Ben Markson

As @VistaLover says, it's a user style. I'm using an older version (2.0.7) of the Stylish extension – before it was 'compromised' with data-collection crap – Stylus is its more up to date fork that works with the latest FF. @namespace url(http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul); @-moz-document url-prefix('chrome://browser/content/browser.xul') { .tab-label[pinned] { width: 0 !important; margin-left: 0 !important; margin-right: 0 !important; padding-left: 0 !important; padding-right: 0 !important; } .tab-content { white-space: nowrap !important; overflow: hidden !important; text-overflow: ellipsis !important; } } Ben.

I think @VistaLover and @dmiranda are spot on. Which is: Fade out tab label on overflow instead of ellipsis... although I'm not entirely sure why that is useful. It is Tab Mix Plus that has been broken. Installing the latest https://addons.palemoon.org/addon/tab-mix-plus/ Pale Moon/Basilisk 0.5.8.4 version doesn't help. Which is a shame because TMP is a nice add-on. For the moment I've sort of fixed things with this... .tab-label[pinned] { width: 0 !important; margin-left: 0 !important; margin-right: 0 !important; padding-left: 0 !important; padding-right: 0 !important; } .tab-content { white-space: nowrap !important; overflow: hidden !important; text-overflow: ellipsis !important; } ...but it's by no means perfect especially if you start opening lots of tabs. Ben.

basilisk52-g4.8.win32-git-20230304-3219d2d-uxp-33981efb4-xpmod.7z I think the tab pining has gone a bit wonky. When a tab is pinned it is displaying its tab label text. The pinned tab is using .tab-label with white-space: nowrap; instead of .tab-label[pinned] with width and margins set to zero. The changes appear in tabbrowser.css Ben.

For a long time now I've used this as my default User Agent... Mozilla/5.0 (Windows NT 10.0; Win32; x86; rv:109.0) Gecko/20100101 Firefox/109.0 (where I keep the FF version number inline with the latest FF release) I feel this helps more than it hinders with compatibility – rarely I use a more specific UA for a website that is capable of being backwards compatible with older browsers. I also feel that this makes my browser appear less unusual. I don't think it is a good idea to advertise that I'm using either XP or an older browser on the internet. I also occasionally use this... Mozilla/5.0 Windows This sometimes seems to negate any website 'decisions' based on UA and instead gives something more generic (and therefore compatible). Ben.

I'm just going to throw this out there with no warranties. For YouTube I've been using a script that replaces the video with its embed version. I originally did this to combat the constantly changing way adverts seem to get delivered but I think it also provides a less resource intensive experience when viewing the video. It's a little clunky. YouTube is extraordinarily aggressive with the way it starts a new video which led me to using the setInterval which waits for the video container to arrive properly before injecting the iframe with the embed. // ==UserScript== // @name Replace Youtube Video // @namespace BenMarkason // @version 1.0 // @description Replaces youtube video with embed video // @author Ben Markson // @include https://www.youtube.com/* // @grant none // @run-at document-start // ==/UserScript== if (location.href.includes('/embed/') == false) { document.addEventListener('DOMContentLoaded', function () { console.log('Blocking Redirect'); window.ytInitialData.onResponseReceivedEndpoints = null; }); t = setInterval(function() { eli = document.getElementById("player-container-outer"); if (eli == null) { console.log('Waiting...'); elj = document.getElementById("movie_player"); if (elj != null) {elj.remove();} return false; } console.log('Element is ready'); clearInterval(t); if (eli.hasChildNodes()) {eli.removeChild(eli.children[0]);} YTiD = location.href.split(/(vi\/|v%3D|v=|\/v\/|youtu\.be\/|\/embed\/)/)[2].split(/[^0-9a-z_\-]/i)[0]; height = getComputedStyle(document.querySelector('.ytd-watch-flexy')).getPropertyValue('--ytd-watch-flexy-min-player-height'); iframe = document.createElement("iframe"); iframe.type = "text/html"; iframe.width = '100%'; iframe.height = height; iframe.src = 'https://www.youtube.com/embed/' + YTiD; iframe.setAttribute("frameborder", "0"); iframe.setAttribute("allowfullscreen", "true"); eli.appendChild(iframe); }, 100); } It has a small annoyance. If you select a new video from the right-hand bar, the page will change but the embedded video will not. To update the embedded video you will need to refresh the page. Someone more skilled at JavaScript may be able to do a better job. Ben.

