Questions

[enoryw]

Regarding user.js:

• Can it be assumed that user.js only ever contains bits of Securefox, Fastfox, etc. and won't ever contain any unique settings or values not found from any of these configs? If the intention is to track settings from all those variants for a comprehensive complete user.js, then tracking the Betterfox's user.js itself is not necessary at all since all of settings are set exactly by the rest of the variants? I started off reviewing user.js but it seems like I would be better off copying all of the variants into a clean user.js instead? EDIT: Hmm, looks like user.js does contain unique settings, not sure if mistake: this line is not in Peskyfox.

• Does it make sense to have some duplicate commented out settings like here? Seems like it would be preferable to reduce redundant comments. Also in Securefox, this setting is referenced twice where it is set, but then later commented out because it's a default: user_pref("browser.helperApps.deleteTempFileOnExit", true);.

• Is searchfox a good reliably way to check if settings are deprecated? I paste in browser.newtabpage.activity-stream.feeds.telemetry and there were no results--it's deprecated, right? It'd be nice if there's a way to script parsing a config file to check for deprecated options every time Firefox updates (I don't see them publishing the adding/changing/removal of such options).

• Wouldn't it be better (safer and more predictable) to enforce defaults rather than including them for reference but commented out? I would think there's a risk of Firefox changing defaults.

Questions on some settings:

• It looks like user.js contains only essentials from the other grouped configurations like Securefox. But user.js just disables OCSP and offers no alternatives? As I understand CRLite is preferable to OCSP but it is only configured in Securefox. So is it still correct that disabling OCSP but not necessarily enabling CRLite is still considered essential and enabling CRLite with OCSP disable is only considered further strengthening but not essential?

• user_pref("full-screen-api.warning.timeout", 0) is set but it seems a low but non-zero value is preferable for security reasons, no?

I think what I will do is be as comprehensive as possible with Betterfox and see if there's breakages, then slowly add stuff from Arkenfox where appropriate.

Much appreciated.

[yokoffing]

Can it be assumed that user.js only ever contains bits of Securefox, Fastfox, etc. and won't ever contain any unique settings or values not found from any of these configs?

Correct.

If the intention is to track settings from all those variants for a comprehensive complete user.js, then tracking the Betterfox's user.js itself is not necessary at all since all of settings are set exactly by the rest of the variants? I started off reviewing user.js but it seems like I would be better off copying all of the variants into a clean user.js instead?

If variants = Peskyfox, Securefox, etc., then you could, if you want all the explanations surrounding the prefs. The user.js does not have a lot of explanations because people get overwhelmed easily. As a maintainer, it would make my life easier to have it all in one big file (less errors when editing documents), but I've gotten a lot of positive feedback for keeping things separate.

EDIT: Hmm, looks like user.js does contain unique settings, not sure if mistake: this line is not in Peskyfox.

Fixed in the future 146 release.

Does it make sense to have some duplicate commented out settings like here? Seems like it would be preferable to reduce redundant comments. Also in Securefox, this setting is referenced twice where it is set, but then later commented out because it's a default: user_pref("browser.helperApps.deleteTempFileOnExit", true);.

Fixed in the future 146 release.

Is searchfox a good reliably way to check if settings are deprecated? I paste in browser.newtabpage.activity-stream.feeds.telemetry and there were no results--it's deprecated, right? It'd be nice if there's a way to script parsing a config file to check for deprecated options every time Firefox updates (I don't see them publishing the adding/changing/removal of such options).

Sometimes. But browser.newtabpage.activity-stream.feeds.telemetry is still in the latest version of Firefox.

Wouldn't it be better (safer and more predictable) to enforce defaults rather than including them for reference but commented out? I would think there's a risk of Firefox changing defaults.

This method can have unintended consequences.

It looks like user.js contains only essentials from the other grouped configurations like Securefox. But user.js just disables OCSP and offers no alternatives? As I understand CRLite is preferable to OCSP but it is only configured in Securefox. So is it still correct that disabling OCSP but not necessarily enabling CRLite is still considered essential and enabling CRLite with OCSP disable is only considered further strengthening but not essential?

https://securityonline.info/firefox-switches-to-crlite-ditching-ocsp-for-better-speed-and-privacy/
https://blog.mozilla.org/en/firefox/crlite/
https://letsencrypt.org/2024/12/05/ending-ocsp

user_pref("full-screen-api.warning.timeout", 0) is set but it seems a low but non-zero value is preferable for security reasons, no?

I've never considered this, but it's a fair point.