Can someone please tell me what triggers the addition of hosts to the permissions database?



As far as I can see dom.mozPermissionSettings.enabled is set to false by default and I didn't touch that setting.
BTW, I'm neither Twitter nor Facebook user.
Neither did I set up any site specific permission under "tools\privacy\permissions\".

I can delete those entries but after using K-Meleon for a while, different hosts (last time I deleted 17 entries) are populating the permissions database.
What is the criteria for those hosts to be automatically added to the database?

If you mean the sts/subd and sts/use permissions, are automatically added and, if I recall correctly, were by http headers telling that the domain must use ever secure access and at what levels of the domain.

How is it possible that they add even you "don't visit" them?

Easy. Do you know those "Like", "Tweets" and other widgets you see on the sites?

Most of them are iframes to Facebook, Twitter and other sites, so you are actually going to those sites and they set that permissions.

Those premissions being added to permissions.sqlite bugged me, but after serveral searches are harmless. Just a way to set sites to how visit them.

Harmless but it's crazy seeing them being added continuously.

Permissions is beyond cookies and others that was in the past.

Here it is explained:
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

EDIT: By the way, the above pref you told above, I don't know what it is for. Nor related to this.



Edited 1 time(s). Last edit at 10/15/2014 10:41PM by JohnHell.

Many thanks for the explanation!

I suspected those permissions to be harmless, otherwise I would have set only read access to the file.
I was just curious about the criteria used for being added to the db.
As for connecting to servers through iframes, yes I knew and basically also block those iframes. For the time being, I do only an exception with K-Meleon so I can better test the browser. My remark about not being Fedbook and Twatter user was rather sarcastic since I was nerved because of those apparently misterious entries.

BTW, K-Meleon with blocked iframes:

Don't forget also scripts calls. Another method to set HSTS or cookies.

When the browser requests scripts from those sites from a third party site, you are calling their servers, and in the HTTP headers also come cookies and HSTS.

Not necessarily an iframe, thinking about it... We are caught with every step



Edited 1 time(s). Last edit at 10/16/2014 01:38AM by JohnHell.

naruman's versions e.g. 74b4+1 contain ExExceptions. A manager/editor for permissions.sqlite. See https://addons.mozilla.org/en-US/firefox/addon/exexceptions/?src=api for more info.




Since noticed that You were not able to influence it much by setting a pref.

Quote
ExExceptions HP
Supported types

Cookie, Install, Image, Popup, Script, Document, Dtd, Object,
ObjectSubRequest, Ping, Refresh, Stylesheet, Subdocument, Xbl,
XmlHttpRequest.

* Firefox's blocking function does not support some of these types.

p.s. I am afraid I wanted to tranlate the addon to German but I haven't yet.

Kannst du ja tun - du könntest es dann besser nutzen.



Edited 1 time(s). Last edit at 10/16/2014 03:05AM by guenter.

But this one won't avoid to set HSTS permissions. It is just a permissions.sqlite editor but more friendly than Sqlite manager.

The only way to avoid is to set in the hosts file the domains you don't like to "knock knock" to.

Quote
JohnHell
But this one won't avoid to set HSTS permissions. It is just a permissions.sqlite editor but more friendly than Sqlite manager.

The only way to avoid is to set in the hosts file the domains you don't like to "knock knock" to.

There seems to be an missunderstanding about the purpose of permissions.sqlite.

I might be oudated though.

http://kb.mozillazine.org/Cookies

Quote
Mozillazine
permissions.sqlite hostperm.1

Holds preferences about which sites you allow or prohibit to set cookies, to display images, to open popup windows and to initiate extensions installation.

ExExceptions seems to be a dedicated permissions manager for the file permissions.sqlite. It decides what type of file/object a given page is permitted to load. It edits what was in hostperm.1 file of old. It extends Firefox capabilies a little to a few new file types. Not more.


This is AFAIK not conected with SSL or SLT which was much discussed here in the last two days.

For what HSTS seems to be: http://stackoverflow.com/questions/14609347/how-does-firefox-implement-hsts-in-detail or https://wiki.mozilla.org/Privacy/Features/HSTS_Preload_List

And I do not think I know what permissions.sqlite has to do with HTTP Strict-Transport-Security permissions. HSTS permissions AFAIK allow sites to specify that they should be accessed via a secure connection only...

