https://bugzilla.mozilla.org/show_bug.cgi?id=1429714 is about service workers.
Since there are problems with the way extensions use Content-Security-Policies to block these things, I wouldn't rely on uMatrix too much. The prefs are the most reliable way to block stuff.

uMatrix allows cookies IN but blocks them from going OUT

that's how it's supposed to work but extensions don't see the changes made to headers by other extensions and therefore it's possible that the cookie(s) will still be sent.

uMatrix allows cookies IN but blocks them from going OUT

that's how it's supposed to work but extensions don't see the changes made to headers by other extensions and therefore it's possible that the cookie(s) will still be sent.

Either you're using extensions which are adding there own cookies to the request header (after uMatrix striped it) or you're using malicious extensions which are sending a hidden/background request.

The question is: Why on earth are you using such extensions ?

after uMatrix striped it

that's not how it works. All extensions receive the headers in parallel and unmodified. It doesn't matter if uMatrix striped it because the next extension still sees the original cookie header.

The question is: Why on earth are you using such extensions ?

I don't but there are apparently people who have like 70+ addons or whatnot, and I'm just saying that it can happen. Here are just 2 examples of legitimate extensions that do or could modify the cookie header in certain situations:

https://github.com/snyderp/web-api-manager/blob/master/add-on/background_scripts/background.js#L58
https://github.com/scakemyer/cloudhole/blob/master/background.js#L216

The strategy looks good.

If you block the canvas via FF the canvas is completely handled by it and CB never kicks in.
When you allow via FF the canvas is handled by CB which will do what ever you specified it to do.

EDIT: when I messed around with this feature I think I also found a way to ignore the resistFingerprint setting (or answer). Not sure if this is useful or not...

Block does block the API and therefore generates errors in most pages that just assume that the API is accessible. If you want the same behaviour than in RFP=block you have to use the "white" random number generator.

The detection test is using canvas but only a minor subset of the API. The block mode may block before the RFP kicks in.

Can't find where I mentioned the idea of general API blocking, but hey look:

[dead link]

3P Request Blocker by Sw prevents your browser from connecting to 3rd party resource without user consent. Only 61.0 KiB

Re: pyllyukko/user.js#348

Correct if i'm wrong but shouldn't Cookie AutoDelete work with FPI already in Firefox 59?

Is there an easy way to find if it's working as intended, i mean, if it's deleting localStorage, etc with CA-D and FPI turned on? Sorry if i'm being a bit off-topic.

Thanks so much @Thorin-Oakenpants

Sweet ❤️

if FF prefs allow web workers, but uMatrix blocks them, there may be instances where the web site detects workers are available but can't actually use them, leading to breakage, rather than falling back to the non-web-worker version [read this somewhere on uM repo but can't find it now]

https://www.reddit.com/r/uMatrix/comments/7p7adg/web_workers/

As for privacy.resistFingerprinting, I had to disable it due to two reasons:

• it breaks the AMO site, since it thinks you're using a different browser version than you actually are, so extension compatibility is inaccurate, and
• it changes your time zone, which then makes time/date features, like in forums, inaccurate.

There may have been other issues as well, but I didn't get far enough in using it to find out. Are there solutions to these problems? I would really like to use this feature.

I'm not saying I plan to disable it permanently because of it, but I've had it disabled the past couple weeks while testing stuff, installing and trying out addons, and a feature like this should work for non-advanced users, who aren't going to know why the AMO site isn't working properly and know how to fix it. Not to mention you'd think Mozilla would make their feature not interfere with their own website. Just seems like a pretty significant oversight. Anyways, I was hoping someone knew of a pref or addon that would disable it on certain sites and/or AMO or that could override it so the user agent could be forced on those sites. Also, this should be mentioned in the OP, so people aren't caught off guard when they enable this pref then find AMO doesn't work right.

And I realize the time zone change is a feature, not a bug; I wasn't saying otherwise. I'm just saying that I would like the ability to have the benefits of resistFingerprinting without the subsequent issues caused by that. Ideally, it should provide a way to tell it to leave that alone. Since that's clearly not the case, again I was wondering if anyone knew of a way to override it.

Either you buy into the full RFP package, and everyone spoofs the same timezone, or its pointless

I understand how fingerprinting and uniqueness works, and that I would be setting myself apart by changing my time zone, but I suspect I would still be much less unique than if not using the pref at all, and therefore that it would by no means be pointless.

Well, that's why it's not been exposed to the public yet

I get that. All I was looking for was a workaround that hopefully somebody had found to fix this issue, to prevent having to change the setting every time the user wants to look at or install addons.

I don't follow. What does RFP have to do with this issue? Unless you meant that I provide some alternative for RFP

I was saying that in your canvas section, where you mention to use the pref, a simple caution that it will cause AMO to not work properly could be added so anybody that reads it will know about the breakage, so then when they go to AMO they'll be aware of it, vs just enabling it and then going there and not knowing why it's not working. I'm not saying they should be told to use it with caution, just that they should be cautioned (or perhaps a better word would be informed) about the issue. That's all.

