Firefox - hpaluch/hpaluch.github.io GitHub Wiki
Firefox
My notes regarding Firefox browser.
How to enable scrollbars and arrows
New Firefox follows the painful trend of hiding scrollbars, and even when they appear there are no arrow buttons, which is really bad when the mouse wheel does not work...
To correct this (at least on Linux) you have to:
- enter about:config in the address bar
- to always show scrollbars, search for layout.testing.overlay-scrollbars.always-visible and set it to true (from: https://superuser.com/questions/1720362/firefox-scroll-bar-disappearing)
- to enable arrow buttons, search for widget.non-native-theme.gtk.scrollbar.allow-buttons and set it to true (from: https://forums.linuxmint.com/viewtopic.php?t=330849)
- restart Firefox
Please note that in my case it does not help to set System Settings -> Appearance -> Show scroll bars in Firefox Settings.
Logging DNS requests
Firefox is surprisingly active even before you start browsing. To get at least some clue about what is happening, I adapted the Windows approach from https://superuser.com/questions/1104255/is-it-possible-to-see-the-dns-resolving-query-in-firefox-developer-tools to Linux, using the lowest possible level of logging.
Here is my script ~/bin/firefox-logging-dns.sh
#!/bin/bash
set -xeuo pipefail
NSPR_LOG_FILE=$HOME/tmp/firefox-dns-`date '+%s'`.log \
NSPR_LOG_MODULES=timestamp,nsHostResolver:1 \
/usr/bin/firefox "$@"
exit 0
When you run it, list log files sorted by date using ls -lrt ~/tmp/
Then I simply filter log like this:
tail -f ~/tmp/firefox-dns-XXXXXXXX.log.moz_log | fgrep 'Calling getaddrinfo for host'
And watch it - for example when you visit some simple web page...
- here is an example from when I visit https://gitlab.com
awk '/Calling getaddrinfo for host/{print $NF}' xxxxxxx.log | tr -d '][' | sed 's/\.$//'
gitlab.com
about.gitlab.com
cdn.cookielaw.org
geolocation.onetrust.com
cdn.bizible.com
munchkin.marketo.net
extend.vimeocdn.com
images.ctfassets.net
player.vimeo.com
capture.navattic.com
fresnel.vimeocdn.com
i.vimeocdn.com
f.vimeocdn.com
ocsp.pki.goog
www.googletagmanager.com
s.swiftypecdn.com
capture.navattic.com
epsilon.6sense.com
ocsp.r2m03.amazontrust.com
- please note that there is no guarantee that all DNS requests are shown; treat the list as an estimate.
Privacy lapses
On GNOME-based Linux, Firefox happily uses the system geoclue service to know your location.
Additional privacy concerns are from Gentoo:
Normandy:
- it allows Mozilla to change your settings or even install extensions remotely on your computer(!!!) See https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1827717
- workaround: in about:config search for app.normandy.enabled and ensure that it is false
DNS test
NOTE: you have to disable DoH (DNS over https) and other techniques to see DNS requests from Firefox
Here is what I get when running tcpdump -n port 53 and running firefox-esr=115.11.0esr-1~deb12u1 on fresh Debian 12 with XFCE4:
detectportal.firefox.com
- it should be possible to deactivate it, see: https://support.mozilla.org/en-US/questions/1157121
  - about:config -> network.captive-portal-service.enabled, switch to false
  - js preferences -> user_pref("network.captive-portal-service.enabled", false);
contile.services.mozilla.com
- unable to find - maybe browser.topsites.contile.enabled may control it...
firefox.settings.services.mozilla.com
- this should control it: signon.management.page.breach-alerts.enabled
- but it still accesses it...
push.services.mozilla.com
- some notes are here: https://support.mozilla.org/en-US/questions/1261510
Summary. I appended the following settings to my /etc/firefox-esr/firefox-esr.js:
// disable detectportal.firefox.com
// https://support.mozilla.org/en-US/questions/1157121
pref("network.captive-portal-service.enabled", false);
// disable contile.services.mozilla.com
pref("browser.topsites.contile.enabled", false);
// disable firefox.settings.services.mozilla.com
// IT STILL DOES NOT STOP FIREFOX FROM ACCESSING settings.services!
pref("signon.management.page.breach-alerts.enabled", false);
// disable push.services.mozilla.com
// https://support.mozilla.org/en-US/questions/1261510
pref("dom.push.enabled", false);
pref("dom.push.connection.enabled", false);
pref("dom.push.serverURL", "");
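To check whether the prefs above actually stop the background lookups, the following added example (not part of the original notes) summarizes a log written by firefox-logging-dns.sh and lists which of the four service hosts from the DNS test are still resolved. The sample log lines are constructed, and the line layout (host as the last field, in the form [name].) is an assumption based on the awk pipeline shown earlier.

```bash
#!/bin/bash
# Added example: which Mozilla background-service hosts still appear in an nsHostResolver log?
set -eu

# Hosts named in the "DNS test" notes above.
SERVICE_HOSTS="detectportal.firefox.com contile.services.mozilla.com
firefox.settings.services.mozilla.com push.services.mozilla.com"

# Constructed sample log lines (assumed layout: host is the last field, as "[name].").
sample_log() {
cat <<'EOF'
2024-05-20 10:00:01.100000 UTC - [Parent 4242: DNS Resolver #1]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [firefox.settings.services.mozilla.com].
2024-05-20 10:00:01.200000 UTC - [Parent 4242: DNS Resolver #2]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [gitlab.com].
2024-05-20 10:00:02.300000 UTC - [Parent 4242: DNS Resolver #1]: D/nsHostResolver DNS lookup thread - Calling getaddrinfo for host [GitLab.com].
2024-05-20 10:00:02.400000 UTC - [Parent 4242: Main Thread]: D/nsHostResolver unrelated line mentioning push.services.mozilla.com
EOF
}

# Print "count host" for every host passed to getaddrinfo; reads files or stdin.
resolved_hosts() {
    awk '/Calling getaddrinfo for host/ {
        h = tolower($NF)
        gsub(/\[/, "", h); gsub(/\]/, "", h)   # drop the brackets
        sub(/\.$/, "", h)                      # drop the trailing dot
        n[h]++
    }
    END { for (h in n) print n[h], h }' "$@" | sort -k2
}

# Print the service hosts found in a "count host" list on stdin; status 1 if any.
still_contacted() {
    sc_seen=$(awk '{print $2}')
    sc_rc=0
    for sc_host in $SERVICE_HOSTS; do
        # Exact whole-line match, so sub-domains and look-alikes do not count.
        if printf '%s\n' "$sc_seen" | grep -Fx -- "$sc_host" >/dev/null; then
            printf '%s\n' "$sc_host"
            sc_rc=1
        fi
    done
    return "$sc_rc"
}

# With no argument the constructed sample is used instead of real log files.
if [ "$#" -gt 0 ]; then hosts=$(resolved_hosts "$@"); else hosts=$(sample_log | resolved_hosts); fi
printf '%s\n' "$hosts"
left=$(printf '%s\n' "$hosts" | still_contacted) || printf 'STILL RESOLVED: %s\n' $left
```

Pass the .moz_log file from ~/tmp/ as the argument after a Firefox session; since the log is not guaranteed to show every DNS request, an empty result is weaker evidence than a hit.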
Using policies
Just by accident I found that some Firefox features can be disabled via policy files, from this video: https://www.youtube.com/watch?v=y9AOuPPrMq4
Some basic information is on:
- https://support.mozilla.org/en-US/kb/customizing-firefox-using-policiesjson
- https://mozilla.github.io/policy-templates/
In your Firefox you can try about:policies in the address bar to see if they are applied and if there are any errors.
More privacy nightmares
Location:
- contacting location.services.mozilla.com right at startup - fix in /etc/firefox/defaults/pref/syspref.js
// disable access to: location.services.mozilla.com
pref("browser.region.network.url", "");
Remote settings:
- evil that is impossible to disable (other than by filtering with a proxy)
- contacts firefox.settings.services.mozilla.com forever
- see https://bugzilla.mozilla.org/show_bug.cgi?id=1598562 and https://bugzilla.mozilla.org/show_bug.cgi?id=1600450
- they are making a humiliating excuse for why it can't be disabled...
- I know of no workaround for this (enabling test mode makes it seriously vulnerable)
Service Workers:
- https://support.mozilla.org/en-US/questions/1242384
- about:debugging#workers
- about:serviceworkers (empty in my case)
Network connection list:
- about:networking#http (and other tabs)
Experiment:
- here is an example that causes a crash when Firefox attempts to make any non-local network connection. Note: we must also disable the creepy error reporting (which is of course enabled by default)
- script ff-force-local-connections.sh
#!/bin/bash
set -xeuo pipefail
MOZ_CRASHREPORTER_DISABLE=1 MOZ_DISABLE_NONLOCAL_CONNECTIONS=1 /usr/bin/firefox "$@"
exit 0
- you should see an immediate crash, in my case with:
FATAL ERROR: Non-local network connections are disabled and a connection attempt to content-signature-2.cdn.mozilla.net (34.160.144.191) was made. You should only access hostnames available via the test networking proxy (if running mochitests) or from a test-specific httpd.js server (if running xpcshell tests). Browser services should be disabled or redirected to a local server.