But as I said: I might be oudated.

Which would meen that these permissions are stored in that file permissions.sqlite too?



Edited 1 time(s). Last edit at 10/16/2014 02:49PM by guenter.

I'll resume all in one thing:

use the sqlite manager extension.

Why I talk about HSTS. Have a look to the tables inside permissions.sqlite and you'll understand. I'm not mixing things with the POODLE (TLS/SSL problem).

You could see this in a very easy way in the past current versions in Seamonkey with the included Data Manager.

In some ways, the add-on link you provided is similar to the Data Manager. But yours is easier to manage permissions.


EDIT: just to clear it. Yogi asked where the hosts were being added from to permissions.sqlite. HSTS is one of the permissions is being automatically added.

This has nothing to do with SSL/TLS but with HTTP headers and automatic permissions feature in Gecko for secure access to sites aka HSTS.



Edited 2 time(s). Last edit at 10/16/2014 04:44PM by JohnHell.

Quote
guenter
There seems to be an missunderstanding

No doubt Guenter there is a missunderstanding.
I will try to make JohnHell's statement even more understandable by simplifying it: "But this one won't avoid to set permissions by K-Meleon on its own"

As far as I can see, the only way to stop K-Meleon (or Firefox for this matter) to set permissions on its own, is to cripple this functionality.
However, I wouldn't recommend anybody to cripple this functionality because it is aimed as a security feature.
Checking with FirefoxESR. It seems that in private browsing mode FF doesn't add entries on its own to rhe permissions DB.

As for ExExceptions, many thanks but:
Basically I don't set permissions for sites. Neither in Opera (Presto) nor in K-Meleon. I deny most of the time everything like cookies, scripting, active content, iFrames or local storage.
When needed I prefer to switch on the fly settings. It's a matter of a single click. For the very few sites that don't work without cookies I open a private tab before toggling cookies on. As soon as I close the tab, the cookies are gone. K-Meleon doesn't have yet the option for private tabs/windows but as far as I can see it will come soon.

Quote
JohnHell
EDIT: just to clear it. Yogi asked where the hosts were being added from to permissions.sqlite. HSTS is one of the permissions is being automatically added.

Yes. Hosts are added to permissions.sqlite. With their respective rights.

But HSTS consists of several things. So I have not understood You.

A newly created HSTS rule should be in that file.

As it is: Mozillazine does not mention any HSTS rules in permissions.sqlite.
I said at the first place that my current info might be outdated.

p.s. And not all HSTS rules seem to be there.

HSTS includes also a preset list that is passed on to the browser from Mozilla. It was originally based on a list by Google.

http://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security

Quote
Wikipedia
Firefox since version 4; with Firefox 17, Mozilla integrates a list of websites supporting HSTS.

permissions.sqlite is not in the default folder that creates new profiles.

I took the time last night to actually google in detail. However I have not been able to find where the list was stored on a Windows Mozilla GRE browser. Only a howtoo on a Mac. And the guy used a tool to look into assebled code, HeX Editor.


Yogy: Why not put the 17 odd sites that constantly reappear via their inframes and buttons in the data file and allow nothing? That is not much data.

naruman also put a Policies Manager (Screenshot shows default rule set)



and ExExceptions for a list based approach into his version to test extensions that upgrade security.

Addons like NoScript will also help with that sort of work.
It can also blacklist sites to do nothing.



Edited 2 time(s). Last edit at 10/17/2014 05:19AM by guenter.

Mozillazine is not up to date nowadays, even being a wiki.

I don't know you, but when I search for an explanation for new features I end very often in the developer pages of Mozilla :/

About updates and predefined lists :-? I don't think K-meleon auto-updates it or it has a predefined one. At least in a fresh profile it only has the permission addons.mozilla.org with install type permissions and probably was added by Dorian.

I don't think it is hardcoded in K-meleon aside the above, but I may be wrong, of course. Only Dorian must know.

The nearest to this hardcoded is in the preference xpinstall.whitelist.add from the omni.ja\defaults\pref\services-sync.js

This is my point of view You may be right. I don't know, I admit

This subject was elucidated and is for now ad acta for me.
Once again, thanks for help.

What I can tell for sure is that I had entries in the permissions DB which for sure were not hardcoded/preload. They were added automatically during surfing the web. From now on I will collect those entries (at least those I have no use for) and will feed my HOSTS file with them.

