HOWTO Disable HTML5 Video Autoplay in Firefox

media.autoplay.enabled = false [default true]

Does not work until Firefox 41:

  • 1242713 media.autoplay.enabled=false does not prevent videos on youtube to autostart; In Bugzilla of Mozilla; 2016-01-25→current; still open.
    tl;dr → describes Firefox 42, on Linux.
  • 659285 Extend media.autoplay.enabled to provide a way to disable untrusted play() invocations; In Bugzilla of Mozilla; 2011-04-24→2016-01-25; resolved as fixed.

Fetch API of HTML5


  • Fetch bodies are read “at most once.”
  • Fetch responses may use streams, some day.
    … to deliver data to the application “as it arrives.”
  • <quote cite=”ref“>Along with the transition to streams, Fetch will eventually have the ability to abort running fetch()es and some way to report the progress of a fetch. These are provided by XHR, but are a little tricky to fit in the Promise-based nature of the Fetch API.</quote>




Via: article

fetch("/data.json").then(function(res) {
  // res instanceof Response == true.
  if (res.ok) {
    res.json().then(function(data) {
      // The parsed JSON body is available here as `data`.
    });
  } else {
    console.log("Looks like the response wasn't perfect, got status", res.status);
  }
}, function(e) {
  // Network-level failure: the request never produced a response.
  console.log("Fetch failed!", e);
});

fetch("", {
  method: "POST",
  headers: {
    "Content-Type": "application/x-www-form-urlencoded"
  },
  body: "firstName=Nikhil&favColor=blue&password=easytoguess"
}).then(function(res) {
  if (res.ok) {
    alert("Perfect! Your settings are saved.");
  } else if (res.status == 401) {
    alert("Oops! You are not authorized.");
  }
}, function(e) {
  alert("Error submitting form!");
});

Opportunistic Encryption in Firefox 37

(Mozilla); Opportunistic Encryption For Firefox; In His Blog entitled Bits Up!; 2015-03-27.


  • Firefox 37
  • Opportunistic Encryption (OE)
  • HTTP/2
  • (response header) Alt-Svc: h2=":443" or spdy/3.1
  • Requirements
    • HTTP/2
    • <quote>OE is not available with HTTP/1 servers because that protocol does not carry the scheme as part of each transaction which is a necessary ingredient for the Alt-Svc approach.</quote>
  • Recipe
    1. <quote>Install a TLS based h2 or SPDY server on a separate port. 443 is a good choice :) . You can use a self-signed certificate if you like because OE is not authenticated.
    2. Add a response header Alt-Svc: h2=":443" or Alt-Svc: spdy/3.1=":443" if you are using a SPDY-enabled server like nginx.</quote>
  • draft-ietf-httpbis-alt-svc-04 HTTP Alternative Services; M. Nottingham (Akamai), P. McManus (Mozilla), J. Reschke (greenbytes); Internet Draft; IETF; 2014-10-27, expires: 2015-04-30.


From: draft-ietf-httpbis-alt-svc-04

9.4. Tracking Clients Using Alternative Services

   The Alt-Used header field (Section 5) provides a server with one
   additional bit of information that can be used to correlate requests.

   Clients concerned by the additional fingerprinting can choose to
   ignore alternative service advertisements.

   In a browser, any alternative service information MUST be removed
   when origin-specific data is cleared (for instance, when cookies are
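
Added example, not part of the post or the draft: a small client-side cache for Alt-Svc advertisements such as the recipe's h2=":443", including the Section 9.4 rule that the mapping goes away when origin data is cleared. The names parseAltSvc and AltSvcCache, the origin http://www.example.org and the 24-hour default lifetime are assumptions of this example.

```javascript
// Added example: parse Alt-Svc values and cache them per origin.
// Simplification: assumes no "," or ";" inside the quoted authority.
function parseAltSvc(value) {
  return value.split(",").map(function (entry) {
    const parts = entry.split(";").map(function (s) { return s.trim(); });
    // protocol-id="[host]:port", e.g. h2=":443" or spdy/3.1=":443"
    const m = /^([^=\s"]+)="([^"]*):(\d{1,5})"$/.exec(parts[0]);
    if (!m) throw new SyntaxError("malformed alternative: " + parts[0]);
    const alt = { protocol: m[1], host: m[2] || null, port: Number(m[3]), maxAge: null };
    parts.slice(1).forEach(function (p) {
      const kv = p.split("=");
      if (kv[0].trim() === "ma" && /^\d+$/.test((kv[1] || "").trim())) {
        alt.maxAge = Number(kv[1]);      // freshness lifetime in seconds
      }
    });
    return alt;
  });
}

class AltSvcCache {
  constructor(defaultMaxAge = 86400) {   // assumed default: 24 hours
    this.defaultMaxAge = defaultMaxAge;
    this.byOrigin = new Map();
  }
  // Record what `origin` advertised at time `now` (seconds).
  learn(origin, headerValue, now) {
    const originHost = new URL(origin).hostname;
    const fallback = this.defaultMaxAge;
    this.byOrigin.set(origin, parseAltSvc(headerValue).map(function (a) {
      return {
        protocol: a.protocol,
        host: a.host || originHost,      // empty host: same host, other port
        port: a.port,
        expires: now + (a.maxAge === null ? fallback : a.maxAge),
      };
    }));
  }
  // Alternatives that are still fresh at time `now`.
  lookup(origin, now) {
    return (this.byOrigin.get(origin) || []).filter(function (a) {
      return a.expires > now;
    });
  }
  // Section 9.4: remove the mapping when origin-specific data is cleared.
  clearOriginData(origin) {
    return this.byOrigin.delete(origin);
  }
}

// Constructed sample: the recipe's two header values for a made-up origin.
const demoCache = new AltSvcCache();
demoCache.learn("http://www.example.org", 'h2=":443"; ma=3600, spdy/3.1=":443"', 0);
console.log(demoCache.lookup("http://www.example.org", 60));
```

A client that keeps this mapping after cookies are cleared would keep contacting the same alternative, which is the correlation risk the section describes.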

Firefox Tiles







  • 290×180
  • 142×70 =

This preference can be set to anything that returns JSON; setting it to an empty JSON object will stop Tiles from showing and from fetching new Tiles. With the change below, a new user would only see empty Tiles and Firefox could no longer fetch new Tiles. =   data:application/json,{} =

This is the tile reporting interface back to the Mozilla mother ship. Changing or disabling this pref will prevent Firefox from being able to report metrics on Tiles. Setting this to nothing will disable the ping.

Other Preferences

about:config for the newtab cluster

Preference Name                    Status    Type     Value
browser.newtab.preload             default   boolean  true
browser.newtab.url                 default   string   about:newtab
browser.newtabpage.blocked         user set  string   …JSON blob…
browser.newtabpage.columns         default   integer  3
browser.newtabpage.enabled         default   boolean  true
browser.newtabpage.pinned          user set  string   …JSON blob…
browser.newtabpage.rows            default   integer  3
browser.newtabpage.storageVersion  default   integer  1



$ curl --location --verbose
* About to connect() to port 443 (#0)
*   Trying
* Connected to ( port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_DHE_RSA_WITH_AES_128_CBC_SHA
* Server certificate:
* 	subject: CN=*,O=Mozilla Foundation,L=Mountain View,ST=CA,C=US
* 	start date: Apr 08 00:00:00 2014 GMT
* 	expire date: Oct 26 12:00:00 2016 GMT
* 	common name: *
* 	issuer: CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US
> GET /v2/links/fetch/en-US HTTP/1.1
> User-Agent: curl/7.29.0
> Host:
> Accept: */*
< HTTP/1.1 303 SEE OTHER
< Content-Type: text/html; charset=utf-8
< Date: Thu, 26 Mar 2015 14:02:03 GMT
< Location:
< Content-Length: 405
< Connection: keep-alive
* Ignoring the response-body
* Connection #0 to host left intact
* Issue another request to this URL: ''
* About to connect() to port 443 (#1)
*   Trying
* Connected to ( port 443 (#1)
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA
* Server certificate:
* 	subject: CN=*,O=", Inc.",L=Seattle,ST=Washington,C=US
* 	start date: Feb 19 00:00:00 2015 GMT
* 	expire date: Oct 19 23:59:59 2015 GMT
* 	common name: *
* 	issuer: CN=VeriSign Class 3 Secure Server CA - G3,OU=Terms of use at (c)10,OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
> GET /desktop/US/en-US.eb4cb64172c72f108cbb2301b958ecf3c9895373.json HTTP/1.1
> User-Agent: curl/7.29.0
> Host:
> Accept: */*
< HTTP/1.1 200 OK
< Content-Type: application/json
< Content-Length: 3909
< Connection: keep-alive
< Date: Tue, 24 Mar 2015 17:43:48 GMT
< Content-Disposition: inline
< Cache-Control: public, max-age=31536000
< Last-Modified: Tue, 24 Mar 2015 00:30:12 GMT
< ETag: "a90166163cf89dd1e2d6c2591b18a988"
< Accept-Ranges: bytes
< Server: AmazonS3
< Age: 159496
< X-Cache: Hit from cloudfront
< Via: 1.1 (CloudFront)
< X-Amz-Cf-Id: ZjFMeI8aQEwExP2f9Xp4LFPW09Gqo87vJBW3BSue79xeYOHbTgi_nw==
{"en-US": [{"bgColor": "", "directoryId": 498, "enhancedImageURI": "", "imageURI": "", "title": "Mozilla Community", "type": "affiliate", "url": ""}, {"bgColor": "#ffffff", "directoryId": 499, "enhancedImageURI": "", "imageURI": "", "title": "Firefox for Android", "type": "affiliate", "url": ""}, {"bgColor": "", "directoryId": 701, "enhancedImageURI": "", "imageURI": "", "title": "TurboTax", "type": "sponsored", "url": ""}, {"bgColor": "", "directoryId": 500, "enhancedImageURI": "", "imageURI": "", "title": "Mozilla Manifesto", "type": "affiliate", "url": ""}, {"bgColor": "", "directoryId": 502, "enhancedImageURI": "", "imageURI": "", "title": "Customize Firefox", "type": "affiliate", "url": ""}, {"bgColor": "#fff", "directoryId": 690, "imageURI": "", "title": "Mozilla Developer Network", "type": "affiliate", "url": ""}, {"bgColor": "", "directoryId": 504, "enhancedImageURI": "", "imageURI": "", "title": "Firefox Marketplace", "type": "affiliate", "url": ""}, {"bgColor": "#3fb58e", "directoryId": 505, "enhancedImageURI": "", "imageURI": "", "title": "Mozilla Webmaker", "type": "affiliate", "url": ""}, {"bgColor": "", "directoryId": 506, "enhancedImageURI": "", "imageURI": "", "title": "Firefox Sync", "type": "affiliate", "url": ""}, {"bgColor": "", "directoryId": 507, "enhancedImageURI": "", "imageURI": "", "title": "Privacy Principles", "type": "affiliate", "url": ""}]}
 * Connection #1 to host left intact


 {"en-US": [{"bgColor": "",
   "directoryId": 498,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "Mozilla Community",
   "type": "affiliate",
   "url": ""},
  {"bgColor": "#ffffff",
   "directoryId": 499,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "Firefox for Android",
   "type": "affiliate",
   "url": ""},
  {"bgColor": "",
   "directoryId": 701,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "TurboTax",
   "type": "sponsored",
   "url": ""},
  {"bgColor": "",
   "directoryId": 500,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "Mozilla Manifesto",
   "type": "affiliate",
   "url": ""},
  {"bgColor": "",
   "directoryId": 502,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "Customize Firefox",
   "type": "affiliate",
   "url": ""},
  {"bgColor": "#fff",
   "directoryId": 690,
   "imageURI": "",
   "title": "Mozilla Developer Network",
   "type": "affiliate",
   "url": ""},
  {"bgColor": "",
   "directoryId": 504,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "Firefox Marketplace",
   "type": "affiliate",
   "url": ""},
  {"bgColor": "#3fb58e",
   "directoryId": 505,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "Mozilla Webmaker",
   "type": "affiliate",
   "url": ""},
  {"bgColor": "",
   "directoryId": 506,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "Firefox Sync",
   "type": "affiliate",
   "url": ""},
  {"bgColor": "",
   "directoryId": 507,
   "enhancedImageURI": "",
   "imageURI": "",
   "title": "Privacy Principles",
   "type": "affiliate",
   "url": ""}]}


bgColor  directoryId  title                      type       url  enhancedImageURI  imageURI
         498          Mozilla Community          affiliate
#ffffff  499          Firefox for Android        affiliate
         701          TurboTax                   sponsored
         500          Mozilla Manifesto          affiliate
         502          Customize Firefox          affiliate
#fff     690          Mozilla Developer Network  affiliate       (empty)
         504          Firefox Marketplace        affiliate
#3fb58e  505          Mozilla Webmaker           affiliate
         506          Firefox Sync               affiliate
         507          Privacy Principles         affiliate


Indeed there is an advertisement in there. It’s a native advertisement; perhaps you can spot it?


Google Mail “no longer supports” Thunderbird (or other IMAP clients)

Seems that at some point in there Google ceased to provide direct support for IMAP clients. Upon enrolling a new Thunderbird for Google mail, I failed to be able to set up the account. In my gmail stream I get the notice declaring that to allow Thunderbird, I have to accept the bargain that my account is no longer protected by modern security standards, whatever they may be.

Google’s Documentation

Application-Specific Password Required

Allowing less secure apps to access your account

My client isn’t accepting my username and password

Spamness for Thunderbird (requires a folder rebuild)

Spamness for Thunderbird: (sometimes) Does. Not. Work. But if it did, it would be great!

Seems to work on some folders, but not on others. Even with the folder rebuild. But, specifically, it isn’t working with inbox where it is needed the most (because after inbox you have, by definition, refiled the mail so you pretty much know whether it’s spam or not).


Recall that Thunderbird is consciously uncoupling from Mozilla (long live Thunderbird!).
c.f. Thunderbird Reorganizes at the 2014 Toronto Summit; In Their Blog; 2014-11-25.

Firefox blocks Flash v11.202.424 and prior because CVE-2014-9163 (APSB14-27)

Get Flash Player; Adobe


broken Linux and earlier APSB14-27
fixed flash-plugin- Download


  • APSB14-27 Security updates available for Adobe Flash Player


  • 1109795 Blocklist Flash versions vulnerable to CVE-2014-9163 ( and below, on linux)


  • CVE-2014-9163 Stack-based buffer overflow in Adobe Flash Player
    before and 14.x and 15.x before on Windows and OS X and before on Linux allows attackers to execute arbitrary code via unspecified vectors, as exploited in the wild in 2014-12.




Flashblock FlashControl
NoScript ScriptBlock, ScriptSafe NotScripts

$ sudo yum update -y flash-plugin
Loaded plugins: auto-update-debuginfo, langpacks, refresh-packagekit
Resolving Dependencies
--> Running transaction check
---> Package flash-plugin.x86_64 0: will be updated
---> Package flash-plugin.x86_64 0: will be an update
--> Finished Dependency Resolution

Dependencies Resolved

Package         Arch      Version                  Repository             Size
flash-plugin    x86_64     adobe-linux-x86_64    6.9 M

Transaction Summary
Upgrade  1 Package

Total download size: 6.9 M
Downloading packages:
No Presto metadata available for adobe-linux-x86_64
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating   : flash-plugin-                     1/2
Cleanup    : flash-plugin-                     2/2
Verifying  : flash-plugin-                     1/2
Verifying  : flash-plugin-                     2/2

flash-plugin.x86_64 0:


Pure URL for Firefox removes garbage like ‘utm_source’ from URLs

Pure URL for Firefox


More than the default settings (cut & paste this into the config settings in about:addons):

utm_cid, smprod, smid, it_source, wpmp_tp, utm_hp_ref, mod, tag, mbid, mtid, ncid, utm_cid, utm_source, utm_medium, utm_term, utm_content, utm_campaign, utm_reader, utm_place, ga_source, ga_medium, ga_term, ga_content, ga_campaign, ga_place, yclid, _openstat, fb_action_ids, fb_action_types, fb_ref, fb_source, action_object_map, action_type_map, action_ref_map
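
What removing these parameters amounts to, as an added example (not Pure URL's own code): the parameter names are the ones listed above, while the function name stripTrackingParams and the sample URL are assumptions of this example. It filters the raw query pairs rather than re-serialising them, so the parameters that stay keep their original encoding, and a percent-encoded name such as utm%5Fsource is still recognised.

```javascript
// Added example: strip the tracking parameters listed above from a URL.
// Names are taken from the list above; the sample URL at the end is constructed.
const TRACKING_PARAMS = new Set([
  "utm_cid", "smprod", "smid", "it_source", "wpmp_tp", "utm_hp_ref", "mod", "tag",
  "mbid", "mtid", "ncid", "utm_source", "utm_medium", "utm_term", "utm_content",
  "utm_campaign", "utm_reader", "utm_place", "ga_source", "ga_medium", "ga_term",
  "ga_content", "ga_campaign", "ga_place", "yclid", "_openstat", "fb_action_ids",
  "fb_action_types", "fb_ref", "fb_source", "action_object_map", "action_type_map",
  "action_ref_map",
]);

function stripTrackingParams(href, names = TRACKING_PARAMS) {
  const url = new URL(href);
  const kept = url.search.slice(1).split("&").filter(function (pair) {
    if (pair === "") return false;                 // drop empty "&&" segments
    const rawName = pair.split("=")[0].replace(/\+/g, " ");
    let name;
    try {
      name = decodeURIComponent(rawName);          // utm%5Fsource is still utm_source
    } catch (e) {
      return true;                                 // undecodable name: leave it alone
    }
    return !names.has(name);                       // exact, case-sensitive match
  });
  // Assigning the raw pairs back keeps the original encoding of what remains.
  url.search = kept.join("&");
  return url.href;
}

console.log(stripTrackingParams(
  "https://www.example.org/article?id=42&utm_source=feed&q=a%20b#top"));
```

Short names such as mod and tag are matched exactly, so they are also removed on sites that use them for something other than tracking.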

Click-to-Play in Mozilla’s Firefox


Via: backfill, backfill

, Mozilla Wiki

; In Mozilla Support

Lightbeam for Firefox



  • Visualizations
    1. Graph
    2. Clock
    3. List
  • Sharing
    • Data stored locally




Via: backfill


Mozilla Persona & Identity Bridges


  • Persona Identity Provider (IdP)
  • Persona Identity Bridge
    • OpenID
    • OAuth
  • Bridges
    • Identity Bridge for Yahoo! Mail.
    • Identity Bridge for Google Mail.
  • Mozilla Identity


You sign into a site with your email address, which is validated as true, correct & yours by the Persona rigging & redirecting.

  • Users can sign into sites with Persona, but the IdP can’t track which sites they sign into.
  • Users can sign into sites with Persona, but Yahoo! can’t track which sites they sign into.
  • Users can sign into sites with Persona, but Google can’t track which sites they sign into.
  • … you get the idea.


Question: Where’s your password?
Answer: held at your email provider


  • You trust your email provider as a holder of a master secret, with a trust level above all others.
  • If your email provider gives up your email password, your accounts are “open.”
  • In this eventuality, it’s unclear what your remedial actions can be.

Persona-enabled Websites


At Mozilla


Technical Details

Via backfill



Via: backfill



Install on Fedora / Korora and rpm-based distros (gnome/cinnamon); forum discussion; 2013-05-04 -> 2013-05-15.

Basic Fedora RPM Packaging; forum discussion; 2012-03-31 -> 2012-04-18.

  • Trial Packaging: nightingale-1.11.0-2.fc16.src.rpm
  • Summary of issues
    • Bundled libs
    • Downloading external dependencies during building
    • Downloading BINARY dependencies during building
    • No FHS compliant “make install” target.

Mozilla Firefox Social API in Firefox Facebook Messenger (and others)


Turn Off Facebook Service, Disable Facebook Service




  • Control Messages
  • Service Works
  • Ambient Notification Control
  • Active Notification Control
  • Page Marks (Recommendations)
  • Link Recommendation Control
  • Messages Sent to Widgets
  • from Firefox 23
    • Share (button)
    • Service Discovery


By Mozilla …


Ahem … surely there’s more of a following for Mozilla’s product offerings than one beat reporter over at AOL (TechCrunch).  But that’s not what the search engines are telling me…




Network Monitor in Firefox 23 & 24

Network Monitor, now in Firefox Beta; In Their Blog; 2013-06-27.
, and (Editor)


Open the tool:

  • menu: Tools => Web Developer => Network
  • keyboard: Ctrl + Alt + Q



Feels like:

  • Absent other clear direction for the evolution of the browser
  • They are “building at the factory” in the features of the popular addons:
    e.g. firebug.

Up next:

  • Request Policy, NoScript, Ghostery, Flash Block, Ad Block Plus, Calomel, Cert Watch, Conspiracy, Flagfox
  • (newer) Cookie Manager, Foundstone.


  • Collusion
  • about:trackers

Via: backfill

Mozilla Prospector is User Personalization Built Into the Browser

Prospector by Mozilla Labs


What is It?

  • Seems to be a concept, a vision.
  • A set of collaborations with publishing businesses.
  • A solicitation of feedback, a call for a vote of confidence in the vision.

Not yet

  • Running code
  • Released feature set
  • An experience
  • Not yet at the wireframe/screen shot stage.


  • Content preferences managed in the browser
  • Content targeting preferences communicated to web servers (e.g. advertisers)
  • Service destinations, e.g. Firefox Marketplace, could recommend based on declared interests.


  • <quote><snip/>we’ve begun testing this concept with volunteer participants<snip/>sharing their interests on their own terms in order to see personalized content, and the results are promising.</quote>
  • <quote>We think this type of offering could bring transparent, effective personalization to users all across the Web in ways we haven’t even thought of yet. What do you think <snip/>? </quote>




Via backfill, backfill, backfill and noted.

Dates for Phasing out MD5-based signatures and 1024-bit moduli | Mozilla

Mozilla; Dates for Phasing out MD5-based signatures and 1024-bit moduli; last updated 2012-09-12 (as seen 2013-01-21).

  • 2013-12-31 – Mozilla will disable or remove all root certificates with RSA key sizes smaller than 2048 bits.
  • Mozilla’s Root Change Process
  • NIST SP 800-57 Recommendation for Key Management; Part 1 (2012-07), Part 2 (2005-08), Part 3 (2009-12).
    • minimum key sizes recited inline
  • SP-800-131 DRAFT Recommendation for the Transitioning of Cryptographic Algorithms and Key Sizes SP-800-131A

Thunderbird stops displaying HTML email, maybe after an Enigmail update


  • You typed random characters at Thunderbird because you weren’t watching where the input focus was located
  • You know something has changed in Thunderbird, but you’re unclear what
  • You installed Enigmail
  • Email that you know is available in HTML no longer shows in formatted form
  • Email that contains embedded images does not display the images, just links to the images.


Menu View > Message body as > Original HTML