
Comments (9)

giving-sesame avatar giving-sesame commented on August 11, 2024 1

OAuth2 was active all the time on Microsoft Exchange. Then I found your user.js, edited it, activated user-agent override, and installed user.js. I did not enable RFP at first, because I was interested in user-agent and in google I read I have to disable RFP to deal with user-agent. To be clear, I made 2 experiments with empty user-agent right now:

This setup breaks login to Microsoft Exchange:
privacy.resistFingerprinting=false
general.useragent.override=""

This setup has no errors:
privacy.resistFingerprinting=true
general.useragent.override=""


My current working setup:
privacy.resistFingerprinting=false
general.useragent.override="Generic"

from thunderbird-user.js.

giving-sesame avatar giving-sesame commented on August 11, 2024 1

I checked user-agent in sent messages.

privacy.resistFingerprinting=true makes "Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0"
privacy.resistFingerprinting=false makes "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:91.0) Gecko/20100101 Thunderbird/91.9.0"

Not a big difference, but, well, maybe you are right, let the core handle it.

Thank you!


HorlogeSkynet avatar HorlogeSkynet commented on August 11, 2024 1

Please see above commits and tell me what you think !
If you're OK, I'll backport 50afdb9 to v78-ESR.

Bye, thanks again ! 🙏


giving-sesame avatar giving-sesame commented on August 11, 2024 1

Thank you! I'm happy with those commits. Bye!


giving-sesame avatar giving-sesame commented on August 11, 2024 1

Hi! Just for your information. Occasionally I found out some details regarding empty user agent string and Office365:

Microsoft bug in Office 365, introduced around 2019-08-27, where the login page fails with "OpenIdConnect" "ArgumentNullException".


HorlogeSkynet avatar HorlogeSkynet commented on August 11, 2024

Hi @giving-sesame ! Many thanks for your message, you'll find below my quick review for your suggestions :

  1. For mail.suppress_content_language, you are right, from this Tails issue, it seems that it is missing (as well as mail.sanitize_date_header). I'll add them for 91 and 78 ESR. Notes to myself : added in TB 52 and in TB 76.
    For network.trr.send_accept-language_headers, it defaults to false, and even Arkenfox does not specify it. I'd rather leave it alone too here.
  2. Actually, documentation (from upstream Arkenfox) indicates that UA is spoofed.
    On the other side, general.useragent.override section documentation ("NON-RFP") already notes that they should (must ?) not be used with RFP.
  3. Do you have an external reference for this issue ? A quick Google query didn't bring up any relevant result.
  4. OK !

Thanks again, bye 👋


giving-sesame avatar giving-sesame commented on August 11, 2024

Regarding issue 3:

This is my own experience. My company uses Microsoft Exchange via Office365 server. So in Thunderbird I have Owl addon to access it. Once I looked through the headers and did not like that my user-agent and languages are published there. I think it could be harmful. So I started looking for any solutions. At first I found mail.suppress_content_language and network.trr.send_accept-language_headers parameters. Then - your user.js.

I wanted to avoid publishing user-agent at all, so I left general.useragent.override empty. After starting TB I got error "The page isn't redirecting properly", address outlook.office.com/owa/auth. It took me some time to find the guilty parameter. I set it to "Generic" and everything is fine now.


HorlogeSkynet avatar HorlogeSkynet commented on August 11, 2024

Thanks again for your fast answer.

Do I have to assume RFP broke your OAuth against Microsoft Exchange ? Or maybe you didn't even enable it at first ?
If I don't misread you, without enabling it and with a manually reset User-Agent (using general.useragent.override) to prevent leakage, it didn't work.

Note : from ESR-78 and ESR-91 sources, it seems this parameter is ignored when RFP is enforced.

Feel free to tell me I misunderstood your experience 🙏


HorlogeSkynet avatar HorlogeSkynet commented on August 11, 2024

> OAuth2 was active all the time on Microsoft Exchange.

Yes ! I was mentioning RFP, and not OAuth 😉

> I did not enable RFP at first, because I was interested in user-agent and in google I read I have to disable RFP to deal with user-agent.

Seems legit according to the snippets linked in my previous response !

> I made 2 experiments with empty user-agent right now:

Thanks, that's clear and what I had in mind.


So I'll edit the template to add a note about the issue you experienced 👍
However, about :

general.useragent.override="Generic"

I don't think it is a good idea to set your UA to something "unusual".
Indeed your privacy would be improved as you prevent system info leakages, but it has to be leveraged by the fact that you might be alone in this situation.
Also see project (simplified) rationale.

I would encourage you to enable RFP and let Mozilla's core handle User-Agent.

Bye 👋

from thunderbird-user.js.
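
Added example, not part of the thread and not code from thunderbird-user.js: a small Python check that reads `user_pref(...)` lines from a user.js and classifies the `privacy.resistFingerprinting` / `general.useragent.override` combination according to the behaviour reported in the comments above. The function names, result codes and sample strings are constructed for this illustration, and the default of `privacy.resistFingerprinting` being false when unset is an assumption.

```python
import re

# One user_pref("name", value); statement; value is a bool, an int or a quoted string.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;',
    re.MULTILINE)

def parse_user_prefs(text):
    """Return {name: value} from user.js text; a later assignment wins."""
    # Simplification: drop /* ... */ blocks first; lines starting with // never match.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit_user_agent(prefs):
    """Classify the RFP / override combination (result codes are this example's own)."""
    rfp = prefs.get("privacy.resistFingerprinting", False)  # assumed default: false
    override = prefs.get("general.useragent.override")       # None when not set
    if rfp:
        # Thread: the override seems to be ignored while RFP is enforced.
        return "rfp-ok" if override is None else "rfp-override-ignored"
    if override is None:
        return "real-ua-exposed"        # OS and Thunderbird version go out
    if override == "":
        return "empty-ua-breaks-o365"   # reported Office365 login failure
    return "custom-ua-unusual"          # hides system info but stands out

# Constructed samples: the three setups reported in the thread, one with a commented-out pref.
BROKEN = 'user_pref("privacy.resistFingerprinting", false);\nuser_pref("general.useragent.override", "");\n'
RFP_ON = 'user_pref("privacy.resistFingerprinting", true);\nuser_pref("general.useragent.override", "");\n'
GENERIC = '// user_pref("privacy.resistFingerprinting", true);\nuser_pref("general.useragent.override", "Generic");\n'

if __name__ == "__main__":
    for label, text in (("broken", BROKEN), ("rfp", RFP_ON), ("generic", GENERIC)):
        print(label, audit_user_agent(parse_user_prefs(text)))
```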