Quote
JohnHell
Mozillazine is not up to date nowadays, even being a wiki.

I don't know you, but when I search for an explanation for new features I end very often in the developer pages of Mozilla :/

About updates and predefined lists :-? I don't think K-meleon auto-updates it or it has a predefined one. At least in a fresh profile it only has the permission addons.mozilla.org with install type permissions and probably was added by Dorian.

I don't think it is hardcoded in K-meleon aside the above, but I may be wrong, of course. Only Dorian must know.

You are right. I meanwhile installed the Addon and went to chrome://sqlitemanager/content/sqlitemanager.xul I was out off date again.

BTW. I wonder whether Yogy has tried to set permission for facebook & co to Zero (or was it 2 for block?) and controlled with HTTPLiveheaders or HTTPFox whether that blocks contact?

Mozillazine is out of date again too.
Yes I also often end up on dev pages or bug number pages.

No, I think the list is updated when the browser is. That how it reads to me.
The list is always somewhere in the GRE unless there is an option to turn it off during build.

Turning off would show in about:buildconfig unless Dorian edited something manually or patched the GRE.


While I looked for sqlitemanager I also searched for other Addons with a string "block facebook".

There are several and I looked into the codes of one that blocks the beacon and the like button. I have not inspected more yet.

fbbeaconblocker@codeismightier.com.xpi. It works with a regular expession. It would be interesting to find out whether this approach could work for K-Meleon and could be extended to the other pages Yogy does not want.

I wonder whether the regular expression is compatible with BlUHell Firewaqll's.
That add blocker has regualar espressions in a comma separated list. If all is compatible we could use that code combination.

The core of the beacon blocker consist of two java scripts, one of which is not refenced anywhere, and a XUL file.

fbbeaconblocker.js is hoocked to each page with a simple browser_overlay.xul:

<?xml version="1.0" encoding="UTF-8"?>

<overlay id="fbbeaconblocker-overlay"
xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">;

<script type="application/x-javascript"
src="chrome://fbbeaconblocker/content/fbbeaconblocker.js"/>

</overlay>

fbbeaconblocker.js begin code:

// Code for blocking based on BlockSite
// Observer for HTTP - block all requests to .*\\.facebook.com/beacon/.*
// and http://www.facebook.com/sharer.php

var FbBeaconBlockerObserver =
{
observe: function(aSubject, aTopic, aData)
{
if(aTopic != 'http-on-modify-request')
{
return;
}

aSubject.QueryInterface(Components.interfaces.nsIHttpChannel);

var urlRegExp = new RegExp("http(?:|s)://(.*\\.)?facebook\\.com/(beacon/.*|sharer.*)");
var match = urlRegExp.exec(aSubject.URI.spec);
if(match != null)
{
aSubject.loadFlags = Components.interfaces.nsICachingChannel.LOAD_ONLY_FROM_CACHE;
aSubject.cancel(Components.results.NS_ERROR_FAILURE);
}
},

QueryInterface: function(iid)
{
if (!iid.equals(Components.interfaces.nsISupports) &&
!iid.equals(Components.interfaces.nsIObserver))
{
throw Components.results.NS_ERROR_NO_INTERFACE;
}
return this;
}
};



// Add our observer
var observerService = Components.classes["@mozilla.org/observer-service;1"].getService(Components.interfaces.nsIObserverService);
observerService.addObserver(FbBeaconBlockerObserver, "http-on-modify-request", false);

// Remove observer when current window closes
window.addEventListener("unload", function()
{
observerService.removeObserver(FbBeaconBlockerObserver, "http-on-modify-request");
}, false);



Edited 1 time(s). Last edit at 10/17/2014 03:48PM by guenter.

I know it is annoying, but only want to point again that they are harmless.

True is that if you "don't visit" (directly) a site is annoying seeing how they are being added; but them added has the benefit of force browser to use SSL and don't fallback to plain text or start the connection with the domain in SSL instead plain text when you don't type the https prefix.

By the way, I tried to add a permission with sqlite manager and didn't let... maybe because K-meleon is openned. Doesn't happen with other profile sqlite files :-?

From now, SSL==TLS I have to get used to it

I have had to resort to using WScript from OnQuit event and having a "wait" period to allow KM to finish writing and release the files in order to do any work on most of the files in my profile.

