See this: https://bugzilla.mozilla.org/show_bug.cgi?id=1364261#c43 and this: https://codeberg.org/librewolf/issues/issues/2338#issuecomment-3035635

Let me know if that doesn’t solve it for you!

Yes! And thanks for trying :)

As you do, it will help to know if you also tried Firefox (or other derivative) and if results there are same or different from Konform.

When someone willing to package and test that shows up ;^^

In particular, being on flathub means someone with a github account needs to push it up (sorry i’m done there).

Here is a starting point: https://codeberg.org/konform-browser/flatpak

Happy to iterate on codeberg with anyone who wants to tackle this

That is interesting!

BTW in case you’re not aware, direct links to fedia.io like the one you posted just lead to a loginwall so you probably don’t want to share those publicly. This one via beehaw.org works for everyone, though: https://beehaw.org/post/24563411

Dev here! Thanks for your interest!

Aw. On Artix, it wants to pull in wayland. No thanks.

Hm, I guess you’re just running text mode browser on that machine…? On Arch the wayland package is pulled in as transitive dependency of the gtk3 package. I don’t believe it will actually be loaded at runtime. However, I think that gtk3 might not be a hard dependency at all anymore (it used to be for Firefox in the past so this might be a leftover that konform inherited).

If you’re comfortable with makepkg I could suggest trying the konform-browser-bin AUR package and simply remove gtk3 as dependency from the PKGBUILD, run makepkg -si and fingers crossed that might work. More details in konform-browser/Arch repo, where contributions are also welcome. If you go the source route, see the note about profiling without wayland.

EDIT: OK I took a look and unless Artix is repackaging some core packages, I don’t see a way to make it work on Arch at least: xorg-server depends on libglvnd depends on mesa depends on wayland. Among others. Are you actually able to run an X server at all without having the wayland package installed? Or is thsi for headless use without any graphical environment…? Curious about the use-case! You can also try the binary tarball or just tar -xfing the arch package and invoke the konform binary directly.

Aw. https://gpo.zugaina.org/Search?search=konform no ebuilds on any listed overlays for Gentoo yet.

FWIW, it’s not planned at the moment but here’s the issue currently tracking Gentoo packaging: https://codeberg.org/konform-browser/source/issues/9

Thank you for kind words!

Ah, then the hope is that this curiosity will trigger you to dig into it yourself (for example using the provided tool or taking inspiration from it) so that it starts making sense! I know it’s an unconventional format to refrain from laying out my own opinions and analysis but that’s my thing today. So much “everyone knows” and vapid third-hand takes flying around these days that I think we would do well to actually verify (and pick up related knowledge in the process) rather than take forum comments and blog posts for gospel.

OK, all right, I can try. I guess I can point at one thing in the Mozilla telemetry at the very end, doesn’t that look very fine-grained if you look at the URLs (addresses) listed?

We can tell that many of the actions I took were communicated to the mothership for analysis and product improvement. Is this data really anonymized (or anonymizable)? Is it a reasonable amount for a user that has not opted in? My professional and personal opinion is: It is not.

But! That’s just one isolated example. And an extremely limited view. What about Zen? Chrome, Edge and Safari weren’t included here at all. And it’s not at all looking at what happens for a user who probably cares about this: when you go to settings and disable all the telemetry. See I just said that one thing about Mozilla Telemetry and now I’m going to have to run some new tests and write reports about them for days just to set that record straight!

Maybe I’m odd but I think it’s many (100?) times easier and quicker to gain understanding of the kinds of stuff we’re looking at here by getting hands-on than to communicate it verbally. And I’m concerned with this limited attention span so many people are afflicted with these days, and look at how long this comment is already, no we’re done with me telling you how it is, let’s wrap this one up and get on to the juicy stuff.

There’s an expandable section Basic test environment usage under Testing procedure but I realize now that might be easy to miss…

Anyway, to start it: Install podman, docker-compose (v2) and MITM_BROWSER=firefox-esr podman compose up --build. That should be it.

Then the browser pops up (hopefully), you do your thing, and after you Ctrl+C in the console, it will quit and the proxy will dump the recorded .har file which contains all HTTP and websocket traffic that went through the proxy in cleartext, in JSON format. There’re tools online that can help visualize I think but nothing I can recommend off the bat. Simply cating it to the terminal or opening it in a text editor can be educative. Also playing around with variations of the jq snippets and see if you can come up with questions of your own to answer. Or if anything in my numbers make you scratch your head or say “wait a minute” dig there.

In case you want to take a look at what the thing does before running it (trust me bro), these are the files involved when you run that compose up command:

• entrypoint compose.yml
• imported compose/proxy.compose.yml for mitmproxy
• The browser Containerfile (aka Dockerfile)

Available browser images

What about gwenview?

The author seems to think Mozilla should have protected our privacy by having someone act as the proxy for the request.

On the proxy part, they actually already have that and using it for some other parts:

https://support.mozilla.org/en-US/kb/ohttp-explained

TL;DR: Imagine an HTTPS-over-HTTPS proxy. Try to explain it like something groundbreaking without referencing existing tech. Now you have OHTTP.

https://firefox-source-docs.mozilla.org/browser/components/mozcachedohttp/docs/index.html

https://www.fastly.com/blog/firefox-fastly-take-another-step-toward-security-upgrade

It makes me scratch my head a bit why I’ve never see it enabled for DNS-over-HTTP in default stock Firefox config despite it being supported for years - the endpoints are just not configured. You have to know about it and configure the barely documented URL in about:config for that. Unlike for newtabpage and the FF shopping feature where OHTTP is used by default. Infra costs?