I think the: browser.sessionstore.restore_on_demand preference is supposed to control this behaviour. It defaults to 'true' which should defer loading until the individual tab is selected. Ben.

If it is only a CSS problem then it should be possible to tweak it using the likes of Stylish (or Stylus). This sort of thing... @namespace url(http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul); @-moz-document url-prefix('chrome://uBlock0/content/dashboard.html') { html, body { padding-top: 35px !important; position: sticky !important; } #dashboard-nav { position: absolute !important; } } ...I don't use uBlock Origin either so I haven't tested this. Ben.

For me the post pictures have disappeared too. I have a fix for that: var eli = document.getElementsByClassName("ipsImage"); for(var i = 0, li = eli.length; i < li; i++) { eli[i].src = eli[i].getAttribute('data-src'); } The reply box can be restored using this: .ipsJS_show { display: block !important; } ...but it doesn't restore the javascript so it still won't work. Ben.

While I wish I'd never started this, but to answer my own post, I think the reason for the error is that Mozilla... · removed <!ENTITY prefWindow.titleWin "Options"> from chrome://browser/locale/preferences/preferences.dtd" · added <!ENTITY preferencesCmd2.label "Options"> to chrome://browser/locale/browser.dtd Presumably, at some point, the forks followed suit. A more interesting solution might have been to do the add but not the remove. Who knows, this may help someone else. Anyway, I guess that's it as I am now 'ineligible'. Ben.

I routinely refresh my Serpent52 profile (which I don't maintain) with my FF52 profile (which I do maintain) – hey, none of us are playing by the 'riles' here! I understand the risks. I have always avoided the Death-by-a-Thousand-Tweaks (some rational, some idealogical) rabbit hole that Pale Moon seems to represent. I am also deeply suspicious of the newer incarnations of older extensions. There has been so much bad faith with how some extensions were abused (Stylish, for example) that I prefer the ones that were created in a more 'honest' time. While I accept your premise it's all way too complicated already and I suspect some people still use FF52 for that very reason. Ben.

I think that's a bit simplistic. <dialog> ... </dialog> is a pretty fundamental XUL construct so I'm pretty sure that there's something happening beyond a compatibility problem with the dialog entity. I still use it in my own extensions. Here is options.xul in all its glory! <?xml version="1.0"?> <!DOCTYPE prefwindow [ <!ENTITY % greasemonkeyDTD SYSTEM "chrome://greasemonkey/locale/greasemonkey.dtd"> <!ENTITY % preferencesDTD SYSTEM "chrome://browser/locale/preferences/preferences.dtd"> %greasemonkeyDTD; %preferencesDTD; ]> <?xml-stylesheet href="chrome://global/skin/global.css" type="text/css"?> <?xml-stylesheet href="chrome://greasemonkey/skin/bindings.css" type="text/css"?> <?xml-stylesheet href="chrome://greasemonkey/skin/options.css" type="text/css"?> <dialog title="Greasemonkey - &prefWindow.titleWin;" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul" buttons="accept,cancel" flex="1" id="greasemonkey-options-dialog" persist="screenX screenY" onload="GM_loadOptions()" ondialogaccept="GM_saveOptions()" ondialogcancel="close()" > <script type="application/x-javascript" src="chrome://greasemonkey/content/options.js" /> <dialogheader title="Greasemonkey" description="&prefWindow.titleWin;"/> <vbox flex="1"> <groupbox> <caption label="&prefWindow.titleWin;" /> <checkbox id="secure-update" label="&RequireSecureUpdates;" /> <checkbox id="submit-stats" label="&SubmitStats;" /> <checkbox id="check-sync" label="&EnableFirefoxSync;" /> </groupbox> <groupbox> <caption label="&options.editor;" /> <hbox> <button oncommand="GM_util.setEditor(1)" label="&options.defaultEditor;" flex="1"/> <button oncommand="GM_util.setEditor(0)" label="&options.browseForEditor;" flex="1"/> </hbox> </groupbox> <groupbox flex="2"> <caption label="&options.globalExcludes;" /> <cludes id="globalExcludes" flex="1" /> </groupbox> <groupbox flex="1"> <caption label="&options.newScript.template;" /> <checkbox id="newScript-removeUnused" label="&options.newScript.removeUnused;" /> <textbox id="newScript-template" multiline="true" rows="5" flex="1" wrap="off" /> </groupbox> </vbox> </dialog> Ben.

