I've got a patch which I just put up for initial feedback, but thought I should discuss the approach here too.
It combines the allowlist-in-a-pref from Paul and the general approach of Gijs. Specifically:
- There's an "allowlist" which is stored in a preference, so can be changed by the user. However, this preference itself is not synced, so the user must make adjustments to this preference manually on each device.
- The blocklist is consulted first, and the allowlist next.
- The default for the allowlist is such that all preferences we set up to sync by default are allowed.
So what's in these lists?
- The blocklist has the allowlist preference, plus "browser.safebrowsing." and "browser.remote." - I added the latter because Gijs mentioned it in comment 2, although I couldn't find any "browser.remote." preferences?
Note also that this means removing the following preferences:
so not only are these prefs no longer synced by default, they simply cannot be synced. Some sites recommend setting these prefs to false for privacy reasons. However, I think it's easy to make a case that they should be blocklisted.
- While creating the allowlist I ended up deleting a few preferences which don't seem to be used these days, along with xpinstall.whitelist.required due to potential harm. These deletions are:
which results in the following allowlist:
which is a bit longer than ideal and what Gijs offered, but reducing it any further means also preventing the syncing of preferences which we sync by default now, which I'm a little reluctant to do without concrete harm being identified so we avoid annoying our users any more than we must. However, it's all obviously on the table for discussion.
Could also do with a follow-up that allows syncing privacy.resistFingerprinting.* to turn it on, but doesn't allow syncing to turn it off, though how we'd implement that, I dunno.
TBH I'm really not that bothered by that - it doesn't seem likely someone would attempt to use what we are fixing here simply to enable fingerprinting.
Note that there's a few synced-by-default things that I'm deliberately not including (some
xpinstall.whitelist.required, for one)
As above, I left the existing
security prefs, but didn't allowlist the entire
The patch is a little larger than it needs to be because I chose to console.warn() when there's a pref that would have been synced before this patch but no longer is - users who haven't enabled custom prefs will never see this warning and users who have might appreciate an indication of what's going on.
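The decision order described in the comment above (blocklist first, then the locally stored allowlist, with a warning for anything dropped), as an added sketch that is not code from the patch or from Firefox. The allowlist pref name, the comma-separated storage format, the trailing-dot prefix convention and all function names are assumptions made for illustration; sample pref names beginning with `example.` or ending in `.example` are constructed.

```javascript
// Added illustration, not Firefox code. Names here are hypothetical except
// the prefixes and xpinstall.whitelist.required, which are quoted from the comment.
const ALLOWLIST_PREF = "example.sync.allowlist"; // placeholder pref name

// Assumption: an entry ending in "." matches as a prefix, otherwise exactly.
const BLOCKLIST = [ALLOWLIST_PREF, "browser.safebrowsing.", "browser.remote."];

function matches(entry, pref) {
  return entry.endsWith(".") ? pref.startsWith(entry) : pref === entry;
}

// Assumption: the allowlist is stored as one comma-separated string pref.
function parseAllowlist(raw) {
  return String(raw || "").split(",").map(s => s.trim()).filter(Boolean);
}

// The blocklist is consulted first, so a blocked pref stays blocked even if
// a user (or anything else writing the local allowlist) lists it there.
function decide(pref, allowlist) {
  if (BLOCKLIST.some(e => matches(e, pref))) return "blocked";
  if (allowlist.some(e => matches(e, pref))) return "allowed";
  return "not-allowlisted";
}

// `requested` is the set of prefs the profile has flagged for syncing.
// Returns the prefs that may actually sync and warns about the rest.
function filterSyncedPrefs(requested, rawAllowlist, warn = console.warn) {
  const allowlist = parseAllowlist(rawAllowlist);
  const synced = [];
  for (const pref of requested) {
    const verdict = decide(pref, allowlist);
    if (verdict === "allowed") {
      synced.push(pref);
    } else {
      warn(`pref "${pref}" is flagged to sync but is ${verdict}; not syncing`);
    }
  }
  return synced;
}
```

Because the allowlist pref is itself on the blocklist, neither an outgoing nor an incoming record can carry it, which is what keeps the allowlist a per-device setting.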