=firefox-b-d&channel=entpr&q=helloworld&sei=O37FZ-T2BPztkdUP-fiS8AQ

https://www.ecosia.org/search?tt=mzl&q=helloworld

https://www.bing.com/search?pc=MOZI&form=MOZLBR&q=helloworld

https://duckduckgo.com/?t=ffab&q=helloworld

https://de.wikipedia.org/wiki/Spezial:Suche?search=helloworld&sourceid=Mozilla-search&ns0=1

normandy

This component allows Mozilla to add or remove extensions from computers remotely, which is something pretty critical. It is part of “Firefox Studies”

While the Tor Project disabled it during build, it is simpler to disable it in the preset prefs.js.


If this needs patches it would be unfortunate but a privacy improvement for users.



6 Likes
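
Added example, not part of the original post and not Firefox or Fedora code: it takes the five search URLs listed under "Search engine issues", reports which query parameters ride along with the search term, and derives vanilla `URLTemplate` values in the shape of the `SearchEngines.Add` entry from the policy above. It assumes the only parameter an engine needs is the one carrying the search term; the engine name "Wikipedia (de)" is chosen here for illustration.

```python
import json
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# The five default-engine URLs quoted in the post, all searching for "helloworld".
OBSERVED = {
    "Google": "https://www.google.com/search?client=firefox-b-d&channel=entpr&q=helloworld&sei=O37FZ-T2BPztkdUP-fiS8AQ",
    "Ecosia": "https://www.ecosia.org/search?tt=mzl&q=helloworld",
    "Bing": "https://www.bing.com/search?pc=MOZI&form=MOZLBR&q=helloworld",
    "DuckDuckGo": "https://duckduckgo.com/?t=ffab&q=helloworld",
    # Name below is an assumption made for this example.
    "Wikipedia (de)": "https://de.wikipedia.org/wiki/Spezial:Suche?search=helloworld&sourceid=Mozilla-search&ns0=1",
}
PROBE = "helloworld"


def vanilla_template(url, probe=PROBE):
    """Return (template, dropped): the URL reduced to its search-term
    parameter, and the names of every other query parameter it carried."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    term_keys = [k for k, v in pairs if v == probe]
    if len(term_keys) != 1:
        raise ValueError(f"cannot identify the search parameter in {url!r}")
    dropped = [k for k, v in pairs if v != probe]
    # Built by hand so the braces of {searchTerms} are not percent-encoded.
    query = f"{term_keys[0]}={{searchTerms}}"
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, "")), dropped


def policy_entries(observed=OBSERVED):
    """Build SearchEngines.Add entries in the shape used in the post's policy."""
    entries = []
    for name, url in observed.items():
        template, _ = vanilla_template(url)
        entries.append({"Name": name, "URLTemplate": template, "Method": "GET"})
    return entries


if __name__ == "__main__":
    for name, url in OBSERVED.items():
        template, dropped = vanilla_template(url)
        print(f"{name}: drops {dropped} -> {template}")
    print(json.dumps({"policies": {"SearchEngines": {"Add": policy_entries()}}}, indent=2))
```

The DuckDuckGo result is identical to the `URLTemplate` already present in the post's policy; the other four show what the equivalent entries would look like.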

Note that Fedora already provides certain customization:
Tree - rpms/firefox - src.fedoraproject.org

It would be optimal to stick to one provisioning method and consolidate the settings.

In addition, packages should avoid writing configs under /etc since this goes against the paradigm of incremental provisioning for local customization and creates unnecessary work for merging configs on upgrade.

2 Likes

Thanks, yes the system installed directory would be a different one.

Interesting, default prefs! Yes in that case it could be added there and would behave the same but without locks I suppose, so the UX impact of not being able to change some settings would be gone.

prefs.js also has some more abilities but not all afaik, like preinstalling extensions

1 Like

I agree with pretty much all of your ideas about a better Firefox experience - bar one.
I do use uBlock Origin, it is seriously great.
But I do not think any extensions should be installed by default. Sometimes extensions are bought or sold, sometimes they get malware added. Extra trust is placed in an extension.
Some people also see ads as a feature. (Oh well!).

I’ve gone to about:config and false’d extensions.pocket.enabled for a while now to get rid of the icon on release Firefox Win/Linux/FreeBSD. I haven’t checked if it actually disabled Pocket though :stuck_out_tongue: (don’t see why it wouldn’t with the icon gone and setting name)

1 Like

I would also recommend changing app.normandy.enabled to false. Normandy is a silent remote execution component that allows Mozilla to add and remove addons in Firefox without user permission or notification. It also allows remote studies and settings/preference changes without user notification.

2 Likes

Wait what? You can install extensions through RPM packages? Why would you do that?

* disabling pocket through that policy. It could be just added to the fedora prefs.js

1 Like

So this gets a little complicated. Since Normandy allows Mozilla to queue up commands to silently add/remove addons from all copies of Firefox in existence on startup, there are some concerns that this might be abused if anyone ever compromised the Mozilla Normandy servers. It would allow an attacker to force-uninstall your favorite ad-blocker, and then force install a hostile malware addon that reports all URLs you visit to a tracking server. It’s not clear if a hostile addon has full access to stored username/passwords. There is some hope that addons installed via RPM, which are owned by root, would not be so easy to uninstall remotely. Admittedly, RPM-based Firefox addons don’t provide any protection against silent forced installs of malware addons being distributed via a (theoretical) compromise in the Mozilla Normandy servers.

2 Likes

What an interesting idea.
So I uninstalled my extension uBlock, closed Firefox. Installed via RPM

sudo dnf install mozilla-ublock-origin

Restarted Firefox - the extension was not there, so rebooted computer and wow there it is, uBlock via RPM.

Getting back to the original proposal, I would be a definite “no” on any sort of third-party paid advertising or sponsored links. I would support a reasonable exception for donation links and FOSS projects. But third-party for-profit advertising is a no-go, it can get patched out at build time, since Open Source licenses give us the freedom to do this. Studies and A/B testing should be opt-in only, since they can make troubleshooting issues very difficult with preferences/settings changing with user knowledge or permission.

2 Likes

I would use a systemwide policy. Works the same but does not rely on packaging


So we disable ads, normandy, telemetry in the prefs?

1 Like

I don’t support most of these proposed changes. The distribution should not interfere to this degree with how a 3rd party application ships. If we prefer a different browser to be included as the default browser we can support that, but we shouldn’t cripple the existing browser just because our preferences differ from their defaults.

To address a few of the mentioned points:

  • advertising + sponsored links

In its current form Firefox needs this kind of funding to keep operating. It’s easy to disable manually if wanted. Blocking it upfront will make Firefox an unsustainable project.

  • search engines with embedded tracking parameters

Setting DuckDuckGo as the default does not solve this problem. In the end DDG are also a company and we just don’t know what they do with our data. Also their search is largely based on Bing’s. Apart from that Firefox is heavily dependent on Google’s funding to keep operating.

  • no adblocker by default and often not even “recommended”

Adding a default adblocker interferes with the notion of a free web. It’s not up to the distro/plugin to decide by default which information people should be allowed to see. If you want an adblocker, it is easy to install.

  • pocket, a proprietary service collecting a lot of data

This does not interfere with the user if not used.

  • studies, doing A/B tests on your local machine without consent

This is not an invasion of privacy. If you don’t like it, disable it.

2 Likes

Yes you absolutely have a point. But Firefox is still FOSS, and with this argumentation you morally put the implications of a company over the implications of all the users.

Firefox is not a good browser by default. It is a data kraken and by shipping it as is, we may keep Mozilla’s weird business model alive, but all the users suffer from it.

I don’t see a clear moral implication that tells us we should put Mozilla’s interests above the users. Because no, nearly nobody changes their browser configs. Only 50% even install a single addon.

As said, they don’t make the RPM, this is free work of a distribution, they are not the vendor. They have their Flathub Flatpak (which is insecure but lol they don’t care) if they want a browser with their standards.

Yes because the way they chose to get their money is shady. There is no way to donate to firefox. You can donate to the Mozilla foundation to pay whoever does whatever, but not the browser itself.

If they need money, they should stop this “around 5 corners” thing of getting it. Let people pay money and stop the surveillance capitalism, that may give them money, but with a ton of middle-men, data collection and environmental impact.

Yes it does because the manually set engines don’t have the tracking parameters. We could configure way more too, for images, translators, wikipedia etc.

Lol I am sorry but that is a very weird phrasing. As if paid ads would be something objectively neutral for users.

But we can discuss about what distros should do.

Oh btw Fedora ships Chromium which falls under the same category

I have to check on that, not sure

@doug1 explained above why normandy is very critical

1 Like

I will use Firefox with or without the changes. Only Chrom(ium) stands up against it in terms of usability.

You should set this thread to slow mode in preparation … :slight_smile: :slight_smile: :slight_smile:

I think a wiki, webpage with Firefox changes would be great, wherever it is.

1 Like

is normandy even still used?

Isn’t that called “nimbus” now?

I have trouble finding a clear config to disable nimbus, while normandy is clear

That is not the intention behind my standpoint.

I regard Fedora as a distribution that ships software as vanilla as possible, using the defaults as the upstream developers intend them to be used. If this does not unnecessarily infringe on the rights or security of end-users, which I don’t feel has been convincingly made the case here, there should be no reason to modify the upstream defaults just for preference.

I personally have no problem with any of the sponsored links, search engines, studies or telemetry. If it helps them make a better browser, great. I can understand if other people don’t like these things enabled in their browser, so it’s good they have the option to disable all of them.

The reality is that Mozilla is already on its hind feet, it’s fighting an uphill battle. Anything that we do to further compromise their position may result in them having to leave the browser space altogether. Their current funding and development approach may be lacking or in some of our eyes wrong, but it’s the reality that needs to be faced.

Of course if anyone decides to fork Firefox, take full responsibility of further development and doesn’t require the same approach to funding, that would be great. I would very much support a project like that, even with donations. I am not really confident however that any party is currently up to that task. Developing a modern browser is very hard, and monetizing it as well.

I second this. I even use it on my work laptop (windows) and it makes slacking off far better without the ads :grin:

I agree with this because of the OBS Studio Flatpak ordeal.


Meh, I’m kind of convinced the privacy settings people want can be changed by that user. It’s your computer, your Fedora install, your Firefox profile. Firefox by itself vanilla works well, and tossing on uBlock Origin is a popular quick solution for most things.

I’d rather people be encouraged to look for settings to change. For years all I changed was extensions.pocket.enabled and media.ffmpeg.vaapi.enabled, but had other stuff toggled in GUI settings and respected on re-syncs. I looked at Arch Wiki’s Firefox pages for settings and changed what looked fun to mess with for a bit :stuck_out_tongue:

It’s similar to those mega-script Windows privacy-enhancer things. Yeah, ain’t nobody validating 10K lines of text before running it to “protect themselves from Microsoft”. But people want privacy? Why not look for what you want specifically? Find the setting, test it, share it with others, and help create a list of settings for everyone.


Also, does this proposal help anyone business-wise? It doesn’t sound in Fedora’s best-interest to limit telemetry by others, and would probably brew bad-blood in some communities with Red Hat and IBM vs Mozilla.

If I had an app, set what I thought was balanced telemetry, and had some other group of people re-package my stuff and alter/remove that telemetry, I likely wouldn’t be happy.

1 Like

Mostly yes, apart from pocket, pinned Google in the search (not the search engine) and some more