Package: iceweasel
Severity: wishlist

Dear maintainer(s).

Unfortunately Mozilla puts more and more questionable stuff into Firefox, where things like CDM[0] are only the tip of the iceberg.

I've seen that you already override several settings via debian/browser.js.in. Would you please consider adding the following (or parts of them) to the list:

1) media.gmp-provider.enabled = false
AFAIU, GMP is anyway just for 3rd party plugins that implement EMEs or CDMs. Since neither is desired in Debian, it would make sense to completely disable it, even if right now the only one is OpenH264, which is already disabled.
Additionally one could set media.gmp-manager.certs.1.issuerName, media.gmp-manager.certs.2.issuerName and media.gmp-manager.url to invalid values that cannot be used, e.g. using a non-existent CA DN like "CN=Debian,O=Debian" and a URL like "https://invalid/"

2) media.eme.enabled = false and media.eme.apiVisible = false
Same reason as above in (1). Debian doesn't want EME/CDM and even though there is no CDM for the Linux Firefox, why not disable it already?
Similarly, media.gmp-eme-adobe.enabled = false, as soon as it would hit Linux Firefox.

3) browser.pocket.enabled = false
Yet another disturbing thing from Mozilla, the integration of Pocket. Searching Google for it seems to return more pages where people want to disable this for security and/or privacy reasons than other results.
Especially since nothing properly warns the user about potential implications, and since this is yet another specific proprietary server that Mozilla pushes for whatever reasons, it should probably be disabled per default in Debian.

There's e.g. https://gist.github.com/haasn/69e19fc2fe0e25f3cff5 which collects all kinds of further privacy/security related settings that may be worth looking at.
Some of course are probably too invasive and would break many sites, but some should definitely be considered:

4) dom.battery.enabled = false
There's really no reason, ever, a website should be allowed to know my charging status (WTF Mozilla).

Others on the site mentioned above, especially "GeoLocation / Beacon", "Social media integration", "Device tracking/statistics", "Stat tracking / telemetry" and especially also "Link pre-fetching", seem to be quite concerning as well; a privacy nightmare, so to say.

btw: Do you have any idea when Mozilla pulls the trigger and Adobe CDM hits Linux Firefox as well?

Thanks for your consideration,
Philippe.

[0] AFAIK, this isn't part of the Linux port yet, is it?
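
Added example, not part of the original report and not Debian's packaging code: a small audit that parses a Firefox-style preference file and reports which of the boolean preferences named in the report are unset or not false. The function names and the sample file contents are constructed for illustration; it assumes one pref call per line and that a later definition overrides an earlier one.

```python
import re

# Preference names taken from the report above; the requested value is false.
WANTED = dict.fromkeys((
    "media.gmp-provider.enabled", "media.eme.enabled", "media.eme.apiVisible",
    "media.gmp-eme-adobe.enabled", "browser.pocket.enabled", "dom.battery.enabled",
), False)

# Matches one pref call at the start of a line; lines commented with // never match.
PREF_RE = re.compile(
    r'^\s*(?:user_pref|lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE)

def parse_value(raw):
    """Convert a raw pref value to bool, str or int (anything else stays raw)."""
    if raw in ("true", "false"):
        return raw == "true"
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    return int(raw) if re.fullmatch(r"-?\d+", raw) else raw

def parse_prefs(text):
    """Return {name: value}; block comments are dropped, the last definition wins."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.DOTALL)
    return {name: parse_value(raw) for name, raw in PREF_RE.findall(text)}

def audit(text, wanted=WANTED):
    """Return {name: reason} for every wanted pref that is unset or differs."""
    prefs = parse_prefs(text)
    findings = {}
    for name, want in wanted.items():
        if name not in prefs:
            findings[name] = "unset"
        elif prefs[name] != want:
            findings[name] = "set to %r" % (prefs[name],)
    return findings

# Constructed sample input, not the contents of Debian's real browser.js.
SAMPLE = '''\
pref("media.eme.enabled", false);
pref("media.eme.apiVisible", true);
/* pref("browser.pocket.enabled", false); */
// pref("dom.battery.enabled", false);
pref("media.gmp-provider.enabled", true);
pref("media.gmp-provider.enabled", false);
pref("media.gmp-manager.url", "https://invalid/");
'''

if __name__ == "__main__":
    for name, why in sorted(audit(SAMPLE).items()):
        print("%-32s %s" % (name, why))
```

Commented-out lines count as unset on purpose: a preference that is only present inside a comment leaves the browser default in effect.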