Firefox `policies.json`

As Clover gets older I’m starting to assess which digital tools are appropriate for them to use; fortunately, a web browser is still a ways off. I currently don’t have a browser to recommend, for my kid, or for any user, really. I mainly use Firefox, but I customize it so much I can’t recommend it without a user’s manual, and that doesn’t make any sense.

And what I mostly configure Firefox to do is not sell me out, which it is constantly trying to do. Like, it’s ridiculous. But it’s also the only browser that loads the limited interactive sites I use, such as Discourse sites or Wikipedia projects, sites that are important to me.

And so I now turn my attention to the policies.json file that may be used to configure many settings for Firefox, including disabling a huge amount of “features” that we all probably want to go away.

You can read about it at Customizing Firefox Using policies.json | Firefox for Enterprise Help, but it will point you to the GitHub repo for documentation:

I have a few profiles in mind for policies.json usage:

  • Me
  • Clover
  • kiosk computer, as used at events or by volunteers
  • public access (labs, libraries, etc.)
  • community computers

By that last one I mean: a policies file I could install on computers I refurbish/set up for community members needing a computer. It makes no sense to enable a person to become enthralled by Google as soon as they need to look something up.

This topic will contain a setting-by-setting reflection on the policies.


3rdparty

Allow WebExtensions to configure policy. For more information, see Adding policy support to your extension.

That link goes to a document detailing, “… how to add enterprise policy support to your extension to allow enterprises to preconfigure settings in your extension.”

Which amounts to formatting the data in a way that the extension may read from local storage, via this policy. Neat! (I don’t generally use web extensions, so it sounds interesting in theory…)

Policy format:

{
  "policies": {
    "3rdparty": {
      "Extensions": {
        "YOUR_EXTENSION_ID": {
          "STRING": "value",
          "BOOLEAN": true,
          "INTEGER": 10
        }
      }
    }
  }
}

AllowedDomainsForApps

Define domains allowed to access Google Workspace.

This policy is based on the Chrome policy of the same name.

If this policy is enabled, users can only access Google Workspace using accounts from the specified domains. If you want to allow Gmail, you can add consumer_accounts to the list.

I didn’t quite understand this, so I read that link, where it explains:

Setting the policy turns on Chrome’s restricted sign-in feature in Google Workspace and prevents users from changing this setting. Users can only access Google tools using accounts from the specified domains (to allow gmail or googlemail accounts, add consumer_accounts to the list of domains). This setting prevents users from signing in and adding a Secondary Account on a managed device that requires Google authentication, if that account doesn’t belong to one of the explicitly allowed domains.

Leaving this setting empty or unset means users can access Google Workspace with any account.

The policy format:

{
  "policies": {
    "AllowedDomainsForApps": "managedfirefox.com,example.com"
  }
}

I don’t use nor endorse Google Apps, so I’ll likely not set it. Potentially useful for a workforce where you don’t want folks setting up what is essentially a company Google device with their personal Google accounts. Kinda funny it’s in Firefox, perhaps for feature parity?

:woman_shrugging:

AppAutoUpdate

Enable or disable automatic application update.

If set to true, application updates are installed without user approval within Firefox. The operating system might still require approval.

If set to false, application updates are downloaded but the user can choose when to install the update.

If you have disabled updates via DisableAppUpdate, this policy has no effect.

{
  "policies": {
    "AppAutoUpdate": true | false
  }
}

This policy will depend on how the app is being upgraded on the device. For personal use I install Firefox via Flatpak, which has its own update mechanism; in such cases I might set DisableAppUpdate. Actually, for most cases where a policies.json is set, one probably wants the user to not mess around with updates (because it’s a different part of system admin, whereas the browser is for… browsing).

AppUpdateURL

Change the URL for application update if you are providing Firefox updates from a custom update server.

{
  "policies": {
    "AppUpdateURL": "https://yoursite.com"
  }
}

Huh, that’s kinda interesting… I wonder if one can package Firefox to include these policies installed? Probably not worth it, except in large deployments (many machines).

AllowedDomainsForApps isn’t listed alphabetically… so I changed it and sent a patch:

Authentication

Configure sites that support integrated authentication.

See Integrated authentication for more information.

PrivateBrowsing enables integrated authentication in private browsing.

{
  "policies": {
    "Authentication": {
      "SPNEGO": ["mydomain.com", "https://myotherdomain.com"],
      "Delegated": ["mydomain.com", "https://myotherdomain.com"],
      "NTLM": ["mydomain.com", "https://myotherdomain.com"],
      "AllowNonFQDN": {
        "SPNEGO": true | false,
        "NTLM": true | false
      },
      "AllowProxies": {
        "SPNEGO": true | false,
        "NTLM": true | false
      },
      "Locked": true | false,
      "PrivateBrowsing": true | false
    }
  }
}

Here is the doc at that link:

This document provides an overview of Mozilla’s support for integrated authentication. This entails support for the Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) internet standard (RFC 2478) to negotiate either Kerberos, NTLM, or other authentication protocols supported by the operating system. SPNEGO is commonly referred to as the “negotiate” authentication protocol.

Mozilla does not have its own internal implementation of SPNEGO. Instead, it leverages system libraries that provide SPNEGO; SSPI on Microsoft Windows, and GSS-API on Linux, Mac OSX, and other UNIX-like systems.

The Mozilla implementation of SPNEGO can be found under extensions/auth/. It used to live in extensions/negotiateauth.

Mozilla also supports raw NTLM authentication using an internal implementation (based on the documentation provided by Eric Glass) that supports NTLMv1/LMv1 and NTLM2 Session Key modes. As of Mozilla 1.7, there is no support for NTLMv2/LMv2. This is mainly due to the fact that NTLMSSP does not provide a means to negotiate use of NTLMv2/LMv2.

Flow Diagram

The diagram below shows how various components interact.

Configuration

By default, Mozilla rejects all SPNEGO challenges from a web server. This is to protect the user from the possibility of DNS-spoofing being used to stage a man-in-the-middle exploit (see bug 17578 for more info). Moreover, with Windows clients NTLM may be negotiated as the authentication protocol. So, it is paramount that the browser does not freely exchange NTLM user credentials with any server that requests them. The NTLM response includes a hash of the user’s logon credentials. On older versions of Windows this hash is computed using a relatively weak algorithm (see Hertel for more info on NTLM authentication).

Mozilla currently supports a whitelist of sites that are permitted to engage in SPNEGO authentication with the browser. This list is intended to be configured by an IT department prior to distributing Mozilla to end-users.

The preferences are:

pref("network.negotiate-auth.trusted-uris", site-list);
pref("network.negotiate-auth.delegation-uris", site-list);
pref("network.automatic-ntlm-auth.trusted-uris", site-list);

where, site-list is a comma-separated list of URL prefixes or domains of the form:

site-list = "mydomain.com, https://myotherdomain.com"

network.negotiate-auth.trusted-uris lists the sites that are permitted to engage in SPNEGO authentication with the browser, and network.negotiate-auth.delegation-uris lists the sites for which the browser may delegate user authorization to the server. network.automatic-ntlm-auth.trusted-uris lists the trusted sites to use NTLM authentication.

If you wish to use non-fully-qualified entries of the form mydomain.com in the above preferences for NTLM and SPNEGO authentication, you will also need to set the preferences network.automatic-ntlm-auth.allow-non-fqdn and network.negotiate-auth.allow-non-fqdn (respectively) to true.

Original Document Information

  • Author(s): Darin Fisher
  • Last Updated Date: December 27, 2005
  • Copyright Information: Portions of this content are © 1998–2007 by individual mozilla.org contributors; content available under a Creative Commons license | Details.

Meaning unless one is using the “Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) internet standard (RFC 2478)”, this setting is irrelevant.

I’m not sure at this point if a default should be provided, or omitted. I’ll investigate in time.

AutoLaunchProtocolsFromOrigins

Define a list of external protocols that can be used from listed origins without prompting the user. The origin is the scheme plus the hostname.

The syntax of this policy is exactly the same as the Chrome AutoLaunchProtocolsFromOrigins policy except that you can only use valid origins (not just hostnames). This also means that you cannot specify an asterisk for all origins.

The schema is:

{
 "items": {
  "properties": {
   "allowed_origins": {
    "items": {
     "type": "string"
    },
    "type": "array"
   },
   "protocol": {
    "type": "string"
   }
  },
  "required": [
   "protocol",
   "allowed_origins"
  ],
  "type": "object"
 },
 "type": "array"
}

{
  "policies": {
    "AutoLaunchProtocolsFromOrigins": [{
      "protocol": "zoommtg",
      "allowed_origins": [
        "https://somesite.zoom.us"
      ]
    }]
  }
}

:thinking:

I’ve got some thoughts on this, but I’m still developing them. At any rate, the primary way I see these being used online is to launch websites or applications for specific protocol prefixes. I’m fond of apt, but mostly see folks referring to steam. We’ll get there…

BackgroundAppUpdate

Enable or disable automatic application update in the background, when the application is not running.

If set to true, application updates may be installed (without user approval) in the background, even when the application is not running. The operating system might still require approval.

If set to false, the application will not try to install updates when the application is not running.

If you have disabled updates via DisableAppUpdate or disabled automatic updates via AppAutoUpdate, this policy has no effect.

Compatibility: Firefox 90 (Windows only)

{
  "policies": {
    "BackgroundAppUpdate": true | false
  }
}

So far I hadn’t been including “Compatibility”, presuming it was the earliest version of Firefox that supported a given policy, and any policy in the list would be current. However, this is a Windows-only policy. And because I don’t use Windows personally, I don’t know how it works.

What are the preferred ways to keep software updated in Windows?
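An added example, not part of the original posts or of Mozilla's documentation: a small Python linter for the policies covered so far. It flags update policies that the quoted docs say have no effect, and AutoLaunchProtocolsFromOrigins entries that break the schema or are not valid origins; the function names, the sample file and the choice to reject anything after the hostname are assumptions of this example.

```python
import json
from urllib.parse import urlsplit

# Boolean policies covered so far (plus DisableAppUpdate, which the docs reference).
BOOLEAN_POLICIES = (
    "AppAutoUpdate", "BackgroundAppUpdate", "DisableAppUpdate",
    "BlockAboutAddons", "BlockAboutConfig", "BlockAboutProfiles", "BlockAboutSupport",
)

# Constructed sample, not taken from any real deployment.
SAMPLE = """
{
  "policies": {
    "DisableAppUpdate": true,
    "AppAutoUpdate": true,
    "BackgroundAppUpdate": true,
    "BlockAboutConfig": "yes",
    "AutoLaunchProtocolsFromOrigins": [
      {"protocol": "zoommtg", "allowed_origins": ["https://somesite.zoom.us"]},
      {"protocol": "steam", "allowed_origins": ["*", "store.example.com"]},
      {"allowed_origins": ["https://example.com/launch"]}
    ]
  }
}
"""


def origin_problem(value):
    """Return None when value is scheme + hostname (optional port), else the reason."""
    if not isinstance(value, str):
        return "origin must be a string"
    if "*" in value:
        return "wildcards are not valid origins"
    try:
        parts = urlsplit(value)
        host = parts.hostname
    except ValueError:
        return "not parseable as a URL"
    if not parts.scheme or not host:
        return "needs a scheme and a hostname, not a bare hostname"
    # Assumption of this linter: anything past the host is treated as a mistake.
    if parts.path not in ("", "/") or parts.query or parts.fragment or "@" in parts.netloc:
        return "carries more than scheme and hostname"
    return None


def lint_policies(text):
    """Return a list of (location, message) findings for a policies.json document."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("<file>", f"not valid JSON: {exc.msg}")]
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return [("<file>", 'top-level "policies" object is missing')]

    findings = []
    for name in BOOLEAN_POLICIES:
        if name in policies and not isinstance(policies[name], bool):
            findings.append((name, "must be true or false"))

    # Precedence as stated in the AppAutoUpdate and BackgroundAppUpdate docs.
    updates_off = policies.get("DisableAppUpdate") is True
    auto_off = policies.get("AppAutoUpdate") is False
    if updates_off and "AppAutoUpdate" in policies:
        findings.append(("AppAutoUpdate", "no effect: DisableAppUpdate is true"))
    if "BackgroundAppUpdate" in policies and (updates_off or auto_off):
        cause = "DisableAppUpdate is true" if updates_off else "AppAutoUpdate is false"
        findings.append(("BackgroundAppUpdate", f"no effect: {cause}"))

    # Schema: array of objects with required "protocol" and "allowed_origins".
    rules = policies.get("AutoLaunchProtocolsFromOrigins", [])
    if not isinstance(rules, list):
        findings.append(("AutoLaunchProtocolsFromOrigins", "must be an array"))
        rules = []
    for i, rule in enumerate(rules):
        where = f"AutoLaunchProtocolsFromOrigins[{i}]"
        if not isinstance(rule, dict):
            findings.append((where, "must be an object"))
            continue
        if not isinstance(rule.get("protocol"), str):
            findings.append((where, 'required string "protocol" is missing'))
        origins = rule.get("allowed_origins")
        if not isinstance(origins, list):
            findings.append((where, 'required array "allowed_origins" is missing'))
            continue
        for j, origin in enumerate(origins):
            reason = origin_problem(origin)
            if reason:
                findings.append((f"{where}.allowed_origins[{j}]", reason))
    return findings


if __name__ == "__main__":
    for location, message in lint_policies(SAMPLE):
        print(f"{location}: {message}")
```

The `true | false` placeholders in the documentation templates are not JSON, so a file that still contains one is reported as invalid rather than linted.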

BlockAboutAddons

Block access to the Add-ons Manager (about:addons).

Compatibility: Firefox 60, Firefox ESR 60
CCK2 Equivalent: disableAddonsManager
Preferences Affected: N/A

{
  "policies": {
    "BlockAboutAddons": true | false
  }
}

This is accessed from the URL about:addons (I wonder if that link will work, I think they stopped rendering some time ago…).

Here’s what it looks like for me, today:

Interestingly, language packs are included…

For most policy deployments I think the use case excludes end-users managing addons, so this should be true, to block access.

Fortunately, there are ways to manage Extensions via policies, so we’ll address the use-cases and check how it actually works when we get there. I hope that shows a reasonable path to providing language support in a public lab scenario, as well as being able to configure some parts, as necessary.

BlockAboutConfig

Block access to about:config.

Compatibility: Firefox 60, Firefox ESR 60
CCK2 Equivalent: disableAboutConfig
Preferences Affected: N/A

{
  "policies": {
    "BlockAboutConfig": true | false
  }
}

When accessing about:config I get this cautionary message:

Proceed with Caution

Changing advanced configuration preferences can impact Firefox performance or security.

Warn me when I attempt to access these preferences

Accepting the risks exposes a settings registry for Firefox.

Basically, the ability to access config depends on whether the computer is public or private. For public computers it doesn’t make much sense to expose config; hopefully everything needing to be customized can be done with policies.json. :slight_smile:

For private computers, it makes sense to expose the config settings, so the user may configure their user-agent as desired.

BlockAboutProfiles

Block access to About Profiles (about:profiles).

Compatibility: Firefox 60, Firefox ESR 60
CCK2 Equivalent: disableAboutProfiles
Preferences Affected: N/A

{
  "policies": {
    "BlockAboutProfiles": true | false
  }
}

Going to about:profiles shows a management space for profiles:

This page helps you to manage your profiles. Each profile is a separate world which contains separate history, bookmarks, settings and add-ons.

Profiles seem handy for personal computers. Public computers likely benefit from blocking access.

For public computers, the ability to force resetting the profile when Firefox is closed would be handy. We’ll see if we stumble upon that policy.

BlockAboutSupport

Block access to Troubleshooting Information (about:support).

Compatibility: Firefox 60, Firefox ESR 60
CCK2 Equivalent: disableAboutSupport
Preferences Affected: N/A

{
  "policies": {
    "BlockAboutSupport": true | false
  }
}

Huh, this is interesting. Going to about:support shows a very long page, and Firefox will not take a screenshot of about: pages, apparently:

But as the button says, I may copy it:

Application Basics

Name Firefox
Version 95.0.2
Build ID 20211218203254
Distribution ID mozilla-flatpak
Update Channel release
User Agent Mozilla/5.0 (X11; Linux x86_64; rv:95.0) Gecko/20100101 Firefox/95.0
OS Linux 5.10.0-9-amd64 #1 SMP Debian 5.10.70-1 (2021-09-30)
OS Theme Adwaita / Adwaita
Multiprocess Windows 2/2
Fission Windows 2/2 Enabled by phased rollout
Remote Processes 7
Enterprise Policies Active
Google Location Service Key Found
Google Safebrowsing Key Found
Mozilla Location Service Key Found
Safe Mode false

Crash Reports for the Last 3 Days

Report ID Submitted

Firefox Features

Name Version ID
DoH Roll-Out 2.0.0 doh-rollout@mozilla.org
Firefox Screenshots 39.0.1 screenshots@mozilla.org
Form Autofill 1.0.1 formautofill@mozilla.org
Picture-In-Picture 1.0.0 pictureinpicture@mozilla.org
Proxy Failover 1.0.2 proxy-failover@mozilla.com
Reset Search Defaults 2.1.0 reset-search-defaults@mozilla.com
Web Compatibility Interventions 28.0.1buildid20211210.021657 webcompat@mozilla.org
WebCompat Reporter 1.4.2 webcompat-reporter@mozilla.org

Remote Features

bug-1690367-rollout-moving-webrtc-networking-functionality-into-i-release-87-100 active
bug-1693420-rollout-sponsored-top-sites-rollout-release-84-100 active
bug-1732206-rollout-fission-release-rollout-release-94-95 active

Remote Processes

Type Count
Privileged About 1
Extension 1
Isolated Web Content 2
Preallocated 3

Add-ons

Name Type Version Enabled ID
Add-ons Search Detection extension 2.0.0 true addons-search-detection@mozilla.com
Amazon.com extension 1.3 true amazondotcom@search.mozilla.org
Bing extension 1.3 true bing@search.mozilla.org
DuckDuckGo extension 1.1 true ddg@search.mozilla.org
eBay extension 1.3 true ebay@search.mozilla.org
Google extension 1.1 true google@search.mozilla.org
Wikipedia (en) extension 1.1 true wikipedia@search.mozilla.org
English (CA) Language Pack locale 95.0.2buildid20211218.203254 true langpack-en-CA@firefox.mozilla.org
English (GB) Language Pack locale 95.0.2buildid20211218.203254 true langpack-en-GB@firefox.mozilla.org

Graphics

Features
Compositing WebRender
Asynchronous Pan/Zoom wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled; smooth pinch-zoom enabled
WebGL 1 Driver Renderer Intel – Mesa Intel(R) UHD Graphics (CML GT2)
WebGL 1 Driver Version 4.6 (Compatibility Profile) Mesa 21.3.1 (git-9da08702b0)
WebGL 2 Driver Renderer Intel – Mesa Intel(R) UHD Graphics (CML GT2)
WebGL 2 Driver Version 4.6 (Core Profile) Mesa 21.3.1 (git-9da08702b0)
GL_NV_fragment_shader_interlock GL_NV_packed_depth_stencil GL_NV_texture_barrier GL_OES_EGL_image GL_S3_s3tc
WebGL 2 Extensions EXT_color_buffer_float EXT_float_blend EXT_texture_compression_bptc EXT_texture_compression_rgtc EXT_texture_filter_anisotropic MOZ_debug OES_texture_float_linear WEBGL_compressed_texture_astc WEBGL_compressed_texture_etc WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context
Window Protocol xwayland
Desktop Environment gnome
Target Frame Rate 60
GPU #1
Active Yes
Description Mesa Intel(R) UHD Graphics (CML GT2)
Vendor ID 0x8086
Device ID 0x9bca
Driver Vendor mesa/iris
Driver Version 21.3.1.0
RAM 0
GPU #2
Diagnostics
AzureCanvasBackend skia
AzureContentBackend skia
AzureFallbackCanvasBackend skia
CMSOutputProfile Empty profile data
Display0 1920x1080 default
DisplayCount 1
Decision Log
HW_COMPOSITING available by default
OPENGL_COMPOSITING available by default
WEBRENDER available by default
WEBRENDER_QUALIFIED available by default
WEBRENDER_COMPOSITOR disabled by default: Disabled by default
blocklisted by env: Blocklisted by gfxInfo
WEBRENDER_PARTIAL available by default
WEBRENDER_SHADER_CACHE disabled by default: Disabled by default
WEBRENDER_OPTIMIZED_SHADERS available by default
WEBRENDER_ANGLE available by default
unavailable by env: OS not supported
WEBRENDER_DCOMP_PRESENT available by default
disabled by user: User disabled via pref
unavailable by env: Requires Windows 10 or later
unavailable by runtime: Requires ANGLE
WEBRENDER_SOFTWARE available by default
WEBGPU disabled by default: Disabled by default
blocked by runtime: WebGPU can only be enabled in nightly
X11_EGL available by default
DMABUF available by default
Crash Guard Disabled Features
Workarounds
Failure Log

Media

Audio Backend pulse-rust
Max Channels 2
Preferred Sample Rate 44100
Roundtrip latency (standard deviation) 50.34ms (4.55)
Output Devices
Name Group Vendor State Preferred Format Channels Rate Latency
Built-in Audio Analog Stereo /devices/pci0000:00/0000:00:1f.3/sound/card0 Intel Corporation Enabled All default: S16LE, support: S16LE S16BE F32LE F32BE 2 default: 44100, support: 1 - 384000 0 - 0
Input Devices
Name Group Vendor State Preferred Format Channels Rate Latency
Monitor of Built-in Audio Analog Stereo /devices/pci0000:00/0000:00:1f.3/sound/card0 Intel Corporation Enabled None default: S16LE, support: S16LE S16BE F32LE F32BE 2 default: 44100, support: 1 - 384000 0 - 0
Built-in Audio Analog Stereo /devices/pci0000:00/0000:00:1f.3/sound/card0 Intel Corporation Enabled All default: S16LE, support: S16LE S16BE F32LE F32BE 2 default: 44100, support: 1 - 384000 0 - 0
Media Capabilities
Enumerate database

Environment Variables

DISPLAY :99.0
MOZ_ASSUME_USER_NS 0
MOZ_CRASHREPORTER_EVENTS_DIRECTORY /home/maiki/.mozilla/firefox/0ffjft3w.default-release/crashes/events
MOZ_CRASHREPORTER_RESTART_ARG_0 /app/lib/firefox/firefox
MOZ_CRASHREPORTER_RESTART_ARG_1
MOZ_CRASHREPORTER_DATA_DIRECTORY /home/maiki/.mozilla/firefox/Crash Reports
MOZ_CRASHREPORTER_PING_DIRECTORY /home/maiki/.mozilla/firefox/Pending Pings
MOZ_CRASHREPORTER_STRINGS_OVERRIDE /app/lib/firefox/browser/crashreporter-override.ini
MOZ_LAUNCHED_CHILD
MOZ_APP_SILENT_START
XRE_PROFILE_PATH
XRE_PROFILE_LOCAL_PATH
XRE_START_OFFLINE
XRE_BINARY_PATH
XRE_RESTARTED_BY_PROFILE_MANAGER

Experimental Features

about:home startup cache (browser.startup.homepage.abouthome_cache.enabled) false
Cookies: SameSite=Lax by default (network.cookie.sameSite.laxByDefault) false
Cookies: SameSite=None requires secure attribute (network.cookie.sameSite.noneRequiresSecure) false
Cookies: Schemeful SameSite (network.cookie.sameSite.schemeful) false
CSS: Cascade Layers (layout.css.cascade-layers.enabled) false
CSS: Constructable Stylesheets (layout.css.constructable-stylesheets.enabled) false
CSS: Masonry Layout (layout.css.grid-template-masonry-value.enabled) false
Developer Tools: Compatibility Panel (devtools.inspector.compatibility.enabled) false
Developer Tools: Execution Context Selector (devtools.webconsole.input.context) false
Developer Tools: Service Worker debugging (devtools.debugger.features.windowless-service-workers) false
Fission (Site Isolation) (fission.autostart) true
Media: JPEG XL (image.jxl.enabled) false
Multiple Picture-in-Picture Support (media.videocontrols.picture-in-picture.allow-multiple) true
Address Bar: show results during IME composition (browser.urlbar.keepPanelOpenDuringImeComposition) false
Web API: WebGPU (dom.webgpu.enabled) false
WebRTC Global Mute Toggles (privacy.webrtc.globalMuteToggles) false
Win32k Lockdown (security.sandbox.content.win32k-disable) false

Remote Experiments

Important Modified Preferences

accessibility.typeaheadfind.flashBar 0
browser.contentblocking.category strict
browser.search.region US
browser.search.suggest.enabled false
browser.sessionstore.upgradeBackup.latestBuildID 20211218203254
browser.startup.homepage about:blank
browser.startup.homepage_override.buildID 20211218203254
browser.startup.homepage_override.mstone 95.0.2
browser.urlbar.placeholderName DuckDuckGo
browser.urlbar.placeholderName.private DuckDuckGo
browser.urlbar.quicksuggest.migrationVersion 1
browser.urlbar.quicksuggest.scenario offline
browser.urlbar.resultGroups {“children”:[{“maxResultCount”:1,“children”:[{“group”:“heuristicTest”},{“group”:“heuristicExtension”},{“group”:"heuristi
browser.urlbar.tabToSearch.onboard.interactionsLeft 1
doh-rollout.balrog-migration-done true
doh-rollout.doneFirstRun true
doh-rollout.home-region US
doh-rollout.skipHeuristicsCheck true
dom.forms.autocomplete.formautofill true
dom.push.userAgentID e648a471b4c94354b366651f3cafa36d
dom.security.https_only_mode true
dom.security.https_only_mode_ever_enabled true
extensions.formautofill.creditCards.enabled false
extensions.formautofill.creditCards.used 2
extensions.lastAppVersion 95.0.2
idle.lastDailyNotification 1640979290
media.gmp-gmpopenh264.abi x86_64-gcc3
media.gmp-gmpopenh264.lastUpdate 1630427837
media.gmp-gmpopenh264.version 1.8.1.1
media.gmp-manager.buildID 20211218203254
media.gmp-manager.lastCheck 1641089544
media.gmp.storage.version.observed 1
network.cookie.cookieBehavior 5
network.http.referer.disallowCrossSiteRelaxingDefault true
network.trr.blocklist_cleanup_done true
places.database.lastMaintenance 1640476875
privacy.annotate_channels.strict_list.enabled true
privacy.donottrackheader.enabled true
privacy.partition.network_state.ocsp_cache true
privacy.purge_trackers.date_in_cookie_database 0
privacy.purge_trackers.last_purge 1640979291230
privacy.sanitize.pending [{“id”:“newtab-container”,“itemsToClear”:[],“options”:{}}]
privacy.trackingprotection.enabled true
privacy.trackingprotection.socialtracking.enabled true
security.remote_settings.crlite_filters.checked 1641092679
security.remote_settings.intermediates.checked 1641092679
security.sandbox.content.tempDirSuffix e8baf55a-8a5f-4b03-9e1b-459c937cb388
services.sync.declinedEngines
services.sync.engine.addresses.available true
signon.rememberSignons false
storage.vacuum.last.index 1
storage.vacuum.last.places.sqlite 1638391774

Important Locked Preferences

fission.autostart.session true

Places Database

Accessibility

Activated false
Prevent Accessibility 0

Library Versions

Expected minimum version Version in use
NSPR 4.32 4.32
NSS 3.72.1 3.72.1
NSSSMIME 3.72.1 3.72.1
NSSSSL 3.72.1 3.72.1
NSSUTIL 3.72.1 3.72.1

Edit: I had to truncate the data copied to fit in the 32,000 character limit in Discourse; it’s all fairly boring, though. :slight_smile:

I haven’t read through each thing, but I don’t think there is any personal information included. I’ll continue to investigate, but I think that all users of Firefox benefit from having access to this page. :thinking:

Bookmarks

Note: ManagedBookmarks is the new recommended way to add bookmarks. This policy will continue to be supported.

Add bookmarks in either the bookmarks toolbar or menu. Only Title and URL are required. If Placement is not specified, the bookmark will be placed on the toolbar. If Folder is specified, it is automatically created and bookmarks with the same folder name are grouped together.

If you want to clear all bookmarks set with this policy, you can set the value to an empty array ([]). This can be done on Windows via the new Bookmarks (JSON) policy available with GPO and Intune.

Compatibility: Firefox 60, Firefox ESR 60
CCK2 Equivalent: bookmarks.toolbar,bookmarks.menu
Preferences Affected: N/A

{
  "policies": {
    "Bookmarks": [
      {
        "Title": "Example",
        "URL": "https://example.com",
        "Favicon": "https://example.com/favicon.ico",
        "Placement": "toolbar" | "menu",
        "Folder": "FolderName"
      }
    ]
  }
}

We’ll check ManagedBookmarks (when we get there) and see how it works. :slight_smile:

CaptivePortal

Enable or disable the detection of captive portals.

Compatibility: Firefox 67, Firefox ESR 60.7
CCK2 Equivalent: N/A
Preferences Affected: network.captive-portal-service.enabled

{
  "policies": {
    "CaptivePortal": true | false
  }
}

These are pages used to log in to networks, such as for using a wireless network at a public library.

I’m not sure about this setting; it’s about the detection of captive portals. Reasons to keep it on are for users to easily get online on various networks that require captive portals for access. Reasons to not detect them might be so a pre-configured connection is set up, and the user ought to not be notified of potential networks the device is connecting to…

I’m not sure! Why would we turn off captive portal detection?

There are two sections for Certificates, one for ImportEnterpriseRoots and one for Install.

Certificates | ImportEnterpriseRoots

Trust certificates that have been added to the operating system certificate store by a user or administrator.

Note: This policy only works on Windows and macOS. For Linux discussion, see bug 1600509.

See Setting Up Certificate Authorities (CAs) in Firefox | Firefox for Enterprise Help for more detail.

Compatibility: Firefox 60, Firefox ESR 60 (macOS support in Firefox 63, Firefox ESR 68)
CCK2 Equivalent: N/A
Preferences Affected: security.enterprise_roots.enabled

{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true | false
    }
  }
}

I read the bug reports, and the idea for Linux is to read the system CA store, or install and link your own…

Certificates | Install

Install certificates into the Firefox certificate store. If only a filename is specified, Firefox searches for the file in the following locations:

Windows
    %USERPROFILE%\AppData\Local\Mozilla\Certificates
    %USERPROFILE%\AppData\Roaming\Mozilla\Certificates
macOS
    /Library/Application Support/Mozilla/Certificates
    ~/Library/Application Support/Mozilla/Certificates
Linux
    /usr/lib/mozilla/certificates
    /usr/lib64/mozilla/certificates
    ~/.mozilla/certificates

Starting with Firefox 65, Firefox 60.5 ESR, a fully qualified path can be used, including UNC paths. You should use the native path style for your operating system. We do not support using %USERPROFILE% or other environment variables on Windows.

If you are specifying the path in the policies.json file on Windows, you need to escape your backslashes (\) which means that for UNC paths, you need to escape both (\\). If you use group policy, you only need one backslash.

Certificates are installed using the trust string CT,CT,.

Binary (DER) and ASCII (PEM) certificates are both supported.

Compatibility: Firefox 64, Firefox ESR 64
CCK2 Equivalent: certs.ca
Preferences Affected: N/A

{
  "policies": {
    "Certificates": {
      "Install": ["cert1.der", "/home/username/cert2.pem"]
    }
  }
}

Okay, so installing certificates this way is useful for some cases, but I can’t think of any at the moment. I mean, practically. I don’t know of a public lab or personal user that wants to install certificates. So we’ll say for now: useful if needed.

Cookies

Configure cookie preferences.

Allow is a list of origins (not domains) where cookies are always allowed. You must include http or https.

AllowSession is a list of origins (not domains) where cookies are only allowed for the current session. You must include http or https.

Block is a list of origins (not domains) where cookies are always blocked. You must include http or https.

Behavior sets the default behavior for cookies based on the values below.

BehaviorPrivateBrowsing sets the default behavior for cookies in private browsing based on the values below.

Value Description
accept Accept all cookies
reject-foreign Reject third party cookies
reject Reject all cookies
limit-foreign Reject third party cookies for sites you haven’t visited
reject-tracker Reject cookies for known trackers (default)
reject-tracker-and-partition-foreign Reject cookies for known trackers and partition third-party cookies (Total Cookie Protection) (default for private browsing)

Default (Deprecated) determines whether cookies are accepted at all.

AcceptThirdParty (Deprecated) determines how third-party cookies are handled.

ExpireAtSessionEnd determines when cookies expire.

RejectTracker (Deprecated) only rejects cookies for trackers.

Locked prevents the user from changing cookie preferences.

Compatibility: Firefox 60, Firefox ESR 60 (RejectTracker added in Firefox 63, AllowSession added in Firefox 79/78.1, Behavior added in Firefox 95/91.4)
CCK2 Equivalent: N/A
Preferences Affected: network.cookie.cookieBehavior, network.cookie.cookieBehavior.pbmode, network.cookie.lifetimePolicy

{
  "policies": {
    "Cookies": {
      "Allow": ["http://example.org/"],
      "AllowSession": ["http://example.edu/"],
      "Block": ["http://example.edu/"],
      "Default": true | false,
      "AcceptThirdParty": "always" | "never" | "from-visited",
      "ExpireAtSessionEnd": true | false,
      "RejectTracker": true | false,
      "Locked": true | false,
      "Behavior": "accept" | "reject-foreign" | "reject" | "limit-foreign" | "reject-tracker" | "reject-tracker-and-partition-foreign",
      "BehaviorPrivateBrowsing": "accept" | "reject-foreign" | "reject" | "limit-foreign" | "reject-tracker" | "reject-tracker-and-partition-foreign"
    }
  }
}

Okay, now we’re talking! We’re definitely going to mess with cookies policies, for everyone. And because there are so many options, we’ll return to this and dive into each of those settings, with explanations for different profiles.

I know right now, my personal cookies settings are going to be very restrictive, probably more so than most folks are used to. On the other hand, I don’t suffer foolish websites. :slight_smile:
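As an added example (not from the Mozilla documentation or the original post), this Python script lints a policies.json against the rules quoted above for Cookies and for Certificates | Install: origins need http or https, Behavior values come from the table, deprecated keys are reported, and Windows certificate paths may not use environment variables or unescaped backslashes. The names lint_policies, origin_of and SAMPLE are hypothetical, the sample is constructed, and flagging an origin that is both allowed and blocked is an assumption, since the page does not say which entry wins.

```python
import json
import re
from urllib.parse import urlsplit

COOKIE_BEHAVIORS = {  # values from the Behavior table on this page
    "accept", "reject-foreign", "reject", "limit-foreign",
    "reject-tracker", "reject-tracker-and-partition-foreign",
}
DEPRECATED = ("Default", "AcceptThirdParty", "RejectTracker")  # marked (Deprecated) above
ENV_VAR = re.compile(r"%\w+%")  # e.g. %USERPROFILE%


def origin_of(value):
    """Return (scheme, host[:port]) for an http(s) origin, else None."""
    parts = urlsplit(value)
    ok = parts.scheme in ("http", "https") and parts.netloc
    return (parts.scheme, parts.netloc.lower()) if ok else None


def lint_policies(text):
    """Lint the Cookies and Certificates.Install policies; return findings."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Also catches docs notation pasted verbatim, such as `true | false`.
        return [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return ['top-level "policies" object is missing']

    findings = []
    cookies = policies.get("Cookies", {})
    seen = {}  # origin -> list names it appears in
    for key in ("Allow", "AllowSession", "Block"):
        for value in cookies.get(key, []):
            origin = origin_of(value)
            if origin is None:
                findings.append(f"Cookies.{key}: {value!r} is not an http(s) origin")
            else:
                seen.setdefault(origin, []).append(key)
    for origin, keys in seen.items():
        if "Block" in keys and len(keys) > 1:  # assumption: treat as a conflict
            findings.append(f"Cookies: {origin[0]}://{origin[1]} is in {' and '.join(keys)}")
    for key in ("Behavior", "BehaviorPrivateBrowsing"):
        if key in cookies and cookies[key] not in COOKIE_BEHAVIORS:
            findings.append(f"Cookies.{key}: unknown value {cookies[key]!r}")
    findings += [f"Cookies.{k}: deprecated key" for k in DEPRECATED if k in cookies]

    for path in policies.get("Certificates", {}).get("Install", []):
        if ENV_VAR.search(path):
            findings.append(f"Certificates.Install: {path!r} uses an environment variable")
        if any(ord(ch) < 0x20 for ch in path):
            # "\t" or "\r" decoded to a control character: the backslash was not escaped.
            findings.append(f"Certificates.Install: {path!r} has an unescaped backslash")
    return findings


# Constructed sample, not a real deployment.
SAMPLE = r'''{"policies": {
  "Certificates": {"Install": ["cert1.der", "%USERPROFILE%\\certs\\corp.pem",
                               "C:\temp\root.der"]},
  "Cookies": {"Allow": ["example.org"], "AllowSession": ["https://example.edu/"],
              "Block": ["https://example.edu/"], "RejectTracker": true,
              "Behavior": "reject-trackers"}}}'''

if __name__ == "__main__":
    print("\n".join(lint_policies(SAMPLE)))
```

The unescaped-backslash check works because JSON silently decodes `\t` and `\r` inside a path into control characters, while other stray backslashes fail to parse at all.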

DefaultDownloadDirectory

Set the default download directory.

You can use ${home} for the native home directory.

Compatibility: Firefox 68, Firefox ESR 68
CCK2 Equivalent: N/A
Preferences Affected: browser.download.dir, browser.download.folderList

policies.json (macOS and Linux)

{
  "policies": {
    "DefaultDownloadDirectory": "${home}/Downloads"
  }
}

policies.json (Windows)

{
  "policies": {
    "DefaultDownloadDirectory": "${home}\\Downloads"
  }
}

Note the different path separators by OS.

For public computers this is useful to set where files will download, such as the Desktop or a special user directory on a network mount.

For personal use I will definitely set this, but I’d prefer if Firefox followed XDG_DOWNLOAD_DIR, but that has never been my experience. Maybe I could try debugging that…

DisableAppUpdate

Turn off application updates within Firefox.

Compatibility: Firefox 60, Firefox ESR 60
CCK2 Equivalent: disableFirefoxUpdates
Preferences Affected: N/A

{
  "policies": {
    "DisableAppUpdate": true | false
  }
}

I believe there are a couple of other places updates are addressed in policies, so after I’ve gone through them all I’ll write up how they work together, and how they ought to be applied.

I personally install Firefox from Flatpak, which I think addresses a lot of issues for updates, and I’m interested in describing a potential public computer deployment strategy that takes a mutable OS and Flatpak approach. :slight_smile:

DisableBuiltinPDFViewer

Disable the built-in PDF viewer. PDF files are downloaded and sent externally.

Compatibility: Firefox 60, Firefox ESR 60
CCK2 Equivalent: disablePDFjs
Preferences Affected: pdfjs.disabled

{
  "policies": {
    "DisableBuiltinPDFViewer": true | false
  }
}

This is very interesting. I haven’t done research, but I imagine this is a useful feature, given how often organizations give people information in PDF. A decade ago all my clients wanted to know if we could turn on this functionality, for any user, rather than download a PDF directly…

For public computers I think there are select scenarios where one wants to disable and send externally; computers at print shops with specialized printer hardware, for instance.

For personal users I suppose it comes down to preference. I don’t view PDFs in the browser, but that’s because I’m used to selecting the context for all downloads…