horlogeskynet / thunderbird-user.js

Thunderbird privacy, security and anti-fingerprinting: a comprehensive user.js template for configuration and hardening

Home Page: https://github.com/arkenfox/user.js/issues/646

License: MIT License

JavaScript 100.00%
anti-fingerprinting arkenfox email ghacks privacy security thunderbird user-js

Contributors: dngray, horlogeskynet


thunderbird-user.js's Issues

Missing semicolons

Hey,
A few lines are missing an ending semicolon. I think the produced user.js remains incomplete because of this.

At least these have this issue:

user_pref("mail.instrumentation.postUrl", "")
user_pref("mail.instrumentation.askUser", false)
user_pref("mail.instrumentation.userOptedIn", false)

[RFC] misc. prefs

hello again :)

i have some comments/questions regarding various prefs...

sec. 2701 (ETP) is currently missing from user.js, however it seems there are several prefs that are set as if ETP were present

network.cookie.cookieBehavior - should this be uncommented and set to '2'? do other prefs in section 7016 need to be revisited also?

privacy.firstparty.isolate - same as above - shouldn't this be true until ETP arrives?

calendar.timezone.local - given the calendar is now integrated and essentially useless without a correct time, and guessing that a lot of people do/will use it, i think this should be set to default

mail.biff.alert.* - is there a reason (privacy-wise) to override user choice with these prefs?

"privacy.resistFingerprinting", true - this messes up dates/times and a few other things - given that TB is primarily a mail client, and ought to be used only for mail, and given calendar integration, i think this should be set to false

disabling acct. auto config repercussions

when acct. auto config is disabled, as it is in user.js, you can't create a new mail acct. because the 'advanced config' button is disabled in the wizard

the solution is to enable offline mode and then run the new acct. wizard

is there a way around this? because this could be a serious problem for users

[BUG] Can't download any attachment

Describe the bug

Hello!

/* 5002: disable memory cache
 * capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kibibytes ***/
user_pref("browser.cache.memory.enable", false);
user_pref("browser.cache.memory.capacity", 0);

Those 2 prefs prevent me from downloading any attachment; I have to comment them out.

Expected behavior
The thunderbird-user.js file shouldn't prevent me from downloading an attachment.

Environment

  • Thunderbird version used: at least from Thunderbird 91.2 up to 102.2.0
  • thunderbird user.js template version used: version 91.2; the problem remains using the Thunderbird 102 ESR version #24
  • Operating system and version: Arch Linux 5.19.6

Checklist

  • I can confirm the bug is due to thunderbird user.js template and not an overridden preference nor an add-on ;
  • I have searched for [SETUP-*] tags and read them up ;
  • I have searched the GitHub project (issues and Wiki) for my issue.

[RFC] What causes the "open link with..." dialog?

Problem

Clicking Links always results in a window, asking if I really want to open that link.
This is quite useless combined with cleaned HTML, as I won't click on any embedded image-links.

Can't find the entry

I checked
browser.link.open_newwindow", 3,
but switching it to "0" does not change the behavior. (is "3" a bug? Comment says "Thunderbird only supports 0")

what causes that popup, do you know that?

user.js and Thunderbird beta

Hi,
Not an issue, but a question. I see that the development of the user.js follows the ESR release calendar.
However, from experience (if any), how well does the user.js behave with beta versions of Thunderbird? Currently, and for another little while, ESR is 91.1, while beta is 10X (102 right now). This would be good to know before adopting the user.js.
Thanks!
Dem

candidate prefs for [SETUP *] tag

  • 0302a: disable auto-INSTALLING Firefox updates
  • 1223: enforce strict pinning (has warning tag, but there's no note in readme about warning tags)
  • 6001: Disable autoconfiguration
  • 6007: Address book collection
    • add setup tag, comment out, or leave as is?
  • 6105: Check spelling before sending
  • 6107: Send email in plaintext unless expressly overridden.
  • 6108: Downgrade email to plaintext by default
  • 6111: Prefer to view as plaintext or html
  • 6112: Inline attachments

Question: Browser component and cache

First of all, thanks for the effort to provide a user.js for Thunderbird.

The objective mentions that the browser components are disabled as much as possible. And while I can understand that a separation from the browser should be achieved here, I wonder what Thunderbird actually uses the browser functions for. Apart from calling the addon management, links are passed directly to the external browser, aren't they?

And the second question: What does Thunderbird use the browser.cache.x settings for? That doesn't pertain to caching or keeping emails ready, does it?

Q: mailnews.display.html_as and UI View message body as

before i dig into this, does anyone know offhand why none of the options in 'View -> Message Body As' are selected with this user.js?

according to my understanding, if you set mailnews.display.html_as to, for instance, '1', then the 'View -> Message Body As' option should be set to 'Plain Text', however none of the options are selected

the mailnews.display.html_as pref value seems to work fine, i'm just curious why the value isn't reflected in the UI option - there must be another pref at play here

[WIKI] extension changes

re: 4.1 Extensions

  • Lightning - no longer needed since calendar integration
  • Enigmail - no longer needed since PGP integration - i believe this is the case for Windows also???

Retaining exceptions for mail content on close

Hi,
Since I use TB for professional purposes, I have a professional signature that includes a logo that is pulled from my website. In TB's settings, I therefore go to Privacy & Security > Mail content (with the "allow..." checkbox unchecked) > Exception, and I add the relevant exception.
The problem is that this exception gets flushed on close. Since I cannot seem to find any pref directly relating to this, I get this is a consequence of sanitize on close.
Is there a way to keep those exceptions despite sanitizing on close? Most of what I find in the user.js seems to relate to cookies, etc., things for browsing from TB (web content), but not really mail content.
Any idea of what could help here?
Thanks!
Dem.

[RFC] Remove some unnecessary configs

Is your feature request related to a problem? Please describe.
There are some settings that are just plain unnecessary. I haven't gone through all of them, but having them in a user.js means they are forced and can't be changed.

List the concerned preferences

user_pref("mail.SpellCheckBeforeSend", true); //should be optional
user_pref("mail.html_compose", false); //can be changed in GUI, it's just a "no HTML killswitch" for paranoid people
user_pref("mail.default_send_format", 0); //defaults to plain text, only changes if you use formatting, best experience
user_pref("mail.inline_attachments", true); //where is the problem? In sanitized HTML no images are really shown anyways

Describe alternatives you've considered
changing these settings manually with sed

Checklist

  • I know thunderbird user.js is a template and personal preferences should be stored elsewhere ;
  • The change I want to propose should globally improve the usability / ( privacy + security + anti-fingerprinting ) ratio ;
  • I agree that subsequent modifications to my change scope may occur in the future.

broken link

README.md...

404: https://codeberg.org/12bytes.org/thunderbird-user.js-supplement
new: https://codeberg.org/12bytes/thunderbird-user.js-supplement

or you could link here which may be preferable...
https://12bytes.org/articles/tech/thunderbird-user-overrides-js-supplement-for-the-horlogeskynet-user-js/

[BUG] line 1115 missing comment close

  • date: 28 August 2021
  • version: v78.0

line 1115 missing comment close...

/* 2802: enable Thunderbird to clear items on shutdown (see 2803)

therefore 1116 is not read ( user_pref("privacy.sanitize.sanitizeOnShutdown", true); )
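
Both failure modes reported in the "Missing semicolons" and "line 1115 missing comment close" issues leave hardening prefs unapplied, and both can be caught by a lint pass before the template is deployed. The following is an added example, not code from the thunderbird-user.js project: `lintUserJs`, the finding kinds and the `SAMPLE` input are constructed for illustration, and it assumes the template never nests block comments, so a `/*` seen inside an open comment means the earlier one was left unclosed.

```javascript
// Added example, not part of thunderbird-user.js.

// Extract the preference name from a user_pref("name", value) call.
function prefName(s) {
  const m = /user_pref\s*\(\s*["']([^"']+)["']/.exec(s);
  return m ? m[1] : null;
}

// Scan a user.js text and report:
//   missing-semicolon    active user_pref(...) line that does not end in ");"
//   pref-inside-comment  user_pref line swallowed by a still-open /* comment
//   comment-reopened     "/*" found while a previous block comment is open
//   unterminated-comment block comment still open at end of file
function lintUserJs(text) {
  const findings = [];
  let inBlock = false;   // inside a /* ... */ comment
  let blockStart = null; // line on which the open comment started

  text.split(/\r?\n/).forEach((raw, idx) => {
    const line = idx + 1;
    const startedInBlock = inBlock;
    const openedAt = blockStart;
    let code = "";       // this line with comments stripped
    let quote = null;    // active string delimiter, so "https://" is not a comment

    for (let i = 0; i < raw.length; i++) {
      const two = raw.slice(i, i + 2);
      if (inBlock) {
        if (two === "*/") { inBlock = false; i++; }
        else if (two === "/*") {
          findings.push({ line, kind: "comment-reopened", pref: null, openedAt: blockStart });
        }
        continue;
      }
      if (quote) {
        code += raw[i];
        if (raw[i] === "\\") code += raw[++i] ?? "";
        else if (raw[i] === quote) quote = null;
        continue;
      }
      if (two === "//") break;
      if (two === "/*") { inBlock = true; blockStart = line; i++; continue; }
      if (raw[i] === '"' || raw[i] === "'") quote = raw[i];
      code += raw[i];
    }

    const active = code.trim();
    if (/^user_pref\s*\(/.test(active) && !/\)\s*;$/.test(active)) {
      findings.push({ line, kind: "missing-semicolon", pref: prefName(active), openedAt: null });
    }
    if (startedInBlock && /^\s*user_pref\s*\(/.test(raw)) {
      findings.push({ line, kind: "pref-inside-comment", pref: prefName(raw), openedAt });
    }
  });

  if (inBlock) {
    findings.push({ line: blockStart, kind: "unterminated-comment", pref: null, openedAt: blockStart });
  }
  return findings;
}

// Constructed sample reproducing both reports: an unclosed 2802 comment that
// hides the sanitizeOnShutdown pref, and two prefs without a semicolon.
const SAMPLE = [
  '/* 2802: enable Thunderbird to clear items on shutdown (see 2803)',
  'user_pref("privacy.sanitize.sanitizeOnShutdown", true);',
  '/* 2803: constructed follow-up comment ***/',
  'user_pref("mail.instrumentation.postUrl", "")',
  'user_pref("mail.instrumentation.askUser", false)',
  'user_pref("mail.instrumentation.userOptedIn", false); // terminated correctly',
  '// user_pref("dom.storage.enabled", false)',
  'user_pref("example.constructed.url", "https://example.invalid/a");',
].join("\n");

for (const f of lintUserJs(SAMPLE)) {
  const where = f.openedAt ? ` (comment opened on line ${f.openedAt})` : "";
  console.log(`line ${f.line}: ${f.kind}${f.pref ? " " + f.pref : ""}${where}`);
}
```

Inactive prefs commented out with `//` are ignored on purpose, so only prefs the template intends to apply are reported.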

new pref suggestions

re: t-bird v68

user_pref("beacon.enabled", false);  // whether to send additional analytics to web servers
user_pref("canvas.capturestream.enabled", false);  // whether to allow Canvas video capture
user_pref("dom.storage.enabled", false); //  whether to enable DOM storage
user_pref("general.useragent.compatMode.firefox", true);  // whether to limit sending extra user-agent data
user_pref("mail.cloud_files.enabled", false); // whether to enable cloud storage functionality - for storing large attachments in the cloud apparently
user_pref("messenger.startup.action", 0); // whether to enable chat on startup
user_pref("pref.privacy.disable_button.view_cookies", false);  // whether to disable the 'Show Cookies' button
user_pref("security.mixed_content.block_object_subrequest", true); // whether to block unencrypted requests from Flash on encrypted pages
user_pref("security.warn_entering_weak", true); // whether to warn when a website uses weak security
user_pref("security.warn_viewing_mixed", true); // whether to warn when a website contains both secure and insecure content

[BUG] Broken Toolbar on macOS

Describe the bug

The toolbar looks extremely weird on macOS after installing user.js

Expected behavior
The toolbar looks normal

Screenshots
Screen Shot 2022-04-18 at 12 45 55 AM

Environment

  • Thunderbird version used (X.Y.Z) : 91.8.0
  • thunderbird user.js template version used (X.Y or commit SHA) : 78.1
  • Operating system and version : macOS Monterey

Checklist

  • I can confirm the bug is due to thunderbird user.js template and not an overridden preference nor an add-on ;
  • I have searched for [SETUP-*] tags and read them up ;
  • I have searched the GitHub project (issues and Wiki) for my issue.

Few suggestions

Hi! Thank you for the great work! I would like to suggest a few changes:

  1. Add the following lines to remove Content-Language and Accept-Language headers - to improve privacy protection:
    user_pref("mail.suppress_content_language", true);
    user_pref("network.trr.send_accept-language_headers", false);

  2. Add the explanation to
    user_pref("privacy.resistFingerprinting", true);
    that if this property is set to true, the user-agent override will not work

  3. Add the explanation to
    user_pref("general.useragent.override", "");
    that empty value can break OAuth2 login to Microsoft Exchange

  4. Add the following line:
    user_pref("mail.compose.other.header", "header1,header2");
    This creates custom headers, whose values can be set in the compose window. Then they will be added to the headers of the sent message.

[BUG] Can't add Yahoo account to Thunderbird (OAuth2 + ReCaptcha)

Hello,

Describe the bug
Not really a bug I guess, but I would like to add a Yahoo account to a Thunderbird profile with thunderbird-user.js & user.js-overrides from 12bytes.org.

After configuration of the account in TB, a webpage pops up displaying Yahoo's login screen (OAuth2). It first asks for the email address (pre-filled field), then I click "Next" and it displays the following error message within the page "Oops, something went wrong".

The URL of this page is of the following format (portions with braces are actually replacing some tokens in original URL): https://login.yahoo.net/account/challenge/recaptcha/recaptcha-script?src=oauth&client_id={clientIDToken}--&redirect_uri=http%3A%2F%2Flocalhost&done=https%3A%2F%2Fapi.login.yahoo.com%2Foauth2%2Fauthorize%3F.scrumb%3D0%26client_id%3D{clientIDToken}--%26redirect_uri%3Dhttp%253A%252F%252Flocalhost%26response_type%3Dcode%26scope%3Dmail-w&sessionIndex=QQ--&acrumb={smallToken}&display=login&authMechanism=primary&lang=en-US&siteKey={siteKeyToken}&recaptchaLang=en&recaptchaDomain=www.google.com

It looks like a ReCaptcha issue, also I've tried what is advised at the top of this thread :

privacy.resistFingerprinting - false
privacy.firstparty.isolate.restrict_opener_access - false
privacy.firstparty.isolate - false
dom.targetBlankNoOpener.enabled - false
dom.webaudio.enabled - true
and google.com/recaptcha & gstatic.com/recaptcha 3rd party stuff whitelisted in extensions
also google likes 3rd party cookies for their services to run
also don't mess with windows.name (script, CanvasBlocker: whitelist it)

More precisely I set the 5 first prefs as indicated, and authorized all cookies (not sure what are extensions' whitelist and window.name referring to). But no success.

Environment

  • Thunderbird version used (X.Y.Z) : 102.7.1
  • thunderbird user.js template version used (X.Y or commit SHA) : 102.1
  • Operating system and version : Linux Mint 21

Additional context
This happens on a freshly created TB profile with thunderbird-user.js and user.js-overrides applied using arkenfox's updater.sh (in which I modified the update URL so that it points to this repo and not arkenfox's) and prefsCleaner.js

Checklist

  • I can confirm the bug is due to thunderbird user.js template and not an overridden preference nor an add-on ;
  • I have searched for [SETUP-*] tags and read them up ;
  • I have searched the GitHub project (issues and Wiki) for my issue.

[BUG] blank message list and message view (including all elements)

image

I have no idea how this happened, but it occurred after loading the user.js.

All I did was comment out lines.

I tried deleting global-messages-db.sqlite and enabling javascript, did not help...

Okay it helped to reboot into troubleshoot mode, disable addons, close again and relaunch. Weird, was probably an addon.

[RFC] Outgoing email addresses collection deactivation

  • date: 28 August 2021
  • version: v78.0

user_pref("mail.collect_addressbook", "");
user_pref("mail.collect_email_address_outgoing", false);

don't know that i agree with these - my thinking is...

  • first off it's redundant - i don't see the need for the first pref if the latter is used
  • that prefs which are easily available in the UI generally shouldn't be added to user.js since it removes user choice and could result in unexpected behavior if user didn't diff the files (updater.js -c on linux, i don't know about wintendo)
  • privacy-wise this solves nothing in a multi-user env. unless it's a fresh profile - collected addresses still exist and are still accessible

[RFC] clean up actually used settings

I am going through the file and wonder if many even apply, often because Thunderbird doesn't have those features or doesn't even interact with websites apart from addons.thunderbird.net

user_pref("browser.fixup.alternate.enabled", false); // [DEFAULT: false FF104+]
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.formfill.enable", false);
user_pref("layout.css.visited_links_enabled", false);
user_pref("signon.autofillForms", false);
user_pref("signon.formlessCapture.enabled", false);
user_pref("browser.cache.disk.enable", false);
user_pref("browser.privatebrowsing.forceMediaMemoryCache", true); // [FF75+user_pref("media.gmp-provider.enabled", false);]
user_pref("media.memory_cache_max_size", 65536);
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("security.family_safety.mode", 0);
user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
user_pref("media.peerconnection.ice.default_address_only", true);
user_pref("media.peerconnection.ice.no_host", true);
user_pref("media.gmp-provider.enabled", false);
user_pref("dom.disable_window_move_resize", true);
user_pref("accessibility.force_disabled", 1); // ????? Why? If those are enabled they should, if not they will not try I suppose
user_pref("permissions.delegation.enabled", false);
user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+] // instead disable them if not by default
user_pref("privacy.sanitize.sanitizeOnShutdown", true); // does nothing on Thunderbird?
user_pref("privacy.clearOnShutdown.cache", true);     // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.formdata", true);  // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.history", true);   // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.sessions", true);  // [DEFAULT: true] // same?
user_pref("privacy.clearOnShutdown.cookies", true); // Cookies
user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data // same, TB only has "accept cookies" and "remember websites"
user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS]
everything with autofill and passwords
user_pref("full-screen-api.enabled", false);

Maybe I missed something, or maybe Thunderbird can indeed open more than one website.

It probably doesn't harm to set these settings that don't even apply, but they should be removed anyway.

proposed pref changes

several of the changes i'm proposing are because we aren't using TB as a web browser

/* 1211: control when to use OCSP fetching (to confirm current validity of certificates)

  • 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
  • OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
  • It's a trade-off between security (checking) and privacy (leaking info to the CA)
  • [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
  • [1] https://en.wikipedia.org/wiki/Ocsp ***/
    user_pref("security.OCSP.enabled", 0);
    ? change to 1

/* 1403: disable icon fonts (glyphs) and local fallback rendering

/* 1405: disable WOFF2 (Web Open Font Format) [FF35+] ***/
// user_pref("gfx.downloadable_fonts.woff2.enabled", false);
? uncomment

/* 1601: ALL: control when images/links send a referer

  • 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
    // user_pref("network.http.sendRefererHeader", 2); // [DEFAULT: 2]
    ? uncomment, set 0

/* 1606: ALL: set the default Referrer Policy [FF59+]

/* 2212: limit events that can cause a popup [SETUP-WEB]

/*** [SECTION 2500]: HARDWARE FINGERPRINTING ***/
? enable all these prefs

/* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) [FF60+]

2701: disable 3rd-party cookies and site-data [SETUP-WEB]
? "3rd-party" should be removed

/* 2710: disable DOM (Document Object Model) Storage

  • [WARNING] This will break a LOT of sites' functionality AND extensions!
  • You are better off using an extension for more granular control ***/
    // user_pref("dom.storage.enabled", false);
    ? uncomment

/* 2750: disable Storage API [FF51+]

/* 6206: Disable calendar integration ***/
user_pref("mail.calendar-integration.opt-out", false);
? what does this do exactly? disable cal integration, or enable/disable a prompt for integration?
see: https://bugzilla.mozilla.org/show_bug.cgi?id=1130852

[RFC] convert the script into modules

It would be pretty easy to make the script load other scripts. That way we could split it up, as I think it mixes up threat models a lot.

a main script loading the modules (you can comment out the lines)

  • general
  • stay anonymous
  • no html and images
  • ...

best example is

  • time zone
  • dictionary
  • time settings
  • convert sender time to UTC

this does not make sense for many people, but instead would break workflows. Imagine Thunderbird in a company.

link fix

hi!

ref: github.com/HorlogeSkynet/thunderbird-user.js/wiki/1.1-Overview

https://12bytes.org/articles/tech/the-thunderbird-privacy-guide-for-dummies/
can be changed to:
https://12bytes.org/the-thunderbird-privacy-guide-for-dummies/

A few questions after first use

Hi,
So I made the jump and started using the user.js with a few overrides. I still have a few settings to fix, but, even after looking around, I cannot seem to find the triggers responsible.
1/ Using the user.js has added a bar at the very top of the window ("Inbox - Unified folders), as shown in the picture below. From memory, that bar was not there before and the various tabs were right next to the traffic lights buttons, not under. Is this right? Can this be changed?
Schermata 2022-06-10 alle 13 02 22
2/ I have a picture included in the signature of my emails for some accounts. This picture is no longer loaded. In all fairness, that's not very surprising, but I would like to re-allow that. I have tried resetting the parameters 9211 through 9217 (also in an effort to move back to HTML messages, for instance when responding to a message with HTML), but to no avail. I also tried 9233, but that didn't work either. Any idea which switch is responsible for this? Also interested in the plain text/HTML one (the idea being that if I respond to an HTML message, the response should be HTML, so as not to break the layout).
Thanks in advance!
Dem

updater.sh for t-bird

dummy here ... i don't know how to do a pull request

i stole updater.sh (for Linux only) from the 'ghacks' repo and made some changes so it can work for either FF or TB

this ain't my expertise, so someone would have to check it - also search for [fix]

also, instead of the user having to comment/uncomment the variables in the beginning, it would be great if someone could add the necessary code so the script knows what's being updated without user input

updater.sh code
#!/usr/bin/env bash

# !!! search for [fix] !!!

## ghacks-user.js updater for macOS and Linux

## version: 1.3a
## based on 'ghacks' updater.sh v2.5 for Firefox
## original author: Pat Johnson (@overdodactyl)
## additional contributors: @earthlng, @ema-pe, @claustromaniac
## adapted for Thunderbird by @atomGit

## DON'T GO HIGHER THAN VERSION x.9 !! ( because of ASCII comparison in update_updater() )

## recent changes
# fix URLs to reflect change in ownership of thunderbird-user.js code repository
# changed value of variable 'COMPARE' to 'false' to match original updater.sh

readonly CURRDIR=$(pwd)

sfp=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
if [ -z "$sfp" ]; then sfp=${BASH_SOURCE[0]}; fi
readonly SCRIPT_DIR=$(dirname "${sfp}")

#########################
#    Base variables     #
#########################

## Uncomment the group of variables below to update user.js for Firefox
# APPNAME='Firefox'
# MAINTAINER='@Thorin-Oakenpants and @earthlng'
# USERJS='https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js'
# UPDATERJS='https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.sh'
# DOCS='https://github.com/ghacksuserjs/ghacks-user.js/wiki'

## Uncomment the group of variables below to update user.js for Thunderbird
APPNAME='Thunderbird'
MAINTAINER='HorlogeSkynet'
USERJS='https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/user.js'
UPDATERJS='https://raw.githubusercontent.com/HorlogeSkynet/thunderbird-user.js/master/updater.js'
DOCS='https://github.com/HorlogeSkynet/thunderbird-user.js/wiki'

# Stop editing here

# Colors used for printing
RED='\033[0;31m'
# BLUE='\033[0;34m'
# BBLUE='\033[1;34m'
GREEN='\033[0;32m'
ORANGE='\033[0;33m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color

# Argument defaults
UPDATE='check'
CONFIRM='yes'
OVERRIDE='user-overrides.js'
BACKUP='multiple'
COMPARE=false
SKIPOVERRIDE=false
VIEW=false
PROFILE_PATH=false
ESR=false

# Download method priority: curl -> wget
DOWNLOAD_METHOD=''
if [[ $(command -v 'curl') ]]; then
  DOWNLOAD_METHOD='curl'
elif [[ $(command -v 'wget') ]]; then
  DOWNLOAD_METHOD='wget'
else
  echo -e "${RED}This script requires curl or wget.\nProcess aborted${NC}"
  exit 0
fi

show_banner () {
  echo -e "${GREEN}\n"
  echo '############################################################################'
  echo '####'
  echo "####   ghacks user.js for ${APPNAME}"
  echo "####   Hardening the Privacy and Security Settings of ${APPNAME}"
  echo "####   Maintained by ${MAINTAINER}"
  echo '####   Updater for macOS and Linux by @overdodactyl'
  echo '####   Documentation for this script is available here:'
  echo "####   ${DOCS}"
  echo '####'
  echo '############################################################################'
  echo -e "${NC}\n"
}

#########################
#      Arguments        #
#########################

usage() {
  echo -e "${GREEN}\nUsage: $0 [-h] [-p PROFILE] [-u] [-d] [-s] [-n] [-b] [-c] [-v] [-r] [-e] [-o OVERRIDE]\n${NC}" 1>&2  # Echo usage string to standard error
  echo 'Optional Arguments:'
  echo -e "\t-h,\t\t Show this help message and exit."
  echo -e "\t-p PROFILE,\t Path to your ${APPNAME} profile (if different than the dir of this script)"
  echo -e "\t\t\t IMPORTANT: if the path include spaces, wrap the entire argument in quotes."
  echo -e "\t-l, \t\t Choose your ${APPNAME} profile from a list"
  echo -e "\t-u,\t\t Update updater.sh and execute silently.  Do not seek confirmation."
  echo -e "\t-d,\t\t Do not look for updates to updater.sh."
  echo -e "\t-s,\t\t Silently update user.js.  Do not seek confirmation."
  echo -e "\t-b,\t\t Only keep one backup of each file."
  echo -e "\t-c,\t\t Create a diff file comparing old and new user.js within userjs_diffs. "
  echo -e "\t-o OVERRIDE,\t Filename or path to overrides file (if different than user-overrides.js)."
  echo -e "\t\t\t If used with -p, paths should be relative to PROFILE or absolute paths"
  echo -e "\t\t\t If given a directory, all files inside will be appended recursively."
  echo -e "\t\t\t You can pass multiple files or directories by passing a comma separated list."
  echo -e "\t\t\t\t Note: If a directory is given, only files inside ending in the extension .js are appended"
  echo -e "\t\t\t\t IMPORTANT: do not add spaces between files/paths.  Ex: -o file1.js,file2.js,dir1"
  echo -e "\t\t\t\t IMPORTANT: if any files/paths include spaces, wrap the entire argument in quotes."
  echo -e "\t\t\t\t\t Ex: -o \"override folder\" "
  echo -e "\t-n,\t\t Do not append any overrides, even if user-overrides.js exists."
  echo -e "\t-v,\t\t Open the resulting user.js file."
  echo -e "\t-r,\t\t Only download user.js to a temporary file and open it."
  echo -e "\t-e,\t\t Activate ESR related preferences."
  echo -e
  echo 'Deprecated Arguments (they still work for now):'
  echo -e "\t-donotupdate,\t Use instead -d"
  echo -e "\t-update,\t Use instead -u"
  echo -e
  exit 1
}

legacy_argument () {
  echo -e "${ORANGE}\nWarning: command line arguments have changed."
  echo -e "$1 has been deprecated and may not work in the future.\n"
  echo -e "Please view the new options using the -h argument.${NC}"
}

#########################
#     File Handling     #
#########################

# Download files
download_file () {
  declare -r url=$1
  declare -r tf=$(mktemp)
  local dlcmd=''

  if [ $DOWNLOAD_METHOD = 'curl' ]; then
    dlcmd="curl -o $tf"
  else
    dlcmd="wget -O $tf"
  fi

  $dlcmd "${url}" &>/dev/null && echo "$tf" || echo '' # return the temp-filename (or empty string on error)
}

open_file () { #expects one argument: file_path
  if [ "$(uname)" == 'Darwin' ]; then
    open "$1"
  elif [ "$(expr substr $(uname -s) 1 5)" == "Linux" ]; then
    xdg-open "$1"
  else
    echo -e "${RED}Error: Sorry, opening files is not supported for your OS.${NC}"
  fi
}

readIniFile () { # expects one argument: absolute path of profiles.ini
  declare -r inifile="$1"
  declare -r tfile=$(mktemp)

  if [ $(grep '^\[Profile' "$inifile" | wc -l) == "1" ]; then ### only 1 profile found
    grep '^\[Profile' -A 4 "$inifile" | grep -v '^\[Profile' > $tfile
  else
    grep -E -v '^\[General\]|^StartWithLastProfile=|^IsRelative=' "$inifile"
    echo ''
    read -p 'Select the profile number ( 0 for Profile0, 1 for Profile1, etc ) : ' -r
    echo -e "\n"
    if [[ $REPLY =~ ^(0|[1-9][0-9]*)$ ]]; then
      grep '^\[Profile'${REPLY} -A 4 "$inifile" | grep -v '^\[Profile'${REPLY} > $tfile
      if [[ "$?" != "0" ]]; then
        echo "Profile${REPLY} does not exist!" && exit 1
      fi
    else
      echo "Invalid selection!" && exit 1
    fi
  fi

  declare -r profpath=$(grep '^Path=' $tfile)
  declare -r pathisrel=$(grep '^IsRelative=' $tfile)

  rm "$tfile"

  # update global variable
  if [[ ${pathisrel#*=} == "1" ]]; then
    PROFILE_PATH="$(dirname "$inifile")/${profpath#*=}"
  else
    PROFILE_PATH="${profpath#*=}"
  fi
}

getProfilePath () {
  declare -r f1=~/Library/Application\ Support/Firefox/profiles.ini
  declare -r f2=~/.mozilla/firefox/profiles.ini
  # [fix] check Mac paths for t-bird
  declare -r f3=~/Library/Application\ Support/Thunderbird/profiles.ini
  declare -r f4=~/Library/Thunderbird/Profiles/profiles.ini
  declare -r f5=~/.mozilla/thunderbird/profiles.ini

  if [ "$PROFILE_PATH" = false ]; then
    PROFILE_PATH="$SCRIPT_DIR"
  elif [ "$PROFILE_PATH" = 'list' ]; then
    local ini=''
    if [[ -f "$f1" ]]; then
      ini="$f1"
    elif [[ -f "$f2" ]]; then
      ini="$f2"
    elif [[ -f "$f3" ]]; then
      ini="$f3"
    elif [[ -f "$f4" ]]; then
      ini="$f4"
    elif [[ -f "$f5" ]]; then
      ini="$f5"
    else
      echo -e "${RED}Error: Sorry, -l is not supported for your OS${NC}"
      exit 1
    fi
    readIniFile "$ini" # updates PROFILE_PATH or exits on error
  #else
    # PROFILE_PATH already set by user with -p
  fi
}

#########################
#   Update updater.sh   #
#########################

# Returns the version number of a updater.sh file
get_updater_version () {
  echo $(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")
}

# Update updater.sh
# Default: Check for update, if available, ask user if they want to execute it
# Args:
#   -donotupdate: New version will not be looked for and update will not occur
#   -update: Check for update, if available, execute without asking
update_updater () {
  if [ $UPDATE = 'no' ]; then
    return 0 # User signified not to check for updates
  fi

  declare -r tmpfile=$(download_file "${UPDATERJS}")

  if [[ $(get_updater_version "${SCRIPT_DIR}/updater.sh") < $(get_updater_version "${tmpfile}") ]]; then
    if [ $UPDATE = 'check' ]; then
      echo -e "There is a newer version of updater.sh available. ${RED}Update and execute Y/N?${NC}"
      read -p "" -n 1 -r
      echo -e "\n\n"
      if [[ $REPLY =~ ^[Nn]$ ]]; then
        return 0 # Update available, but user chooses not to update
      fi
    fi
  else
    return 0 # No update available
  fi
  mv "${tmpfile}" "${SCRIPT_DIR}/updater.sh"
  chmod u+x "${SCRIPT_DIR}/updater.sh"
  "${SCRIPT_DIR}/updater.sh" "$@" -d
  exit 1
}

#########################
#    Update user.js     #
#########################

# Returns version number of a user.js file
get_userjs_version () {
  if [ -e $1 ]; then
    echo "$(sed -n '4p' "$1")"
  else
    echo "Not detected."
  fi
}

add_override () {
  input=$1
  if [ -f "$input" ]; then
    echo "" >> user.js
    cat "$input" >> user.js
    echo -e "Status: ${GREEN}Override file appended:${NC} ${input}"
  elif [ -d "$input" ]; then
    SAVEIFS=$IFS # saved here so the restore below gets the original value back
    IFS=$'\n\b' # Set IFS
    FILES="${input}"/*.js
    for f in $FILES
    do
      add_override "$f"
    done
    IFS=$SAVEIFS # restore $IFS
  else
    echo -e "${ORANGE}Warning: Could not find override file:${NC} ${input}"
  fi
}

remove_comments () { # expects 2 arguments: from-file and to-file
  sed -e 's/^[[:space:]]*\/\/.*$//' -e '/^\/\*/,/\*\//d' -e '/^[[:space:]]*$/d' -e 's/);[[:space:]]*\/\/.*/);/' "$1" > "$2"
}

# Applies latest version of user.js and any custom overrides
update_userjs () {
  declare -r newfile=$(download_file "${USERJS}")

  echo 'Please observe the following information:'
  echo -e "\t${APPNAME} profile : ${ORANGE}$(pwd)${NC}"
  echo -e "\tAvailable online   : ${ORANGE}$(get_userjs_version $newfile)${NC}"
  echo -e "\tCurrently using    : ${ORANGE}$(get_userjs_version user.js)\n${NC}\n"

  if [ $CONFIRM = 'yes' ]; then
    echo -e "This script will update to the latest user.js file and append any custom configurations from user-overrides.js. ${ORANGE}Continue Y/N? ${NC}"
    read -p "" -n 1 -r
    echo -e "\n"
    if [[ $REPLY =~ ^[Nn]$ ]]; then
      echo -e "${RED}Process aborted${NC}"
      rm $newfile
      return 1
    fi
  fi

  # Copy a version of user.js to diffs folder for later comparison
  if [ "$COMPARE" = true ]; then
    mkdir -p userjs_diffs
    cp user.js userjs_diffs/past_user.js &>/dev/null
  fi

  # backup user.js
  mkdir -p userjs_backups
  local bakname="userjs_backups/user.js.backup.$(date +"%Y-%m-%d_%H%M")"
  if [ $BACKUP = 'single' ]; then
    bakname='userjs_backups/user.js.backup'
  fi
  cp user.js "$bakname" &>/dev/null

  mv "${newfile}" user.js
  echo -e "Status: ${GREEN}user.js has been backed up and replaced with the latest version!${NC}"

  if [ "$ESR" = true ]; then
    sed -e 's/\/\* \(ESR[0-9]\{2,\}\.x still uses all.*\)/\/\/ \1/' user.js > user.js.tmp && mv user.js.tmp user.js
    echo -e "Status: ${GREEN}ESR related preferences have been activated!${NC}"
  fi

  # apply overrides
  if [ "$SKIPOVERRIDE" = false ]; then
    while IFS=',' read -ra FILE; do
      add_override "$FILE"
    done <<< "$OVERRIDE"
  fi

  # create diff
  if [ "$COMPARE" = true ]; then
    pastuserjs='userjs_diffs/past_user.js'
    past_nocomments='userjs_diffs/past_userjs.txt'
    current_nocomments='userjs_diffs/current_userjs.txt'

    remove_comments $pastuserjs $past_nocomments
    remove_comments user.js $current_nocomments

    diffname="userjs_diffs/diff_$(date +"%Y-%m-%d_%H%M").txt"
    diff=$(diff -w -B -U 0 $past_nocomments $current_nocomments)
    if [ ! -z "$diff" ]; then
      echo "$diff" > "$diffname"
      echo -e "Status: ${GREEN}A diff file was created:${NC} ${PWD}/${diffname}"
    else
      echo -e "Warning: ${ORANGE}Your new user.js file appears to be identical.  No diff file was created.${NC}"
      if [ $BACKUP = 'multiple' ]; then
        rm $bakname &>/dev/null
      fi
    fi
    rm $past_nocomments $current_nocomments $pastuserjs &>/dev/null
  fi

  if [ "$VIEW" = true ]; then open_file "${PWD}/user.js"; fi
}

#########################
#        Execute        #
#########################

if [ $# != 0 ]; then
  readonly legacy_lc=$(echo $1 | tr '[A-Z]' '[a-z]')
  # Display usage if first argument is -help or --help
  if [ $1 = '--help' ] || [ $1 = '-help' ]; then
    usage
  elif [ $legacy_lc = '-donotupdate' ]; then
    UPDATE='no'
    legacy_argument $1
  elif [ $legacy_lc = '-update' ]; then
    UPDATE='yes'
    legacy_argument $1
  else
    while getopts ":hp:ludsno:bcvre" opt; do
      case $opt in
        h)
          usage
          ;;
        p)
          PROFILE_PATH=${OPTARG}
          ;;
        l)
          PROFILE_PATH='list'
          ;;
        u)
          UPDATE='yes'
          ;;
        d)
          UPDATE='no'
          ;;
        s)
          CONFIRM='no'
          ;;
        n)
          SKIPOVERRIDE=true
          ;;
        o)
          OVERRIDE=${OPTARG}
          ;;
        b)
          BACKUP='single'
          ;;
        c)
          COMPARE=true
          ;;
        v)
          VIEW=true
          ;;
        e)
          ESR=true
          ;;
        r)
          tfile=$(download_file "${USERJS}")
          mv $tfile "${tfile}.js"
          echo -e "${ORANGE}Warning: user.js was saved to temporary file ${tfile}.js${NC}"
          open_file "${tfile}.js"
          exit 1
          ;;
        \?)
          echo -e "${RED}\n Error! Invalid option: -$OPTARG${NC}" >&2
          usage
          ;;
        :)
          echo -e "${RED}Error! Option -$OPTARG requires an argument.${NC}" >&2
          exit 1
          ;;
      esac
    done
  fi
fi

show_banner
update_updater "$@" # quoted so arguments containing spaces (e.g. a -p path) stay intact

getProfilePath # updates PROFILE_PATH or exits on error
cd "$PROFILE_PATH" && update_userjs

cd "$CURRDIR"

```

</details>

Documentation Error

Hi, thank you for providing thunderbird-user.js, it has been very helpful.

I believe there is a documentation error with 9110 (mail.tabs.autoHide). It says "false=Hides the tab bar if there is only one tab." It is the opposite. If true, then the tab bar will be hidden with one tab.

This is related to #21 where there was an extra bar added. If you set this variable to false, the extra bar (with 2+ tabs open) will be removed. This is the default experience.

I'm confused as to why this setting was changed in the first place though, I thought all changes were meant to be related to privacy and security but I don't think this affects any of that.

[BUG] Duplicated preference network.cookie.lifetimePolicy

Describe the bug
Preference network.cookie.lifetimePolicy is duplicated in user.js: indices 2703 and 2801

Expected behavior
I think all the preferences should be single, because if a user modifies only one, he/she would get unexpected behavior

Environment

  • thunderbird user.js template version: 102.1
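
The duplicate described in this report can be caught mechanically. The following is an added example, not part of the issue or the project's own code: a Node.js check that lists preferences set by more than one active `user_pref` line. The sample input, its values and the `example.constructed.accept` pref are constructed, and comments are assumed to open at the start of a line, as in the template's layout.

```javascript
// Constructed sample: section ids follow the report, values are illustrative.
const SAMPLE = [
  '/* 2703: constructed comment',
  ' * user_pref("network.cookie.lifetimePolicy", 0); commented out ***/',
  'user_pref("network.cookie.lifetimePolicy", 2);',
  '// user_pref("mail.tabs.autoHide", true); inactive',
  'user_pref("example.constructed.accept", "text/html,*/*");',
  '/* 2801 ***/ user_pref("network.cookie.lifetimePolicy", 0)',
  'user_pref("mail.tabs.autoHide", false);',
].join('\n');
// Pref name, then a quoted string or bare literal; a missing ';' is tolerated.
const PREF_RE = /^user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|[^,)\s]+)\s*\)/;
// Active user_pref lines only. Assumption: comments open at the start of a
// line, as in the template, so "/*" inside a string value is not a comment.
function activePrefs(text) {
  const prefs = [];
  let inBlock = false;
  text.split(/\r?\n/).forEach((raw, idx) => {
    let rest = raw;
    for (;;) {
      if (inBlock) {
        const end = rest.indexOf('*/');
        if (end === -1) return; // whole line lies inside a block comment
        rest = rest.slice(end + 2);
        inBlock = false;
      }
      rest = rest.trimStart();
      if (!rest.startsWith('/*')) break;
      rest = rest.slice(2);
      inBlock = true;
    }
    const m = rest.startsWith('//') ? null : PREF_RE.exec(rest);
    if (m) prefs.push({ name: m[1], value: m[2], line: idx + 1 });
  });
  return prefs;
}

// Names set by more than one active line; the last line is the one applied.
function findDuplicatePrefs(text) {
  const byName = new Map();
  for (const p of activePrefs(text)) byName.set(p.name, [...(byName.get(p.name) || []), p]);
  return [...byName].filter(([, hits]) => hits.length > 1).map(([name, hits]) => ({
    name,
    lines: hits.map((h) => h.line),
    conflicting: new Set(hits.map((h) => h.value)).size > 1,
    effective: hits[hits.length - 1].value,
  }));
}
console.log(findDuplicatePrefs(SAMPLE));
```

An entry with `conflicting: true` is the case the report warns about: editing only the earlier line has no effect, because the later one is applied.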

[BUG] fix installation of Addons

I modified the user.js before adding it and restarting Thunderbird; I commented this line out:

//user_pref("privacy.resistFingerprinting.block_mozAddonManager", false); // [HIDDEN PREF FF57-108]

But when trying to install an addon, instead it asks to download it. I am trying to find the cause of this.

I have the theory that maybe RFP (which may not be needed if Thunderbird is not opening any websites) makes the store think it is not Thunderbird and thus not allow the install directly.

Or maybe it's some mimehandler thing.

I am using the Thunderbird Flatpak on Linux; before adding the user.js, addon installs worked.

[RFC] remove signon.rememberSignons

this one just bit me :)

i might suggest removing signon.rememberSignons

if the user doesn't want TB to store passwords, they have that option and not remembering passwords is the default, so i'm thinking there's probably no need for this pref

FC: support arkenfox's override file and updater script

This should be a small adaptation; otherwise arkenfox's tooling could be used.

Currently the user.js blocks EVERYTHING, even informational messages, donation appeals etc.

This is very strict and I would also like to include a few example overrides for

  • re-enabling crash reports
  • re-enabling the usage of your actual language (it is a mail client and this will break a lot of use cases)
  • re-enabling the addon installer
  • re-enabling donation appeals and maybe more
