about:config-uring Firefox 57+ for deployment

by FGM In Firefox
Firefox Quantum
Firefox Quantum. CC BY-SA 3.0 by Mozilla

Mozilla just launched Firefox 57 with the new Quantum-Engine and the new Photon UI. Also, a lot of APIs changed or were deleted. But what does this mean for deploying Firefox in your company?
Well, you’re probably using the Firefox ESR in your company. The new Firefox gets it’s ESR in may 2018 with Firefox 60 ESR (not with version 59 like initially planned) and the 52 ESR end of life will be August 28th 2018.

Since there will be a few versions until 60, a lot of things will change from the current stable 57.0.x. For example, Mozilla just announced a “policy engine” that aims to help deploying Firefox. This is currently in early development state and the wiki is very vague; however they “intend to bring Windows Group Policy support soon”, which should make deployment easier / more comfortable in Windows environments.

However, I took a look at the Firefox 57 to check the changes in Quantum since version 52 ESR.

This article is for giving admins an idea of what changed in Firefox and what is possible, however it doesn’t cover everything you might want to adapt. All changes in Firefox configurations are made on your own risk and may lead to unexpected behavior.
This article is especially made for use with a config file that is well maintained and NOT for building such a config file from the start.

Obvious changes
Showing the new design of Firefox showing the new newtab page with a huge ad by Mozilla to fund money.
Screenshot of the newtab page of Firefox 57

The first thing you will noticed is: The tabs are now angular again. Also, the home button is now on the left side besides the reload button. The reload, back- and forward buttons aren’t fitting seamlessly into the address bar anymore and are separated from the bars with an empty space. This empty space is also on the other side of the address bar, or, if you have it, besides the search bar. This space can be removed manually with the customization tool or via the UserChrome.css. The next thing is the search bar: It doesn’t appears by default in new profiles. Therefore, the old address bar got pimped to an unified bar. Features like one-click buttons for different search providers etc. are now integrated into the address bar. However, the search bar still appears for old profiles, if not deleted before.

A lot of things on the right side beside the address and search bar disappeared. Not really though, as it’s now consolidated in the “library”. This contains bookmarks, pocket, history, downloads, synced tabs and screenshots. The download button will only appear after you’ve downloaded something, the other library options won’t have a dedicated button by default.

Wait, what’s that with the screenshots? Well, Mozilla integrated a handy screenshot function. Our problem: there are two options for saving the screenshots: save locally or upload to the Mozilla cloud. And no, I haven’t found a “disable” switch for the upload function.

The hamburger menu now doesn’t contain buttons and the positions of the options there are currently not customizable.

Besides the mentioned, there are a lot of cosmetical UI changes which aren’t important to us (to me).

What is extremely important for us is the new design for the newtab-page. Actually, design is not the right word. It’s completely new. In older Versions, the page showed only the most used websites with thumbnails. Now it’s a mix of most used websites (“top sites”), suggested news articles from pocket and a mix of your favorites and your history called “activity-stream”.

The good news: a lot of that can be customized. I’ll describe it below.

The new extension system

Besides the obvious changes in Firefox 57, Mozilla launched a new extension system, called WebExtensions. This new system is much safer than the old one, but it also isn’t compatible with old extensions. If you’re using extensions, please test yourself if there are compatible versions available.

The bad news: Flash is still supported by the new browser. The Java extension on the other hand is not supported anymore and will not work. During my tests I also recognized that Ciscos WebEx works with Firefox 57 without problems and other extensions for business software just need an update.

Config Options

The activity stream

The biggest problem with the activity-stream for us is the pocket integration. The suggested news articles brings at least two things: It loads external content without asking and it might distract the users (“Workers should work and not read news articles” – Big Boss vs. “That was an interesting article. Now why did I opened a new tab?” – A User).

Here’s what you can add to your config file to disable the suggesting feature. Don’t forget to adapt the pref to defaultPref oder lockPref if preferred for your usecase.

// Deactivate the “Suggested by Pocket” (Default value: true)
pref(“browser.newtabpage.activity-stream.feeds.section.topstories”, false );

If you don’t trust the switch above, you can neuter the Pocket API for the “topstories” by setting the value to “” or “[]” like below.

// Neuter the Pocket API for the topstories option in the activity stream
pref(“browser.newtabpage.activity-stream.feeds.section.topstories.options”, []);

The activity stream also has some telemetry functions, which can be disabled with

// Disable telemetry for the activity stream
pref(“browser.newtabpage.activity-stream.feeds.telemetry”, false);

If you don’t trust the switch above, you can neuter the telemetry of the activity stream by setting the value to “” or “[]” like below.