CanvasBlocker 0.4.6-Alpha1 does now also Audio... see here; kkapsner/CanvasBlocker#71 (comment)

I am sure that @kkapsner would appreciate some testing from you guys too.

Cheers

@Thorin-Oakenpants: I see you already updated the code URL. Now that @meh has given me full access rights on AMO, I've also create the privacy policy you requested a year ago: https://addons.mozilla.org/de/firefox/addon/smart-referer/privacy/
Sorry for the long delay, but I simply wasn't able to do this before today. 🙂

Edit: Thorin: done. And thanks. PS: I stripped out the /de part

browser.display.use_document_fonts

value can be toggled with Toggle Fonts add-on (AMO)

note that Toggle Fonts does not alter gfx.downloadable_fonts.enabled

You don't seem to understand fingerprinting very well. RFP & canvas currently lowers the entropy in that metric, in fact, it eliminates it by making everyone the same. As soon as you diverge from other RFP users, you stand out. Obviously it depends on the script, but I'm talking theoretically - which is how you need to approach it. Any hole is a hole that can be exploited.

It's not hard to detect RFP: you can just check timing rounding (which could be changed by a pref value - it sucks though because the check takes time: you could probably get away with 30ms). And there are other cumulative checks that could give it away (but not totally infallible). But since FF78 there's an even quicker method (less than 1ms, 100% correct, all the time).

And RFP does allow a site exception for canvas: it's not like you don't have some control.

Of the at least 8 methods to confound FPing, one is to lower entropy, one is to raise. Both have pros and cons. AFAIK, RFP canvas is going to become randomized - but until it does, don't undermine it - that's just stupid

Also: just so people are aware - don't use Waterfox: there is nothing it does that Firefox can't (there might be the one odd thing here or there: I'm not wasting my time checking). This does not include legacy extension support: which I consider the lack of in Firefox as a good thing, and the inclusion of in Waterfox as a security hole.

• HTTP UserAgent cleaner (extension, XUL/XPCOM) #517 (comment)

I feel many many more users would switch to Waterfox, especially this user.js crowd

Not if I can help it. There is no reason to use a fork.

OK, you really don't understanding FPing

I blend in MORE using a faked fingerprint canvas hash than using the one generated by RFP according to panopticlick.

And that there is the first flaw in your argument: panopticlick is not real world and the data is tainted (not the actual FPing, just the entropy). And that's not the site's fault, it's the nature of the beast and those who (repeated) visit, and who constantly tweak their metrics: thus artificially screwing the results.

since the standard now is to lie to the webserver

What does that even mean? In reality, the standard is not lying (most users don't install extensions, at least not canvas ones, and at least not in Firefox).

For those who do lie: they can be lowering or raising entropy. So if you mean randomizing is more prevalent, then I would say based on some numbers, that you're wrong. In Firefox (and it's trivial to detect that you are on Firefox), I don't know the number of RFP, but all the TB users (which uses Firefox) are lowering canvas. There's some 2 million TB users at any given time [1]. Overall, there would be more.

That figure there far outweighs the total (i.e not always online at the same time) FF users with canvas randomizing - CB has 50k installs, Canvas Defender 15K and so on.

But that doesn't even fucking matter: if the subset of users you are in lowers, then you do the same. You sure don't get it.

[1] https://metrics.torproject.org/userstats-relay-country.html

Also: just so people are aware ... [followed by a bunch of batshit crazyshake statements]

Clearly you need help.

Just visited uMatrix repos, @gorhill has Archived it all, says he won't spend any more time on uMatrix. uBO is nice and all for cosmetic filtering but it does not come anywhere close to the control you have in uMatrix. Disappointing - no discussion, no warning, just a guy opening an issue and getting told "forget it I'm done" and poof, everything archived :-(

not surprising at all given the number of commits on uBO vs. uM

i'm very disappointed by this - there's lots i could say about this but i'll refrain, suffice to say that i think some of his decisions are idiotic, starting with splitting uBO off from uM

Either you buy into the full RFP package, and everyone spoofs the same timezone, or its pointless

I understand how fingerprinting and uniqueness works, and that I would be setting myself apart by changing my time zone, but I suspect I would still be much less unique than if not using the pref at all, and therefore that it would by no means be pointless.

With Chameleon, your timezone can be automatically adapted to your IP. Ant in that precise case, it supersedes the RFP's GMT+0 timezone

I guess you refer to https://addons.mozilla.org/de/firefox/addon/chameleon-ext/.

No, you shouldn't use such extensions.

Useragents

• Randomly select from a list of browser profiles
• Choose between different platforms or device types
• Change user agent at specified interval

No further questions, Your Honor.

What should be done to make uBlock Origin handle trackers instead of the browser? I use AdNausuem so it'd be nice to be able to send a message