by tomrittervg 15 days ago
(n.b. I own these features in Firefox)

There are three levels of protection:

- ETP Standard (see [0] for the latest improvements we rolled out)

- ETP Strict (we're working on things in Bugs 2036879 specifically this issue, 2037260, and more generally 2036786)

- Resist Fingerprinting (RFP)

These levels are something akin to "Wash your hands after using the subway", "Wear a mask on the subway", and "Wear a level B hazmat suit on the subway".

"people already expect sites to break, so why holding back?" - because the breakage is so severe, and people _don't_ associate that breakage with the setting they made. There are bug reports all over the internet proving it, here are some examples [1-4]. The protections we deploy in ETP Standard and Strict are calibrated to provide as much protection as possible while keeping the internet usable, and we're working full-time on improving them.

[0] https://www.firefox.com/en-US/firefox/151.0/releasenotes/#no...
[1] https://old.reddit.com/r/firefox/comments/fy6l1z/youtube_bor...
[2] https://necromuralist.github.io/posts/mozilla-madness-resist...
[3] https://support.mozilla.org/en-US/questions/1212634
[4] https://support.mozilla.org/en-US/questions/1322787

2 comments

I see three:

- Standard

- Strict

- Custom

To me custom is something I define between Standard and Strict and not the next level after Strict. Strict already mentions that sites can break, so I'm pretty sure people associate the setting with breakage.

> Stronger protection, but may cause some sites or content to break.

Additionally, Strict says:

Firefox blocks the following:

- Social media trackers

- Cross-site cookies in all windows

- Tracking content in all windows

- Cryptominers

- Known and suspected fingerprinters

It's confusing if Known and suspected fingerprinters doesn't include resist fingerprinting. Resist fingerprinting isn't even an option in Custom, so how do ordinary users know where to set that option? You know, those users you say won't associate the Strict setting with breaking pages despite the fact that it clearly says so. Some kind of Schrödinger's user? Too dumb to understand the warning, but smart enough to know special settings?

You may avoid unnecessary bug reports that way but maybe only because users don't recognize that they are tracked per fingerprinting. It's not like websites would tell them.

Feels like Mozilla traded their time for my privacy.

first off, thank you for your service.

second, would it be possible to make RFP appear as an extension like uBO, where it suggests sites to allow-list, or hints that the page might be broken and asks if you want to disable RFP?

I'm more tech savvy than the average user, admittedly, but I've learned this pattern for uBO.

For a time RFP - by itself - could be enabled by web extensions. (It might still be possible, I don't recall if we removed it.) But it's a footgun because it became even easier for people to enable it by accident.

I can point you at a few things you could do if you wanted to pursue this:

1) We have a dev extension https://github.com/mozilla-extensions/fingerprinting-protect... that lets you enable/disable individual fingerprinting protections. We use it to debug why something is broken.

2) granularOverrides allows you to enable/disable individual protections for a given website.

If you wanted this, you could go read https://docs.google.com/document/d/1FywogzvkWupoUoz4PcCp9nNd... ; then make an extension that makes it easy to edit granular overrides (you couldn't directly set the preference, but you could produce the JSON you could copy/paste into the pref). You could do stuff with lists if you want. (Somewhere there was a FF fork that had a pretty impressive granularoverride list itself...) You'll be in this awkward spot where you don't have all the permissions to do what you want to do directly, but you can get yourself about.... 40 - 60% of the way there?

I would like to find a way to support power users while not making the problem worse (In https://ritter.vg/blog-telemetry.html I describe that the 'confused users think FF is broken' problem got so bad management wanted to just disable RFP entirely, but I was able to show that these users are a very vocal minority and the problem is not as bad as it seems) while also not giving myself a maintenance burden but... maybe there's a path forward where this dev extension - that can do things normal extensions can't - could potentially get more functionality...?
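
The "produce the JSON you could copy/paste into the pref" idea from the reply above, sketched as an added example that is not part of the thread and not Mozilla's code. It assumes the pref value is a JSON array of `{firstPartyDomain, overrides}` objects with `+Target`/`-Target` entries; that shape and the sample target names are assumptions to check against the linked document, and the function names are hypothetical.

```javascript
// Added example, not Mozilla's code. Assumed format (verify against the linked doc):
// a JSON array of { firstPartyDomain, overrides }, where overrides is a
// comma-separated list of "+Target" / "-Target" entries.
const TARGET_RE = /^[A-Za-z][A-Za-z0-9]*$/;

// Accept "https://Example.com/path" or "example.com"; return a lowercase hostname.
// The caller is expected to supply the registrable domain (no public suffix lookup here).
function normaliseSite(input) {
  const text = String(input).trim();
  const url = new URL(text.includes("://") ? text : `https://${text}`);
  if (!url.hostname.includes(".")) throw new Error(`not a domain: ${input}`);
  return url.hostname.toLowerCase();
}

// choices: [{ site, enable: [targets], disable: [targets] }]
function buildGranularOverrides(choices) {
  const bySite = new Map(); // domain -> Map(target -> "+" | "-")
  for (const { site, enable = [], disable = [] } of choices) {
    const domain = normaliseSite(site);
    const targets = bySite.get(domain) ?? new Map();
    bySite.set(domain, targets);
    for (const [sign, names] of [["+", enable], ["-", disable]]) {
      for (const name of names) {
        if (!TARGET_RE.test(name)) throw new Error(`bad target name: ${name}`);
        const previous = targets.get(name);
        if (previous && previous !== sign) {
          throw new Error(`${name} is both enabled and disabled for ${domain}`);
        }
        targets.set(name, sign);
      }
    }
  }
  const entries = [...bySite].filter(([, t]) => t.size > 0).map(([domain, targets]) => ({
    firstPartyDomain: domain,
    overrides: [...targets].map(([name, sign]) => sign + name).join(","),
  }));
  return JSON.stringify(entries);
}

// Constructed sample input; the target names are assumed, not a verified list.
const SAMPLE = [
  { site: "https://Video.example/watch", disable: ["CanvasRandomization"] },
  { site: "video.example", disable: ["JSDateTimeUTC"], enable: ["FontVisibilityLangPack"] },
];
console.log(buildGranularOverrides(SAMPLE));
```

Duplicate entries for one site are merged into a single object, and a target that is both enabled and disabled for the same site is rejected rather than silently resolved.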