Serpent v52.9.0 (2022-08-05) (32-bit) I'm not sure how significant this is but when I go into the Add-ons Manager options for Greasemonkey 3.17 it throws this error: XML Parsing Error: undefined entity Location: chrome://greasemonkey/content/options.xul Line Number 13, Column 1: <dialog ^ I don't see anything odd in options.xul and it works fine under the original FF52. I also get a storage/default/moz-extension+++ folder created in the Serpent profile for the Greasemonkey extension. Again this doesn't happen under the original FF52. This is using identical profiles. Ben.

Okay, my solution is a bit weird. Its not working was down to my User Agent setting. By default I override my XP UA to Windows 10 running the latest Firefox – this keeps sites from telling me how 'out of date' everything is. When things don't work out on a particular site I try setting the UA to simply: Mozilla/5.0 Windows – because the UA doesn't match anything the site's code recognises this sometimes seems to have the effect of bypassing all of the UA tomfoolery. For Virus Total I'd already done that for the Original FF52 but was still running as Windows 10 under Serpent. Changing the Serpent UA to: Mozilla/5.0 Windows, fixed the problem – that is in addition to using palefill-1.17.xpi. So, mystery solved. Sorry for the misleading report. Ben.

FWIW... palefill-1.17.xpi fixes original FF52 but it doesn't fix Serpent v52.9.0 (2022-07-15) (32-bit) From Serpent: 11:46:10.968 window.controllers is deprecated. Do not use it for UA detection. gui 11:46:11.696 Shell timeout main.b3a5f442b60154dd25de.js:15:534011 11:46:12.531 WARNING: Unhandled promise rejection. Reason: TypeError: o.setQuery is not a function unhandledrejection { target: Window ? gui, isTrusted: false, srcElement: Window ? gui, currentTarget: Window ? gui, eventPhase: 2, bubbles: false, cancelable: true, defaultPrevented: false, composed: false, timeStamp: 2898, cancelBubble: false } gui:35:156 11:46:12.537 WARNING: Unhandled promise rejection. Reason: TypeError: o.setQuery is not a function unhandledrejection { target: Window ? gui, isTrusted: false, srcElement: Window ? gui, currentTarget: Window ? gui, eventPhase: 2, bubbles: false, cancelable: true, defaultPrevented: false, composed: false, timeStamp: 2898, cancelBubble: false } gui:35:230 11:46:12.541 TypeError: [Unknown global error]: "o.setQuery is not a function" main.b3a5f442b60154dd25de.js:15:534011 Stack trace: value/<@https://www.virustotal.com/gui/main.b3a5f442b60154dd25de.js:15:584232 callReaction@https://www.virustotal.com/gui/polyfills/core-js.743054a088626b13bb851b7d26724fb5.js:9:13867 notify/<@https://www.virustotal.com/gui/polyfills/core-js.743054a088626b13bb851b7d26724fb5.js:9:14103 11:46:12.988 App did not load (Unsupported app) gui:35:169 11:46:12.989 Error: Unsupported app main.b3a5f442b60154dd25de.js:15:534011 Stack trace: r</r.exports/b<@https://www.virustotal.com/gui/polyfills/core-js.743054a088626b13bb851b7d26724fb5.js:7:25457 Error@https://www.virustotal.com/gui/polyfills/core-js.743054a088626b13bb851b7d26724fb5.js:7:24006 supportedAppTimeout<@https://www.virustotal.com/gui/:35:293 11:46:12.999 Error: core-js.743054a088626b13bb851b7d26724fb5.js:7:25457 Ben.