// Neuter the telemetry for the activity stream (Default value: https://tiles.services.mozilla.com/v4/links/activity-stream )
pref(“browser.newtabpage.activity-stream.telemetry.ping.endpoint”, []);

You may want to customize the activity stream for your users, you may want to set default top sites. By default, it’s set to things like YouTube, Facebook, Reddit, Amazon and whatever Mozilla set as default for your country. The value can easily be changed with yoururl1,yoururl2,yoururl2 and set with

// Set default sites in the activity stream
pref(“browser.newtabpage.activity-stream.default.sites”,  https://intranet.mycompany.com,https://www.mycompany.com,https://groupware.mycompany.com,https://pizzaservice.com/partnerlinkid=8754879647 );

If you want to show more of the topsites, you can rise the number from 6 to 12 (two rows) or even 24 (four rows), which makes the site look more like the old newtab page.

// Show more topsites in activity stream (Default value: 6)
pref(“browser.newtabpage.activity-stream.topSitesCount”, 24);

It’s also possible to disable the “Highlights” section in the activity stream with

// Disable the highlights section in activity stream (Default value: true)
pref(“browser.newtabpage.activity-stream.feeds.section.highlights”, false);

Mozilla sometimes want to give information about that they need money or about net neutrality or whatever they want over a field on the bottom of the activity stream. You can disable it with

// Disable information fields of Mozilla in the activity stream when opening a new tab
pref(“browser.newtabpage.activity-stream.feeds.snippets”, false);
pref(“browser.newtabpage.activity-stream.disableSnippets”, true);

So, did you configured your activity stream for your users? Okay. Then I will show you now how to disable it. 😛

Getting the old about:newtab page back

Don’t want to use this fancy new activity stream thing and want to deliver a consistent experience for your users?

// Disable the activity stream and get back the old newtab page (Default value: true)
defaultPref(“browser.newtabpage.activity-stream.enabled”, false);

Security relevant options

Screenshot options
Shows the options given when taking a Screenshot: Save or upload
The save options for screenshots: download or upload to Mozilla

As mentioned above, Mozilla also integrated a screenshot option. This is a useful tool, but the user can choose after every shot if he want to download (save) the screenshot or if he want

to upload it to the Mozilla cloud. If you don’t want to let users upload their screenshots, you should disable the screenshot feature:

// Disable screenshot feature with cloud upload (Default value: false)
lockPref(“extensions.screenshots.disabled”, true);

There also is an not further described devtool option that enables audio for screenshots. It’s already disabled by default, but you might lock it.

// Lock option for taking audio with screenshots (Default value: false)
lockPref(“devtools.screenshot.audio.enabled”, false);

Tracking protection
Shows the Tracking protection options
Tracking protection options

Tracking protection is an option that is present in Firefox since version 42. Until 52 ESR, it’s only available in private windows. In 57, it’s also possible to activate it for everything, while the default still is private windows only. The advantage of the tracking protection is besides better privacy faster loading of websites, as tracking scripts won’t be loaded and aren’t able to slow down the loading of the page respectively. This is accomplished by loading lists of trackers from disconnect.me. By default, a “basic protection” list is used, which allows some trackers in order to maintain functionality for all(?) websites.  Mozilla provides a list of preferences associated with tracking protection.

// Setting tracking protection (Default value: false)
pref(“privacy.trackingprotection.enabled”, true);
// Setting strict tracking protection table (might break some websites) (Default value: test-track-simple,base-track-digest256 )
pref(“urlclassifier.trackingTable”, test-track-simple,base-track-digest256,content-track-digest256 );

Speculative connect

Firefox 57 offers a new predictive load option besides the old network.predictor.enabled, there is a new option. This option makes it possible to load websites faster when you’ve already been there before. While you’re typing the domain in the urlbar, Firefox does not only autocomplete the domain, he also looks for the DNS entries and does an TLS and TCP handshake. This makes loading faster, but also makes some unnecessary DNS lookups and handshakes. Disable this with

// Disable predictive DNS lookups, TLS and TCP handshakes when FF does autocomplete of a domain in the urlbar (via https://www.ghacks.net/2017/07/24/disable-preloading-firefox-autocomplete-urls/ ) (Default value: true)
lockPref(“browser.urlbar.speculativeConnect.enabled”, false);

Opt-out options

There is a new option to opt-out of studies. You set it with

// Opt-out of opt-out studies (Default value: true)
lockPref(“app.shield.optoutstudies.enabled”, false);

Also, there is a “experiments” option in the new Firefox. You may have heard of the magically appearing “looking glass” extension that Mozilla installed without asking for users in the US. Jep,  you want to deactivate it. Trust me.

