Disaster Plans for Firefox XUL Sunset

Public URL: GitHub Gist
Status: Incomplete
Last Updated: 2017-04-22 04:59 EST

Threat Summary

In their November blog post, Add-ons in 2017, Mozilla announced an aggressive plan to deprecate XUL APIs without having assured a porting path for existing APIs.

Most significantly, this will kill off the Classic Theme Restorer extension which I rely on to keep the UI suitably comfortable, as the Australis theme has elements (eg. the "toolbar in a panel" hamburger menu) which are even more unappealing to me than Google Chrome's crippled design.

As such, this document tracks my plans to investigate alternatives to my current Firefox extension load-out, both within Firefox (possibly with custom source patches) and on other browsers.

(The latter case will be necessary as a plan B in case addon ports are planned but their developers or the developers of APIs they depend on miss the Firefox 57 deadline.)

Timeline [2]

January 23rd, 2017 Firefox 52.0b1 enters beta channel
March 7th, 2017 Firefox 52 enters ESR channel.
April 18th, 2017 No new XUL addons will be signed by AMO
April 22nd, 2017 Switch to Firefox ESR builds when 53.0a2 enters Ubuntu Aurora PPA
June 12th, 2017 Firefox 57.0a1 moves XUL behind a pref in nightly channel
August 7th, 2017 Firefox 57.0a2 moves XUL behind a pref in aurora channel
October 2nd, 2017 Firefox 57.0b1 removes XUL from beta channel
November 14th, 2017 Firefox 57.0 removes XUL support from stable channel
January 16th, 2018 Firefox 52.6 is last ESR release currently scheduled
January 17th, 2018 Check Mozilla Rapid Release Calendar for updates
TBD Last supported XUL-capable release (probably Firefox 52.8)
TBD Migrate off Firefox if extension support is insufficient

High-level Tasks

Tasks

Possible Immediately, No Urgent Deadlines

☐ Do I need to compile my own Firefox ESRs to disable signing enforcement?
☐ Investigate SeaMonkey's future plans
☐ Investigate compatibility between my extensions and SeaMonkey
☐ Investigate compatibility between my extensions and Pale Moon
☐ Investigate options for setting up a forced transparent DNS proxy to work around Google pinning the DNS for YouTube ads in Chromium.
☐ Complete extension/feature porting matrices

Time-Specific

☐ Follow Unbranded [3] Firefox 52 to avoid a 56.0->52 ESR downgrade when 57 comes out.

Persistent Data Stores to Be Made Browser-Agnostic

☑ Passwords (KeePass)
☐ Saved Session/Open Tabs
☐ Bookmarks
☐ ScrapBook storage
☐ Extension preferences:
├─☐ Greasemonkey scripts & script data stores
├─☐ HistoryBlock blacklist
├─☐ HTTPS Everywhere preferences and custom rules
├─☐ NoScript settings
├─☐ RefControl settings & whitelist
├─☐ Stylish styles
├─☐ uBlock Origin settings
└─☐ uMatrix settings and whitelist

Solutions Under Consideration

  • Turn off Firefox updates:

    • Migrate high-risks tasks (eg. banking, PayPal, etc.) to Chromium
    • Install the last XUL-capable ESR release of Firefox.
    • Set up an aggressive Firejail sandbox, including the X11 SECURITY extension. (May require upgrading off Kubuntu 14.04 LTS to fix PulseAudio support)
  • Find an equivalent set of extensions for Pale Moon, SeaMonkey, or Chromium.

  • Migrate security extensions to an HTTP proxy, completely independent of any specific browser.

  • Convert most of TiddlyFox's functionality into a local HTTP daemon which re-creates the old XULConnect APIs as HTTP APIs which trigger prompt dialogs.

    • If I can think of a good design for a mechanism for extensions to securely prompt to be added to the extension manifest's allowed origins, this might actually do better as a generic "extended capabilities" host for the native messaging API, which any extension can make use of if installed.

      The downside being, since Firefox doesn't have a way to opt out of extensions signing in all builds, I may have to stick to an HTTPS CORS API to get anything even remotely signable.

      (Either way, I'd want to use Rust, do a lot of fuzzing, and iterate a lot on the design of the permissions prompts and extra protections like a blacklist/whitelist for what filesystem permissions can be requested without a power user pre-emptively adjusting the configuration file.)
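As an added illustration of the brokered-access design sketched above, the following Python native-messaging host implements the framing both Chrome and Firefox use (a 4-byte length in the host's native byte order followed by UTF-8 JSON) in front of a directory allowlist. This is example code, not TiddlyFox or any shipped host, and the request shape ({"op": "read"|"write", "path": ..., "data": ...}), the allowlist arriving on the command line and the `prompt` callable standing in for a consent dialog are all assumptions made here.

```python
"""Native-messaging host that brokers file access for a WebExtension
behind a directory allowlist.

Added example (not TiddlyFox or any shipped host). Assumptions made here,
not taken from the page: the request shape {"op": "read"|"write",
"path": ..., "data": ...}, the allowlist arriving as argv, and the
`prompt` callable standing in for a consent dialog.
"""
import json
import os
import struct
import sys

# Framing shared by Chrome and Firefox native messaging: a 4-byte length in
# the host's native byte order, then that many bytes of UTF-8 JSON.
MAX_MESSAGE = 1024 * 1024  # defensive cap so a hostile page cannot force huge allocations


def encode_message(obj):
    body = json.dumps(obj).encode("utf-8")
    return struct.pack("@I", len(body)) + body


def decode_message(stream):
    """Read one framed message from a binary stream; None at EOF."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("@I", header)
    if length > MAX_MESSAGE:
        raise ValueError("message too large: %d bytes" % length)
    body = stream.read(length)
    if len(body) != length:
        raise ValueError("truncated message")
    return json.loads(body.decode("utf-8"))


def is_allowed(path, allowed_roots):
    """True only if the canonical path lies inside an allowlisted directory.

    realpath() collapses '..' and resolves symlinks, so a link planted in an
    allowed tree that points at ~/.ssh is still rejected; commonpath() rather
    than startswith() keeps /home/u/wiki from matching /home/u/wiki-private.
    """
    real = os.path.realpath(path)
    for root in allowed_roots:
        root = os.path.realpath(root)
        try:
            if os.path.commonpath([root, real]) == root:
                return True
        except ValueError:  # e.g. different drives on Windows
            continue
    return False


def handle(request, allowed_roots, prompt=lambda req: False):
    """Dispatch one request; `prompt` is the consent hook, default deny."""
    op = request.get("op")
    path = request.get("path", "")
    if not isinstance(path, str) or not os.path.isabs(path):
        return {"ok": False, "error": "path must be absolute"}
    if not is_allowed(path, allowed_roots) and not prompt(request):
        return {"ok": False, "error": "path not permitted"}
    try:
        if op == "read":
            with open(path, "r", encoding="utf-8") as fh:
                return {"ok": True, "data": fh.read()}
        if op == "write":
            data = request.get("data")
            if not isinstance(data, str):
                return {"ok": False, "error": "data must be a string"}
            # Write a sibling temp file, then rename atomically, so a crash
            # mid-write cannot leave a half-saved wiki behind.
            tmp = path + ".tmp"
            with open(tmp, "w", encoding="utf-8") as fh:
                fh.write(data)
            os.replace(tmp, path)
            return {"ok": True, "bytes": len(data.encode("utf-8"))}
    except OSError as exc:
        return {"ok": False, "error": str(exc)}
    return {"ok": False, "error": "unknown op %r" % (op,)}


def serve(stdin=None, stdout=None, allowed_roots=()):
    """Main loop: one reply per request until the browser closes the pipe."""
    stdin = sys.stdin.buffer if stdin is None else stdin
    stdout = sys.stdout.buffer if stdout is None else stdout
    while True:
        request = decode_message(stdin)
        if request is None:
            return
        stdout.write(encode_message(handle(request, allowed_roots)))
        stdout.flush()


if __name__ == "__main__":
    # Allowlisted directories come from argv in this example; a real host
    # would read them from a config file the user controls.
    serve(allowed_roots=sys.argv[1:])
```

The browser starts the host according to its host manifest (a JSON file naming the executable, `"type": "stdio"`, and the extension IDs or origins permitted to talk to it), so the allowlist check above is the second gate, not the first. The deliberate choices are: default deny on anything outside the pre-approved roots, canonicalisation before comparison, and a commonpath test instead of a string prefix test.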

about:config Tweaks

✓ = Equivalent functionality is built into Chromium or available as an addon
✗ = Must implement replacement myself
Key    Firefox value    Chrome solution
beacon.enabled false  
browser.download.lastDir.savePerSite true [5]
browser.link.open_newwindow 1  
browser.link.open_newwindow.override.external 3  
browser.link.open_newwindow.restriction 0  
browser.newtabpage.enabled false  
browser.send_pings.require_same_host true  
browser.sessionstore.privacy_level true  
browser.showQuitWarning true  
browser.startup.page -11 [7]  
browser.urlbar.doubleClickSelectsAll false  
browser.urlbar.maxRichResults 12  
browser.urlbar.trimURLs false ✗ (Requires Source Patch)
dom.disable_window_open_feature.minimizable true  
dom.disable_window_open_feature.titlebar true  
dom.disable_window_open_feature.toolbar true  
dom.serviceWorkers.enabled false [6]
gecko.smoothScroll false  
image.animation_mode none [8]  
media.autoplay.enabled false  
media.eme.apiVisible false  
media.eme.enabled false  
middlemouse.contentLoadURL false  
network.cookie.cookieBehavior 1  
network.cookie.lifetimePolicy 2  
network.dns.disablePrefetch true  
network.http.pipelining true  
network.http.pipelining.aggressive true  
network.http.pipelining.max-optimistic-requests 8  
network.http.proxy.pipelining true  
network.http.speculative-parallel-limit 0  
network.IDN_show_punycode true ✓ [4]
network.prefetch-next false  
nglayout.enable_drag_images false  
offline-apps.allow_by_default false  
privacy.clearOnShutdown.cache true  
privacy.clearOnShutdown.cookies false  
privacy.clearOnShutdown.downloads true  
privacy.clearOnShutdown.extensions-dta true  
privacy.clearOnShutdown.formdata false  
privacy.clearOnShutdown.history false  
privacy.clearOnShutdown.offlineApps false  
privacy.clearOnShutdown.openWindows false  
privacy.clearOnShutdown.sessions true?  
privacy.clearOnShutdown.siteSettings false  
privacy.cpd.cache true  
privacy.cpd.cookies false  
privacy.cpd.downloads false  
privacy.cpd.extensions-dta false  
privacy.cpd.extensions-sessionmanager false  
privacy.cpd.formdata false  
privacy.cpd.history false  
privacy.cpd.offlineApps false  
privacy.cpd.openWindows false  
privacy.cpd.passwords false  
privacy.cpd.sessions false  
privacy.cpd.siteSettings false  
privacy.donottrackheader.enabled true  
privacy.sanitize.sanitizeOnShutdown true  
privacy.trackingprotection.enabled true  
social.toast-notifications.enabled false  
spellchecker.dictionary en-CA  
xpinstall.signatures.required false ✓ --enable-easy-off-store-extension-install
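Firefox writes only non-default values to a profile's prefs.js, so a key missing from that file means the build's default is in force and can change silently on the next upgrade. The added script below (example code, not part of this gist) audits a prefs.js against a desired set and renders that set as a user.js, which Firefox re-applies on every start. DESIRED is a constructed subset of the table above and SAMPLE_PREFS_JS is a constructed prefs.js; point audit() at ~/.mozilla/firefox/<profile>/prefs.js for a real check.

```python
"""Audit a Firefox profile's prefs.js against a desired about:config set.

Added example, not part of this gist. DESIRED is a constructed subset of
the tweak table and SAMPLE_PREFS_JS is a constructed prefs.js.
"""
import json
import re

DESIRED = {
    "beacon.enabled": False,
    "browser.urlbar.trimURLs": False,
    "dom.serviceWorkers.enabled": False,
    "media.eme.enabled": False,
    "network.cookie.cookieBehavior": 1,
    "network.cookie.lifetimePolicy": 2,
    "network.dns.disablePrefetch": True,
    "network.IDN_show_punycode": True,
    "privacy.sanitize.sanitizeOnShutdown": True,
    "spellchecker.dictionary": "en-CA",
    "xpinstall.signatures.required": False,
}

# Constructed sample of what Firefox writes: only values that differ from
# the build's defaults appear, one user_pref() call per line.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("beacon.enabled", false);
user_pref("browser.urlbar.trimURLs", true);
user_pref("dom.serviceWorkers.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("network.cookie.cookieBehavior", 1);
user_pref("network.cookie.lifetimePolicy", 2);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.IDN_show_punycode", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("spellchecker.dictionary", "en-US");
"""

# Matches user_pref("name", value); and pref("name", value); lines.
_PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$')


def _parse_value(raw):
    """Firefox prefs are bool, int or string; strings use JSON-style escapes."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if raw.startswith('"'):
        return json.loads(raw)
    return int(raw)


def parse_prefs(text):
    """Map pref name -> value for every user_pref()/pref() line."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def audit(prefs_text, desired=DESIRED):
    """Return (key, wanted, actual) for each pref not pinned to the wanted
    value. actual is None when the key is absent, i.e. the version default
    is in force. Types are compared too, so True never passes for 1."""
    actual = parse_prefs(prefs_text)
    findings = []
    for key, want in desired.items():
        have = actual.get(key)
        if key not in actual or type(have) is not type(want) or have != want:
            findings.append((key, want, have))
    return findings


def to_user_js(desired=DESIRED):
    """Render the desired set as user.js; Firefox applies user.js on every
    start, so these survive upgrades and about:config resets."""
    return "".join("user_pref(%s, %s);\n" % (json.dumps(k), json.dumps(v))
                   for k, v in sorted(desired.items()))


if __name__ == "__main__":
    for key, want, have in audit(SAMPLE_PREFS_JS):
        print("%-40s want %r, have %r" % (key, want, have))
```

Run against the constructed sample, the audit reports browser.urlbar.trimURLs (set to the wrong value), spellchecker.dictionary (wrong value) and xpinstall.signatures.required (not pinned at all). Note that pinning xpinstall.signatures.required to false only takes effect in builds that honour it (Unbranded, Developer Edition, Nightly); on release and ESR builds the pref is ignored, which is why footnote [3] matters.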

Extensions

Legend
✓ Port or direct equivalent available (or planned to be available on time)
~ Low confidence in developer's plans (i.e. expect disruption with Fx 57)
… Waiting for an acceptably concrete response from the developer(s)
✗ Must implement replacement myself
N/A Addition or removal of a browser feature renders replacement unnecessary

Always Enabled

Extension Firefox WebExtension Chrome
Classic Theme Restorer Use Chromium for partial fix? See List
Decentraleyes ✓ (Issue 124) ✓ Local CDN
Disable Ctrl-Q Shortcut … (Issue 10) [1]  
Download Panel Tweaker N/A (Bug 1269957) N/A
DownThemAll [11] [12]
Greasemonkey [13] ✓ Tampermonkey
Google search link fix
HistoryBlock ✓ (Bug 1334266)  
HTTPS Everywhere ✓ (Issue 7389)
InlineDisposition ✓ Undisposition
No Flash N/A (Issue 39)  
NoScript [15] ✓ (Bug 1214733)  
Pure URL ~ [16]  
RefControl ~ [17]
Save Text To File … (Issue 85)  
ScrapBook
Self-Destructing Cookies [19] Tab Cookies
Session Manager  
Shift + Scroll N/A (built-in)
Show Keyword N/A? [20] N/A
Stylish ✓ (Issue 166)
Tab Counter [21]
Tab Wheel Scroll ~ [23] [1] N/A (built-in)
TiddlyFox … (Issue 42)
Toggle Animated GIFs ~ (Issue 43) [22]
uBlock Origin ✓ (Bug 1309926) ✓ + uBO-Extra
uMatrix
withExEditor ✓ (Issue 23) Multiple [24]

TODO: Evaluate whether Disable Ctrl-Q and Cmd-Q is a suitable replacement for Disable Ctrl-Q Shortcut and monitor bug 1325692.

Optional or Situational

Extension Firefox Solution Chrome Solution
Automatic Save Folder N/A [9] [10]
Beef Taco [25]    
Cookie Time    
DOM Inspector [26]
Fangs    
FindBar Tweak   N/A
Flattr    
Form History Control    
InspectorWidget [26]
JSONView [14] [14]
Live HTTP Headers    
Password Exporter    
Private Tab    
Reddit Enhancement Suite    
restartFox   chrome://restart [18]
StumbleUpon    
Stylish Sync    
User Agent Switcher    
Video DownloadHelper ✓ (Bug 1310316)  

Classic Theme Restorer in Chrome

TODO: Enumerate tweaks in use

DownThemAll Successor

TODO: Explore options for integrating an external download manager with suitably comfortable support for selecting extracted URLs and sharing cookies (How's FlashGot's future looking?)

Candidates so far:

XUL Userstyles

Extension Status
Classic Theme Restorer - Misc. Fixes See sub-features
  Hide private browsing badge (use menu button color) TODO: Customize? Complete theme?
Restore pre-Australis narrow buttons in tab bar TODO: Possible with new theming API?
DownloadHelper - Hide Inactive, Compact Active  
DownThemAll - Remove 3.x GUI Clutter Obsolete with the death of DownThemAll
Firefox - Un-cluttered, Chrome-like Context Menu  
Firefox 43 - Revert stop/go/reload button size TODO: Possible with new theming API?
InspectorWidget - Hide Context Menu Entries Obsolete without XUL to inspect
Remove the newbie footer from Stylish Feature request sent
StumbleUpon - Hide Context Menu Entries TODO: Check how WebExtensions migration is affecting the StumbleUpon extension.
StumbleUpon - Hide Facebook/Twitter in Share Menu
StumbleUpon - Ultra-Compact Toolbar
StumbleUpon - Undo "always show referred count"

Footnotes

[1]I suspect I'll have to implement this myself using a helper application which asks X11 for all input to the window and then replaces certain events with faked keyboard input.
[2]

Sources:

[3]Unbranded Firefox will be used to retain the Developer Edition ability to disable extension signing enforcement.
[4]Chrome has a different mitigation.
[5]

Chrome doesn't provide this internally and the extension API disallows this level of control, but it can be hacked around by some combination of the following:

  • Setting the Download directory to the filesystem root
  • Using an inotify-based watcher to move files out of the download directory once they finish downloading.
  • Using an extension like Downloads Router to give the inotify helper more information about where the downloads came from.
  • Just replacing the browser's built-in download support with an integration extension for an external download manager with routing support. (See DownThemAll Successor)
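The second and third bullets above amount to a small sorter that runs whenever a download finishes. Here is an added Python version (example code, not part of this gist); the ROUTES table and the file names used in the comments are constructed, and it routes on file name alone, since the origin hint an extension like Downloads Router would supply is not something a watcher on the directory can see. It is meant to be invoked by an inotify watcher such as `inotifywait -m -e close_write ~/Downloads` from inotify-tools, or from cron.

```python
"""Sort finished downloads out of a flat download directory by file-name
rule. Added example, not part of this gist; the ROUTES table is
constructed. Trigger it from an inotify watcher (for instance
`inotifywait -m -e close_write ~/Downloads`) or run it periodically.
"""
import fnmatch
import os
import shutil

# In-progress names used by Chromium (.crdownload) and Firefox (.part);
# moving one of these corrupts the download, so they are always skipped.
PARTIAL_SUFFIXES = (".crdownload", ".part")

# Constructed routing rules: first matching glob wins; destinations are
# relative to the download directory.
ROUTES = [
    ("*.pdf", "docs"),
    ("*.epub", "docs"),
    ("*.iso", "images"),
    ("*.tar.*", "archives"),
    ("*.zip", "archives"),
]


def route_for(name, routes=ROUTES):
    """Destination sub-directory for a file name, or None to leave it alone."""
    lowered = name.lower()
    for pattern, dest in routes:
        if fnmatch.fnmatch(lowered, pattern):
            return dest
    return None


def unique_target(directory, name):
    """Never clobber: append ' (n)' before the extension on collision."""
    base, ext = os.path.splitext(name)
    candidate = os.path.join(directory, name)
    n = 1
    while os.path.lexists(candidate):
        candidate = os.path.join(directory, "%s (%d)%s" % (base, n, ext))
        n += 1
    return candidate


def sort_downloads(download_dir, routes=ROUTES):
    """Move each routable, complete, regular file into its destination.
    Returns [(name, new_path)] so a caller can log what happened."""
    moved = []
    # Snapshot the listing first: we create sub-directories and move files
    # while iterating, and must not pick those up as new entries.
    for entry in list(os.scandir(download_dir)):
        name = entry.name
        # Regular files only, and never through a symlink: the helper runs
        # with the user's privileges and must not be steered elsewhere.
        if not entry.is_file(follow_symlinks=False):
            continue
        if name.startswith(".") or name.endswith(PARTIAL_SUFFIXES):
            continue
        dest = route_for(name, routes)
        if dest is None:
            continue
        target_dir = os.path.join(download_dir, dest)
        os.makedirs(target_dir, exist_ok=True)
        target = unique_target(target_dir, name)
        shutil.move(entry.path, target)
        moved.append((name, target))
    return moved


if __name__ == "__main__":
    import sys
    for name, target in sort_downloads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s -> %s" % (name, target))
```

The two checks worth keeping whatever the rule set becomes are the partial-download skip (a close_write event fires on the temporary file before the browser renames it) and the refusal to follow symlinks or act on anything but regular files, since the browser's download directory is, by definition, somewhere a remote site gets to choose names.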
[6]

Chrome apparently has no way to disable service workers outright, but chrome://serviceworker-internals/ can be used to manage them.

Apparently it's possible for addons to flush them, but the Clear Service Worker extension has an ominous "Added Analytics Plugin" message in its description, so I'll have to write my own flusher. (Which may be better anyway, since it'd let me implement the behaviour I desire, which is more akin to what Self-Destructing Cookies does for cookies.)

I'm assuming it has something to do with service workers counting as cookies/site data.

[7]browser.startup.page: -11 means "Prompt for session to load" and is provided by the Session Manager extension.
[8]image.animation_mode: none is just used to enforce the starting state by the Toggle Animated GIFs extension. It's insufficient alone.
[9]Automatic Save Folder is no longer necessary, since using it temporarily toggled a hidden setting that enables remembering the previous save folder on a by-origin basis, and that covers all of the uses where I wouldn't have to write my own extension anyway, given the nature of the filter rules I'd want to write.
[10]The Chrome extension API is too crippled to implement this functionality, so I'll need to use an external download manager, an inotify-based sorter for the downloads folder, or both. (In the latter case, possibly with a helper like Downloads Router to translate things like source domains into paths the inotify code can see.)
[11]The author of DownThemAll! wrote a "Fuck you, Mozilla. I'm out" open letter and hasn't given any indication that it was merely drunken frustration.
[12]

By design, the Chrome extension API doesn't give extensions sufficient disk access to implement things like resume, piecewise downloading, and writing to arbitrary filesystem locations, so DTA! can only be replaced by an integration shim for an external download manager:

[13]

Greasemonkey status is tracked in the following bugs and threads:

[14]JSONView for Chrome exists as a third-party port, but because of the same Chrome API limitations (which cripple it) Ben Hollis never produced an official Chrome port, and he is no longer working on JSONView for Firefox either.
[15]

NoScript is used only for the following features:

  • Click-to-play for embeddings, audio/video tags, and WebGL
  • Forbid <a ping...>
  • Forbid meta redirections inside <noscript> elements.
  • Forbid XSLT
  • Attempt to fix JavaScript links
  • XSS Filter
  • Automatic Secure Cookies Management
  • ABE (Application Boundaries Enforcer)
  • ClearClick protection
[16]

The author has plans similar to mine with regards to Firefox ESR and responded as follows:

It is possible to port Pure URL to WebExtensions, and I'd like to do it someday. But it requires time, and currently I'm planning to stay on Firefox 52 ESR for 1.5 years at least. So, I don't know when I'll port this extension. Unfortunately, I can't promise that I'll do it before Firefox 57 release.
[17]

Multiple options, none very good:

[18]Add chrome://restart to the bookmarks toolbar for a suitable analogue to restartFox.
[19]

TODO: Investigate suitability of Tab Cookies and, if suitable, contact its author about whether he'd be willing to port it to Firefox and what license it's under (in case I could work on it myself).

The author of Self-Destructing Cookies responded with:

I will not rewrite SDC as a WebExtension. I simply don't have the time for this; SDC is just a spare time project for me. I'm weary of putting the add-on (as in: the AMO page) up for adoption, since a project with >200k daily users is in danger of being abused if it falls in the wrong hands. I regularly get offers to sell out my users (i.e. monetize their traffic) for substantial amounts of money. I'd rather just wind down the project.
[20]

I remember people wanting to kill off bookmark keywords in the process of unifying the search integration.

TODO: Determine what the current plans are. (Will I have to create fake search engines which don't actually search to preserve my keywords?)

[21]https://chrome.google.com/webstore/detail/tab-counter/feeoiklfggbaibpdhkkngbpkppdmcjal
[22]

Multiple "Toggle Animated GIFs" extensions available:

[23]Tab Wheel Scroll progress is tracked in issue 19, but it is blocked pending an API, which is bug 1246706.
[24]

Multiple withExEditor-like Chrome extensions are available:

[25]Beef Taco is incompatible with Self-Destructing Cookies but may come into use again if the latter is completely impossible to port.
[26]DOM Inspector and InspectorWidget are used to inspect XUL in order to produce XUL Userstyles.