It is possible to install the POSReady patches without using the registry hack - I have never applied the registry change and have installed all of the POSReady KBs. It's worth mentioning that you can extract an XP kb file using its /x switch ... kb4019276.exe /x:"c:\kb4019276". To apply the patch you can simply execute update.exe in the update folder. It is that update.exe that you need to replace and the update_SP3QFE.inf that needs changing. I have a version of a modified update.exe but I don't think it is allowed to post hacked Microsoft files. There is a how to mod your own starting here (I never did this, I downloaded my version many years ago): https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/page/4/#comment-1078363 I have always done it this way (starting from before the registry hack was known). Ben.

Maybe I'm not understanding something but I don't have any problems using the VirusTotal website... https://www.virustotal.com takes me to https://www.virustotal.com/gui/home/upload Ben.

And another add-on that allows you to edit mozlz4 files (like search.json.mozlz4) is this one... https://addons.mozilla.org/en-GB/firefox/addon/mozlz4-edit/versions/ I have... https://addons.mozilla.org/firefox/downloads/file/3304367/mozlz4_edit-4.1.2-an+fx.xpi ,,,installed under ff52.9 Ben.

Is it a permissions thing? There's a nice guide here: http://johnsonyip.com/how-to-unlock-windows-registry-permissions-tuturials.htm Ben.

I'm not sure that you are right. The thing about the app password is that it does not give full control over your account (that is only possible using the 2FA login which is separate) and you do not need to activate the less secure sign-in thing for it to work. But, yes, as usual with Google's self-serving choreographed approach it's less than clear what works - I'm not even convinced that Google know how their stuff works. This covers it pretty well: https://old.reddit.com/r/GMail/comments/t6hhfj/you_may_lose_access_to_some_of_your_thirdparty/ Ben.

This is the solution: https://devanswers.co/create-application-specific-password-gmail but... for this to work you need to first switch on 2FA: https://devanswers.co/enable-2-step-verification-google-account/ ...which is a pain. Ben.

So, to preserve CloudFlare's security model I have to compromise my security. Gee thanks. Perhaps Proxomitron could eventually broadcast either a generic fingerprint, or a randomly changing fingerprint. I don't like cookie solutions. I routinely remove all cookies and always remove them on browser exit. Still, the cookie thing is interesting. Proxomitron can spoof cookies on the fly. What does one of these hCaptcha accessibility cookies look like? A Proxomitron cookie need never expire. Ben.

Could anyone confirm that going to https://support.cloudflare.com triggers Cloudflare's "We are checking your browser..." protection? For me this happens if I have Proxomitron set to intercept SSL traffic whereas if I have it disabled then there is no challenge and I arrive on the support page. Toggling off the various filters makes no difference. This is the Proxomitron log: +++GET 129+++ CONNECT / HTTP/1.1 User-Agent: Null Proxy-Connection: keep-alive Connection: keep-alive Host: support.cloudflare.com:443 Accept-encoding: gzip, deflate +++SSL:GET 129+++ SSL cipher TLSv1.2 AES128-SHA (128 bits) GET / HTTP/1.1 Host: support.cloudflare.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win32; x86; rv:95.0) Gecko/20100101 Firefox/95.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-GB,en;q=0.5 Accept-Encoding: gzip, deflate DNT: 1 Upgrade-Insecure-Requests: 1 Connection: keep-alive +++SSL:RESP 129+++ SSL cipher TLSv1.2 ECDHE-ECDSA-AES128-GCM-SHA256 (128 bits) HTTP/1.1 403 Forbidden <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< This? Date: Fri, 04 Feb 2022 08:45:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close CF-Chl-Bypass: 1 Permissions-Policy: accelerometer=(),autoplay=(),camera=(),clipboard-read=(),clipboard-write=(),fullscreen=(),geolocation=(),gyroscope=(),hid=(),interest-cohort=(),magnetometer=(),microphone=(),payment=(),publickey-credentials-get=(),screen-wake-lock=(),serial=(),sync-xhr=(),usb=() X-Frame-Options: SAMEORIGIN Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct" Set-Cookie: __cf_bm=7Wd9iXmUM6O9FLtNg1102WA2zB_B6bMvEKvSqdvTC8w-1643964353-0-Ac/NnwpZFJXCz6eB88NDbRLuIl2IIQCQKxI+ph9PnbjYui80g3jMHOUFU2tElecV2MNwfnG7lGjD1sbZOxgE8oVsYrJjQCps+vOAdmgk10n2; path=/; domain=.support.cloudflare.com; HttpOnly; Secure; SameSite=None Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Vkv8KqrFthnDwqvoKTvFsQ5L12aV%2BYmKmwtzWGUJhn1Wju5AFDR%2B3XlN%2FEvxKIjxVQshPKxr1u71LDmD5vfuEa2ycPb5UxZYNzHZ4KxC7CV5Jmu2qwjgPvJgtOM4ZZ31O%2B4oZctk3FY%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Vary: Accept-Encoding Server: cloudflare CF-RAY: 6d82a01bcccd3613-MAN Content-Encoding: gzip alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400 +++CLOSE 129+++ Obviously I can't produce the same log without Proxomitron intercepting SSL traffic but I'm pretty sure it's that HTTP/1.1 403 Forbidden that's the problem. But why does it occur? It appears that the way Proxomitron connects to a web site is different to the way the browser connects and Cloudflare is seeing the difference as some kind of attack. Ben.

