--- Begin Message ---
Package: firefox-esr
Version: 52.2.0esr-1
Severity: normal
Hi.
Since the upgrade to 52, the order of tabs cannot be changed anymore
when the TabMixPlus extension is active.
Not sure if this is an issue in FF or TMP, though.
Cheers,
Chris.
-- Package-specific info:
-- Extensions information
Name: Adblock Plus
Location: /usr/share/xul-ext/adblock-plus
Package: xul-ext-adblock-plus
Status: enabled
Name: Application Update Service Helper
Location: ${PROFILE_EXTENSIONS}/aushel...@mozilla.org.xpi
Status: enabled
Name: Certificate Patrol
Location: /usr/share/xul-ext/certificatepatrol
Package: xul-ext-certificatepatrol
Status: user-disabled
Name: Classic Theme Restorer
Location: /usr/share/xul-ext/classic-theme-restorer
Package: xul-ext-classic-theme-restorer
Status: user-disabled
Name: Cookie Monster
Location: /usr/share/xul-ext/cookie-monster
Package: xul-ext-cookie-monster
Status: enabled
Name: Default theme
Location:
/usr/lib/firefox-esr/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}.xpi
Package: firefox-esr
Status: enabled
Name: DownThemAll!
Location: /usr/share/xul-ext/downthemall
Package: xul-ext-downthemall
Status: enabled
Name: Firebug
Location: /usr/share/xul-ext/firebug
Package: xul-ext-firebug
Status: user-disabled
Name: FirePath
Location: /usr/share/xul-ext/firexpath
Package: xul-ext-firexpath
Status: enabled
Name: Flashblock
Location: /usr/share/xul-ext/flashblock
Package: xul-ext-flashblock
Status: enabled
Name: FoxyProxy Standard
Location: /usr/share/xul-ext/foxyproxy-standard
Package: xul-ext-foxyproxy-standard
Status: enabled
Name: HTTPS Everywhere
Location: /usr/share/xul-ext/https-everywhere
Package: xul-ext-https-everywhere
Status: enabled
Name: Lightbeam
Location: /usr/share/xul-ext/lightbeam
Package: xul-ext-lightbeam
Status: enabled
Name: Live HTTP headers(Fixed By Danyial.com)
Location: /usr/share/xul-ext/livehttpheaders
Package: xul-ext-livehttpheaders
Status: enabled
Name: Multi-process staged rollout
Location: ${PROFILE_EXTENSIONS}/e10sroll...@mozilla.org.xpi
Status: enabled
Name: NoScript
Location: /usr/share/xul-ext/noscript
Package: xul-ext-noscript
Status: enabled
Name: Pocket
Location: ${PROFILE_EXTENSIONS}/fire...@getpocket.com.xpi
Status: enabled
Name: SearchLoad Options
Location: /usr/share/xul-ext/searchload-options
Package: xul-ext-searchload-options
Status: enabled
Name: Status-4-Evar
Location: /usr/share/xul-ext/status4evar
Package: xul-ext-status4evar
Status: enabled
Name: Tab Mix Plus
Location: /usr/share/xul-ext/tabmixplus
Package: xul-ext-tabmixplus
Status: enabled
Name: User Agent Switcher
Location: /usr/share/xul-ext/useragentswitcher
Package: xul-ext-useragentswitcher
Status: enabled
Name: Web Compat
Location: ${PROFILE_EXTENSIONS}/webcom...@mozilla.org.xpi
Status: enabled
Name: Web Developer
Location: /usr/share/xul-ext/webdeveloper
Package: xul-ext-webdeveloper
Status: enabled
Name: Y U no validate
Location: /usr/share/xul-ext/y-u-no-validate
Package: xul-ext-y-u-no-validate
Status: enabled
-- Plugins information
Name: Shockwave Flash
Location: /usr/lib/gnash/libgnashplugin.so
Package: browser-plugin-gnash
Status: enabled
-- Addons package information
ii browser-plugin 0.8.11~git20 amd64 GNU Shockwave Flash (SWF) player
ii firefox-esr 52.2.0esr-1 amd64 Mozilla Firefox web browser - Ext
