Tutorial

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

See the revision history at the end of this document for a list of changes.

Introduction

Many of us are aware of the immense threats to our privacy and security posed by a plethora of technology corporations and governments, both of which often go to great lengths to monitor our communications and web browsing habits. Governments not only spy on each other, but on the citizenry as well and they leverage the services of many mega-corporations to do so, including Google, Facebook, Verizon, Comcast, Amdocs and countless others, many of which most of us have probably never heard of. While this data may be used for relatively benign purposes, such as displaying ads in our web browser, all too often the intentions are far more sinister and invasive. Much of what Edward Snowden has brought to the table is not new at all, but it seems the information has been presented in such a way as to have a dramatic effect upon many of us, prompting those who value their privacy to find ways to mitigate these threats. The goal of this guide is to help the reader to thwart some of the efforts to track and profile us as we make our way through the World Wide Web.

For many of us, our web browser is the primary interface we use to explore the digital world and it is therefore necessary for any privacy conscious individual to consider what information our web browsers are sending and receiving and how that information can be used to track our on-line activities and profile us. Only then can we take action to circumvent some of these threats.

Contrary to the statements made in The Mozilla Manifesto, it is my opinion that the non-profit, multi-million dollar Mozilla Foundation is hardly concerned with the privacy of its software audience, particularly when considering its flagship product, the Firefox web browser. This is readily apparent when one considers the array of ethically challenged multinationals which Mozilla has chosen to partner with, including Google, Yahoo, Microsoft, Telefónica, LG Electronics, Sony, Verizon, Cisco and others. Even the Firefox Pocket service is tied to a 3rd party company and it seems more “features” are being added with each iteration of the browser. Google Chrome is no better — it is actually worse in some ways — and Internet Explorer is not worth the effort required to express an opinion.

That being said, i think Firefox is still a good product in many ways and certainly one of the most versatile and customizable web browsers on the planet. Because it is open source and wide open to customization, i believe the Gecko family of browsers are good candidates for those who wish to reduce their exposure to privacy and security threats. The folks behind the Tor project seem to think so as well since Firefox is included in the Tor Browser Bundle.

This guide covers primarily the configuration of Firefox and the add-ons we will be using and ends there. For additional privacy you may wish to consider using a VPN. Personally i use and recommend AirVPN due to their privacy policy, ethics, price and the fact that they run a lot of servers all around the world and don’t restrict any protocol, including BitTorrent traffic.

Audience

This guide is intended for those who are somewhat technically inclined and who wish to reduce threats to their privacy while enhancing browser security and performance. We will attempt to accomplish these goals while maintaining a reasonably carefree web browsing experience. This guide is not intended as a complete solution for those whose well-being depends on anonymity (whistle-blowers, etc.) or who require secure methods of transmitting data (journalists, etc.), though it may be a worthy supplement to more specific information. This guide is a) a work in progress and b) not authoritative, since i do not claim to be an authority on Firefox, Internet security or digital privacy. There are simply too many technologies, options and attack vectors for me to comprehend in something as incredibly complex as the modern web browser.

Though this guide is centered around Firefox, it should also be useful to users of other Gecko-based programs, including the SeaMonkey and Iceweasel browsers as well as the Mozilla Thunderbird email client.

The Mozilla Firefox browser is based on the Gecko layout engine and, as with any mainstream browser, it is a very complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked and some of which are rather obscure. Change a few settings without knowing what you’re doing and things can quickly break down. Poorly coded add-ons can compound the problem, especially when they conflict with one another. This guide attempts to provide useful information for accomplishing our goals in an efficient manner with a minimal dependency on 3rd party add-ons.

There is a large selection of Firefox add-ons for tweaking privacy and security, some of the most popular of which are Adblock Plus and its derivatives, NoScript, Flashblock, Ghostery, Web of Trust, BetterPrivacy, Lightbeam, Disconnect, Self-Destructing Cookies, Cookies Manager+, Request Policy, Policeman, Bluhell Firewall, RefControl, Smart Referer, HTTPS Everywhere and many others. With some possible exceptions, we won’t be using any of these and yet will retain most of the important functionality of all of them with just two add-ons along with editing many of our Firefox preferences.

A bit of a trade-off should be expected any time we fiddle with our browser settings insomuch as some websites will cease to function properly until the settings for the affected sites are adjusted. Anyone who has used a content filter such as NoScript will understand that certain resources must be allowed for many websites to function in a way that is acceptable to us. As with NoScript however, the process of allowing these resources with the add-ons suggested herein usually requires little more than a mouse click or two and a page refresh. Furthermore, once we have visited all of our favorite websites and made the necessary changes to our configuration, our workload will be greatly reduced. Nevertheless, you should be prepared to put a little more effort into your web browsing experience in general and expect the occasional hard-case which will require more fiddling than usual to get a particular site to function properly. The pay-off however is a cleaner, faster web that is less able to track and profile you.

Terminology

AMO: The Mozilla add-ons website.

Browser fingerprinting: A method whereby a web server attempts to uniquely identify your browser using various methods, including information contained in the HTTP headers, information collected with scripting languages such as JavaScript, querying cached data, enumerating installed plug-ins, languages and more. For more information, see A Primer on Information Theory and Privacy.

Browser storage (web storage: cache, cookies, etc.): The modern web browser is a far more sophisticated tool than most people probably realize. In addition to HTTP cookies and web caching, a web server can store data using local and session storage, indexedDB storage, window.name storage and Etag cache storage. If you are concerned about preserving your inherent right to privacy, you have far more to worry about than so-called “cookies”.

Crapware: For the purpose of this document, crapware is considered to be code that is included in a browser or browser extension which is not relevant to the functionality users expect from the main program. The term crapware encompasses adware, tracking mechanisms and malicious code. Crapware is often added to browser extensions (add-ons) by a marketing company or solo developer for the purpose of monetizing the extension. Crapware can present a significant threat to user privacy and browser security.

CSS: Cascading Style Sheets are used to format and beautify website content. CSS presents no risk to privacy or security so far as i am aware since it is used only to apply visual styling to HTML elements.

Domain / Sub-domain / Hostname: For the purposes of this document, a domain name and a hostname are treated the same. Both specify a human-friendly name for a website, such as example.com. A 1st party domain is whatever website you are currently viewing, such as example.com, while a 3rd party domain could be a web server which supplies content to the 1st party domain. For example, the web page http://example.com/video may include a video that is provided by youtube.com, making youtube.com a 3rd party domain. A sub-domain is a separate part of the main domain. For example, sub.example.com is a part of example.com.

TLD: A Top Level Domain. For instance, com is the top level domain in example.com.

HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are protocols used for sending and receiving data across the internet. For HTTP, an unsecured, unencrypted connection to the remote resource is established, while a secure, encrypted connection is established with HTTPS. One reason you should be concerned with unencrypted connections is the fact that it is possible for anyone between your computer and the site you are visiting, including your ISP (Internet Service Provider), to eavesdrop and learn exactly what you are looking at.

JavaScript: A powerful programming language that is used to run code within the browser. Although JavaScript is used by many websites for legitimate reasons, it can also be used maliciously to perform a wide variety of attacks against the browser and your privacy.

UI: A User Interface, also known as a Graphical User Interface, is the graphical portion of a program usually containing various controls, such as buttons, check-boxes and other widgets, which allow you to interact with the underlying code. UIs are often referred to as “windows”.

Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites.

Prerequisites

Getting Firefox

There are several flavors of Firefox other than the mainstream release, including the Firefox ESR (Extended Support Release) build which is usually an older version that does not contain the latest features, but may be more stable. If you’re running Linux, you may already have Iceweasel installed, which is nearly identical to Mozilla Firefox. Another option is the Firefox Developer Edition which, though i have not tested it with the configuration outlined in this guide, should work fine. Another option is Cyberfox from 8pecxstudios, though, again, i have not tested it with the configuration outlined in this guide. Cyberfox may be more privacy-centric than many other versions in that several phone-home features have apparently been gutted, including telemetry, health reporting and possibly the Google “Safe Browsing” feature and so on. One caveat with Cyberfox is that, like Pale Moon, it uses a different format for some of the profile files which requires using a tool to convert your current Firefox profile should you want to import your data. As for the many other custom builds of Firefox, a lot of them are not worthwhile and can/will cause problems due to bugs, add-on incompatibilities, etc., Pale Moon included.

Firefox post install cleanup

After installing Firefox you may wish to delete or disable any unnecessary plug-ins and search engine configuration files.

If using pcxFirefox, be aware that it is packaged with the Windows Media plug-in. I would suggest deleting or disabling this plug-in if you do not require it. For Windows, the plug-in file, np-mswmp.dll, is located in the folder C:\Program Files (x86)\Mozilla Firefox\browser\plug-ins or C:\Program Files\Mozilla Firefox\browser\plug-ins. Linux users can remove Firefox plug-ins from their package manager, though threats resulting from plug-ins may be less problematic in a Linux environment.

The search engine configuration files are located in the \Mozilla Firefox\browser\searchplugins folder. I suggest reading my guide, Opting out of the Firefox / Google / Yahoo partnership, for information regarding how Mozilla generates a large portion of its massive revenue stream with the included search engines and what you can do to opt out of this affiliate scheme if you so choose. If you already have your preferred search engines installed in your profile \searchplugins folder, then you can simply delete these files. For quickly adding a search engine to the search bar, try the Add to Search Bar add-on, or visit the Mycroft Project website where you can download piles of preconfigured search plug-ins, though you should check the code carefully to ensure tracking methods are not included.

If you have already run Firefox, you may notice that it has installed the OpenH264 Video Codec plug-in by Cisco Systems without asking you. Currently this plug-in seems to be used only for the WebRTC feature. If you do not use this feature and do not want the browser to load this plug-in, you can delete the \gmp-gmpopenh264 folder in your profile directory along with all of its contents. To prevent re-installation, make sure the configuration preference media.gmp-gmpopenh264.enabled is set to false in the user.js file below before the browser is restarted.

The necessary (and not so necessary) add-ons

This guide depends heavily upon the following add-ons:

  • uMatrix: You can think of uMatrix as a browser firewall which can block requests to 1st and 3rd party domains entirely, or for specific resources such as JavaScript, images, CSS, plug-ins, frames and more. uMatrix works with Firefox, Chrome and Opera and is available on AMO.
  • uBlock Origin: uBlock Origin, by the same developer of uMatrix, is a powerful content filter which shares some of the same functionality of uMatrix, but is better suited to blocking ads. uBlock can use the same filter lists as the Adblock Plus variants for blocking ads, as well as many more which they cannot. There are currently two versions available; the original by Raymond Hill which has been renamed to uBlock Origin, and a fork by Chris Aljoudi which retains the original name, uBlock. I would highly recommend using uBlock Origin since it offers features not found in Chris’s build, as well as for other reasons.

The following add-ons are optional, but recommended:

  • Decentraleyes: Decentraleyes helps protect privacy and speeds up page rendering by loading several common JavaScript resources locally rather than fetching them from a Content Delivery Network (CDN) server. If you use this add-on, you will need to whitelist several domains in uMatrix. The list can be found here. After adding the domains, be sure that no block rules exist for the same domains.
  • Clean Links: helps to protect user privacy by stripping tracking/garbage parameters from URLs, such as those used by Google Analytics (utm_source, etc.).
  • BetterPrivacy: i would suggest using this only if you are using the Adobe Flash Player plug-in. If you do not want to use the Flash plug-in, you can try the EmbedUpdater add-on which will convert videos embedded in 3rd party websites to use the HTML5 player instead of Flash. Most 1st party sites, such as YouTube, already make use of the HTML5 player.

The following add-ons are completely optional:

  • NoScript Security Suite: since uMatrix will be used to block scripts, this functionality is not required from NoScript, though it may add a bit more protection in terms of cross-site request forgeries, click hijacking and possibly other areas. If you use NoScript, you should either disable global script blocking if you want uMatrix to handle scripts or, alternatively, allow NoScript to handle scripts and don’t enable the global script block rule in uMatrix.
  • Cookie Controller: apparently handles cookies, local and session storage, though in a manual and granular way that appears to require significant user interaction.

For more possibilities regarding add-ons, see my article Firefox Extensions: My Picks.

If you’re running Windows and want to unpack an add-on to have a look at the code, you can use 7-Zip. I believe the built-in Windows archive utility can unpack .xpi files also, though you may have to change the extension to .zip.

The user.js file

We will be changing many Firefox preferences and it is highly recommended to create a user.js file to store your custom preferences rather than editing the default prefs.js file or using the about:config editor. If you’re running Windows i would suggest using a quality text/code editor such as Notepad++ or PSPad for editing configuration files.

You will need to create the user.js file in your Firefox profile directory if it does not already exist. In Windows you can locate this directory quickly by pressing the Windows key + R and entering %APPDATA%\Firefox\Profiles. Linux users should find it in their /home/[user]/.mozilla/firefox/ directory. In a sub-folder of the Profiles folder you will find all your profile files, including your prefs.js file, and it is here that you want to create the user.js file. Make sure you enable the display of file extensions in Windows Explorer and then check that the file you created actually has a .js extension and not a .js.txt extension. If you already have a user.js file, you will want to be sure to address any preferences which may be duplicated here in order to avoid unexpected results.

Automatic updates

Regarding automatic add-on updates, i would suggest disabling this feature and checking for updates manually on a regular basis, reading the change logs and privacy policies carefully. The problem with automatic add-on updates is that a developer can, at any time, partner with, or sell their work to a 3rd party which often results in adding code to monetize the add-on at the cost of your privacy. Examples of some very popular extensions which contain such crapware are Abduction, a screen capture utility; Quick Locale Switcher, a language switcher; FasterFox Lite, a largely useless utility which claims to speed-up Firefox; BlockSite, a content blocker; Google’s Search By Image, a reverse image search utility and many others. Not all of these extensions contained crapware when they were first developed, which is why i strongly suggest disabling automatic updates and reading the change logs and privacy policies carefully each time an add-on is updated.

For peace of mind, you can also search your prefs.js file for all instances of “http” and check what the URLs are used for. If you want to disable the functionality you can simply add the preference to your user.js file and replace the URL with “”, or localhost (http://127.0.0.1/), or you could point the URL to localhost in your HOSTS file (C:\Windows\System32\drivers\etc\HOSTS). Here is an example of a Windows HOSTS file which will redirect safebrowsing.google.com to your local machine, meaning the request will never leave your computer:

127.0.0.1    safebrowsing.google.com

Browser object caching

Browser caching is a disk intensive activity. If you intend to store web cache data, i would suggest storing it in system RAM rather than on your hard drive if you have enough memory available. Even 50 or 100 megabytes of space can help disk workload for websites which you visit repeatedly. In addition to minimizing hard drive wear and tear, your web browser will be able to render revisited pages faster. The settings in the CACHE section of our user.js file below will accomplish this, so if you do not want to store the web cache in RAM, you will need to edit the respective settings accordingly. Note that Firefox requires cache size values to be in kilobytes (KB).

user.js contents

IMPORTANT: Because the user.js in this guide is updated frequently and i wish to avoid the hassle of editing these settings for public consumption each time i update it, the settings below are a direct copy of my personal settings. You should therefore review these settings carefully as it is very likely that you will want to change, remove or comment out some of them. To comment out a line, prefix it with a double forward slash and then make sure the preference is set to its default value in Firefox about:config (or prefs.js) by right-clicking it and selecting ‘Reset’.

In the user.js file below, you will notice the presence of a bogus preference (12bytes.org-user-js-settings) at the end of each section. This preference is used solely for troubleshooting and is essentially ignored by Firefox. Firefox reads the user.js file from the top down and if it encounters a syntax error it will cease reading the remainder of the preferences in the file. To be sure the entire file was read successfully, we can simply check the value of the 12bytes.org-user-js-settings preference in about:config and if it is ‘load success’, then we know there were no syntax errors in the file. This should be done each time you edit your user.js file.
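The two checks described above (searching prefs.js for URL-valued preferences, and confirming that user.js was read to the end) can be scripted. The following Python is an added example, not part of the original guide or of Firefox; the function names, the sample text and the example.constructed.pingURL preference are constructed for illustration, and it assumes, as the guide states, that reading stops at the first syntax error.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# user_pref("name", value); with a quoted string, integer or true/false value.
# prefs.js and user.js share this syntax.
PREF_RE = re.compile(
    r'\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*'
    r'("(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;'
)
SENTINEL = "12bytes.org-user-js-settings"  # troubleshooting pref from the guide


def strip_comments(text):
    """Drop // and /* */ comments; keep newlines and string contents intact."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                    # copy a string literal verbatim
            j = i + 1
            while j < n and text[j] not in '"\n':
                j += 2 if text[j] == "\\" else 1
            j = min(j + 1, n)
            out.append(text[i:j])
            i = j
        elif text.startswith("//", i):        # line comment: skip to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):        # block comment: keep its newlines
            j = text.find("*/", i + 2)
            j = n if j == -1 else j + 2
            out.append("\n" * text.count("\n", i, j))
            i = j
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def check_prefs(text):
    """Read statements top-down and stop at the first one that does not parse,
    which is how the guide describes Firefox treating a user.js syntax error."""
    code = strip_comments(text)
    prefs, duplicates, error_line, pos = {}, [], None, 0
    while True:
        m = PREF_RE.match(code, pos)
        if m is None:
            rest = code[pos:]
            if rest.strip():                  # unparsed text remains: report its line
                start = pos + len(rest) - len(rest.lstrip())
                error_line = code.count("\n", 0, start) + 1
            break
        name, value = m.group(1), m.group(2)
        if name in prefs and name != SENTINEL:
            duplicates.append((name, prefs[name], value))
        prefs[name] = value                   # keep the later value
        pos = m.end()
    sentinel = prefs.get(SENTINEL, "").strip('"') or None
    return {"prefs": prefs, "duplicates": duplicates,
            "error_line": error_line, "sentinel": sentinel}


def url_prefs_by_host(prefs):
    """Map each host found in an http(s) URL value to the prefs that name it."""
    hosts = defaultdict(list)
    for name, value in prefs.items():
        for url in re.findall(r'https?://[^\s"|,]+', value):
            try:
                host = urlsplit(url).hostname
            except ValueError:                # malformed URL, e.g. bad IPv6 literal
                continue
            if host and name not in hosts[host]:
                hosts[host].append(name)
    return dict(hosts)


# Constructed sample: line 8 is missing its semicolon, line 6 repeats line 3.
SAMPLE = '''\
/* constructed sample for this example, not the guide's full file */
user_pref("12bytes.org-user-js-settings", "syntax error @ CACHE");
user_pref("browser.cache.disk.enable", false);   // a comment with http://example.com
user_pref("browser.newtab.url", "http://127.0.0.1/");
user_pref("example.constructed.pingURL", "https://telemetry.example.com/submit?v=1");
user_pref("browser.cache.disk.enable", true);
user_pref("12bytes.org-user-js-settings", "syntax error @ UPDATING");
user_pref("app.update.enabled", false)
user_pref("app.update.auto", false);
user_pref("12bytes.org-user-js-settings", "load success");
'''

if __name__ == "__main__":
    report = check_prefs(SAMPLE)
    print("stopped at line:", report["error_line"], "| sentinel:", report["sentinel"])
    print("duplicates:", report["duplicates"])
    print("URL prefs by host:", url_prefs_by_host(report["prefs"]))
```

To check real files, pass the contents of the user.js or prefs.js file from your profile directory to check_prefs().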

Copy the following to your user.js file:

/*
    title:      Firefox/Gecko Configuration Guide for Privacy Freaks and Performance Buffs
    author:     12bytes.org
    web:        http://12bytes.org/articles/tech/firefox-gecko-config-for-privacy-freaks-and-and-performance-buffs
    notes:      - based on Firefox v49
                - synchronized with Pants config 0.08, 04 Jan 2016
    history:
        (history previous to Apr., 2016 was not recorded)
        28-APR-2016:
            * added/edited some settings descriptions, fixed some typos
            * updated formatting
        1-MAY-2016
            * added pref 'network.jar.open-unsafe-types'
            * added pref 'gecko.buildID'
            * added pref 'loop.logDomains'
            * changed value of 'browser.newtabpage.directory.source'
            * spelling corrections
        10-MAY-2016
            * added pref 'media.block-play-until-visible'
            * added pref 'media.getusermedia.agc_enabled'
        12-MAY-2016 (a)
            * added pref 'network.dnsCacheExpiration'
        12-MAY-2016 (b)
            * added better description for pref 'network.dnsCacheExpiration'
        3-JUN-2016
            * corrected error with pref 'layout.css.devPixelsPerPx' - value is a string, not an integer
        17-JUN-2016
            * set 'browser.fixup.hide_user_pass' back to its default value
            * added 'network.http.redirection-limit'
        1-JUL-2016
            * fixed "plugin.scan.*" values so they are strings instead of integers
            * added new prefs (cfg.*-settings-loaded) at the end of each section for troubleshooting
        3-JUL-2016
            * changed the troubleshooting preference name to '12bytes.org-user-js-settings' and added different values to indicate where the loading stopped - thanks to 'Pants'
        15-JUL-2016
            * removed 'browser.zoom.full'
        22-JUL-2016
            * added 'mousewheel.with_shift.action' preference and set it to '0' to disable moving forward/back in history when the mouse wheel is scrolled while the Shift key is pressed
        26-JUL-2016
            * added missing troubleshooting preference (12bytes.org-user-js-settings)
        20-AUG-2016
            * added missing 'privacy.sanitize.sanitizeOnShutdown' preference - the 'privacy.clearOnShutdown.[s]' preferences will not work without this
        16-SEP-2016
            * removed duplicate preferences - thanks to 'Osine' - more here: http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs/comment-page-2#comment-490
        17-SEP-2017
            * added 'devtools.toolbox.zoomValue'
            * changed value of 'browser.newtab.url' to 'about:logo'
        27-SEP-2016
            * commented out 'media.autoplay.enabled' pref and updated description
        28-SEP-2016
            * set value to blank ("") for pref 'browser.newtab.url'
            * corrected an error where the troubleshooting pref (12bytes.org-user-js-settings) was located after each section instead of before
            * added more instances of the troubleshooting pref (12bytes.org-user-js-settings)
            * corrected value type of 'devtools.toolbox.zoomValue' pref - it should have been a string, not an integer
            * removed pref 'browser.safebrowsing.provider.google.appRepURL' - deprecated
            * removed Firefox Hello prefs (Hello was removed in v49) 'loop.enabled', 'loop.logDomains', 'loop.server'
            * misc. minor edits

    primary resources:
      About:config entries - MozillaZine Knowledge Base (http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries)
      About:config - MozillaZine Knowledge Base (http://kb.mozillazine.org/About:config)
      A comprehensive list of Firefox privacy and security settings by Martin Brinkmann (http://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/)
      Tor Project (https://www.torproject.org/)
*/

///////////////////////////
//// === BUG FIXES === ////
///////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ BUG FIXES");

/*
    --- sluggish/hanging tabs, text selection ---
    check these preferences if you experience sluggish tab switching, sluggish text highlighting when dragging cursor, etc. one method that may fix this is to disable hardware acceleration (options > advanced > general), but this can result in choppy full-screen video, choppy scrolling, as well as other graphic anomalies. layers.offmainthreadcomposition.enabled = false was a fix, but now causes YouTube videos to shrink in size and become non-resizable as of v37. the gfx.direct2d.use1_1 = false pref is not a complete cure in my case, but does seem to help. you can search about:config for "direct2d" for related prefs
*/
//user_pref("layers.offmainthreadcomposition.enabled", false);  // [boolean] whether to enable a new rendering feature in v33+ - setting to false fixes hanging tabs, but can cause video display issues
//user_pref("gfx.direct2d.use1_1", true);                       // [boolean] may be a replacement for layers.offmainthreadcomposition.enabled to avoid tab hanging/slow keyboard input - this also avoids icon and other display corruption
/*
    --- smooth scroll stuttering ---
    enabling either of these options may reduce graphics performance by using Direct3D 9 or OpenGL for rendering, but can solve problems with stuttering while scrolling a document when smooth scrolling (general.smoothScroll)
*/
//user_pref("layers.prefer-opengl", false); // [boolean] use OpenGL instead of Direct3D for rendering - setting to true can cause display issues in how the whole Firefox UI is rendered
//user_pref("layers.prefer-d3d9", true);    // [boolean] use Direct3D 9 instead of 10 for rendering - breaks Firefox 40

////////////////////////////////
//// === LINUX SPECIFIC === ////
////////////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ LINUX SPECIFIC");

/*
    these settings are specific to Linux Mint, but should be fine for any Debian based distro which uses the APT (Advanced Package Tool) package manager
*/
user_pref("network.protocol-handler.app.apt", "/usr/bin/apturl");       // [string] path to APT URL handler
user_pref("network.protocol-handler.app.apt+http", "/usr/bin/apturl");  // [string] path to APT URL handler
user_pref("network.protocol-handler.warn-external.apt", true);
user_pref("network.protocol-handler.warn-external.apt+http", true);

///////////////////////
//// === CACHE === ////
///////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ CACHE");

user_pref("browser.sessionhistory.max_total_viewers", 5);   // [integer] how many pages to store in memory - used when moving back/forward in history - -1=auto-determine based on available memory
/*
    these settings will disable disk caching and store all cached objects in RAM - recommended as long as you don't mind the cache getting dumped at reboot or when Firefox is restarted
*/
user_pref("browser.cache.disk.enable", false);                 // [boolean] whether to use the hard disk for cache - set to false to force everything to RAM
user_pref("browser.cache.disk_cache_ssl", false);              // [boolean] whether to cache documents viewed over a secure connection (https)
//user_pref("browser.cache.memory.capacity", 256000);          // [integer] allotted RAM capacity in KB for both memory and disk cache in RAM - 256000 = 250 MB
user_pref("browser.cache.memory.enable", true);                // [boolean] whether to enable memory cache
user_pref("browser.sessionstore.privacy_level", 2);            // [integer] 0=Store all extra session data, 1=Store extra session data for non-HTTPS sites, 2=Never store extra session data - contents of forms, scrollbar positions, cookies, and POST data
user_pref("browser.sessionstore.privacy_level_deferred", 2);   // [integer] presumably same as above except for non-focused tabs
/*
    clear objects on shutdown and set preferences for manual history deletion
*/
user_pref("privacy.cpd.cache", true);                          // [boolean] whether to preselect the option to clear browser cache when manually clearing history
user_pref("privacy.cpd.cookies", true);                        // [boolean] whether to preselect the option to clear cookies when manually clearing history
user_pref("privacy.cpd.downloads", true);                      // [boolean] whether to preselect the option to clear download history when manually clearing history
//user_pref("privacy.cpd.formdata", true);                     // [boolean] whether to preselect the option to clear form data when manually clearing history
//user_pref("privacy.cpd.history", true);                      // [boolean] whether to preselect the option to clear history data when manually clearing history
user_pref("privacy.cpd.offlineApps", true);                    // [boolean] whether to preselect the option to clear off-line website data when manually clearing history
//user_pref("privacy.cpd.passwords", true);                    // [boolean] whether to preselect the option to clear log-on passwords when manually clearing history
//user_pref("privacy.cpd.sessions", true);                     // [boolean] whether to preselect the option to clear active logins when manually clearing history
//user_pref("privacy.cpd.siteSettings", true);                 // [boolean] whether to preselect the option to clear site-specific settings when manually clearing history
user_pref("privacy.clearOnShutdown.cache", true);              // [boolean] whether to clear browser cache on shutdown
user_pref("privacy.clearOnShutdown.cookies", true);            // [boolean] whether to clear cookies on shutdown
user_pref("privacy.clearOnShutdown.downloads", true);          // [boolean] whether to clear download history on shutdown
//user_pref("privacy.clearOnShutdown.formdata", true);         // [boolean] whether to clear form data on shutdown
//user_pref("privacy.clearOnShutdown.history", true);          // [boolean] whether to clear history data on shutdown
user_pref("privacy.clearOnShutdown.offlineApps", true);        // [boolean] whether to clear off-line website data on shutdown
//user_pref("privacy.clearOnShutdown.passwords", true);        // [boolean] whether to clear log-on passwords on shutdown
//user_pref("privacy.clearOnShutdown.sessions", true);         // [boolean] whether to clear active logins on shutdown
//user_pref("privacy.clearOnShutdown.siteSettings", true);     // [boolean] whether to clear site-specific settings on shutdown
user_pref("privacy.sanitize.sanitizeOnShutdown", true);           // [boolean] whether to enable the 'privacy.clearOnShutdown.[s]' options

//////////////////////////
//// === UPDATING === ////
//////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ UPDATING");

/*
    --- program updates ---
    i suggest disallowing any automatic updating - you should always read the change logs and then decide what to do since features may have been added that you absolutely do not want, or features removed that you do want. if you choose to use an old build, i would suggest using the ESR releases https://www.mozilla.org/en-US/firefox/organizations/faq/
*/
user_pref("app.update.enabled", false);                             // [boolean] whether to enable browser auto-updating
user_pref("app.update.auto", false);                                // [boolean] auto-install updates - app.update.enabled must be enabled
user_pref("app.update.disable_button.showUpdateHistory", false);    // [boolean] apparently enables showing update history, though it may not be implemented as of v37
user_pref("app.update.service.enabled", false);                     // [boolean] whether to enable the background service that installs updates - possibly Linux specific
user_pref("app.update.showInstalledUI", true);                      // [boolean] whether to display a notice after an update is applied
user_pref("app.update.silent", false);                              // [boolean] whether to show update prompt - dependent upon app.update.enabled
user_pref("app.update.staging.enabled", false);                     // [boolean] presumably whether to allow background downloading of updates
/*
    --- extension updates ---
    i suggest disallowing any automatic updating for extensions and manually checking for updates on a regular basis, reading the change logs carefully. the problem with automatic updates for extensions is that a developer can sell a popular extension to a marketing company that will add code to track user browsing habits, display ads, etc. consider using Extension Defender to help guard against this and download extensions only from AMO
*/
user_pref("extensions.update.autoUpdateDefault", false);    // [boolean] whether to auto-install extension updates
user_pref("extensions.update.enabled", false);              // [boolean] whether to auto-check for extension updates
user_pref("extensions.blocklist.url", "");                  // [string] url from which to download list of blocked extensions
/*
    --- plugin updates ---
    if you disable plugin update checking and have plugins installed, be sure to manually check for plugin updates on a regular basis. personally i do not have any plugins installed - most video/embedded content, including PDFs, for the popular sites can be viewed natively in Firefox without plugins
*/
user_pref("media.gmp-manager.url", "");                                             // [string] OpenH264 plugin update URL - set to blank to disable update checking
user_pref("plugins.update.notifyUser", false);                                      // [boolean] whether to check for plugin updates - this may not cover the OpenH264 plugin
user_pref("plugins.update.url", "https://www.mozilla.org/%LOCALE%/plugincheck/");   // [string] remove utm tracking params from plugin update check URL - if "" you can't check for updates manually
/*
    --- misc. updates ---
*/
user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");  // [string] update URL for updating content in about:home page
//user_pref("browser.startup.homepage_override.mstone", "ignore");      // [string] used to display browser update information - may want to uncomment this if using a proxy for anonymity
user_pref("browser.microsummary.updateGenerators", false);              // [boolean] whether to auto-update bookmark microsummaries
user_pref("browser.search.update", false);                              // [boolean] whether to auto-update search plugins - probably want to disable this if using custom edited search plugins in \searchplugins folder
user_pref("lightweightThemes.update.enabled", false);                   // [boolean] whether to auto-update Personas (themes)

/////////////////////////////////////////////
//// === SECURITY / PRIVACY, GENERAL === ////
/////////////////////////////////////////////

/*
    Data Reporting
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - Data Reporting");

user_pref("datareporting.healthreport.about.reportUrl", "");           // [string] URL to which the browser health report is sent
user_pref("datareporting.healthreport.about.reportUrlUnified", "");    // [string] about:healthreport URL
user_pref("datareporting.healthreport.documentServerURI", "");         // [string] URL of healthreport server
user_pref("datareporting.healthreport.service.enabled", false);        // [boolean] disable Mozilla health report service which collects various browser data and sends it home
user_pref("datareporting.healthreport.uploadEnabled", false);          // [boolean] disable uploading health reports to Mozilla
user_pref("datareporting.policy.dataSubmissionEnabled", false);        // [boolean] whether to enable data report submission
user_pref("datareporting.policy.dataSubmissionEnabled.v2", false);     // [boolean] whether to enable data report submission
/*
    SSL
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - SSL");

user_pref("security.fileuri.strict_origin_policy", true);            // [boolean] whether to limit local file ability to access files above the directory in which the file resides
user_pref("security.mixed_content.block_active_content", true);      // [boolean] whether to block mixed active (other than images, etc.) content from a non-secure source when viewing an encrypted page (https)
//user_pref("security.mixed_content.block_display_content", false);  // [boolean] whether to block mixed non-active (images, etc.) content from a non-secure source when viewing an encrypted page (https)
//user_pref("security.OCSP.enabled", 1);                             // [integer] how to validate ssl certs (uses OCSP, a 3rd party service): 0=disable, 1=validate only certificates that specify an OCSP service URL, 2=enable and use values in security.OCSP.URL and security.OCSP.signingCA for validation
user_pref("security.ssl.errorReporting.automatic", false);           // [boolean] whether to send SSL error reports without asking the user
user_pref("security.ssl.errorReporting.enabled", false);             // [boolean] whether to enable SSL error reporting
user_pref("security.ssl.errorReporting.url", "");                    // [string] URL to which SSL errors are reported
/*
    Telemetry data is sent to Mozilla and includes information about the build of the browser, various benchmark values, the installed extensions, and information about the computer system
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - Telemetry");

user_pref("toolkit.telemetry.archive.enabled", false);  // [boolean] whether local archiving of telemetry pings is enabled or not - depends on toolkit.telemetry.unified
user_pref("toolkit.telemetry.cachedClientID", "");      // [string] unique telemetry ID
user_pref("toolkit.telemetry.enabled", false);          // [boolean] disable pop-up asking for feedback since v8
user_pref("toolkit.telemetry.prompted", 2);
user_pref("toolkit.telemetry.rejected", true);
user_pref("toolkit.telemetry.unified", false);          // [boolean] controls unified behavior - if enabled will record basic data and will send additional pings
user_pref("toolkit.telemetry.unifiedIsOptIn", true);    // [boolean] makes telemetry opt-in even when "toolkit.telemetry.enabled" is true
/*
    Geolocation
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - Geolocation");

user_pref("browser.search.geoip.url", "");           // [string] disable contacting Mozilla to set the default search engine
//user_pref("geo.enabled", false);                   // [boolean] whether to enable geo-location - not strictly necessary to disable since user should be prompted before location data is allowed to be sent
//user_pref("geo.wifi.uri", "http://127.0.0.1");
user_pref("geo.wifi.logging.enabled", false);
/*
    WebGL
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - WebGL");

user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.disabled", true);                // [boolean] whether to disable WebGL - potential security risk - can also be blocked with NoScript
user_pref("webgl.disable-extensions", true);
user_pref("webgl.min_capability_mode", true);
/*
    WebRTC
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - WebRTC");

user_pref("media.gmp-gmpopenh264.enabled", false);                 // [boolean] whether to enable the OpenH264 plugin - appears to be used only for Firefox WebRTC as of v37
user_pref("media.peerconnection.enabled", false);                  // [boolean] whether to enable WebRTC - Real-Time Communications between peers for voice, video, file and desktop sharing, etc. - potential security/privacy risk - WebRTC can be controlled with HTTP UserAgent cleaner
user_pref("media.peerconnection.ice.default_address_only", true);
user_pref("media.peerconnection.identity.timeout", 1);
user_pref("media.peerconnection.turn.disable", true);
user_pref("media.peerconnection.video.enabled", false);
/*
    EME (Adobe "Primetime Content Decryption Module" DRM)
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - EME");

user_pref("browser.eme.ui.enabled", false);
user_pref("media.gmp-eme-adobe.enabled", false);
user_pref("media.eme.enabled", false);
user_pref("media.eme.apiVisible", false);
/*
    Media
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - Media");

user_pref("camera.control.autofocus_moving_callback.enabled", false);
user_pref("camera.control.face_detection.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");
user_pref("media.getusermedia.screensharing.enabled", false);          // [boolean] whether to enable screen sharing - should not be strictly necessary to disallow this as user should be prompted before the connection is allowed
user_pref("media.navigator.enabled", false);                           // [boolean] unsure, but it is part of WebRTC - see: media.peerconnection.enabled
user_pref("media.video_stats.enabled", false);
user_pref("media.webspeech.recognition.enable", false);                // [boolean] unknown, sounds like a potential privacy threat
user_pref("media.getusermedia.agc_enabled", true);                     // [boolean] whether to enable Automatic Gain Control for audio
/*
    Misc
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ SECURITY / PRIVACY, GENERAL - Misc");

user_pref("beacon.enabled", false);                                // [boolean] whether to send additional analytics to web servers
user_pref("breakpad.reportURL", "");
//user_pref("browser.display.use_document_fonts", 0);              // [integer] whether to allow web pages to use their own fonts - allowing this (1) is a privacy issue because of browser fingerprinting, however not allowing (0) this will make a lot of sites quite ugly (garbled characters)
user_pref("browser.helperApps.deleteTempFileOnExit", true);
//user_pref("browser.history.allowPopState", false);               // [boolean] whether to allow web sites to manipulate browser history - 'false' breaks some web sites when navigating within them, such as YouTube
//user_pref("browser.history.allowPushState", false);              // [boolean] whether to allow HTML5 web sites to add entries to the browser history - 'false' breaks some web sites when navigating within them, such as YouTube
user_pref("browser.history.allowReplaceState", false);             // [boolean] whether to allow HTML5 web sites to replace entries in the browser history
user_pref("browser.selfsupport.url", "");                          // [string] disable Mozilla pop-up asking for feedback - introduced in v37
user_pref("browser.send_pings", false);                            // [boolean] whether to allow HTML5 ping tracking when clicking a link
user_pref("browser.send_pings.require_same_host", true);           // [boolean] whether to require the same host if sending pings
user_pref("browser.urlbar.unifiedcomplete", false);
user_pref("device.sensors.enabled", false);
user_pref("experiments.activeExperiment", false);
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("gecko.buildID", "20100101");                             // [string] browser build ID - value taken from Tor Browser
user_pref("general.useragent.compatMode.firefox", false);           // [boolean] whether to append a special compatibility token to the user-agent string - could potentially be used for fingerprinting and should not be necessary for average user
//user_pref("general.useragent.override", "");                      // [string] HTTP User-Agent string - should be set randomly with something like uMatrix
user_pref("privacy.donottrackheader.enabled", false);               // [boolean] whether to enable the "do not track" header - essentially useless
user_pref("privacy.trackingprotection.enabled", false);             // [boolean] whether to enable tracking protection (see: browser.polaris.enabled) - not needed if using other means, such as uBlock - when enabled, a new icon in address bar will appear when a site is being blocked, allowing to disable per domain - note that enabling this allows the download of a list from Mozilla
user_pref("browser.trackingprotection.gethashURL", "");
user_pref("browser.trackingprotection.getupdateURL", "");
user_pref("privacy.trackingprotection.pbmode.enabled", false);
user_pref("signon.autofillForms", false);                           // [boolean] Whether to allow the password manager to auto-fill log-on forms - potential security risk - if false, the password will still be set after the user name is manually entered, which can usually be done quickly from a drop-down list

///////////////////////////////
//// === SAFE BROWSING === ////
///////////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ SAFE BROWSING");

/*
    --- Mozilla/Google Safe Browsing ---
    i would recommend disabling safe browsing entirely and using a good, no-log, no-redirect DNS server, such as FreeDNS (https://freedns.zone/), DNS.WATCH (https://dns.watch/), CensurfriDNS (https://blog.censurfridns.dk/), etc., in combination with uBlock and its anti-malware filter lists to mitigate the threat of domains hosting malware
*/
user_pref("browser.safebrowsing.downloads.enabled", false);         // [boolean] unknown, but since we're not using Google "Safe Browsing" feature, let's make sure it's dead
user_pref("browser.safebrowsing.downloads.remote.enabled", false);  // [boolean] unknown, but since we're not using Google "Safe Browsing" feature, let's make sure it's dead
user_pref("browser.safebrowsing.enabled", false);                   // [boolean] whether to compare URLs against a blacklist or submit URLs to a third party to determine whether a site is legitimate
user_pref("browser.safebrowsing.malware.enabled", false);           // [boolean] whether to download data about malware and use it to screen downloads
user_pref("browser.safebrowsing.remoteLookups", false);             // [boolean] whether to consult a third-party provider to determine whether a site is safe - if false, it will fall back to the local urlclassifier2.sqlite file - dependent upon whether browser.safebrowsing.enabled is enabled
user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");      // [string] destination for the "This isn't an attack site" button after ignoring the warning
user_pref("browser.safebrowsing.reportPhishMistakeURL", "");        // [string] destination for the "This isn't a web forgery" button after ignoring the warning
user_pref("browser.safebrowsing.reportPhishURL", "");               // [string] destination for the "Help | Report Web Forgery" menu item
/*
    FF43+ safebrowsing URLs
*/
user_pref("browser.safebrowsing.provider.google.gethashURL", "");   // [string] server endpoint for completions of malware and phishing lists
user_pref("browser.safebrowsing.provider.google.reportURL", "");    // [string] possibly unused
user_pref("browser.safebrowsing.provider.google.updateURL", "");    // [string] server endpoint for malware and phishing list updates
user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");  // [string] server endpoint for completions
user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");   // [string] server endpoint for downloading list updates

///////////////////////////////////
//// === SOCIAL NETWORKING === ////
///////////////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ SOCIAL NETWORKING");

user_pref("social.directories", "");
user_pref("social.enabled", false);                       // [boolean] whether to enable social networking features
user_pref("social.remote-install.enabled", false);        // [boolean] unknown, sounds scary o_O
user_pref("social.share.activationPanelEnabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.whitelist", "");                        // [string] URL of white-listed social service providers

//////////////////////////
//// === DOWNLOAD === ////
//////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ DOWNLOAD");

user_pref("browser.download.folderList", 2);
user_pref("browser.download.hide_plugins_without_extensions", false);   // [boolean] whether to hide mime types in prefs > applications tab that are not associated with a plugin
user_pref("browser.download.manager.addToRecentDocs", false);           // [boolean] whether to add downloaded files to Windows Recent Documents menu
user_pref("browser.download.manager.scanWhenDone", false);              // [boolean] whether to scan downloads with system A/V and whether to apply Windows security policy checks - if set to false, make sure to manually scan downloads!
user_pref("browser.download.useDownloadDir", false);                    // [boolean] whether to use the default location when downloading file - recommended to set to false

////////////////////////
//// === SEARCH === ////
////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ SEARCH");

user_pref("browser.search.param.yahoo-fr", "");         // [string] remove tracking parameter
user_pref("browser.search.param.yahoo-fr-ja", "");      // [string] remove tracking parameter
user_pref("browser.search.suggest.enabled", false);     // [boolean] whether to enable search suggestions for search bar
user_pref("keyword.enabled", false);                    // [boolean] whether to allow searching from the address bar - !!! potential security/privacy issue since your search query can be stored by the search engine !!!

/////////////////////////
//// === NETWORK === ////
/////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ NETWORK");

user_pref("browser.casting.enabled", false);              // [boolean] whether to send HTML5 video to other devices on the network
user_pref("gfx.layerscope.enabled", false);
user_pref("network.allow-experiments", false);
user_pref("network.cookie.cookieBehavior", 1);            // [integer] 0=allow all, 1=allow same host, 2=disallow all, 3= allow 3rd party if it has already set a cookie - should use Self Destructing Cookies
user_pref("network.dnsCacheExpiration", 0);               // [integer] how long to keep DNS entries - set to '0' to disable DNS caching - should probably only do this if you are caching DNS queries using another method, such as at the router or the OS level and, if so, disable DNS prefetching (network.dns.disablePrefetch)
user_pref("network.dns.disablePrefetch", true);           // [boolean] disable nameserver lookups for sites not yet visited
user_pref("network.dns.disablePrefetchFromHTTPS", true);  // [boolean] disable nameserver lookups for secure sites not yet visited
user_pref("network.jar.open-unsafe-types", false);        // [boolean] whether to allow the opening of unsafe Java archives
/*
    --- referrer settings ---
    referrer is best controlled by an add-on, such as uMatrix
*/
//user_pref("network.http.pipelining", true);               // [boolean] whether to attempt to use a single HTTP 1.1 connection for multiple requests - can speed up loading of pages, or break them
user_pref("network.http.redirection-limit", 3);             // [integer] how many consecutive HTTP redirects the browser will follow - does not affect JS or META redirects
//user_pref("network.http.referer.spoofSource", false);     // [boolean] false=send real referrer, true=spoof referrer (use target URI as referrer) - this pref should be controlled by other means on a per-site basis, such as uMatrix
//user_pref("network.http.referer.trimmingPolicy", 0);      // [integer] 0=send full URI, 1=scheme+host+port+path, 2=scheme+host+port
//user_pref("network.http.referer.XOriginPolicy", 1);       // [integer] 0=always send, 1=send if base domains match, 2=send if hosts match - network.http.referer.spoofSource and network.http.referer.trimmingPolicy are dependent upon this setting
//user_pref("network.http.sendRefererHeader", 1);           // [integer] 0=never, 1=send when links are clicked 2=send when links or images are clicked - this pref should be controlled by other means on a per-site basis, such as uMatrix
//user_pref("network.http.sendSecureXSiteReferrer", true);  // [boolean] whether to send referrer from a secure site - not sure if this can be controlled by uMatrix
user_pref("network.http.spdy.enabled", false);              // [boolean] SPDY is developed by Google for optimizing HTTP/1 web traffic - will be deprecated in 2016 - possible security issues
user_pref("network.http.spdy.enabled.http2", false);        // [boolean] see network.http.spdy.enabled
user_pref("network.http.spdy.enabled.v3", false);           // [boolean] see network.http.spdy.enabled
user_pref("network.http.spdy.enabled.v3-1", false);         // [boolean] see network.http.spdy.enabled
user_pref("network.http.speculative-parallel-limit", 0);    // [integer] number of connections to make to a server for sites not yet visited (predictive) such as when typing in the search bar, hovering over links, etc. - max number of current global half open sockets allowable when starting a new speculative connection
user_pref("network.manage-offline-status", false);          // [boolean] whether to auto-detect connectivity and manage the option to work off-line - can be annoying
user_pref("network.predictor.enabled", false);              // [boolean] similar to network.prefetch-next, whether to prefetch resources for sites not yet visited (this was named "network.seer.enabled")
user_pref("network.prefetch-next", false);                  // [boolean] disable prefetching pages not yet visited
user_pref("network.proxy.socks_remote_dns", true);          // [boolean] true=have proxy do DNS lookups, false= do them client side

//////////////////////////////////
//// === DOM (JAVASCRIPT) === ////
//////////////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ DOM");

user_pref("dom.allow_cut_copy", false);                                     // [boolean] whether to allow JS to manipulate clipboard data (requires user intervention, like clicking a button)
user_pref("dom.allow_scripts_to_close_windows", false);
user_pref("dom.battery.enabled", false);                                    // [boolean] whether to allow JS to access battery info - potential privacy issue
//user_pref("dom.disable_image_src_set", false);                            // [boolean] whether to disable JS ability to change images
user_pref("dom.disable_beforeunload", true);                                // [boolean] whether to disable JS ability to warn user before leaving a domain
user_pref("dom.disable_window_flip", true);                                 // [boolean] whether to disable JS ability to change window z-order
user_pref("dom.disable_window_move_resize", true);                          // [boolean] whether to disable JS ability to move/resize windows
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.directories", true);             // [boolean] whether to disable JS ability to hide bookmarks toolbar
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);                 // [boolean] whether to disable JS ability to hide the menu bar
user_pref("dom.disable_window_open_feature.minimizable", true);             // [boolean] whether to disable JS ability to disable window minimizing
user_pref("dom.disable_window_open_feature.personalbar", true);             // [boolean] whether to disable JS ability to hide the personal tool bar
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.scrollbars", true);              // [boolean] whether to disable JS ability to hide scroll bars
user_pref("dom.disable_window_open_feature.status", true);                  // [boolean] whether to disable JS ability to hide the status bar
user_pref("dom.disable_window_open_feature.titlebar", false);               // [boolean] whether to disable JS ability to hide the title bar
user_pref("dom.disable_window_open_feature.toolbar", true);                 // [boolean] whether to disable JS ability to hide the tool bar
user_pref("dom.disable_window_status_change", true);                        // [boolean] whether to disable JS ability to change the status text
user_pref("dom.enable_performance", false);
user_pref("dom.enable_resource_timing", false);
user_pref("dom.enable_user_timing", false);
//user_pref("dom.event.clipboardevents.enabled", false);                    // [boolean] whether to allow JS to monitor/alter copy/paste actions - potential security/privacy risk, however setting to false breaks WordPress TinyMCE editor paste, possibly others
user_pref("dom.event.contextmenu.enabled", false);                          // [boolean] whether JS can alter/hide context menu
user_pref("dom.gamepad.enabled", false);                                    // [boolean] whether to enable the use of a game pad
user_pref("dom.idle-observers-api.enabled", false);                         // [boolean] unsure, but possibly a security risk
//user_pref("dom.indexedDB.enabled", true);                                 // [boolean] whether to allow JS to store data permanently - disabling this can break older extensions and some web sites - can be controlled other ways, such as by uMatrix, Self Destructing Cookies, etc.
user_pref("dom.ipc.plugins.enabled", false);                                // [boolean] whether to allow JS to discover plugins
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false); // [boolean] presumably whether to send plug-in crash reports to Mozilla
user_pref("dom.ipc.plugins.reportCrashURL", false);                         // [boolean] probably whether to send the URL of the website where a plugin crashed
user_pref("dom.netinfo.enabled", false);                                    // [boolean] whether JS can get information about the network/browser connection - Network Information API provides general information about the system's connection type (WiFi, cellular, etc.)
user_pref("dom.network.enabled", false);                                    // [boolean] whether to allow JS to determine the type of connection to the network
user_pref("dom.popup_maximum", 5);
user_pref("dom.server-events.enabled", false);                              // [boolean] whether to allow Server-Sent Events from the web server
user_pref("dom.storage.enabled", true);                                     // [boolean] whether to allow DOM storage - this can be controlled in a more granular way with uMatrix, however if no add-on is used to control storage and you are concerned about preserving your privacy, it is recommended to set this to false, though this will break some websites
user_pref("dom.telephony.enabled", false);                                  // [boolean] whether to enable JS internet telephony - no known uses and potential security/privacy threat
user_pref("dom.vibrator.enabled", false);                                   // [boolean] whether to allow JS to shake the screen
user_pref("dom.vr.enabled", false);                                         // [boolean] whether to enable JS to detect virtual reality devices - possible privacy/fingerprinting issue
user_pref("dom.vr.oculus.enabled", false);
user_pref("dom.vr.oculus050.enabled", false);
user_pref("dom.w3c_touch_events.enabled", 0);
user_pref("javascript.options.asmjs", false);

//////////////////////////////////////////////////
//// === WEBSITE APPEARANCE/FUNCTIONALITY === ////
//////////////////////////////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ WEBSITE APPEARANCE/FUNCTIONALITY");

//user_pref("accessibility.blockautorefresh", true);          // [boolean] whether to block and display a dialog when a page auto-refreshes - unfortunately it does not appear possible to block auto-refresh without displaying the annoying alert
user_pref("browser.autofocus", true);                         // [boolean] whether to auto-focus the address bar
user_pref("browser.blink_allowed", false);                    // [boolean] whether to allow blinking elements - typically very annoying
user_pref("browser.display.enable_marquee", false);           // [boolean] whether to allow animated marquee text
//user_pref("full-screen-api.pointer-lock.enabled", false);   // [boolean] locks pointer for web applications like first person view games, etc.
user_pref("full-screen-api.warning.timeout", 0);              // [integer] how long to display the full-screen overlay/warning notice after entering full-screen (such as for video)
user_pref("gfx.color_management.mode", 0);                    // [integer] whether to use embedded ICC color profiles in images to display them (requires a color calibrated monitor and correct color profile) - 0=disable, 1=enable, 2=enabled only on tagged
//user_pref("gfx.downloadable_fonts.enabled", false);         // [boolean] whether to allow downloading of fonts (Google web-fonts, etc.) - too many missing characters on pages with this disabled - better controlled with uBlock on a per-site basis
//user_pref("gfx.font_rendering.opentype_svg.enabled", true); // [boolean] whether to allow SVG inside fonts - at this point i cannot see any reason not to
user_pref("image.animation_mode", "once");                    // [string] how to display animated images: "none"=don't animate, "once"=allow to loop only once, "normal"=allow infinite looping
user_pref("layout.css.devPixelsPerPx", "1.2");                // [string] set the default zoom level for the entire browser and content (def = -1.0)
//user_pref("media.autoplay.enabled", true);                  // [boolean] whether to allow auto-play of embedded media - setting to false can cause some videos to not play at all even after clicking the 'start' button, including 1st and 3rd party Vimeo videos, and may also necessitate having to click the play button twice in other instances
user_pref("media.block-play-until-visible", true);            // [boolean] whether to block media from playing in a tab until that tab is visible - note that once it starts playing, changing tabs will not stop it

////////////////////////////
//// === EXTENSIONS === ////
////////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ EXTENSIONS");

user_pref("extensions.blocklist.enabled", false);                    // [boolean] whether to download list of black-listed extensions, vulnerable plugins, crash-prone graphic drivers
user_pref("extensions.getAddons.cache.enabled", false);              // [boolean] whether to check daily for extension metadata updates (description, ratings, etc.) when clicking the "more" link on the Add-ons panel - also seems to block remote icons for extensions in the Add-ons panel
user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");  // [string] disable downloading list of featured extensions for displaying in Get Add-ons panel

/////////////////////////
//// === PLUGINS === ////
/////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ PLUGINS");

user_pref("media.gmp-provider.enabled", false);                 // [boolean] whether to show the OpenH264 plugin in the plugins UI
user_pref("plugin.default.state", 0);                           // [integer] 0=disabled, 1=ask to activate, 2=active
user_pref("plugin.defaultXpi.state", 0);
user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);
user_pref("plugins.click_to_play", true);                       // [boolean] whether to block plugin dependent content and make it so user has to click to enable the content
user_pref("plugins.notifyMissingFlash", false);                 // [boolean] whether to notify if Flash is needed but not installed - URL bar will still indicate if Flash is missing
user_pref("security.xpconnect.plugin.unrestricted", false);     // [boolean] whether to allow scripting of plugins by untrusted scripts
/*
    --- plugin scanning ---
    these settings control whether Firefox should scan for 3rd party plugins.  setting these values to a version higher than exists prevents the scan
*/
user_pref("plugin.scan.Acrobat", "99999");                      // [string] whether to scan for Adobe Acrobat Reader
user_pref("plugin.scan.plid.all", false);                       // [boolean] whether to scan the directories specified in the Windows registry for PLIDs - includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash
user_pref("plugin.scan.Quicktime", "99999");                    // [string] whether to scan for Quicktime plugin
user_pref("plugin.scan.WindowsMediaPlayer", "99999");           // [string] whether to scan for Windows Media Player plugin

//////////////////////
//// === TABS === ////
//////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ TABS");

user_pref("accessibility.tabfocus", 3);                         // [integer] 3: Tab key focuses text fields and all other form elements
user_pref("browser.newtab.url", "");                  // [string] "about:blank"=show a completely blank tab when opening new tabs
user_pref("browser.link.open_newwindow", 1);                    // [integer] controls when a new window/tab should be opened - 1=open links that open in a new window in the current tab, 2=open links that open in a new window in a new window, 3=open links that open in a new window in a new tab in the current window
user_pref("browser.link.open_newwindow.restriction", 0);        // [integer] controls when a new window/tab should be opened - 0=divert all links according to browser.link.open_newwindow, 1=do not divert any links, 2=divert all links according to browser.link.open_newwindow, unless the new window specifies how it should be displayed
user_pref("browser.link.open_newwindow.override.external", 3);  // [integer] open links from external programs in: -1=default, 1=the current tab, 2=a new window, 3=a new tab
user_pref("browser.newtab.preload", false);                     // [boolean] whether to preload new tab content - dependent upon browser.newtab.url
user_pref("browser.newtabpage.directory.ping", "");
user_pref("browser.newtabpage.directory.source", "data:text/plain,{}");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);                // [boolean] whether to display marketing junk on new tabs - dependent upon browser.newtab.url
user_pref("browser.newtabpage.introShown", true);
user_pref("browser.sessionhistory.max_entries", 5);             // [integer] tab specific max number of pages that can be traversed when moving forward/backward in history - affects total memory consumption
user_pref("browser.tabs.closeWindowWithLastTab", false);        // [boolean] whether to exit FF when closing last tab
user_pref("browser.tabs.loadDivertedInBackground", true);       // [boolean] cause links opened from external programs to open in a new background tab
user_pref("browser.tabs.loadInBackground", false);              // [boolean] focus new tabs instead of loading them in the background
user_pref("browser.tabs.selectOwnerOnClose", true);             // [boolean] focus the parent tab when a child tab is closed
user_pref("browser.tabs.warnOnClose", false);                   // [boolean] disable warning when closing multiple tabs
user_pref("browser.tabs.warnOnCloseOtherTabs", false);          // [boolean] disable warning when closing other tabs
user_pref("browser.tabs.warnOnOpen", false);                    // [boolean] disable warning when opening too many tabs

//////////////////////
//// === MISC === ////
//////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ MISC");

user_pref("accessibility.typeaheadfind", false);                    // [boolean] whether to open the find bar to search for text as soon as you start typing
user_pref("browser.backspace_action", 2);                           // [integer] keyboard backspace key action: 0=go back, 1=page up, 2=disable
user_pref("browser.feeds.showFirstRunUI", false);
user_pref("browser.fixup.hide_user_pass", true);                    // [boolean] whether to reformat URLs containing log-on credentials
user_pref("browser.fixup.alternate.enabled", false);                // [boolean] whether to auto-correct mistyped URLs - suggested to set to false
user_pref("browser.fullscreen.animate", false);                     // [boolean] whether to animate window when entering full-screen view
user_pref("browser.fullscreen.animateUp", 0);                       // [integer] whether to animate window when entering full-screen view - 0=no toolbar/tab strip animation, 1=animates only first collapse, 2=animates each collapse
user_pref("browser.preferences.inContent", false);                  // [boolean] whether to display browser preference in a tab - introduced in v36 - can be controlled with Classic Theme Restorer
user_pref("browser.rights.3.shown", true);
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("browser.startup.homepage", "http://12bytes.org");        // [string] page to display when clicking the Home button
user_pref("browser.startup.page", 3);                               // [integer] page to display on startup - 1=home, 2=blank, 3=restore last session
user_pref("browser.triple_click_selects_paragraph", false);         // [boolean] whether to select paragraphs when triple clicked
user_pref("browser.urlbar.clickSelectsAll", true);                  // [boolean] whether clicking the address bar will select the entire address
user_pref("browser.urlbar.doubleClickSelectsAll", false);        // [boolean] whether to select the whole address string when double clicking in the address bar
user_pref("browser.urlbar.filter.javascript", true);                // [boolean] whether to filter javascript: URLs out of the address bar results
user_pref("browser.urlbar.suggest.searches", false);
user_pref("browser.urlbar.trimURLs", false);                        // [boolean] whether to strip prefix (http://) from URLs in URL bar
user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true);
user_pref("browser.usedOnWindows10.introURL", "");
user_pref("full-screen-api.warning.delay", 0);
user_pref("general.autoScroll", false);                             // [boolean] Whether to enable auto-scrolling (middle-click on a page to display scroll map)
user_pref("general.warnOnAboutConfig", false);                      // [boolean] whether to display a warning when using about:config
user_pref("layout.spellcheckDefault", 2);                           // [integer] enable spell checker: 0=disable, 1=in multi-line edit controls only, 2=in multi and single line edit controls
user_pref("layout.word_select.eat_space_to_next_word", false);      // [boolean] whether to include spaces after a word when double clicking to select the word
user_pref("layout.word_select.stop_at_punctuation", true);          // [boolean] whether to stop selection at a punctuation when double clicking to select a word
user_pref("middlemouse.contentLoadURL", false);                     // [boolean] whether to load the URL on the clipboard when middle-clicking in the content area of a webpage
user_pref("mousewheel.with_shift.action", 0);                       // [integer] controls what happens when the Shift key is pressed and the mouse wheel is scrolled
user_pref("nglayout.enable_drag_images", false);                    // [boolean] whether images can be dragged - also seems to have an effect on highlighting and dragging text - this feature can be very annoying, especially for website editors/admins
user_pref("reader.enabled", false);                                 // [boolean] whether to enable the Reader View functionality (this pref to be introduced sometime after v38.0.5)

user_pref("reader.parse-on-load.enabled", false);                   // [boolean] presumably whether to build a "Reader View" version of the page when it is loaded
user_pref("startup.homepage_welcome_url", "about:about");           // [string] what content to display when the browser is started with a new profile
user_pref("startup.homepage_override_url", "");
user_pref("ui.submenuDelay", 150);                                  // [integer] delay in ms before a sub-menu of a context menu is displayed
user_pref("view_source.tab", false);                                // [boolean] whether to view web page source code in a tab or a window which offers more options
user_pref("devtools.toolbox.zoomValue", "1.3");                     // [string] font size for the Developers Toolbox

/*
    Pocket (3rd party service)
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ MISC - Pocket");

user_pref("browser.pocket.enabled", false);         // [boolean] whether to enable 3rd party Pocket service for storing/sharing content saved from web pages
user_pref("browser.pocket.api", "");
user_pref("browser.pocket.oAuthConsumerKey", "");
user_pref("browser.pocket.site", "");               // [string] site used for 3rd party Pocket service
/*
    WebIDE
*/
user_pref("12bytes.org-user-js-settings", "syntax error @ MISC - WebIDE");

user_pref("devtools.devedition.promo.url", "https://www.mozilla.org/firefox/developer/");   // [string] remove UTM tracking params from intro to Firefox Developer edition URL
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);

//////////////////////////////////
//// === SMOOTH SCROLLING === ////
//////////////////////////////////

user_pref("12bytes.org-user-js-settings", "syntax error @ SMOOTH SCROLLING");

/*
    --- smooth scrolling tweak ---
    these settings provide silky-smooth scrolling that dynamically adjusts according to mouse wheel speed
*/
user_pref("general.smoothScroll", true);                            // [boolean] enable/disable smooth scrolling
user_pref("general.smoothScroll.lines", true);                      // [boolean] enable/disable smooth line scrolling (up/down arrow/page keys)
user_pref("general.smoothScroll.lines.durationMaxMS", 400);         // [integer] smooth the start/end of line scrolling operations in ms (up/down arrow/page keys)
user_pref("general.smoothScroll.lines.durationMinMS", 200);         // [integer] smooth the start/end of line scrolling operations in ms (up/down arrow/page keys)
user_pref("general.smoothScroll.mouseWheel", true);                 // [boolean] enable/disable smooth scrolling with mouse wheel
user_pref("general.smoothScroll.mouseWheel.durationMaxMS", 600);    // [integer] smooth the start/end of scrolling operations in ms
user_pref("general.smoothScroll.mouseWheel.durationMinMS", 400);    // [integer] smooth the start/end of scrolling operations in ms
user_pref("general.smoothScroll.other", true);                      // [boolean] enable/disable other smooth scrolling (Home/End keys)
user_pref("general.smoothScroll.other.durationMaxMS", 400);         // [integer] smooth the start/end of other scrolling operations in ms
user_pref("general.smoothScroll.other.durationMinMS", 200);         // [integer] smooth the start/end of other scrolling operations in ms
user_pref("general.smoothScroll.pages", true);                      // [boolean] enable/disable page smooth scrolling (PgUp/PgDn keys)
user_pref("general.smoothScroll.pages.durationMaxMS", 400);         // [integer] smooth the start/end of page scrolling operations in ms (PgUp/PgDn keys)
user_pref("general.smoothScroll.pages.durationMinMS", 200);         // [integer] smooth the start/end of page scrolling operations in ms (PgUp/PgDn keys)
user_pref("mousewheel.acceleration.factor", 10);                    // [integer] sets acceleration factor if mousewheel.acceleration.start > -1
user_pref("mousewheel.acceleration.start", 0);                      // [integer] when to apply mousewheel.acceleration.factor (after how many scroll clicks of mouse wheel) - value must be greater than -1
user_pref("mousewheel.default.delta_multiplier_y", 85);             // [integer] sets the vertical step size
//user_pref("mousewheel.min_line_scroll_amount", 1);                // [integer] how many lines to scroll with mouse wheel (approx.) - doesn't seem to have any effect

user_pref("12bytes.org-user-js-settings", "load success");

At this point it is important to review each of the settings to be sure they are configured the way you want. For example, if you are into social networking and use the social features of Firefox, you will want to comment out some or all of the social networking preferences or change their values.

Note that if you comment out a line after having run Firefox, that setting will likely remain active because it will have been copied to prefs.js, so if you want to remove something from your user.js file, you should enter the preference name in about:config, right click it, then click reset. The other option is to just change the preference value in user.js and then restart Firefox.
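The user.js above sets the 12bytes.org-user-js-settings marker at the start of every section, annotates most values with a [type], and, as just noted, leaves commented-out settings behind in prefs.js. The following Node.js script checks all three; it is an added example and not part of the guide's user.js. Its function names and both sample files are constructed for illustration, and its line-based parser is an assumption that simplifies Firefox's own preference parser.

```javascript
'use strict';

// Marker preference the guide's user.js sets at the start of every section.
const MARKER = '12bytes.org-user-js-settings';

// One user_pref() call per line, optionally commented out with "//" and optionally
// followed by a "// [type] ..." annotation, which is the layout the guide's file uses.
// Groups: 1 = commented out, 2 = name, 3 = value literal, 4 = annotated type.
const PREF_LINE = /^\s*(\/\/)?\s*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;\s*(?:\/\/\s*(?:\[(\w+)\])?.*)?$/;

// Line-based parse (an assumption of this example, not Firefox's real parser).
function parsePrefs(text) {
  const entries = [];
  const malformed = [];
  let inBlockComment = false;
  text.split(/\r?\n/).forEach((line, i) => {
    if (inBlockComment || line.trim().startsWith('/*')) {
      inBlockComment = !line.includes('*/');
      return;
    }
    const m = PREF_LINE.exec(line);
    if (m) {
      const type = m[3].startsWith('"') ? 'string'
        : (m[3] === 'true' || m[3] === 'false') ? 'boolean' : 'integer';
      entries.push({ line: i + 1, active: !m[1], name: m[2], literal: m[3],
                     type, annotated: m[4] || null });
    } else if (/^\s*user_pref\(/.test(line)) {
      malformed.push(i + 1); // active call that is not a valid string/boolean/integer pref
    }
  });
  return { entries, malformed };
}

function auditUserJs(userJs, prefsJs) {
  const { entries, malformed } = parsePrefs(userJs);
  const active = entries.filter(e => e.active);
  const activeNames = new Set(active.map(e => e.name));

  // Value literal disagrees with the [type] written in the trailing comment.
  const typeMismatches = entries
    .filter(e => e.annotated && e.annotated !== e.type)
    .map(e => ({ name: e.name, line: e.line, annotated: e.annotated, actual: e.type }));

  // Same preference set twice; the marker is repeated on purpose and is skipped.
  const firstSeen = new Map();
  const duplicates = [];
  for (const e of active) {
    if (e.name === MARKER) continue;
    if (firstSeen.has(e.name)) {
      duplicates.push({ name: e.name, lines: [firstSeen.get(e.name), e.line] });
    } else {
      firstSeen.set(e.name, e.line);
    }
  }

  // prefs.js uses the same user_pref() syntax, so the same parser reads it.
  const saved = new Map(parsePrefs(prefsJs).entries.map(e => [e.name, e.literal]));

  // Commented out in user.js but still stored in prefs.js:
  // candidates for a manual reset in about:config.
  const stale = entries
    .filter(e => !e.active && !activeNames.has(e.name) && saved.has(e.name))
    .map(e => e.name);

  // The marker value Firefox last stored names the section where loading stopped.
  const marker = saved.has(MARKER) ? JSON.parse(saved.get(MARKER)) : null;
  return { loaded: marker === 'load success', marker, malformed,
           typeMismatches, duplicates, stale };
}

// Constructed sample: a short user.js in the guide's layout with deliberate mistakes.
const SAMPLE_USER_JS = [
  'user_pref("12bytes.org-user-js-settings", "syntax error @ PLUGINS");',
  'user_pref("plugin.default.state", 0);                  // [integer] 0=disabled',
  '//user_pref("media.autoplay.enabled", true);           // [boolean] commented out after an earlier run',
  'user_pref("12bytes.org-user-js-settings", "syntax error @ TABS");',
  'user_pref("browser.newtabpage.enabled", false);',
  'user_pref("browser.newtabpage.enabled", false);        // constructed duplicate',
  'user_pref("browser.sessionhistory.max_entries", "5");  // [integer] constructed mistake: quoted',
  'user_pref("layout.css.devPixelsPerPx", 1.2);           // [string] constructed mistake: unquoted',
  'user_pref("12bytes.org-user-js-settings", "load success");',
].join('\n');

// Constructed sample: what prefs.js might hold after Firefox stopped reading in TABS.
const SAMPLE_PREFS_JS = [
  'user_pref("12bytes.org-user-js-settings", "syntax error @ TABS");',
  'user_pref("media.autoplay.enabled", true);',
  'user_pref("plugin.default.state", 0);',
].join('\n');

console.log(JSON.stringify(auditUserJs(SAMPLE_USER_JS, SAMPLE_PREFS_JS), null, 2));
```

Point the two arguments at the contents of the real user.js and prefs.js from your profile folder to run the same checks on your own configuration.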

Add-on configuration

Between the features offered by Firefox, uMatrix and uBlock Origin, we have some overlapping functionality and it is therefore necessary to configure our settings with this in mind.

uMatrix

We will be using uMatrix as a browser firewall to block entire domains and specific content (cookies, CSS, images, plug-in enumeration, JavaScript, XHR, frames and ‘other’ requests) from both 1st and 3rd party domains, while uBlock Origin will handle the advertising and malware site blocking.

uMatrix configuration

After installing uMatrix, click the tool bar icon, then click the black title-bar to access the Dashboard:

Click the uMatrix title-bar to access the Dashboard

Following are my recommended settings for each tab:

uMatrix configuration - Settings tab
uMatrix configuration - Privacy tab

The content for the My rules tab will be set using the pop-up UI, so we need not worry about this now.

For the Hosts tab, uncheck all of the options since we will be using uBlock Origin to handle our filter lists.

Next, close the Dashboard tab and click the tool bar icon once again to display the pop-up UI.

In order to deter tracking by the web server, i would recommend configuring uMatrix as shown below. To begin, we need to reconfigure the default global settings — the settings that will affect every website we visit. When configuring uMatrix, it is critical to set the proper scope for the filter settings. In the image below, i happen to be visiting github.com, though the website you are currently viewing does not matter. What does matter is the scope in which we are working. Because “github.com” is displayed in the upper left block, all of the rest of the settings will apply only to github.com:

uMatrix configuration - scope selection

Since we want to adjust global settings, we need to click the blue block and change the scope to the global scope:

uMatrix configuration - setting the global scope

The scope block will change to an asterisk:

uMatrix configuration - global scope set

Other than the scope block, most of the rest of the blocks are divided into an upper and lower half. Clicking the upper half will toggle the whitelisting of a domain or resource, while clicking the lower half will toggle the blacklisting of a domain or resource. What we want to do is globally allow all CSS and images for 1st party domains only and block everything else by default. Click the blocks until your settings match those shown here:

uMatrix configuration - setting global defaults

When you are finished, don’t forget to click the padlock icon to save the changes:

uMatrix configuration - saving changes

The upper part of the pop-up UI should now look like the following:

uMatrix configuration - saving settings

While the configuration of our global settings for uMatrix is now complete, the result is that many websites will not function properly and therefore we must configure the settings for each site we visit. While this may be a nuisance, the up-side is that we will be better protected against browser tracking, malware and other attacks.

uMatrix usage

Make sure to read the uMatrix manual to learn how to configure it for each domain you visit. The one very important point i would make is that you note the scope of the matrix before making adjustments to the settings. Remember: if you have the global scope selected (the upper-left box is an asterisk as shown above), then any rules you create will affect all websites, whereas if the scope is set to the current domain being visited, then the rules will affect only that domain.

uBlock Origin

uBlock Origin is a powerful content filter which can be used to prevent the loading of resources, or hide page elements when load blocking is not possible. While uBlock Origin can block in-line, 1st party and 3rd party JavaScript, ads, images, frames and more, we will be using it primarily for ad, tracking and malware blocking. uBlock can use all of the same filter lists as Adblock Plus/Edge plus other lists they cannot. It also features a wizard for easy element hiding and a network request logger which is invaluable for troubleshooting when a website does not display and/or function properly.

Because uBlock filters unwanted content, websites will generally load much faster while still retaining all the functionality we require once the rules are configured properly for each site.

uBlock Origin configuration

Once the uBlock icon is on your tool-bar, click it to reveal the pop-up UI, then click the dark colored title-bar at the top to reveal the configuration UI:

uBlock Origin - title-bar

Following are my recommended settings for uBlock Origin:

uBlock Origin configuration - Settings tab

Note that we are not enabling the ‘I am an advanced user’ option since all dynamic filtering will be handled by uMatrix.

uBlock Origin configuration - 3rd-party filters tab

For the ‘My filters’ tab, i have added a few filters which override any exception filters that may be used in the 3rd party filter lists because i want to be sure they are always blocked:

! override exceptions in existing filter sets - see: https://github.com/chrisaljoudi/uBlock/wiki/Privacy-stuff
||google-analytics.com^$important
||platform.twitter.com/widgets.js$third-party
||gravatar.com^$third-party
||doubleclick.net^$important
||adserver.yahoo.com^$important
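How these five filters interact with exception (@@) filters from a subscribed list can be checked with a small model of the precedence rule: a matching block filter marked important wins over an exception, an exception wins over an ordinary block filter. The script below is an added example, not uBlock Origin's own engine; it handles only ||hostname filters with the important and third-party options, the two exception filters and the request URLs are constructed, and the third-party test compares the last two hostname labels instead of using the public suffix list.

```javascript
'use strict';

// The five filters from the guide's 'My filters' tab.
const MY_FILTERS = [
  '||google-analytics.com^$important',
  '||platform.twitter.com/widgets.js$third-party',
  '||gravatar.com^$third-party',
  '||doubleclick.net^$important',
  '||adserver.yahoo.com^$important',
];

// Constructed exception filters, standing in for entries a 3rd-party list might carry.
const LIST_EXCEPTIONS = ['@@||google-analytics.com^', '@@||gravatar.com^'];

function parseFilter(raw) {
  const exception = raw.startsWith('@@');
  let body = exception ? raw.slice(2) : raw;
  const dollar = body.lastIndexOf('$');
  const options = dollar === -1 ? [] : body.slice(dollar + 1).split(',');
  if (dollar !== -1) body = body.slice(0, dollar);
  if (!body.startsWith('||')) throw new Error('only ||hostname filters are modelled: ' + raw);
  // Split "host^" or "host/path" into the hostname and an optional path prefix.
  const m = /^([^\/^]+)(.*)$/.exec(body.slice(2));
  return {
    raw,
    exception,
    host: m[1],
    path: m[2].startsWith('/') ? m[2] : '',
    important: options.includes('important'),
    thirdParty: options.includes('third-party'),
  };
}

// Simplification: the "site" is the last two hostname labels (no public suffix list).
const baseDomain = host => host.split('.').slice(-2).join('.');

function matches(filter, requestUrl, pageUrl) {
  const req = new URL(requestUrl);
  const page = new URL(pageUrl);
  const hostOk = req.hostname === filter.host || req.hostname.endsWith('.' + filter.host);
  if (!hostOk) return false;
  if (filter.path && !req.pathname.startsWith(filter.path)) return false;
  if (filter.thirdParty && baseDomain(req.hostname) === baseDomain(page.hostname)) return false;
  return true;
}

// Precedence: important block > exception > ordinary block > no match (allowed).
function decide(filters, requestUrl, pageUrl) {
  const hits = filters.map(parseFilter).filter(f => matches(f, requestUrl, pageUrl));
  const important = hits.find(f => !f.exception && f.important);
  if (important) return { blocked: true, by: important.raw };
  const exception = hits.find(f => f.exception);
  if (exception) return { blocked: false, by: exception.raw };
  const block = hits.find(f => !f.exception);
  return block ? { blocked: true, by: block.raw } : { blocked: false, by: null };
}

// Constructed requests, all made from a page on example.org.
const SAMPLE_REQUESTS = [
  'https://www.google-analytics.com/analytics.js',
  'https://secure.gravatar.com/avatar/0',
  'https://platform.twitter.com/widgets.js',
];
for (const url of SAMPLE_REQUESTS) {
  const result = decide(MY_FILTERS.concat(LIST_EXCEPTIONS), url, 'https://example.org/');
  console.log(url, '->', result.blocked ? 'blocked' : 'allowed', 'by', result.by);
}
```

In this model the gravatar.com and platform.twitter.com filters lose to a matching exception because they carry only the third-party option; giving them the important option as well puts them on the same footing as the other three.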

The ‘My rules’ tab is empty since we are using uMatrix to create our filtering rules.

The ‘Whitelist’ tab can be left as it is by default.

uBlock Origin usage

We are not using the advanced dynamic blocking features of uBlock Origin since this functionality is being handled by uMatrix. As such, there is basically nothing to configure or adjust after the initial setup, other than possibly disabling uBlock Origin for those websites where you do not want it to run. This is done simply by clicking the big blue power button (this setting will be remembered across browser sessions). Lastly, don’t forget about these important tools:

uBlock main UI - misc. tools

The eyedropper will open a wizard for hiding page elements that are not covered by the static filters and the other icon will open the network request log which can be extremely helpful for those occasional hard-cases when a website does not display and/or function properly and you have trouble determining why.

Clean Links configuration

You can enable all of the options, though some will be ignored when the Event Delegation Mode is enabled. While i prefer to have Clean Links rewrite and highlight links in real time, the developer has stated that the code for accomplishing this is old and unmaintained, therefore i personally use the Event Delegation Mode.

Securing DNS traffic

The Domain Name System (DNS) is an infrastructure which uses DNS resolvers to convert human-friendly domain names (example.com) to IP addresses (255.255.255.255) which are used by the computers that route internet traffic. The problem with DNS is that this traffic is not encrypted or secured and is therefore open to various attacks. To help secure your DNS traffic, please read my guide, Encrypting DNS Traffic (and why you want to).

Testing your configuration

The images below are from the JonDonym IP check website.

The first image is a result of a completely default Firefox release version 39.0 configuration with no add-ons or plug-ins installed.

JonDonym IP Check test - before

This next image was captured after configuring Firefox release version 39.0 as outlined in this guide. While the difference may not seem significant, some key changes have been made to help protect our privacy and security (see the list below the image).

JonDonym IP Check test - after

HTTP header test results:

  • Cookies: Cookies have been blocked
  • Authentication: The sending of authentication data to 3rd party sites has been blocked
  • Cache (E-Tags): Although we remain vulnerable to E-tag cache tracking, the threat has been greatly reduced since we are using uMatrix to clear the browser cache at a regular interval. The only way to completely defeat this tracking technique that i am aware of is to completely disable both the disk and memory cache.
  • HTTP session: No change
  • Referrer: We score poorly here because the IP Check test tool is not aware that we are using uMatrix to spoof the referrer
  • Signature: No change
  • User-Agent: We score poorly here because the IP Check test tool is not aware that we are using uMatrix to randomize the User-Agent string at regular intervals
  • SSL_session_id: n/a (the connection was not encrypted)
  • Language: No change
  • Content types: No change
  • Encoding: No change
  • Do-Not-Track: The DNT header has been enabled, though this is largely useless
  • plug-ins test: These tests were not run because no browser plug-ins were installed

JavaScript test results (disabling JS would alleviate all of these concerns):

  • JavaScript: We score poorly here because the IP Check test tool is not aware that we are using uMatrix to allow JS on a per-domain basis
  • Tab name: No change
  • Tab history: No change
  • Local storage: Local storage is being deleted by uMatrix after it is no longer needed
  • Screen: No change
  • Screen (usable): No change
  • Browser window: No change
  • Browser bars: No change
  • WebGL: WebGL has been disabled in the user.js configuration file
  • Browser type: No change
  • System: No change
  • Fonts: No change

Following is the uMatrix configuration that was used for the test. All other uMatrix and browser settings are consistent with those suggested earlier:

uMatrix configuration used for IP Check test

You can run your own tests using these resources:

Troubleshooting

General: Both uMatrix and uBlock Origin have the ability to log network requests, similar to how a firewall log might work. This can be a great help when troubleshooting website display or functionality issues. On the uMatrix pop-up UI you will notice a tiny ‘window’ icon that can be clicked to reveal the network request log. See the Logger documentation to learn how to use this feature.

Website does not display correctly: uMatrix: Check that content is allowed for the domain, as well as other domains which supply content to it.

Problems making a purchase: Firefox: make sure to allow 1st party cookies. uMatrix: Check that content is allowed for the domain, as well as other domains which supply content to it. If you are forwarded to a payment gateway such as PayPal during the transaction, make sure that content is allowed for the payment gateway domain, as well as other domains which supply content to it.

Firefox add-ons used in this guide

Further reading on 12bytes.org

References and resources

Revision history

11-APR-2015

  • First publishing

14-APR-2015

  • Removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
  • Almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
  • Various other edits and corrections.

15-APR-2015

  • Updated user.js file
  • Several other small updates and a few corrections

16-APR-2015

  • Updated user.js file
  • Switched uBlock versions since a new fork was created
  • Updated uBlock images and documentation
  • Added a “Current notices” section
  • Misc. other corrections/updates/edits

17-APR-2015

  • Updated and added more information for uBlock
  • Updated one HTTP UserAgent cleaner screen-shot
  • Misc. other corrections/updates/edits

18-APR-2015

  • Updated HTTP UserAgent cleaner information
  • For HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.

22-APR-2015

  • Updated information for HTTP UserAgent cleaner
  • Updated user.js file
  • Minor updates to uBlock information
  • Misc. other minor changes

23-APR-2015

  • Updated some HTTP UserAgent cleaner information
  • Deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
  • Misc. other minor changes

25-APR-2015

  • Updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
  • Updated the user.js file
  • Updated some definitions of terms used in this document
  • Added some more resources

26-APR-2015

  • Updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner

2-MAY-2015

  • Updated HTTP UserAgent cleaner information to match changes in version 0.7.4.11a

3-MAY-2015

  • Added Pure URL as a suggested add-on
  • Updated contents of the user.js file
  • Added and edited some information for HTTP UserAgent cleaner
  • Added more resources in the References section

5-MAY-2015

  • Updated list of recommended filters for uBlock
  • Updated user.js file contents

13-MAY-2015

  • Updated user.js file contents
  • Updated a few settings recommendations for HTTP UserAgent cleaner

14-MAY-2015

  • Minor updates to user.js file contents

17-MAY-2015

  • Added information for securing DNS traffic
  • Misc. minor updates

5-JUN-2015

  • Switched to Raymond Hill’s version of uBlock
  • Updated uBlock filter information
  • Added Fetch information for new version of HTTP UserAgent cleaner
  • Updated user.js file contents
  • Misc. minor updates

25-JUN-2015

  • Updated uBlock settings to match the current development version (0.9.9.2)
  • Misc. minor updates

8-JUL-2015

  • Removed HTTP UserAgent cleaner since it is no longer being developed
  • Removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
  • Added uMatrix

9-JUL-2015

  • Added more info for uMatrix and IP Config test results
  • Updated user.js file contents
  • Various other edits

13-JUL-2015

  • Minor edits for uMatrix usage text

20-AUG-2015

  • Updated user.js file contents
  • Removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it

5-FEB-2016

  • Updated user.js file contents

12-FEB-2016

  • Updated user.js file contents

29-APR-2016

  • Updated guide information
  • Updated user.js file and added a revision history to the file

1-MAY-2016

  • Updated user.js file

12-MAY-2016

  • Updated user.js file
  • Minor grammar/spelling corrections

3-JUN-2016

  • Corrected an error with pref ‘layout.css.devPixelsPerPx’ where the value was an integer instead of a string – this caused all prefs following it to be ignored

17-JUN-2016

  • Set ‘browser.fixup.hide_user_pass’ back to its default value
  • Added ‘network.http.redirection-limit’

23-JUN-2016

  • Added some basic information for configuring the Clean Links add-on

1-JUL-2016

  • Corrected ‘plugin.scan.*’ values to be strings
  • Added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems

3-JUL-2016

  • Changed the name of the troubleshooting/bogus preference to 12bytes.org-user-js-settings and added values to indicate the point at which the file stopped loading – a huge thanks to commenter ‘Pants’ for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, ‘Pants’ is the author of the user.js config file used in the ghacks article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i’m very glad to have his input here)

16-SEP-2016

  • Removed duplicate preferences in user.js file (see changelog in the file for details)

28-SEP-2016

  • Removed Extension Defender from the list of recommended add-ons since its home page is gone and the code hasn’t been updated in two years
  • Updated user.js file

102 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs”

  1. So I’ve read up on NoScript and uMatrix and saw what this site has to say about both. Thanks for the great work with this site, btw. However, I guess I’ll have to switch from NoScript (which I’m currently on) to uMatrix with the hope that uMatrix will allow what NoScript does not allow. Unless I’m missing sth here, I don’t see how to make NoScript behave per site or per domain. When it blocks something it blocks it on all sites everywhere and then I individually need to enable/disable items/trackers to get different sites to work correctly. If I disable youtube on a site where youtube has no business to spy on then it is annoying when u visit youtube’s actual site and you then have to re-enable youtube’s domain, later on back having to disable it resulting in an insane infinite loop. If it is part of the Tor bundle then there’s gotta be a setting for this weird behaviour somehow. I saw this also https://support.mozilla.org/en-US/questions/954712 but despite the nice thread title the question I’m asking here remains unsolved even there. Anyone has an idea if NoScript can do it or if I should instead resort to uMatrix, hopefully it can do what I’m suggesting here!

    1. the way i do it is to create a minimum number of uMatrix rules in the global scope to allow embedded YouTube videos everywhere, then some extra rules for youtube.com

      i think you can create domain specific rules in NS (almost positive), but i think you have to manually enter them somewhere in the UI – i don’t remember where as it’s been a long time since i messed with NS

      1. I thought it must be psbl to manually do it per domain but for all i tried it always worked globally. Well, with uMatrix this is not an issue so far as selecting the working scope as you’ve outlined in your fine tutorial makes perfect sense and seems to apply rules accordingly. Huge thanks for sharing your work!

              1. Thank you for that! Took some real digging for me to find this but you provided it straight away, which is awesome.

                1 last question to both Pants and 12Bytes though – so, this tutorial suggests that we should use uMatrix thus no need for NoScript. Is there any general consensus as to which one of the 2 addons is better to use? For all I know, Tor uses NoScript and not uMatrix, but uMatrix seems way easier for me to control per domain rules …

                1. it’s not a matter i’ve researched thoroughly – having said that, NS is probably the better of the two, but with a narrower scope – for me, uMatrix was necessary because of its wider scope and ease of use and i didn’t want to run another extension with redundant features (primarily script blocking) – also, the fewer extensions, the easier it is to troubleshoot when a site doesn’t work properly

                2. FWIW.. I use NS, uBlockO and uMatrix: NS is set to default deny everything (once I allow a domain, then it is, as you say, allowed on a global scale). uBlock Origin is set to default deny except first party – once I allow a domain there, it is allowed per scope (i.e for that domain only). uMatrix is set for a default (i.e scope *) to block all scripts including first party (I allow all images and css by default). As you already know, here you can allow vertical (type) horizontal (domain) or cellular exceptions per scope for a granular control.

                  NS does offer things that uMatrix doesn’t (don’t ask, I’ve never really delved that deep into it). And uBlockO is a lower footprint great “ad” blocker (with other lists as well), hence why I use it. And uMatrix allows granular control. Hence why I use all three.

                  It’s not that hard to get them to all work together. Maybe it’s the order in which I installed them, but first I allow a domain in NS, then it will show up in uBlock Origin, then I allow that domain on a narrow scope in uBlockO, and then it turns up in uMatrix where I can allow or deny for that domain as I like. Once you have set up all your regular sites, life is a breeze.

                  If I have sites that are just one off visits, eg if I am researching something, and the site looks an absolute mess in FF (usually no css), then I have secondary browsers for that.

                  You can also easily use the uMatrix rules and write your own as well: chrome://umatrix/content/dashboard.html#user-rules : such as allowing/blocking globally etc

                  tl;dr: NS blocks everything .. then allow thru uBlock Origin in which at least the adverts etc are blocked (uMatrix default allow XSS images) … and then in uMatrix I can fine tune. uBlock Origin also nicely colors domains pale red for you if they’re on the sh*tlist

          1. I did exactly as you screen suggests (the numbers in the green boxes you’ve circled were not exactly the same .. guess that’s normal though) but embedded yt vids are still blocked on various sites. Any idea as to what i’ve done wrong? Yes, I did work in the global workspace.

              1. Alright, np! Still 10x! I think I quite got the hang of uM already cos I’m using it to my advantage quite well on all sites so far and everything I want it to block is blocked as desired. The only thing that puzzled me is that I thought the settings for embedded vids you mentioned would actually do exactly as said – globally allow embedded yt vids on various sites, but since that didn’t happen I wasn’t sure what went wrong. Was it cos I didn’t have the exact same numbers as on your screen or sth else … oh well

                1. the numbers don’t matter – first thing you should do is disable (power button on the uM UI) uMatrix and make sure that’s where the problem is and, if it is, then just find out what needs to be allowed to get the video to load

                  1. I DID think they don’t matter, but since I exercised all psbl options I thought eventually they might do. Yes, I did also exercise the option you’re suggesting, just did it in another way. Instead of completely turning off uM I simply allowed the ‘all’ box on the particular domain I was at, within the scope of the site/domain in question (obviously not in the global scope). That then resulted in temporary changes, which can always be reverted from using the back arrow button. The point was that before reverting from those changes I refreshed the page and the embedded yt vids worked. I then did revert from the temp changes to get uM to its default behaviour and embedded yt vids did die …

                    1. ok, you know it’s something with uMatrix then – look carefully at all the filter settings for the domain you’re testing with, as well as google, ytimg and youtube – it should just be a simple matter of trial and error

                    2. yes it is and I did get it to work this way with a simple trial and error … seems I missed the point and idea of your screenshot then … all good! 10x. As I said, though your screen globally allows embedded vids on any and all sites.

                    3. … your screen globally allows embedded vids on any and all sites.

                      yes, because i don’t want to have to mess with uMatrix for every site with embedded videos – whether you want to do the same is up to you

                    4. Yes, and exactly ”because i [also] don’t want to have to mess with uMatrix for every site with embedded videos” I tried your screenshot and as I said it didn’t work. So that’s why I asked what could be wrong. Clearly it’s a prob with uM, cos as I said, once I disable uM the embedded videos work again.

                  2. So perhaps I misunderstood the point of your screenshot as I thought it indicated what global scope settings to put in order to have embedded yt vids (on any site) work. If that wasn’t your idea, then clearly I can go under each domain and 1 by 1 start enabling per site to get those embedded yt vids to work. This just misses the point of your screenshot then, but since I didn’t first doubt your screenshot but doubted what I did .. that is what I asked what it could be I did wrong.

    1. thanks Pants – i’ve been getting lazy with this project as i really dread going through all the settings again – the ideal thing would be for me to sync with your config and just append my own personal settings – we’ll see

          1. You mean the next version of your work in this whole site?

            not sure what you mean – in addition to my own research, i also use Pants’ config as a reference

            What version of FF then do your tweaks apply on? Earlier ones than 50?

            mine is for v49 and is synced with Pants’ config v0.08 (this info is in the comments of the config near the top)

            note that when i say “synced”, that doesn’t mean all my settings match his (though most do), only that i have gone through his and considered his settings

            1. 10x for the info! I wasn’t aware of Pants’s config, for which I apologize (mainly to him :))

              And I assume you mean that you have not yet tested whether or not your tweaks work also on ff50 (about which I received an update only just recently), but I assume they do.

              1. yeah, Pants deserves a huge credit for his work and i personally thank him for showing up here and helping me along :)

                and yes again, i have not tested my config with v50 (i’m using v49) though it should work ok – the only issue is there may be some new settings in FF v49 and v50 that are not addressed in my config and, potentially, some settings that may have been renamed

    2. OK, so here’s a slightly newer version (extra stuff added, stuff moved to deprecated). This is basically it until after the FF 51 lands in January/February next year.
      http://pastebin.com/CmhkK2X7 (expires in 5 more days)
      * date: 21 Nov 2016
      * version: 0.11 BETA : Born to Be Pants
      * “Get your pants runnin’. Head out on the highway. Lookin’ for adventure. And whatever comes our way.”

      Grab this one. The key points for you are 1. under the deprecated section, each release is stated for when the preference was dropped. 2. a lot of preferences as they now turn up, are added with the FF version they first appear.

      eg: if you search for “FF50” (sans quotes), you can easily spot items in 0402, 0410a, 0410c, 0410f, 2661, 2662 and so on. Another item that is cool to search on is “(hidden pref)”, 22 of them (some deprecated). My minions at ghacks and I went thru a lot of work to check things in DXR and test in nilla portables to get the deprecated and introduced and hidden flags right.

      Unfortunately, the differences between version 8 (jan 2016) and version 10 (august 2016) weren’t quite as detailed in terms of adding FF version notation for new prefs. So probably the best idea would be to use mine, rip out the items/sections you don’t want, check the settings against yours and change yours if you want, and add in anything I haven’t that you have.

      It actually wouldn’t be that hard if you sorted the lines and did a diff to spot the user_pref lines differences. If you want me to do it, I’m game :) Or you could save it for a new years resolution.

  2. @12Bytes.org – does your opinion about Cyberfox still hold? Namely:

    ‘Cyberfox may be more privacy-centric than many other versions in that several phone-home features have apparently been gutted, including telemetry, health reporting and possibly the Google “Safe Browsing” feature and so-on’.

    Testing it out now. Used to run Pale Moon till now, cos FF is sometimes a bit sluggish compared to PM and, as outlined in the OP, is somewhat a spy-central. Maybe the same goes for PM and Cyberfox, but I just got interested in your quoted words about Cyberfox.

      1. Thank you for the reply and thank you for the whole effort with this site! It’s a huge help to many of us, I can promise you! Corporate greed will make any good organisation, which I believe Mozilla was, sell itself to corporate trolls and clowns like FB, Alphabet, etc. After all, isn’t that what the capitalistic American dream is all about – get rich or die trying …

    1. It is, until you check the speed box which is a crippling 5% compared to AirVPN 90% (as a european, let me tell you, it is basically 99% for us). Also, they make the usual false claim about safety, which does not exactly make them seem trustworthier.

      1. 10x for pointing that out. Well, AirVPN’s 10% for int’l is not great cos the world does NOT revolve around US, though many think so. And the 1.5% of NordVPN int’l are a disgrace!!!

        1. Nope, I live in France but I’m not connected to french servers. NordVPN isn’t concerned by the fourteen eyes (Panama), not expensive at all ($48 per year), OpenVPN…
          The download speed is really good for WiFi but it’s low for 4G (about 10 times lower I’d say) but it’s still enough to browse and watch HD videos. As for me, it is only a problem when downloading big files (apks like SuperSwiftkey, audio podcasts or custom roms for my Android device).
          It’s a serious battery drain but that’s not related to NordVPN AFAIK. Do not keep your mobile data always enabled!

          Finally, the support is far from perfect (basic and useless answers most of the time – specific to NordVPN? I don’t think so :-)) and the current Android app is disappointing (additional battery drain due to a bad implementation of Google’s firebase).

    2. thanks for linking to That One Privacy Site – i’ve never seen that before and they did a great job with that spreadsheet

      regarding AirVPN, at least it is not in one of the 5-eyes countries, but yeah, i suppose being in the 14-eyes countries is not ideal – i’m going to have a good look at that data

    3. More than happy to have mentioned this! @Atomic might have a point, though! I’ll dig deeper into it! 10x guys! Keep the discussion going, as that’s one way of staying aware and informed of the info/privacy rape that is happening nowadays!

      1. if you haven’t read TOPS review of Air, here it is – in the ‘final thoughts’ area he says:

        Final thoughts: AirVPN is certainly an above average service with lots to like. However, they aren’t perfect and there is a lot that is questionable to me as well. I know you’re probably sick of it by now, but – FILE GENERATOR (VPN Companies, DO THIS MORE). US speeds were amazing, but international speeds were only so-so. I have to ding them for their choice of marketing tactics – especially because I think they would be in a good position to abandon such a shady strategy and survive on their own merits with some adjustments. It’s really hard for me to take a privacy centric service seriously when they engage in tactics that abuse the trust of their potential customers – as I’ve mentioned in my “guide to choosing a VPN“. They could also be better from a privacy standpoint, as they are based in a fourteen eyes country and don’t have the most clear logging policy when it comes to the finer details. Support was fairly quick (less than 24 hours to respond), but pretty basic in their response, but they granted my refund request super fast, within a couple of hours with no questions asked.

        In the end, AirVPN is an above average service for a reasonable price – I just wish they would show they were more serious about trust and transparency in this industry. They are in a position to stand on their own two feet with a couple of adjustments and shouldn’t need to rely on bottom feeders to promote them.

        unfortunately he does not date the review

      2. Yeah, don’t know what to say. If TOPS is to be trusted then though slightly shady Air seems to be a better option than Nord, cos Nord appears to be too slow on the int’l stage…

        1. if you use the filters for the detailed spreadsheet and filter out the 5 and 9 eyes countries and require no logging for the more important logs, it’s pretty sad how few services are left – BlackVPN & Trust.Zone and maybe a few others depending on how you set the filters

          1. Tough choice, at least for me … The way I see it – AirVPN isn’t really a good option. After filtering out logging, as u suggested, it does indeed come down to BlackVPN, Trust.Zone, and NordVPN, but Nord seems slow, compared to BlackVPN. Trust.Zone’s speeds are not shown in the TOPS comparison, and Black’s US 56.91%, EU 16.03% (if this can be trusted) seem ok . Wonder what @Osine (on NordVPN) thinks about this :)

            1. Based on my own tests with NordVPN (this is the average of 4 tests made with OpenSignal app and with my 4G connection – as previously said, WiFi speed is really better):
              – ping +34% (58.5ms with NordVPN / 43.5ms without)
              – download -86% (7.97 Mbps with NordVPN / 57.43 Mbps without)
              – upload -56% (4.54 Mbps with NordVPN / 10.38 without)

              Each ‘best’ VPN has pros and cons. TOPS did help me to avoid the worse VPN services but it was also very tough to choose the final VPN.
              I don’t know if they do respect my privacy but I do know that my ISP doesn’t :-)

              I’ll probably try more VPN services when my annual subscription will be terminated. I only tested PIA and Air for now and the speedtests gave me similar results.

              1. Thanks for your reply! I assume you mean this – https://play.google.com/store/apps/details?id=com.staircase3.opensignal ? Out of PIA and Air, Air is the better option cos ppl working at PIA are using Air, but the problem with Air remains – being followed by 14 eyes is not great at all. So for me it is either Nord or Trust.Zone, and based on the better speed (at least according to TOPS) I’d go with Trust.Zone. But yeah, you are right .. there are always some pros and cons – always trade-offs. For better or worse, there prolly isn’t 1 best option.

                1. […] being followed by 14 eyes is not great at all.

                  probably not, but from what i’m seeing the 14-eyes countries are not as bad as the 9-eyes countries and the 9-eyes countries are not as bad as the 5-eyes countries – what that translates to in terms of risks to privacy, i don’t know, but it might be worth factoring in what you use the www for – if you’re a whistle-blower or journalist with sensitive information, then the no-eyes countries might be the best choice, but if you’re just doing ‘regular things’, whatever that means, then it may be less important

                  given the lack of options and the performance of Air thus far, i’m thinking i’ll stick with them for now

                2. Yeah, that’s the app I used.
                  BTW BlackVPN offers a free trial of 3 days. The problem is that the Android app is not working since Saturday… Not a good point to start a relationship :-)

                  FYI I’ve just installed Trust.Zone for a free trial. I’m connected to a french server so the speed should be (theoretically) better than yesterday (dutch server):
                  – ping 47.8ms (better than NordVPN)
                  – dl 6.2 Mbps (lower than NordVPN)
                  – up 7.6 Mbs (higher than NordVPN)
                  (average of 4 tests with OpenSignal app and same place as yesterday)

                  1. I suppose you use OpenSignal cos Speedtest.net by Ookla and their app are not very privacy-friendly. I have to admit, though – the permissions OpenSignal app asks for make no sense and I don’t like that. Ookla’s apps asks somehow for permissions which are slightly less privacy-intrusive but in general I don’t trust big firms like Ookla. So I’m not happy with either 1 of those apps. If I gotta be honest, best bet IMO is to ditch any app or Flash-based test and only test on html5 sites – thus no app is needed and no Flash is needed. One such is http://www.speedof.me but it doesn’t always work great on mobile and on desktop.

                    What’s your go-to speed test method, guys?

                    1. On my Android phone, I restrict app permissions thanks to XPrivacy and a hosts file (mass surveillance, tracking, ads…) so I guess I’m using OpenSignal safely.
                      IP Pro is an open source app but it requires Play Services (https://play.google.com/store/apps/details?id=com.adamkruger.myipaddressinfo).

                      Thanks for your links (including the one mentioned by 12Bytes). However, they use Google analytics & ads, Amazon servers… Not sure if it’s really better than OpenSignal on my Nexus 5.

    1. not sure i’m going to put that in the user.js, but i will add a note about it – thanks for mentioning it

      update: actually i take that back – i’m going to leave Electrolysis out of the mix because it is probably likely that it will be rolled to all users shortly – for those that want to enable it manually, see Electrolysis on the moz wiki

    1. Actually, if you reset all the loop.* values to default, and comment them out in your user.js, then they all disappear. But there are still a bunch in code (you can see them via DXR). However, Hello has been removed from Firefox core. It is obsolete. It is nowhere to be found in a FF49

  3. Thanks a lot for sharing your user.js with great explanations!

    FYI there are a few duplicate values:
    //user_pref("gfx.downloadable_fonts.enabled", true);
    //user_pref("gfx.downloadable_fonts.enabled", false);

    user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
    user_pref("browser.aboutHomeSnippets.updateUrl", "");

    user_pref("browser.newtab.preload", false);
    user_pref("browser.newtab.preload", false);

    user_pref("full-screen-api.warning.timeout", 0);
    user_pref("full-screen-api.warning.timeout", 0);

    user_pref("media.gmp-gmpopenh264.enabled", false);
    user_pref("media.gmp-gmpopenh264.enabled", false);

    user_pref("media.gmp-manager.url", "");
    user_pref("media.gmp-manager.url", "");

    user_pref("startup.homepage_welcome_url", "about:about");
    user_pref("startup.homepage_welcome_url", "");

  4. @12bytes – get ready. The new version 10 lands in the next 24 hours (Martin has the files, but he may be hungover after the Germany vs Italy game!). He will post a new article, and the original landing page will be updated, as will the ZIP for download which contains extra stuff – you mentioned the changelog – it is always in the download zip file, along with the html versions for local use, with linkified sources (over 200 of them) to open in new tabs. The downloaded html files are way easier to read, as I have colored the numbers, prefs, header titles, used pre tags to preserve spaces, and so on. There are approximately 90 new prefs added, and a lot of prefs have been confirmed as deprecated and hidden (and tagged as such).

    Enjoy :)

    PS: This article is linked at the top in the Thanks section.

    1. oh great – now i really have my work cut out for me!

      i’ll have to see if enough of your prefs agree with my choices and, if so, i can quit publishing my config :)

      thanks Pants – i’m sure a lot of people appreciate your work – also thanks for the link back

  5. Appreciate the changelog and one question:

    One of the changelog notes is “Corrected an error with pref ‘layout.css.devPixelsPerPx’ where the value was an integer instead of a string – this caused all prefs following it to be ignored”

    Is that a general issue where any time a pref is improperly set (wrong values, wrong type of values, typo in name, or the setting no longer exists in the version of FF you’re using), everything that follows it are ignored, or is this a unique instance of a problem?

    Also, if a user.js is changed and FF is launched without a message error, does that mean the entire user.js is working properly? Does it mean all settings that are set are valid or does it simply mean the general format of a setting was correct? In other words, if I add a setting that no longer existed in the current version, would it invalidate the entire user.js (and prevent FF from starting) or would it still add that setting but have no effect on the browser?

    1. Is that a general issue where any time a pref is improperly set (wrong values, wrong type of values, typo in name, or the setting no longer exists in the version of FF you’re using), everything that follows it are ignored, or is this a unique instance of a problem?

      from A brief guide to Mozilla preferences (emphasis added):

      If the application encounters any error during loading of a default pref file, the application will issue a warning that a configuration file has failed to load and then quit. This allows system administrators to know quickly if there is a configuration error in the installation. If the application encounters an error when loading user pref files, the application will issue a warning but will continue running.

      so this isn’t really helpful to me because it doesn’t tell me whether the rest of the preferences will load after an error is encountered, however my experience is that they will not – how prefs are loaded is also in question; is it from the top down, bottom up, alphabetical or reverse alphabetical (the latter seems to be the case)

      so when i gave the pref in question an incorrect value (a string instead of an integer), i noticed another pref that wasn’t being loaded and which came after the former, so i assumed that once FF chokes on a bad pref, it stops loading everything after it, but now i don’t know what “after” is; after, as in top down, alpha order, etc.?

      further complicating the issue is that i am not seeing any error in the browser console when i give a bad value to a pref in user.js, or give a bad pref name

      it’s either kind of stupid that the browser works this way, or i am missing something

      and no, i do not believe this is an issue with this particular pref (layout.css.devPixelsPerPx) – it seems to be global as i understand it, but i’m not really sure

      Also, if a user.js is changed and FF is launched without a message error, does that mean the entire user.js is working properly?

      apparently not from what i can tell

      if you can find any answers, please post back

      thanks for your comment

      1. FF starts > it loads the contents of user.js into memory, and then applies them IN ORDER (as written, and at the end I can show why I know this is the case) to the prefs.js – either overwriting or adding (it does not remove). Any errors in the user.js that cause an abort of subsequent entries, will not affect anything already in the user.js (eg, if you made a typo error in it today, previous entries are still in your prefs.js).

        Some things that cause user.js “aborts” – syntax errors for sure. That’s it. It still writes the values to prefs.js

        Where it falls over is the next stage. FF has started, parsed user.js into prefs.js, and now will parse prefs.js for custom settings (as displayed in about:config and used by the browser as the actual settings). If your prefs.js has the wrong variable, FF will ignore it (it still fully parses the prefs.js). FF internally knows all the preferences and their data types and defaults – this is how you can right click and set to default, and why you cannot enter a wrong data type. But any value read from prefs.js will always show as “custom” in about:config, even if it is the default value.

        eg: the ghacks user.js v0.8 has a variable error for the three plugins in section 1806 (this is fixed in v.10 which lands in a day or so, there is no v.09). They are meant to be strings, not integers
        was – user_pref("plugin.scan.Acrobat", 99999);
        now – user_pref("plugin.scan.Acrobat", "99999");
        Try it. Set it as an integer, and then look in prefs.js. Then look in about:config. This is from memory, and I always set all my prefs from about:config at the same time I incorporate them into the ghacks user.js (I am the author), so I never picked up on it not being applied.
        ^^ PS: you will need to fix these three errors in your copy.
        user_pref("plugin.scan.Acrobat", 99999);
        user_pref("plugin.scan.Quicktime", 99999);
        user_pref("plugin.scan.WindowsMediaPlayer", 99999);

        “bad name pref” – all preferences are treated as unique, case sensitive. So if you added a pref “12bytes” and another one called “12Bytes”, you would have two pref entries. FF allows custom prefs (extensions use them).

        Syntax. I made a silly syntax error when I added a new pref. I forgot to add the closing quotes to the pref name. It happened to be a string and my IDE syntax highlighting/colors didn’t really make the solitary comma stand out:
        user_pref("prefname, "stringvalue"); // wrong
        user_pref("prefname", "stringvalue"); // right

        I had a hell of a time tracking it down. So what I did was add a custom preference at the start, and modify it at each major section, and again at the very end.

        // START: internal custom pref to test for errors
        user_pref("pants.testing", 100);
        /*** 0100: STARTUP ***/

        user_pref("pants.testing", 200);
        /*** 0200: GEOLOCATION ***/

        // END: internal custom pref to test for errors
        user_pref("pants.testing", 9999);

        You get the idea. I could simply check in about:config as to roughly where the code has stopped being parsed by searching for pants – trust me, it works in order as per written. And the only reason I could pinpoint it, was because it was a syntax error, not a data type mismatch.

        Hope this helps clear things up.

        1. wow, thanks much for your comments and your work :)

          so user.js gets parsed from the top – that’s what i originally thought, but something i read threw me off – anyway, good to know, and your bogus prefs which you use to see whether the file is read completely is a great idea – thanks for sharing!

          1. I think you’ve misunderstood the nature of the custom pref for syntax error checking. It’s a SINGLE pref, not one per section. You set it at the start, modify its values throughout the script, and then set a final value at the end.

            eg:
            Make the first line of your user.js

            user_pref("00-user.js-canary", "canary dead due to syntax error in user.js");

            and make the last line

            user_pref("00-user.js-canary", "canary lives — user.js was read to the end");

            The first line will always be read; the last line will override the first line if and only if all the syntax in your user.js is ok.

            1. got it – that’s much better than what i had done – i just updated the file again

              by the way, you mentioned you had a problem finding a syntax error you had once made – in addition to your canary pref, which i think is great for the average end user, you can also use a regular expression to find syntax errors in your editor, perhaps something like:

              ^user_pref\("\S+", ([a-zA-Z0-9]+|"\S*")\);

              my editor (Kate on Linux) will highlight all matches which makes it easy to spot the bad pref

              i’m sure that can be improved but i’m not an expert with RegEx
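The checks discussed in this thread (duplicate prefs, a value of the wrong type, the canary pref and a regular expression for malformed lines) can be combined into one small linter. This is an added example, not code from the page or from either commenter's config: `parseUserJs`, `lintUserJs` and `SAMPLE` are hypothetical names, the sample lines are constructed from pref names quoted on this page, and the "stops at the first syntax error, in file order" model is taken from the comments above rather than from Firefox's source.

```javascript
// One well-formed line: user_pref("name", "string" | integer | true | false);
// A stricter variant of the editor regex quoted above (assumption: one pref per line).
const PREF_RE =
  /^user_pref\("([^"\\]+)",\s*("(?:[^"\\]|\\.)*"|-?\d+|true|false)\);\s*(?:\/\/.*)?$/;

function typeOf(rawValue) {
  if (rawValue.startsWith('"')) return 'string';
  return rawValue === 'true' || rawValue === 'false' ? 'boolean' : 'integer';
}

// Walk the file top to bottom. Simplification: a block comment opener must
// start its line, as in the section headers quoted on this page.
function parseUserJs(text) {
  const assignments = [];   // every well-formed user_pref, in file order
  const syntaxErrors = [];  // active lines that do not match PREF_RE
  let inBlock = false;
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.trim();
    if (inBlock) { inBlock = !line.includes('*/'); return; }
    if (line.startsWith('/*')) { inBlock = line.indexOf('*/', 2) === -1; return; }
    if (line === '' || line.startsWith('//')) return;
    const m = PREF_RE.exec(line);
    if (m) assignments.push({ line: i + 1, name: m[1], value: m[2], type: typeOf(m[2]) });
    else syntaxErrors.push({ line: i + 1, text: line });
  });
  return { assignments, syntaxErrors };
}

function lintUserJs(text, { canary = null, expectedTypes = {} } = {}) {
  const { assignments, syntaxErrors } = parseUserJs(text);
  const types = new Map(Object.entries(expectedTypes));
  // Per the comments above, nothing after the first syntax error is applied.
  const stopLine = syntaxErrors.length ? syntaxErrors[0].line : Infinity;

  // Group by name to find prefs that are set more than once.
  const byName = new Map();
  for (const a of assignments) {
    if (!byName.has(a.name)) byName.set(a.name, []);
    byName.get(a.name).push(a);
  }
  const duplicates = [];
  for (const [name, list] of byName) {
    if (name === canary || list.length < 2) continue; // the canary repeats on purpose
    const conflicting = new Set(list.map((a) => a.value)).size > 1;
    duplicates.push({ name, lines: list.map((a) => a.line), conflicting });
  }

  // Integer-where-string mistakes produce no syntax error, so the canary
  // cannot catch them; they need a table of known types.
  const typeMismatches = assignments
    .filter((a) => types.has(a.name) && types.get(a.name) !== a.type)
    .map((a) => ({ name: a.name, line: a.line, expected: types.get(a.name), found: a.type }));

  // Value the canary would show in about:config: last assignment before the stop.
  let canaryValue = null;
  for (const a of assignments) {
    if (a.name === canary && a.line < stopLine) canaryValue = a.value;
  }
  return { syntaxErrors, duplicates, typeMismatches, canaryValue };
}

// Constructed sample: line 9 is missing the closing quote on the pref name.
const SAMPLE = [
  'user_pref("00-user.js-canary", "canary dead due to syntax error in user.js");',
  '/*** 0100: STARTUP ***/',
  'user_pref("browser.newtab.preload", false);',
  'user_pref("browser.newtab.preload", false);',
  'user_pref("startup.homepage_welcome_url", "about:about");',
  'user_pref("startup.homepage_welcome_url", "");',
  '//user_pref("gfx.downloadable_fonts.enabled", false);',
  'user_pref("plugin.scan.Acrobat", 99999);',
  'user_pref("media.gmp-manager.url, "");',
  'user_pref("full-screen-api.warning.timeout", 0);',
  'user_pref("00-user.js-canary", "canary lives, user.js was read to the end");',
].join('\n');

console.log(JSON.stringify(lintUserJs(SAMPLE, {
  canary: '00-user.js-canary',
  expectedTypes: { 'plugin.scan.Acrobat': 'string' },
}), null, 2));
```

On the sample, the linter reports the malformed line, one harmless and one conflicting duplicate, the integer given to `plugin.scan.Acrobat`, and a canary that still reads "dead".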

  6. “browser.fixup.hide_user_pass” might preferably be set/kept “true” (which is also default value in TBB = Tor Bundle Browser), otherwise the password is sent to the corrected URL, and if that suggested URL is NOT where we want to go, then we certainly don’t want to send our password along.

    http://kb.mozillazine.org/About:config_entries#Browser.
    True (default): When attempting to fix an entered URL, do not fix an entered password along with it (i.e. do not turn http://user:password@foo into http://user:password@(prefix)foo(suffix) but instead http://user@(prefix)foo(suffix))
    False: Include entered password in fixed URL

    Don’t forget to restrict redirection to max 2, 20 is way too generous and ad-click rogues heaven.

    Further on, network.http.pipelining.* should be set to “false”, it was useful 20 years ago or so with old modems when the turnaround was slow, in this day and age with ADSL etc it’s not necessary and if we want to be “privacy and security freaks” there’s no reason to use pipelining.
    In TBB pipelining is enabled, but for other reasons.

    I didn’t check thoroughly through the prefs, just my 2 cents.

    1. thanks for the comment

      browser.fixup.hide_user_pass – i set this back to its default value as suggested – i think i misunderstood the description of this pref when i originally added it

      network.http.redirection-limit only affects HTTP redirects, not meta or JS, so i’m not convinced on how beneficial lowering it is and have personally found that legit sites sometimes use more than 2 redirects – that said, i did add the pref to the config, but set its value at 3

      network.http.pipelining is commented out by default

  7. You set uMatrix to delete non-blocked session cookies 15 minutes after the last time they have been used. If I’m not mistaken, that means that any site you have logged in on a background tab will automatically log out after 15 minutes if it has not been accessed. Do you simply sign in again every time? For someone who has certain sites (email, reddit, twitter, youtube, etc.) pinned and accessed every few hours or so, this seems like a hassle.

    What’s your setup in terms of cookie management and passwords? I’m considering using Self-Destructing Cookies and KeePass. I’m curious about your reasoning behind whether you use these or not and perhaps specifics if possible (ex. Do you prevent all cookies except certain ones which you’ve whitelisted? Do you manually type in username/password every time you log in for every site or do you have Firefox preserve the login state (is this a privacy/security risk assuming you’re the only one using the machine)?)

    I’ve read your entire guide as well as some other sites and configured Firefox in as many areas as was covered but left cookies/passwords as well as DNS last because I need to understand more of what experienced people are doing (DNSCrypt is easy to set up, but what about DNSSEC? Not many DNS servers, especially fast or major ones, support both and also don’t log their users’ activities).

    1. hi – thanks for the comment

      actually i have uMatrix set to dump session cookies at 360 minutes (my setting is different than the screenshot) and, personally, i’ve never had an issue with this – in the description it states “Delete non-blocked session cookies x minutes after the last time they have been used.” – i understand that to mean that, if you are logged on to a site and continue to use the site, the cookies will remain until your activity ceases – all i can say is i’ve never had to re-log on for any site i use, but then i don’t FB, Twitter, etc., however i do use another social network and have remained logged in to it for very long times

      cookie management is handled entirely by my user.js settings and uMatrix – no other add-on is used – this keeps cookie storage to a pretty bare minimum – i had been using Self-Destructing Cookies in the past, but i really see no need for it since it appears that uMatrix can perform essentially the same task of handling various types of browser storage – by default uMatrix is set to not accept cookies (for instance, right now i have less than 10 cookies stored and i’m logged on to 3 sites) – so yes, to answer your question, i whitelist cookies on a per-site basis with uMatrix

      whether it’s smart from a security perspective to use the default Firefox password manager, i really can’t say – i think that really depends on what level of security you require – for example, if i were a journalist or whistle-blower transmitting very sensitive information, i might take a different approach, such as the KeePass-browser bridge – and yes, i am the sole user of this machine

      when i ran Windows i used KeePass, now i use KeePassX on Linux (it’s not as good, but it works) – if you’re wondering whether i use the bridge function to interact with the browser, no, i do not – password storage is handled entirely by the default Firefox functionality – i do however have signon.autofillForms set to false in my user.js which means i have to actually click in the user name field before the name and password auto-fills

      a note regarding so-called “cookies” – if you read my guide i assume you already know this, but i just want to be sure; there are several types of web storage, of which “cookies” is only one and the term is used rather generically

  8. I would suggest changing the “user_pref("browser.zoom.full", false);” to true. For anyone on a “normal” widescreen display, but especially WQHD and beyond, this makes the zoom feature all but useless. You can’t zoom Twitter or many bootstrap sites, this one included, to take up more than 1/3 of the space. You can’t zoom Youtube or most buttons break, Viewtube included. Also, you typically want to zoom the pictures, you really do.

    1. i appreciate the suggestion, but i personally prefer ‘browser.zoom.full’ set to ‘false’ – these are my personal preferences which is why i suggest that people go through them and not just copy/paste them

    1. hi john – thanks for the comment

      the config by pyllyukko that you linked to is likely to cause you some headaches – he’s pretty aggressive with his settings and, for example, has disabled hardware acceleration and remembering form and password data, among other often useful things

      having said that, my config may also cause you other problems unless you go through it and set it up to fit your personal situation

      unfortunately, if you’re truly concerned with your web privacy, i don’t think you have much of a choice other than to do some reading and learning – what i may do in the future is add another user.js config here which only includes the most basic security/privacy preferences for folks that don’t want to read through all of the settings

  9. That’s fine, I can just download the latest version and diff it with a newer version in the future using a text editor–was hoping you could do that =P

    1. i’d be more descriptive in the change log except i don’t update the file here nearly as often as i make changes locally and i can’t remember all the changes :)

      i thought Brinkmann included a change log with his config, but i just looked and couldn’t find it – his config is very similar to mine as far as privacy and security

  10. Amazing–keep up the good work. Wish I came across this guide earlier, but at least the information covered in this guide can confirm my understanding and justify my configuration.

  11. Hi, great work, thx a lot!
    I just recently found those 2 awesome addons uBlock + uMatrix, thanks to the newest version of Ghostery phoning home and not being able to easily disable that!
    Compared to the way you run it, I prefer to have all domain-lists blocked by uMatrix and unchecked in uBlock.
    That way you easily see which domains are blacklisted and they are nicely grouped at the bottom.
    It’s a bit more work to set up initially to check which list contains domains and which are pattern-based but I think it’s worth it.
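
The prefs debated in comment 6 and its reply (and signon.autofillForms from the reply to comment 7) can be checked against a profile's user.js with a short script. This is an added example, not part of the comments or the guide's own config: the function names and the sample file are constructed, and the target values are the ones stated in the thread.

```python
import re

# One user_pref("name", value); call per line, optionally commented out with //.
# Curly quotes are accepted because prefs pasted from web pages often carry them.
PREF_RE = re.compile(r'^\s*(?P<off>//\s*)?user_pref\(\s*["“](?P<name>[^"”]+)["”]'
                     r'\s*,\s*(?P<val>.+?)\s*\)\s*;')

# Target values as stated in the comment thread (assumption: you agree with them).
EXPECTED = {
    "browser.fixup.hide_user_pass": True,  # keep the password out of a fixed-up URL
    "signon.autofillForms": False,         # fill logins only after clicking the field
}
MAX_REDIRECTS = 3  # the author's value; the commenter asked for 2

def parse_user_js(text):
    """Return (active, disabled): prefs in effect and prefs that are commented out."""
    active, disabled = {}, {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        raw = m.group("val")
        if raw in ("true", "false"):
            val = raw == "true"
        else:
            val = int(raw) if re.fullmatch(r"-?\d+", raw) else raw.strip('"“”')
        (disabled if m.group("off") else active)[m.group("name")] = val
    return active, disabled

def audit(text):
    """List findings for the prefs discussed in the thread."""
    active, disabled = parse_user_js(text)
    findings = []
    for name, want in EXPECTED.items():
        if name in active and active[name] != want:
            findings.append(f"{name} is {active[name]!r}, thread suggests {want!r}")
    limit = active.get("network.http.redirection-limit", 20)  # 20 is the stock value
    if limit > MAX_REDIRECTS:
        findings.append(f"network.http.redirection-limit is {limit}, above {MAX_REDIRECTS}")
    for name in disabled:
        findings.append(f"{name} is commented out, so the browser's own value applies")
    return findings

# Constructed sample, not the guide's actual user.js.
SAMPLE = '''user_pref("browser.fixup.hide_user_pass", false);
user_pref("network.http.redirection-limit", 20);
// user_pref("network.http.pipelining", false);
user_pref("signon.autofillForms", false);
'''
```

Calling `audit(SAMPLE)` returns three findings: the password-fixup pref, the redirect limit, and the commented-out pipelining pref.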