Okay, I think I'm there. This post confirms what you have already said and it has a pretty comprehensive explanation of what happens. https://prxbx.com/forums/showthread.php?tid=2331&pid=19523#pid19523 This is also interesting: https://prxbx.com/forums/showthread.php?tid=2331&pid=19530#pid19530 I think this adds a layer of security when it comes to Proxomitron allowing sites using 'bad' certificates by first checking a list of trusted certificate authorities. I've done that without getting any errors. Ben.

The devil sure is in the detail. I've used Proxomitron for many years, albeit not with a huge degree of sophistication. For example, in the early days it was one of the few ways to block ads (I'm proud to have been blocking doubleclick for way more than a decade). Anyway, the issue I've had for a long time is that the filters don't get applied over a secure connection. I was still using Naoko 4.5 (2003-6-1) which I think is the final version produced by the late Scott R. Lemmon. Using your instructions I thought I'd give the whole SSL thing another go. This is using FF52. The creation of proxcert.pem and proxcert_certonly.pem is confusing. When I click the Certificate Generation and Installation button it creates both files (overwriting proxcert.pem previously created by proxcert-MakeCert.bat) so I'm wondering if the proxcert-MakeCert.bat step is redundant? I can get the Use SSLeay/OpenSSL option to work so Proxomitron applies filters on HTTPS pages. I did have to delete certs.pem from the ProxN45j install otherwise Proxomitron throws a challenge for each HTTPS site visited. The HTTPS tab is a bit of a mystery to me and I wish I could find some documentation on this new tab. I can't get the whole 8443 thing to work. I'm not even sure what it is trying to achieve. I can get Proxomitron to listen on 8080 and 8443 but if I tell FF to use 8443 as its SSL Proxy I get Secure Connection Failed messages. Using just 8080 for both the HTTP Proxy and SSL Proxy seems to work okay, so again I'm not sure what I'm trying to achieve. Is the 8443 thing supposed to replace the Use SSLeay/OpenSSL option? __________________________________________________________ I do have a concern about the way Proxomitron establishes a secure connection between itself and a web site while at the same time using a different secure connection using its own certificate with the browser. With Use SSLeay/OPenSSL, if you interrogate the Web Site Identity it will indicate that it is Verified by Proxomitron. View Certificate shows the Proxomitron certificate. Are there any dangers in this? For example, might Proxomitron facilitate a bad web site that the the browser would otherwise block? I did some tests here: https://badssl.com/ and it suggest that it might. I've seen these roll-your-own certificate solutions before and I've seen reports that as a side effect they can compromise security. I seem to remember some antivirus software that hijacked the SSL certificate so that it could virus check the secure traffic only to introduce its own vulnerability. I think they are fine when used in conjunction with, for example, an old email client because you presumably trust your email provider but in this scenario you're trusting the whole of the internet. Oh, and I also have a request. Is it possible that yourself or someone else could publish your zip files some place more easily accessible than Google's Dropbox? This is all interesting stuff, Ben.

: [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft Antimalware\Signature Updates] "FallbackOrder"="FileShares" "DefinitionUpdateFileSharesSources"="C:\\MSE" ...redirects MSE to check for updates locally. Ben.