ii xul-ext-adbloc 2.7.3+dfsg-1 all advertisement blocking extension
ii xul-ext-certif 2.0.14-5 all Certificate Monitor for Iceweasel
ii xul-ext-classi 1.5.9-1 all customize the new Firefox interfa
ii xul-ext-cookie 1.3.0.5-1 all manage cookies in a whitelist-bas
ii xul-ext-downth 3.0.7-1 all Firefox extension with advanced d
ii xul-ext-firebu 2.0.17-1 all web development plugin for Firefo
ii xul-ext-firexp 0.9.7.1-3 all extension for Firebug to edit, in
ii xul-ext-flashb 1.5.20-2 all Mozilla extension to block Adobe
ii xul-ext-foxypr 4.5.6-debian all advanced proxy management tool fo
ii xul-ext-https- 5.2.8-1 all extension to force the use of HTT
ii xul-ext-lightb 1.3.1+dfsg-1 all visualize sites that may be track
ii xul-ext-liveht 0.17.1-2 all add information about HTTP header
ii xul-ext-noscri 2.9.0.14-1 all permissions manager for Firefox
ii xul-ext-search 0.8.0-3 all tweak the searchbar's functionali
ii xul-ext-status 2016.10.11.0 all Status bar widgets and progress i
ii xul-ext-tabmix 0.5.0.1-1 all add dozens of new capabilities to
ii xul-ext-userag 0.7.3-3 all Firefox addon that allows the use
ii xul-ext-webdev 1.2.5+repack all web developer extension
ii xul-ext-y-u-no 2013052407-3 all browser extension to make securit
-- System Information:
Debian Release: 9.0
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages firefox-esr depends on:
ii debianutils 4.8.1.1
ii fontconfig 2.11.0-6.7+b1
ii libasound2 1.1.3-5
ii libatk1.0-0 2.22.0-1
ii libc6 2.24-11
ii libcairo-gobject2 1.14.8-1
ii libcairo2 1.14.8-1
ii libdbus-1-3 1.10.18-1
ii libdbus-glib-1-2 0.108-2
ii libevent-2.0-5 2.0.21-stable-3
ii libffi6 3.2.1-6
ii libfontconfig1 2.11.0-6.7+b1
ii libfreetype6 2.6.3-3.2
ii libgcc1 1:6.3.0-18
ii libgdk-pixbuf2.0-0 2.36.5-2
ii libglib2.0-0 2.50.3-2
ii libgtk-3-0 3.22.12-1
ii libgtk2.0-0 2.24.31-2
ii libhunspell-1.4-0 1.4.1-2+b2
ii libjsoncpp1 1.7.4-3
ii libpango-1.0-0 1.40.5-1
ii libsqlite3-0 3.16.2-5
ii libstartup-notification0 0.12-4+b2
ii libstdc++6 6.3.0-18
ii libvpx4 1.6.1-3
ii libx11-6 2:1.6.4-3
ii libx11-xcb1 2:1.6.4-3
ii libxcb-shm0 1.12-1
ii libxcb1 1.12-1
ii libxcomposite1 1:0.4.4-2
ii libxdamage1 1:1.1.4-2+b3
ii libxext6 2:1.3.3-1+b2
ii libxfixes3 1:5.0.3-1
ii libxrender1 1:0.9.10-1
ii libxt6 1:1.1.5-1
ii procps 2:3.3.12-3
ii zlib1g 1:1.2.8.dfsg-5
firefox-esr recommends no packages.
Versions of packages firefox-esr suggests:
ii fonts-lmodern 2.004.5-3
ii fonts-stix [otf-stix] 1.1.1-4
ii libcanberra0 0.30-3
ii libgssapi-krb5-2 1.15-1
pn mozplugger <none>
-- Configuration Files:
/etc/firefox-esr/firefox-esr.js changed:
// This is the Debian specific preferences file for Firefox
// You can make any change in here, it is the purpose of this file.
// You can, with this file and all files present in the
// /etc/firefox-esr directory, override any preference you can see in
// about:config.
//
// Note that lockPref is allowed in these preferences files if you
// don't want users to be able to override some preferences.
// Use LANG environment variable to choose locale
pref("intl.locale.matchOS", true);
// Disable default browser checking.
pref("browser.shell.checkDefaultBrowser", false);
// Avoid openh264 being downloaded.
pref("media.gmp-manager.url.override", "data:text/plain,");
// Disable openh264.