Quote
guenter
BTW. I wonder whether Yogy has tried to set permission for facebook & co to Zero (or was it 2 for block?)

Nope.
It wouldn't have made sense for me even to try making permissions for facebook & co in K-Meleon.
If I want to block something, I do it with my dedicated filtering proxy or with Windows HOSTS file. This way it gets blocked for every client on my system.
Besides, it weren't the entries per se which bugged me but the fact that I didn't know why they have been added automatically by the browser to the permissions DB.

Quote
guenter
and controlled with HTTPLiveheaders or HTTPFox whether that blocks contact?

Nope.
I have only deleted the (by then) misterious entries and some of them kept comming back in the DB.

BTW, I have never used HTTPLiveheaders or HTTPFox.
My filtering proxy (Proxomitron) can also show/log HTTP headers. For more complex tasks I fire up a dedicated sniffer. Besides, I could have also looked at active connections with TaskInfo, the only security relevant software I have installed on my system.

Quote
guenter
It would be interesting to find out whether this approach could work for K-Meleon and could be extended to the other pages Yogy does not want.

That's kind but really no need to do it for Yogi.
I have no clue about programming and I'm no IT expert but at least I can still handle myself pages I don't want and prefer to do so outside the browser.
But who knows, maybe in future whith HTML6? Filters based on HTTP headers are already in trouble with Google's SPDY.
Otherwise facebook & co might be essential for other users and I wonder which facebook user gives a damn shit about privacy anyway.

Quote
Yogi
That's kind but really no need to do it for Yogi.
I have no clue about programming and I'm no IT expert but at least I can still handle myself pages I don't want and prefer to do so outside the browser.
But who knows, maybe in future whith HTML6? Filters based on HTTP headers are already in trouble with Google's SPDY.
Otherwise facebook & co might be essential for other users and I wonder which facebook user gives a damn shit about privacy anyway.

I don't think so. Soon or later the headers have to be decompressed or decrypted to manage them with the browsers.

That's the reason add-ons as httpliveheaders (I never used it) or httpfox(FF)/httpmonitor(KM) works (can inspect headers) even with SSL/TLS connections.

In fact, we are already using SPDY now as K-meleon 74, probably with Google services, if we use them, and still possible to see HTTP dialog. But I don't know how to catch when SPDY is actually being used or not :-?

P.S.: I was able to edit permissions.sqlite. It was that I was giving an id to the entry that caused problems.

The manual add of HSTS permissions works too, that is what I was trying to test.

Quote
JohnHell
I don't think so. Soon or later the headers have to be decompressed or decrypted to manage them with the browsers.

Are you aware of a decent filtering proxy that can handle compressed headers?
I have tested with SPDY enabled/disabled but didn't notice any difference in speed on sites I visit regularly.

As far as I understand SPDY is a push protocol. It can be used to send data to the browser without being requested first.
The real blessing might come with HTTP/2.

Quote
JohnHell
In fact, we are already using SPDY now as K-meleon 74, probably with Google services, if we use them, and still possible to see HTTP dialog. But I don't know how to catch when SPDY is actually being used or not :-?

I know, except we turned off those settings. I find it weird that there are no references to SPDY settings neither references&from=Browser.urlbar.search.timeout" rel="nofollow" >here nor here.

AFAIK Chrome has an option to see if SPDY is in use. I have never tested Chrome.

Quote
Yogi
Are you aware of a decent filtering proxy that can handle compressed headers?

Nop. No idea, sorry :/

Quote
Yogi


That's kind but really no need to do it for Yogi.


Otherwise facebook & co might be essential for other users and I wonder which facebook user gives a damn shit about privacy anyway.

Your are the cause (Anlass) but not the deeper reason - I am afraid.

It is facebook and co. What You noticed (inframe, button) can be used to track users. Me too.
And that in turn is my deeper reason. That makes me currious and togehter we have 3 times bigger chances to stumble upon something that can close such leaks.

But I am mostly looking for a solution for concerns of my own.

Flash can be used to read out a fonts list when flash is on. (also works with Java).
Plugins list can be read out when Javascript is on.

Together with Your IP both can be used to fingerprint not You but Your machine.

Now the modern internet is useless when You constantly switch these off.

