Enhancing privacy in sailfish-browser

Hello everyone,

I created this topic to make a few suggestions and to see if other users have similar needs. Please feel free to comment and give your own suggestions, if they are somehow related to the theme of this post.

I included just the features I feel are in line with Jolla’s privacy-oriented way of thinking. After all, privacy is one of the main philosophies in Sailfish OS and the browser might be one of the most used apps, so it makes sense to enhance its privacy if possible.

I don’t know if it is considered appropriate to ask for several new features at once, but here we go:

1.) Option to "Delete browser data on close"

In Firefox this setting is located in Settings → Privacy & Security → History → Use custom settings for history. I feel it’s a bit of unnecessary work for users to delete the browser history (except Bookmarks) every now and then by themselves. Users should be given the power to choose which types of data they want to be deleted on close.

2.) Option to "Never remember history"

In Firefox this setting is located in Settings → Privacy & Security → History. Otherwise, pretty much the same arguments as in request no. 1.

If the user doesn’t need / want to save any browsing data, it might make more sense to use the privacy mode all the time, which takes us to the next suggestion:

3.) Option to "Open private tab by default"

I don’t want to use the normal mode and because of that, it takes 4 taps to open the browser. (Browser-icon → Tab-icon → Private tab → New private tab) I think this part is pretty self-explanatory.

4.) Total cookie protection

As Mozilla’s briefing states, cookies are the most used method for tracking users. Sailfish users need to have some way to “fight back”.

5.) Option to "Enable HTTPS-only mode"

I like the fact that the browser shows the red warning sign in the address bar when using an http connection, but it would be good to have a way to block http connections that are vulnerable to man-in-the-middle attacks.

6.) Enable RFP

Citation taken from Librewolf feature page: “RFP is considered the best in class anti-fingerprinting solution, and its goal is to make users look the same and cover as many metrics as possible, in an effort to block fingerprinting techniques.”

7.) Option to "Disable autoplay"

This is more of an annoyance than an actual threat to privacy, unless you are in public transport and your volume is set to maximum.

8.) Option to "Turn WebRTC off"

Am I mistaken in thinking that most of these can be enabled by using about:config and/or a custom user.js file?

I think you’re right, but it’s not that many UI elements for an ‘extended’ settings page? Personally, I’d be fine with about:config, but the changes I made there, recently, I had to put into user .local/share/org.sailfishos/browser/.mozilla/prefs.js

Slightly off-topic. In Harmattan (Nokia N9), qtmozembed was born to provide an embedding for Gecko (Firefox’s engine) and therefore a lightweight alternative to Fennec/Firefox: Cutefox.

This was cool. But eventually, when development resources became more scarce and browsers grew in complexity, Cutefox couldn’t catch up and it became a bit useless as it was only able to render very simple websites.

Not the case in SFOS right now, as sailfish-browser is quite close to desktop Firefox in basic functionality.

However, it might still be worth considering to try to port/patch Firefox to run in SFOS (as opposed to running Firefox Mobile for Android via emulation)? This would give a lot of functionality for free, like all new functions @tuplasuhveli enumerated, and once done it’d be relatively easy to stay up-to-date. The only major stumbling block is that it’s a GTK+ application.

I used about:config and enabled browser.privatebrowsing.autostart, but it had no effect. Similarly, I enabled privacy.clearOnShutdown.cache & privacy.sanitize.sanitizeOnShutdown, but browser data is still there after restart. Was someone able to put these settings into practice?

I stopped trying there, but it seems like HTTPS-only mode can be achieved using about:config and enabling dom.security.https_only_mode, but it has a slight fallback: when entering an http page and tapping the “Accept the Risk and Continue to Site” button, nothing happens and I can’t enter the http page.

The custom user.js file is a whole new world to me, but I will take a look into it later on. A quick search took me to pyllyukko’s ( :grin: ) GitHub page. Would this be a good starting point?
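
Added example, not part of the thread and not sailfish-browser code: a small Python audit that parses `user_pref()` lines from a prefs.js or user.js file and reports which of the eight requested features are not set. The pref names are desktop Firefox ones; which of them sailfish-browser's embedded Gecko honours is an assumption the thread does not settle, and `BASELINE`, `audit` and `user_js_lines` are names made up for this sketch.

```python
import re

# Desktop Firefox pref names for the thread's requests 1-8. Assumption: the
# thread does not confirm that sailfish-browser's Gecko honours each of them.
BASELINE = {
    "privacy.sanitize.sanitizeOnShutdown": True,  # 1. delete data on close
    "privacy.clearOnShutdown.cache": True,
    "places.history.enabled": False,              # 2. never remember history
    "browser.privatebrowsing.autostart": True,    # 3. private tab by default
    "network.cookie.cookieBehavior": 5,           # 4. total cookie protection
    "dom.security.https_only_mode": True,         # 5. HTTPS-only mode
    "privacy.resistFingerprinting": True,         # 6. RFP
    "media.autoplay.default": 5,                  # 7. block all autoplay
    "media.peerconnection.enabled": False,        # 8. WebRTC off
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} from prefs.js / user.js text; the last entry wins."""
    prefs = {}
    # Lines that are not user_pref() calls (comments, blanks) do not match.
    for m in filter(None, map(PREF_RE.match, text.splitlines())):
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text, baseline=BASELINE):
    """Return {name: (wanted, found)} for prefs that are missing or differ."""
    found, gaps = parse_prefs(text), {}
    for name, wanted in baseline.items():
        got = found.get(name)
        # Compare types too, so an integer 1 is not accepted for a boolean true.
        if type(got) is not type(wanted) or got != wanted:
            gaps[name] = (wanted, got)
    return gaps

def user_js_lines(gaps):
    """Render the user_pref() lines that would close the reported gaps."""
    fmt = lambda v: str(v).lower() if isinstance(v, bool) else str(v)
    return [f'user_pref("{n}", {fmt(w)});' for n, (w, _) in gaps.items()]

SAMPLE = '''// Constructed sample for this example, not a real profile
user_pref("browser.privatebrowsing.autostart", true);
user_pref("dom.security.https_only_mode", false);
user_pref("media.autoplay.default", 1);
'''
```

To check a real profile, read the prefs.js file at the path mentioned in the thread and pass its text to `audit()`. A pref that is present with the wanted value but still has no visible effect, as reported above for `browser.privatebrowsing.autostart`, suggests the browser is ignoring that pref, not that the file is missing it.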