pref("media.gmp-gmpopenh264.enabled", false);
// Disable WideVine
pref("media.gmp-widevinecdm.enabled", false);
pref("media.gmp-widevinecdm.visible", false);
// Default to classic view for about:newtab
sticky_pref("browser.newtabpage.enhanced", false);
pref("media.gmp-provider.enabled", false);
pref("media.gmp-manager.certs.1.commonName", "invalid");
pref("media.gmp-manager.certs.1.issuerName",
"CN=scientia.net,O=scientia.net,C=DE");
pref("media.gmp-manager.certs.2.commonName", "invalid");
pref("media.gmp-manager.certs.2.issuerName",
"CN=scientia.net,O=scientia.net,C=DE");
pref("media.gmp-manager.url", "https://invalid.localhost/";);
pref("media.gmp-manager.cert.requireBuiltIn", true);
pref("media.fragmented-mp4.gmp.enabled", false);
pref("media.gmp.insecure.allow", false);
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", false);
pref("media.gmp-eme-adobe.enabled", false);
pref("browser.eme.ui.enabled", false);
pref("pdfjs.disabled", true);
pref("security.ssl.require_safe_negotiation", true);
pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
pref("security.tls.unrestricted_rc4_fallback", false);
pref("security.tls.insecure_fallback_hosts", "");
pref("security.tls.insecure_fallback_hosts.use_static_list", false);
pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
pref("security.ssl3.rsa_rc4_128_md5", false);
pref("security.ssl3.rsa_rc4_128_sha", false);
pref("security.ssl3.rsa_des_ede3_sha", false);
pref("security.OCSP.enabled", 1);
pref("security.OCSP.require", true);
pref("browser.send_pings", false);
pref("browser.send_pings.max_per_link", 0);
pref("browser.send_pings.require_same_host", true);
pref("media.peerconnection.enabled", false);
pref("media.peerconnection.video.enabled", false);
pref("media.navigator.enabled", false);
pref("media.navigator.permission.disabled", false);
pref("media.navigator.video.enabled", false);
pref("media.getusermedia.browser.enabled", false);
pref("media.getusermedia.audiocapture.enabled", false);
pref("media.getusermedia.screensharing.enabled", false);
pref("media.getusermedia.screensharing.allow_on_old_platforms", false);
pref("media.getusermedia.screensharing.allowed_domains", "invalid.localhost");
pref("media.webspeech.recognition.enable", false);
pref("dom.imagecapture.enabled", false);
pref("canvas.capturestream.enabled", false);
pref("loop.enabled", false);
pref("loop.textChat.enabled", false);
pref("offline-apps.allow_by_default", false);
pref("keyword.enabled", false);
//do not guess URIs
//
//Reason: Privacy, Security
// Guessing the URI may lead the user to a wrong host, which in turn
// could have effects on security.
// For example: Consider a host “software” is available in a safe VPN or
// intranet, where people download trusted software. If such
// an address is completed to for example “software.com”
// because “software” isn’t reachable, it may easily lead
// to a wrong and possibly malicious host.
pref("browser.fixup.alternate.enabled", false);
pref("browser.fixup.hide_user_pass", true);
pref("browser.fixup.alternate.suffix", ".invalid");
pref("experiments.enabled", false);
pref("experiments.supported", false);
pref("network.allow-experiments", false);
pref("extensions.getAddons.cache.enabled", false);
pref("security.mixed_content.block_active_content", false);
pref("security.mixed_content.block_display_content", false);
pref("plugins.click_to_play", true);
pref("dom.event.contextmenu.enabled", false);
pref("network.proxy.socks_remote_dns", true);
pref("app.update.auto", false);
pref("extensions.update.enabled", false);
pref("extensions.update.autoUpdateDefault", false);
pref("full-screen-api.allow-trusted-requests-only", true);
//disable “Pocket”
//
//Reason: Privacy, Security
// Pocket is an inherent privacy leak, security may be compromised for
// example by storing sensitive data in Pocket.
//Note: According to some reports, it may be necessary to additionally remove
// the Pocket icon from Firefox’ toolbars.
pref("browser.pocket.enabled", false);
//disable “Mozilla Pishing And Malware Protection” (which is actually mostly
//“Google Safe Browsing”)
//
//Reason: Privacy, Security
// This may send any visited URI (which includes any pre-fetched URIs) as
// well as meta-data (including hashsums) of any downloaded files to
// “Mozilla and/or its partners”.
// The actual security benefit seems to be disputed by many security
// experts.
//Note: While parts of this is configurable via Firfox’ preferences it seems
// that this “feature” cannot be fully disabled there.
//Note: Apparently there is/was a feature that just downloaded lists of
// suspicious sites/files and matched against these (which would be safe),
// but according two Mozilla’s own documentation this isn’t guaranteed and
// it actually seems that the options therefore have already changed their
// semantics over time. Therefore, it is disabled completely.
pref("browser.safebrowsing.enabled", false);
pref("browser.safebrowsing.malware.enabled", false);
pref("browser.safebrowsing.downloads.enabled", false);
pref("browser.safebrowsing.downloads.remote.enabled", false);
pref("browser.safebrowsing.phishing.enabled", false);
//try to render the “Social API” and social network integration disfunctional
//
//Reason: Privacy, Security
// It shouldn’t be necessary for social networks to have more
// functionality and control over the browser than “normal” websites,
// which makes this quite suspicious from a security and privacy point of
// view.