So if You guys fall over an addon or other solution that toggles leaking such info - I'd be really interested.



Edited 1 time(s). Last edit at 10/17/2014 10:08PM by guenter.

Quote
guenter
Now the modern internet is useless when You constantly switch these off.

I must be still living in the stone age of internet. None of my regularly visited sites require active content and scripting to be viewed.
Neither my over 200 bookmarked sites. Some of them have also embedded flash objects which work only with flash plugin and scripting enabled. I'm not keen to watch those objects and if I would, 2 clicks taking 2 (max x3 for refreshing the page with flash content) seconds.

Almost all sniffing and junk delivery is done via scripting. Not to mention obfuscated scripts which I block even with JS enabled.
I also block iFrames. iFrames with obfuscated scripts are specially lovely. iFrames can of course be useful too (most of the time they are misused like JS). In this case I can click on the blocked iFrame and open the link or I can disable filtering and refresh the page (x2 clicks). It happens extremely seldom.

BTW, can you give me a link for testing my plugin list via JS? Cyscape.com and Browserspy.dk have failed the test with Opera Presto. The flash plugin is the only third party browser plugin I use and so far only with Opera Presto.
However the test worked with KM. As far as I can see (correct me if I'm wrong) "click to play" doesn't toggle the plugin off/on. So it's no wonder that it worked with KM.

Imagine Guenter you could stop your browser to give any information away, even with scripting and active content enabled!
Wouldn't you have the most unique fingerprint?

Methinks that fingerprinting is overrated. While it is possible but not bulletproof (also your fingerprint might change after each upgrade), it is too expendable for little benefit.
IP numbers, cookies, persistent local storage or the referer header are more convenient for market- and social-analysis making understand us the lemmings/users.
As for our three letter agencies, they don't need fingerprinting, the can simply tap our network.

Regarding your question

What I do for a lick off privacy:
I toggle JavaScript, active content/plugins and cookies via browser. (only browser I have a plugin for active content/flash is Opera Presto).
PersistentLocalStorage is disabled in my browsers.
I block obfuscated JavaScript & iFrames with Proxomitron, a local filtering proxy.
Unwanted servers are blocked either by Proxomitron or by Windows HOSTS file.

Thx Yogy.

No I use pages where I need JS and Flash. Wirtschaft und Börse.
Tickers... Chart Tools...

And if You have alternative writing programm installed like me You have a fairly unique set of fonts - not to mention Sütterlin as an extra font.

The same is true for plugins. Browsers are my hobby - how can I give support without having installed the plugins we talk about so often. While i know to minimise the info given - it is way too much.

And I know it.

Only my IP is missleading - My ISP is a Telecom daughter and IP comes from any place in the northern half of Germany. Hardly ever from my hometown.

I look for a solution that goes almost as far as Your ways and is usable by DAUs.


No luck so far but I keep my eyes peeled.

Quote
guenter
No I use pages where I need JS and Flash. Wirtschaft und Börse.
Tickers... Chart Tools...

I see. Take care of the badger, ... bears and bulls.

Well, since you need scripting and flash for those sites and you visit them probably often, I'm afraid there's not much to do.
My approach won't bring you much benefit if any, in this case.

BTW, my approach with Proxomitron has also a big drawback, namely secure connections.
Filtering secure connections was always a PITA with Proxo. As most Proxo users I have turned it off.
At least there are some workarounds in work (a local proxy chained with Proxo, which decrypts the incoming traffic and passes it over to Proxo).

What I like about Proxo is that it not only blocks iFrames and obfuscated JavaScript but also can be configured to show the blocked object on the page:



Wonder if there is a browser addon for Gecko which can do the same?



Edited 1 time(s). Last edit at 10/20/2014 07:42AM by Yogi.

Quote
JohnHell
Harmless but it's crazy seeing them being added continuously.

Permissions is beyond cookies and others that was in the past.

Here it is explained:
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

Lately I came across this:
HTTPS can be set as your super-cookie

Quote

If you want to forget HSTS for a Web site in Firefox without loosing all browsing data you can edit permissions.sqlite

Great.

Quite clever "attack".

But now it is harder because the subdomains flag. If not set, could be done manually. I did by myself for some hosts.