// Deactivate “Experiments” option that enables Mozilla to install extensions without asking (and probably much more).
lockPref(“experiments.enabled”, false);
lockPref(“experiments.supported”, false);
lockPref(“experiments.activeExperiment”, false);

You can also neuter the URL for experiments.

// Neuter the URL for expriments (Default value: https://telemetry-experiment.cdn.mozilla.net/manifest/v1/firefox/%VERSION%/%CHANNEL% )
lockPref(“experiments.manifest.uri”, []);

Telemetry

There is a new option you can deactivate in regarding telemetry (unfortunately not further specified).

// Disabling “ping-centre” telemetry (Default value: true)
lockPref(“browser.ping-centre.telemetry”, false);

Search options

Firefox got a new search concept. The search bar is now not showed by default anymore. There is an option to show that, browser.search.widget.inNavBar, but it’s not working with config files. Hopefully, this will be implemented into the new policy engine.

The new unified URL bar now has the options of the search bar. This means, that search suggestions and the search-provider buttons are now shown by default. If you want, you can disable this with

// Disable search suggestions in address bar (Default value: true)
defaultPref(“browser.urlbar.suggest.searches”, false);
// Disable search provider buttons in adress bar (Default value: true)
defaultPref(“browser.urlbar.oneOffSearches”, false);

Design options

Some design options are controllable over the configuration. For example, you can disable the autohide “feature” of  the downloads button:

// Always show downloads button (Default value: true)
defaultPref(“browser.download.autohideButton”, false);

Furthermore, the new library shows recent sites. To disable this, use

// Don’t show recent sites in Library (Default value: true)
pref(“browser.library.activity-stream.enabled”, false);

The new Firefox has some animations. If you want to disable these, use

// Disable Animations (Default values: true)
pref(“toolkit.cosmeticAnimations.enabled”, false);
pref(“browser.stopReloadAnimation.enabled”, false);

Firefox doesn’t show the old “Cached Web Content” and “Site Data” in about:preferences#privacy by default. To enable it, use

// Show  “Cached Web Content” and “Site Data” in about:preferences#privacy. Via https://www.askvg.com/firefox-tip-enable-offline-web-content-and-user-data-section-on-options-page/ (Default value: false)
lockPref(“browser.preferences.offlineGroup.enabled”, true);

Firefox 57 implemented an update tour that shows the user what’s new. It pops up after updating and on the newtab page. To disable it, use

// Disable tour through new functions of FF (Default value: true)
pref(“browser.onboarding.enabled”, false);

If you don’t want to disable it, you may want to adapt the shown features, for example when you disabled screenshots and sync.

// Customize update tour (hide sync and screenshots) (Default value: performance,library,screenshots,singlesearch,customize,sync )
lockPref(“browser.onboarding.updatetour”, “performance,library,singlesearch,customize”);

UserChrome.css options

We had a UserChrome.css in our organization that hided all sync buttons (which isn’t covered by just disabling sync in config). However, with FF 57 it didn’t work anymore. Furthermore, I wanted to delete the spaces around the address bar and the search bar. Here’s what I put into the UserChrome to accomplish this under FF 57:

@namespace url(http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul);
/* Hide Menu entry "Sign in to Sync" (via https://github.com/Aris-t2/CustomCSSforFx/blob/master/classic/css/buttons/appbutton_popup_sync_hidden.css ) */
#appMenu-fxa-container,
#appMenu-fxa-container + toolbarseparator {
 display: none !important;
} 
/* Hide "Send Page to Device"  (via https://github.com/Aris-t2/CustomCSSforFx/blob/master/classic/css/generalui/send_to_device_menuitems_hidden.css ) */
#context-sep-sendpagetodevice,
#context-sendpagetodevice,
#context-sep-sendlinktodevice,
#context-sendlinktodevice,
#pageAction-panel-sendToDevice,
#context_sendTabToDevice,
#context_sendTabToDevice + menuseparator {
 display: none !important;
}
/* Hide spaces around the address (and search-) bar */
#customizableui-special-spring1,
#customizableui-special-spring2 {
 display: none !important;
}

It’s probably also possible to show old icons by default with the UserChrome.css, but I haven’t managed to do so. If you know how to show or change the order, please let me know in the comments.

To sum up, the update changed a lot under the hood, brings a new design but still kept most options. Should’nt be a big problem to deploy, if you’re prepared for it.