//Note: There once seemed to be options to “fully” disable this which where
// however dropped. This makes the whole “feature” even more suspicious.
pref("social.directories", "https://invalid.localhost/";);
pref("social.whitelist", "https://invalid.localhost/";);
pref("social.shareDirectory", "https://invalid.localhost/";);
pref("social.remote-install.enabled", false);
pref("social.share.activationPanelEnabled", false);
pref("social.toast-notifications.enabled", false);
//disable sensor probing
//
//Reason: Privacy, Security
// It's unclear what this actually exactly does as Mozilla doesn’t
// document it properly.
// However, no “sensor” (which could perhaps even include microphones or
// cameras) information should be read out by a browser.
pref("device.sensors.enabled", false);
//disable camera face detection
//
//Reason: Privacy
// It may be helpful to find and kill Jason Bourne (if he was using
// Firefox) but apart from that there is no reason why a browser should
// ever has access to a camera and thus no reason either why faces should
// be detected.
pref("camera.control.face_detection.enabled", false);
pref("datareporting.healthreport.service.enabled", false);
pref("datareporting.healthreport.uploadEnabled", false);
pref("datareporting.policy.dataSubmissionEnabled", false);
pref("datareporting.policy.dataSubmissionEnabled.v2", false);
pref("toolkit.telemetry.enabled", false);
pref("toolkit.telemetry.unified", false);
pref("toolkit.telemetry.unifiedIsOptIn", true);
pref("toolkit.telemetry.archive.enabled", false);
pref("toolkit.telemetry.server", "https://invalid.localhost/";);
pref("geo.wifi.logging.enabled", false);
pref("security.ssl.errorReporting.automatic", false);
pref("browser.newtabpage.directory.ping", "https://invalid.localhost/";);
pref("browser.newtabpage.directory.source", "https://invalid.localhost/";);
pref("browser.aboutHomeSnippets.updateUrl", "data:text/html,");
pref("extensions.webservice.discoverURL", "data:text/plain,disabled via the
option extensions.webservice.discoverURL");
pref("breakpad.reportURL", "https://invalid.localhost/";);
pref("browser.selfsupport.url", "https://invalid.localhost/";);
pref("media.autoplay.enabled", false);
pref("dom.event.clipboardevents.enabled", false);
pref("dom.battery.enabled", false);
//pref("", false);
//pref("", false);
//TODO:
//privacy.trackingprotection.enabled
//beacon.enabled
//datareporting.*
//security.xpconnect.plugin.unrestricted
//network.dns.get-ttl
//dom.keyboardevent.code.enabled
//browser.search.update
//geo.enabled
//geo.wifi.uri
//security.ssl.enable_false_start
//media.video_stats.enabled
//extensions.blocklist.enabled
//media.gmp.trial-create.enabled
//media.gmp-manager.cert.checkAttributes
//accelerometer.enabled
//signon.schemeUpgrades => das ist VERMUTLICH die option die kontrolliert, dass
ein HTTP Basic Auth password das für eine http url gespeichert wurde auch für
nen https login benutzt wird... aber evtl können wir das eh "on" lassen, da es
evtl. gar kein security problem ist
//sollen wir web assembly deaktivieren? Wenn ja sind das vermutlich relevante
settings
//javascript.options.wasm
//javascript.options.wasm_baselinejit
//network.dns.disablePrefetch
//network.prefetch-next
//network.http.speculative-parallel-limit=0
//network.dnsCacheExpiration
//network.dnsCacheExpirationGracePeriod
//network.http.sendRefererHeader
//network.http.referer.XOriginPolicy
//network.http.referer.spoofSource
//network.http.referer.trimmingPolicy
//pref("network.websocket.max-message-size", 1);
//dom.storage.enabled
//dom.storage.default_quota
//browser.search.suggest.enabled
//webgl.disabled
//webgl.disable-extensions
//security.tls.version.min
//browser.fixup.dns_first_for_single_words
//dom.allow_cut_copy => hidden property, erscheint nicht per default in
about:config obwohl sie da ist
//******************************************************************************
//*** User Settings ***
//******************************************************************************
pref("browser.cache.disk.enable", false);
pref("browser.cache.disk_cache_ssl", false);
pref("browser.urlbar.unifiedcomplete", false);
//configureable via Preferences
pref("privacy.donottrackheader.enabled", true);
//******************************************************************************
//*** Interesting ***
//******************************************************************************
//browser.zoom.siteSpecific
//not needed, because not active due to another setting
//security.ssl.errorReporting.enabled (because of:
security.ssl.errorReporting.automatic)
//******************************************************************************
//*** Locked Prefs ***
//******************************************************************************
// Es gibt wohl nen bug, dass ab dem ersten lock_pref alle anderen gesetzten
Prefs nicht mehr gelesen werden
lock_pref("app.update.enabled", false);
-- no debconf information
--- End Message ---
smime.p7s