And the best, the last phrase about Google. LOL. Google, making great things for us ¬¬

Regarding HSTS-cookies, came accidentally about this, sounds interesting but don't have enough time right yet. Do a web search for
SiteSecurityServiceState.txt

Should we precreate this file and set it to readonly to avoid fingerprinting?

My KM1.6 doesn't do that HSTS-stuff anyway, too old, so leave testing to you

A bit offtopic but privacy related, from the german thread:

Quote
Mikk
KM hinterlässt jeweils eine riesenmenge an tpxx000.tmf dateien (können auch etwas abweichend, doch immer so ähnlich heissen) im C:\WINDOWS\TEMP ordner, de nur manuell gelöscht werden können. Interessant ist dabei auch, TotalCommander sieht diese dateien nicht.

Anyone know what those 'mysterious' files are?? Masses in temp-folder, only created by using KM, even after only visiting this forum and about:config!
Somehow I have a vague memory something similar (tmf?? oder other?) was recently mentioned in this forum, and one of you knew it right away, but of course cannot find it anymore. And somehow guess it had to do with flash-thumbnails or such, but not sure at all, and Mikk has banned flash long since from his system. He said for testing he renamed some to jpg, bmp etc. but cannot open anyway, only creates errors.
He gets them with KM1.6+1.7, I never. Am using flash9 for youtube, otherwise block all embeds by flashblock and objects-block (blocks also if js is off)



Edited 2 time(s). Last edit at 12/12/2015 05:59PM by siria.

Google says that this is Tagged Font Metric files and if to switch off an option 'Allow webpages to use their own fonts' (Firefox) - they disappeared.

Also someone said this is Win2k specific problem...

I haven't such files too so cannot say more

Quote
siria
My KM1.6 doesn't do that HSTS-stuff anyway, too old, so leave testing to you

A bit offtopic but privacy related, from the german thread:

Quote
Mikk
KM hinterlässt jeweils eine riesenmenge an tpxx000.tmf dateien (können auch etwas abweichend, doch immer so ähnlich heissen) im C:\WINDOWS\TEMP ordner, de nur manuell gelöscht werden können. Interessant ist dabei auch, TotalCommander sieht diese dateien nicht.

Anyone know what those 'mysterious' files are?? Masses in temp-folder, only created by using KM, even after only visiting this forum and about:config!
Somehow I have a vague memory something similar (tmf?? oder other?) was recently mentioned in this forum, and one of you knew it right away, but of course cannot find it anymore. And somehow guess it had to do with flash-thumbnails or such, but not sure at all, and Mikk has banned flash long since from his system. He said for testing he renamed some to jpg, bmp etc. but cannot open anyway, only creates errors.
He gets them with KM1.6+1.7, I never. Am using flash9 for youtube, otherwise block all embeds by flashblock and objects-block (blocks also if js is off)

You have to volunteer that it is Win 98 and K-Meleon 1.6/1.7 for Mikk.

Readings from a XP where folder is named is 0S2/tmp. No such files created.
Nor in the folder Profiles etc/usr/local settings/temp that corresponds to it in XP.

Neither Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.16pre) Gecko K-Meleon/1.6.0 not Firefox/3.5.15 nor Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.21) Gecko K-Meleon/1.7.0 not Firefox/3.5.15 create anything there when I go here. Neither does any 74 -76 version. Nor does 1.5.x.

So You have to tell users where You go to create these files.


ok googled it. Happens on SF but.

https://bugzilla.mozilla.org/show_bug.cgi?id=475123

This seems a legacy Windows specific problem. They mention Win2000.

See also.

http://forums.mozillazine.org/viewtopic.php?f=38&p=12940511

Possibly in conjunction with certain plugins typically found on legaccy systems.

You have to look whether a plugin is loaded that can use .tmf.

TMF http://www.file-extensions.org/tmf-file-extension

Quote
tmf
The tmf file extension is associated with Corel WordPerfect, a word processing program, developed by Corel Corporation. Corel Word Perfect is part of Corel Word Perfect Office suite.

A tmf file contains tagged font metric data.

See also links at:

https://encrypted.google.com/search?num=20&site=&source=hp&q=firefox+.TMF+files&oq=firefox+.TMF+files&gs_l=hp.3...1842.11090.0.12175.15.14.0.1.1.0.219.2277.1j12j1.14.0...0.0...1c.1.18.hp.qT6hj9PTvew