Appreciate the links!

And the option “Always show scrollbars” enabled because I have not found the preference to do it through the configuration file.

The labeling makes it less obvious but that maps to widget.gtk.overlay-scrollbars.enabled=false so also part of Konform upcoming update :) In general I find the quickest way to identify the mapping of a UI configuration and the about:config key is to:

• launch a clean profile
• open about:config
• click Show only modified preferences
• open about:preferences
• change the thing
• tab back. what’s new?

BTW, widget.non-native-theme.enabled is a no-op since the direct GTK integration was removed a while back: https://bugzilla.mozilla.org/show_bug.cgi?id=1726283#c4

You know, I think we should do at least something about those scrollbars¹ too. Not sure how close this is to what you prefer but hopefully a more sane default with more traditional fixed-width scrollbars should be part of next release. In general aiming to keep subjective and aesthetic UI tweaking to a minimum but I think the usability argument supports this one at least until anyone voices a different opinion.

So ty for that suggestion and also thank you for the warm feedback you left on the repo! :3

¹: Not only are they thin; they change the width dynamically when hovered and overlay on top of content. The potential for misclicks is not great.

Oh and I forgot to mention, we have an Arch repo now with prebuilt bin package too. If you add the repo and pacman -Sy konform-browser-bin, then it will upgrade for you on future pacman -Syu when there are new versions published.

For trying out such a new project I guess you might still want to do the more manual route in the beginning but if/when you feel it’s earned your trust now you know <3

Thanks for checking in! Did you try importing the Release PGP Key listed under the release already? ^^ Maybe it’s a bit easy to overlook in the release notes but it’s right above the debian installation. There should be a pinned comment on that on the AUR package pages already.

If you save key to file on disk:

$ gpg --import ./konform-cb-ci.pgp

Then it should show up with that Key fingerprint when doing gpg -k after.

Please let me know still having issues

Someone asked me about donations. There is no way to directly fund the project today (TBD) but if you have cash to spare then:

• Codeberg e.V. providing supportive and enabling infra and a point of collaboration for growing part of FLOSS ecosystem. This isn’t free.
• EFF hopefully doesn’t need an intro here
• noyb.eu
• Tor Project
• The maintainer of some other FLOSS software you care about

Nice, I hope it lives up to expectations!

Oh and one more thing on the overrides: There are a couple of prefs flags that exist in one of Konform/LibreWolf but not the other mostly due to being based on different FF versions - so in case you have some particular override not being effective, I’d first check that it’s not just a case of differences between FF versions 140-147. Not expecting that to come up in practice and setting non-recognized prefs should be harmless, but knowing this might save some head scratching in case you have an extensive overrides config with recent additions.

Looking forward to any feedback you may have <3

Low-effort snark.

Yes! In fact while the browser otherwise has its own branding, it does recognize override config as librewolf.overrides.cfg so you can literally just drop your existing LibreWolf overrides file into ~/.konform and it should pick it up. Figured this would make it smoother for people migrating from LW or switching between the two.

Not personally daily-driving or actively recommending it but I’ve had to look closely at Brave as part of browser security work.

Most of the posts, articles and videos I’ve seen that don’t apply approximately equally to the other big names are mostly backed by arguments like “I don’t approve of BE behavior and BE made Brave therefore Brave bad”, “crypto scammers bad therefore crypto bad and Brave uses crypto therefore Brave bad” or “it’s being promoted by bad people and therefore bad”. I think such arguments are in themselves without merit, should be dismissed and are not sufficient to tell others they shouldn’t use it. Tribalism isn’t healthy. An opinion being widely shared doesn’t make it true. Your trusted influencer being upset doesn’t mean you need to be.

Valid criticisms of Brave and valid reasons for not using the browser exist but that’s rare to see written out but buried deep under the bulk of FUD, groupthink and uninformed meme-takes we find all over the stuff shared on socials. On the privacy and security sides it’s very much a mixed bag. Scrolling through Brave flags I note more than one thing I think we can take inspiration from. For people locked into corpware and limited to what’s on the major app stores, you can certainly do worse. Yet I see little concern-blogging over Copilot 365 .NET Live Edge or Samsung Internet Browser, for example.

Of course I’d personally love if you used Konform Browser (or any other non-chromium browser) instead but I mostly see people bashing Brave for completely confused reasons. Yes there’s bloat and ads and telemetry and problematic trust and outbound networking going on out of the box. Yes they inject their own monetization into the user experience if you blindly click “Next, Next, I agree, Next” and run with defaults. All just like for Firefox these days. And just like Firefox, user configuration exists to improve on much of that while the software license and open source code afford fixing the rest for the willing. The differences I’ve seen when it comes to the browsers are mostly in degrees, not fundamental. Maybe we should have a Brave fork too.

I hope I’m not canceling myself, here…

IronFox: Exists. Currently mostly due to hard thankless work of one or two individuals.

somerandomperson: OK they got this; everyone else stop trying and go home now

I don’t think dismissing the issue so quickly is fair to either the IronFox maintainer, the state of Android web security, or browser diversity. It is also discouraging for anyone else considering exploring this and sharing their work in public. We need more people working on an open and free mobile browser ecosystem, not less.

I mean technically Android is still somehow Linux so ^^. But it does feel funny when the first (and only?) follow-up comment on the Linux community of this Linux software is about needing an Android version instead :p

The more interested people we have checking it out and poking at the code, the higher chance we can ship Android builds Soon^tm. Feel free to swing by and stay tuned ;)

deleted by creator