Firefox Configuration Guide for Privacy Freaks and Performance Buffs

See the revision history at the end of this document for a list of changes.


Many of us are aware of the immense threats to our privacy and security posed by a plethora of technology corporations, governments and malicious hackers, some of which often go to great lengths to monitor our communications and web browsing habits. Governments and their “intelligence” apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of many mega-corporations to do so, including Google, Facebook, Verizon, Comcast, Amdocs and countless others, many of which most of us have probably never heard of. While this data may be used for relatively benign purposes, such as displaying ads in our web browser, all too often the intentions are far more sinister and invasive. Much of what Edward Snowden has brought to the table is not new at all, but it seems the information has been presented in a way that has captured the attention of much of the public, prompting those who value their privacy to seek ways to mitigate the threats. The goal of this guide is to help the reader to thwart some of the efforts to track and profile us as we surf our way around the World Wide Web.

For many of us, our web browser is the primary interface we use to explore the digital world and it is therefore necessary for any privacy conscious individual to consider what information our web browsers are sending and receiving and how that information can be used to track our on-line activities and profile us. Only then can we take action to circumvent some of these threats.

Contrary to the statements made in The Mozilla Manifesto, it is my opinion that the non-profit, multi-million dollar Mozilla Foundation is hardly concerned with the privacy of its software audience, particularly when considering its flagship product, the Firefox web browser. This is readily apparent when one considers the array of ethically challenged multinationals which Mozilla has chosen to hop in bed with, including Google, Yahoo, Microsoft, Telefónica, LG Electronics, Sony, Verizon, Cisco and others. Even the now defunct Firefox Pocket service was tied to a 3rd party company and it seems more “features” are being added with each iteration of the browser. Google Chrome is no better and Internet Explorer isn’t worth the effort required to express an opinion.

That being said, i think Firefox is still a good product in many ways and it is certainly one of the most hackable mainstream web browsers going. Because it is open source and wide open to customization, i believe the Gecko family of browsers are good candidates for those who wish to reduce their exposure to privacy and security threats. The folks behind the Tor Project seem to think so as well since Firefox is included in their Tor Browser Bundle, though i suspect possibly not for much longer.

This guide covers primarily the configuration of Firefox and the add-ons we will be employing and ends there. For additional privacy you may wish to consider using a VPN. Personally i use and recommend AirVPN due to their privacy policy, ethics, price, great service and the fact that they run a lot of servers all around the world and do not restrict any protocol, including BitTorrent traffic.


This guide is intended for those who are somewhat technically inclined, or are at least willing to learn, and who wish to reduce the threats to their privacy while enhancing browser security and performance. We will attempt to accomplish these goals while maintaining a reasonably carefree web browsing experience which means there will be some trade-offs between security and privacy for ease of use, but you can always adjust to suit your particular needs. This guide is not intended as a complete solution for those whose well-being depends on anonymity (whistle-blowers, etc.) or who require secure methods of transmitting data (journalists, etc.), though it may be a worthy supplement to more specific information. This guide is a) a work in progress and b) not authoritative, since i do not claim to be an authority on Firefox, Internet security or digital privacy. There are simply too many technologies, options and attack vectors for me to comprehend in something as incredibly complex as the modern web browser.

Though this guide is centered around Firefox, it should also be useful to users of other Gecko-based programs, including the SeaMonkey and Iceweasel browsers, as well as the Mozilla Thunderbird email client.

The Mozilla Firefox browser is based on the Gecko layout engine and, as with any mainstream browser, it is a very complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, obscure, or even completely hidden. Change a few settings without knowing what you’re doing and things can go south pretty quick. Poorly coded add-ons can compound the problem, especially when they conflict with one another. Here we will attempt to accomplish our goals in an efficient manner with a minimal dependency upon 3rd party add-ons.

There is a huge selection of Firefox add-ons for tweaking privacy and security, some of the most popular of which are Adblock Plus and its derivatives, NoScript, Flashblock, Ghostery, Web of Trust, BetterPrivacy, Lightbeam, Disconnect, Self-Destructing Cookies, Cookies Manager+, Request Policy, Policeman, Bluhell Firewall, RefControl, Smart Referer, HTTPS Everywhere and many, many others. With some possible exceptions, we won’t be using any of these, yet will retain most of the important functionality of most of them with just two add-ons along with a plethora of changes to our Firefox configuration.

A bit of a trade-off should be expected as we tighten up on security and privacy insomuch as some websites will cease to function properly until the settings for the affected sites are adjusted. Anyone who has used a content filter such as NoScript will understand that certain resources must be allowed for many websites to function in a way that is acceptable to us. As with NoScript however, the process of allowing these resources with the add-ons suggested herein, usually requires little more than a mouse click or two and a page refresh. Furthermore, once we have visited all of our favorite websites and made the necessary adjustments, our workload will be greatly reduced. Nevertheless, you should be prepared to put a little more effort into your web browsing experience in general and expect the occasional hard-case which will require more fiddling than usual to get a particular site to function properly. The pay-off however is a much cleaner, faster web that is less able to track and profile us as well as a hardened browser that is more resistant to attack.


AMO: The Mozilla add-ons website.

Browser fingerprinting: A method whereby a web server attempts to uniquely identify your browser using various methods, including information contained in the HTTP headers, information collected with JavaScript, querying cached data, enumerating installed plug-ins and languages and more. For more information, see A Primer on Information Theory and Privacy.

Browser storage (web storage: cache, cookies, etc.): The modern web browser is a far more sophisticated tool than most people probably realize. In addition to HTTP cookies and web caching, a web server can store data using local and session storage, indexedDB storage, window.name storage and Etag cache storage. If you are concerned about preserving your inherent right to privacy, you have far more to worry about than so-called “cookies” which were once just simple text files.

Crapware: For the purpose of this document, crapware is considered to be code that is included in a browser or browser extension which is not relevant to the functionality users expect from the main program. The term crapware encompasses adware, tracking mechanisms and malicious code. Crapware is often added to browser extensions (add-ons) by a marketing company or solo developer for the purpose of monetizing the extension. Crapware can present a significant threat to user privacy and browser security.

CDN: A Content Delivery Network is a service that often hosts reusable content, such as graphics and scripts, which website authors can leverage to make pages load faster.

CSS: Cascading Style Sheets are used to format and beautify website content. CSS itself presents no risk to privacy or security so far as i am aware since it is used only to apply visual styling to HTML elements, however it can be used for nefarious purposes when combined with a scripting language such as JavaScript.

Domain / Sub-domain / Hostname: For the purposes of this document a domain name and a hostname are interchangeable, both being human-friendly names for a website, such as example.com. A 1st party domain is the website you are currently viewing, (12bytes.org at the moment) while a 3rd party domain could be a web server which supplies content to the 1st party domain. For example, the web page http://example.com/video may include a video that is provided by youtube.com, making youtube.com a 3rd party domain. A sub-domain is a separate part of the main domain. For example, sub.example.com is a sub-domain of example.com.

TLD: Top Level Domain. For example, com is the top level domain in example.com.

HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are protocols used for sending and receiving data across the Internet. For HTTP, an unsecured, unencrypted connection to the server is established, while a secure, encrypted connection is used with HTTPS. One reason you should be concerned with unencrypted connections is the fact that it is possible for anyone between your computer and the site you are visiting, including your ISP (Internet Service Provider), to eavesdrop on your traffic and discover exactly where you are going and what you are looking at. While browser extensions like HTTPS Everywhere will attempt to encrypt your connection whenever possible, some web servers simply do not offer HTTPS. For this reason i will again point out the advantage of using a VPN.

JavaScript (JS): A powerful programming language that is used to run code within the browser. Although JavaScript is used by many websites for legitimate reasons, it can also be used maliciously to perform a wide variety of attacks against the browser and your privacy.

UI/GUI: A User Interface, also known as a Graphic User Interface, is the graphical portion of a program usually containing various controls, such as buttons, check-boxes and other widgets which allow you to interact with the underlying code. UI’s are often referred to as “windows”.

Web server: For the purpose of this document, a web server is a computer that is connected to the Internet which hosts (serves) one or more websites.


Getting Firefox

There are several flavors of Firefox other than the mainstream release, including the Firefox ESR (Extended Support Release) version which is usually an older version that may not contain the latest features, but may be more stable. If you’re running Linux, you may already have Iceweasel installed, which is nearly identical to Mozilla Firefox. Another option is the Firefox Developer Edition which, though i have not tested it with the configuration outlined in this guide, should work fine. Another option is Cyberfox from 8pecxstudios, though, again, i have not tested it with the configuration outlined in this guide. Cyberfox may be more privacy-centric than other versions in that several phone-home features have apparently been gutted, including telemetry, health reporting and possibly the Google “Safe Browsing” feature. One caveat with Cyberfox is that, like Pale Moon, it uses a different format for some of the profile files which requires using a tool to convert your current Firefox profile should you want to import your data. As for the many other custom builds of Firefox, a lot of them are not worthwhile and can/will cause problems due to bugs, add-on incompatibilities, etc.. The last time i tried Pale Moon i ran into some problems as well, though that was long ago and so the issues i had may not be issues any longer so feel free to try it.

Firefox post install cleanup

Some browsers that are based on Firefox may have some extensions, plug-ins and/or search engines preinstalled. Take care to check for this and uninstall or disable any extras that you don’t want. The search engine configuration files are located in the \Mozilla Firefox\browser\searchplugins folder. I suggest reading my guide, Opting out of the Firefox / Google / Yahoo partnership, for information about how Mozilla monetizes Firefox with the included search engines and what you can do to opt out of this affiliate scheme if you so choose.

If you have already run Firefox, you may notice that it has installed the OpenH264 Video Codec plug-in by Cisco Systems without asking you. Currently this plug-in seems to be used only for the WebRTC feature. If you do not use this feature and do not want the browser to load this plug-in, you can delete the \gmp-gmpopenh264 folder in your profile directory along with all of its contents. To prevent re-installation, make sure the configuration preferences media.gmp-gmpopenh264.enabled and media.gmp-gmpopenh264.autoupdate are both set to false (they already are in the user.js file linked to below) before the browser is restarted.

Browser object caching

Browser caching is a disk intensive activity. If you intend to store cache data, i would suggest storing it in system RAM rather than on your hard drive if you have enough memory available. Even 50 or 100 megabytes of space can help reduce disk workload for websites which you visit often. In addition to minimizing hard drive wear and tear, your web browser will be able to render revisited pages faster as long as the resources for the site are still cached. The settings in the Pants/ghacks user.js file will accomplish this, so if you do not want to store web cache in RAM, you will need to change these settings accordingly. Note that Firefox requires cache size values to be in kilobytes where 1024 KB = 1 MB.

The user.js file

The primary user.js file we will be using is a result of a lot of effort by ‘Pants’ whose work became rather popular when it was published under the title, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann at ghacks.net. Pants’ work is also published on GitHub which is where we will be getting it from.

Make sure to download the version which corresponds to the major version of Firefox you are using, so if your Firefox version is 51.0.1 for example (51 being the major version), then download version v51 of the user.js file.

Whether you want to use my user.js file in addition to Pants’ one is entirely optional. My user.js file depends entirely upon the Pants/Ghacks user.js file above and is intended to be appended to his, not replace it. Some of my preferences are original and some are copies of his where i changed the values to suit my own needs. In the latter case i tend to be slightly more relaxed with my privacy and security settings in return for a less problematic web surfing experience. My user.js also contains preferences to enable smooth, dynamic scrolling when using a mouse wheel.

Pants and i both follow a similar versioning scheme except i add a revision number after the major version number, so where his version might be v51, mine would be v51r1 if it is the first revision, v51r2 for the second revision and so on. You will want the latest revision that corresponds to the major version of Firefox that you’re running. How to combine the two files will be discussed later so just save them for now.

The necessary (and not so necessary) add-ons

This guide depends heavily upon the following add-ons:

  • uMatrix: You can think of uMatrix as a browser firewall which can block requests to 1st and 3rd party resources such as JavaScript, images, CSS, plug-ins, frames and more. uMatrix works with Firefox, Chrome and Opera and is available on AMO.
  • uBlock Origin: uBlock Origin, by the same developer as uMatrix, is a powerful content filter which works similarly to uMatrix but is tailored to blocking ads. These two excellent extensions complement each other nicely when they are configured properly. uBlock can use the same filter lists as Adblock Plus for blocking ads, as well as many more which Adblock Plus cannot. There are currently two versions available; the original by Raymond Hill which has been renamed to uBlock Origin, and a fork by Chris Aljoudi which you do not want to use. uBlock Origin is an active project that offers features not found in Chris’ build, which appears to be dead anyway.

The following add-ons are optional, but recommended:

  • Decentraleyes: this add-on helps protect privacy and speeds-up page rendering by loading several common JavaScript resources locally rather than fetching them from a CDN. If you use this add-on, you will need to whitelist several domains in uMatrix. When adding the list of domains, be sure that no block rules exist for the same domains.
  • Load from Cache: similar to, but not the same as Decentraleyes, Load from Cache forces the browser to reuse cached data instead of downloading it again. The two work well together.
  • Clean Links: helps to protect user privacy by stripping tracking/garbage parameters from URLs, such as those used by Google Analytics (utm_source, etc.). Unfortunately this add-on was removed from AMO due to an apparent issue with e10s support, but the developer has stated that they may submit a different build to AMO in the future. In the meantime you can get the add-on at GitHub or wait until it is back on AMO.
  • BetterPrivacy: install this if you are using the Adobe Flash Player plug-in. If you do not use the Flash plug-in, and i suggest you don’t (you can still watch many/most videos), you can try the EmbedUpdater add-on which will convert the code used to embed video in 3rd party websites so that the HTML5 player is used instead of Flash. Most 1st party sites, such as YouTube, already make use of the HTML5 player.

The following add-ons are completely optional:

  • NoScript Security Suite: since uMatrix will be used to block scripts, this functionality is not required from NoScript, though it may add a bit more protection in terms of cross-site request forgeries, click hijacking and possibly other areas. If you use NoScript, i would recommend disabling global script blocking and use uMatrix to handle scripts, though you could do it the other way around if you wanted.
  • Cookie Controller: apparently handles cookies, local and session storage, though in a manual and granular way that appears to require significant user interaction. I much prefer to handle browser storage with uMatrix.

For more possibilities regarding add-ons, see my article Firefox Extensions: My Picks.

If you’re running Windows and want to unpack an add-on to have a look at the code, you can use 7-Zip. I believe the built-in Windows archive utility can unpack .xpi files also, though you may have to add the .zip extension.

Automatic add-on updates

Regarding automatic add-on updates, they are disabled in the user.js files that are linked to below and i would highly suggest keeping them disabled and checking for updates manually on a regular basis. The problem with automatic add-on updates is that developers may, at any time and without warning, partner with or sell their work to a 3rd party which often results in adding code to monetize the add-on at the cost of your privacy. Examples of some very popular extensions which contain such crapware are Abduction, a screen capture utility, Quick Locale Switcher, a language switcher, FasterFox Lite, a largely useless utility which claims to speed-up Firefox, BlockSite, a content blocker, Google’s Search By Image, a reverse image search utility, and many others. Not all of these extensions contained crapware when they were first developed which is why i strongly suggest keeping automatic add-on updates disabled and reading the change logs and privacy policies carefully each time an update is available. The downside to this is that you need to remember to check for updates manually, perhaps once daily.

For peace of mind, you can also search your prefs.js file for all instances of “http” and check what the URLs are used for. If you want to disable the functionality you can simply add the preference to your user.js file and replace the URL with “”, or localhost, or you could point the URL to localhost in your HOSTS file.

Backup your current profile

Before you make any changes, be sure to back-up your current Firefox profile (click here to find it if you don’t already know). The easiest way to do this is simply to select the profile folder inside the /Firefox/ folder, press Ctrl+C to copy it, then Ctrl+V to paste it in the same place with a different name. I might suggest keeping the original name and just appending .bak to the copy. Next, delete your current user.js file if you have one in your profile folder, but keep the one in your backup profile.

Editing the user.js file

If you do not have a comprehensive understanding of the user.js file that is used by Firefox, i highly suggest reading this wiki article at GitHub.

We will be changing many Firefox preferences and storing them in a custom user.js file. You should always use this file to add, remove or change settings that you want to keep across sessions instead of editing the prefs.js file or using about:config. If you’re running Windows i would suggest using a quality text/code editor that has syntax highlighting such as Notepad++ or PSPad (the latter being a little simpler to use) for editing code. Linux users will likely already have something suitable installed, like Kate.

Build your new user.js file by starting with the Pants/ghacks file and then, if you want to use my settings also (it’s fine if you don’t), simply append the code from my user.js to his. If you already have a user.js file, you will want to be sure to address any preferences which may be duplicated in your new user.js file in order to avoid unexpected results.


Please read through this section in its entirety before making any changes in order to gain an understanding of exactly what we will be doing and how to revert those changes should it be necessary.

Because my user.js file is updated frequently and i wish to avoid the hassle of editing these settings for public consumption each time i update it, the settings in it are a direct copy of both Pants’ and my personal settings. You should therefore read all of the comments and review each of these settings carefully as it is very likely that you will want to change some of them. See below for my advice on how to edit the existing settings, as well as adding your own.

In the user.js file(s) you downloaded, you will notice the presence of a bogus preference, “_user.js.parrot”, that Pants and i insert at the beginning of each section of our preferences. Firefox reads the user.js file from the top down and, if it encounters a syntax error, it will ignore everything following that error. Not good! To make it easy to discover whether Firefox loaded all of the preferences, these bogus preferences, which Firefox essentially ignores, are used for troubleshooting (this will be explained later).

If you want to make changes to your new user.js file, such as incorporating settings from your old one, or change anything else in it, i highly recommend appending all of your changes to the end of the file in your own custom section instead of editing the settings throughout the file. You will find an example section has already been created at the end of my user.js file for you to place your personal preferences. There is a very good reason why i suggest placing your preferences at the end of the file. Again, these user.js files are updated frequently and therefore it will be vastly easier to simply delete the contents of the old file, with the exception of your personal settings which you appended to the end of it, and copy and paste the contents of the new files above your personal preferences, which avoids the headache of having to sift through the entire file trying to remember and edit everything you changed.

Making changes to your user.js file is easy to do. For example, the value for the preference browser.tabs.warnOnClose might be ‘false’ and you might want to change it to ‘true’ to have Firefox warn you when you try to close it with multiple tabs still open. The best way to accomplish this is to copy that line of code (user_pref("browser.tabs.warnOnClose", false);) and paste it at the end of the file in your own personal preferences section where you would then change ‘false’ to ‘true’. Having duplicate preferences with different values is not a problem since Firefox will use the value of the last one it reads, which is why you need to place your personal settings at the end of the file and not the beginning.

At this point it is important to read all of the comments and review each of the settings in your new user.js file to be sure each preference is configured the way you want, preferably before you start Firefox. As stated above, any preferences you want to change should be copied to your personal preferences section at the end of the file where you will then make the change to the preference value. Note that if you comment out or delete a setting after having run Firefox, that setting will likely remain active because it will have been copied to the prefs.js file, so if you want to comment out or remove something from your new user.js file, you should do so before starting Firefox. If you delete or comment out a setting after you have run Firefox, simply enter about:config in the Firefox address bar, find the preference, right click it, click ‘Reset’ and restart Firefox. The preference will then be deleted after the browser starts. This only need be done if you remove or comment out a preference and is not necessary when simply changing their values.

Once you are finished editing your new user.js file, simply drop it in your profile folder alongside prefs.js and start Firefox.

Verifying the integrity of your user.js file

This integrity check should be performed every time you edit or update your user.js file.

When you run Firefox for the first time after making any changes to your user.js file, the first thing you should do is check the value of the troubleshooting preference by entering about:config in the address bar and searching for the _user.js.parrot preference. If you are using only the Pants/Ghacks file and have not added anything more to it, then the value should be “No no he's not dead, he's, he's restin'! Remarkable bird, the Norwegian Blue”. If you have appended my user.js to his and have not added anything more to the file, then the value should be “12bytes.org settings loaded”. If you have added anything to the file in your personal preferences section at the bottom, and regardless of which user.js you are using, the value should be whatever you set it to, such as “user settings loaded”. An example troubleshooting preference and further instructions are contained in my user.js.

If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section the syntax error lies. It will not tell you on which line the problem exists, but at least you will know in which section to begin looking. Some common mistakes (at least that i have made) are forgetting to end a line with a semi-colon, forgetting a bracket, a quote character or comma, a typo in user_pref, forgetting to put string values in quotes, or mistakenly putting quotes around integer or boolean values.
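The parrot check and the "last value wins" behaviour described above can be rehearsed offline before Firefox is started. The following is an added example, not code from the Pants/ghacks or 12bytes.org files: the function name checkUserJs, the sample file and its section parrot values are constructed, and it assumes, as this guide states, that parsing stops at the first syntax error.

```javascript
// Added example, not part of the Pants/ghacks or 12bytes.org user.js files.
// Assumptions taken from the guide: parsing stops at the first syntax error,
// and when a preference appears twice the last value read wins.

function checkUserJs(text) {
  let pos = 0;
  let start = 0; // offset of the statement (or comment) being parsed
  const lineAt = (offset) => text.slice(0, offset).split("\n").length;

  // Skip whitespace and comments; returns false once the input is exhausted.
  function skipBlank() {
    for (;;) {
      while (pos < text.length && /\s/.test(text[pos])) pos++;
      if (text.startsWith("//", pos)) {
        const nl = text.indexOf("\n", pos);
        pos = nl === -1 ? text.length : nl;
      } else if (text.startsWith("/*", pos)) {
        const end = text.indexOf("*/", pos + 2);
        if (end === -1) { start = pos; throw new SyntaxError("unterminated /* comment"); }
        pos = end + 2;
      } else {
        return pos < text.length;
      }
    }
  }

  function expect(token) {
    skipBlank();
    if (!text.startsWith(token, pos)) throw new SyntaxError(`expected ${token}`);
    pos += token.length;
  }

  // Quoted string on a single line; a backslash keeps the next character as-is.
  function readString() {
    skipBlank();
    const quote = text[pos];
    if (quote !== '"' && quote !== "'") throw new SyntaxError("expected a quoted string");
    let out = "";
    for (pos++; pos < text.length && text[pos] !== "\n"; pos++) {
      if (text[pos] === quote) { pos++; return out; }
      if (text[pos] === "\\" && pos + 1 < text.length) pos++;
      out += text[pos];
    }
    throw new SyntaxError("unterminated string");
  }

  // Values are a quoted string, an integer, or the bare words true / false.
  function readValue() {
    skipBlank();
    if (text[pos] === '"' || text[pos] === "'") return readString();
    const re = /(true|false|-?\d+)(?![\w.])/y;
    re.lastIndex = pos;
    const m = re.exec(text);
    if (!m) throw new SyntaxError("value must be a quoted string, integer, true or false");
    pos += m[0].length;
    return m[1] === "true" ? true : m[1] === "false" ? false : Number(m[1]);
  }

  const effective = new Map(); // preference name -> value Firefox ends up with
  const overridden = [];       // earlier values replaced by a later line
  let parrot = null;           // last _user.js.parrot value reached
  let error = null;
  try {
    while (skipBlank()) {
      start = pos;
      expect("user_pref"); expect("(");
      const name = readString();
      expect(",");
      const value = readValue();
      expect(")"); expect(";");
      if (name === "_user.js.parrot") { parrot = value; continue; }
      if (effective.has(name) && effective.get(name) !== value) {
        overridden.push({ name, from: effective.get(name), to: value, line: lineAt(start) });
      }
      effective.set(name, value);
    }
  } catch (e) {
    error = { line: lineAt(start), message: e.message };
  }
  return { effective, overridden, parrot, error };
}

// Constructed sample: two "upstream" sections followed by a personal section.
const SAMPLE = [
  "/* constructed sample, not a real user.js */",
  'user_pref("_user.js.parrot", "section A reached");',
  'user_pref("browser.cache.disk.enable", false);',
  'user_pref("browser.tabs.warnOnClose", false);',
  'user_pref("_user.js.parrot", "section B reached");',
  'user_pref("browser.cache.memory.capacity", 102400); // 100 MB, in KB',
  'user_pref("_user.js.parrot", "user settings loaded");',
  'user_pref("browser.tabs.warnOnClose", true);',
].join("\n");

// Same file with a typo in section A: "felse" instead of false.
const BROKEN = SAMPLE.replace('warnOnClose", false', 'warnOnClose", felse');

for (const [label, text] of [["clean", SAMPLE], ["broken", BROKEN]]) {
  const r = checkUserJs(text);
  console.log(`${label}: parrot=${JSON.stringify(r.parrot)}, prefs applied=${r.effective.size}`);
  for (const o of r.overridden) console.log(`  line ${o.line}: ${o.name} ${o.from} -> ${o.to}`);
  if (r.error) console.log(`  stopped in statement at line ${r.error.line}: ${r.error.message}`);
}
```

In the broken copy the parrot stays at the section A value, which is exactly the hint about:config would give: the error lies somewhere after that marker and before the next one.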

Updating the user.js file

If you want to keep up with the latest and greatest version of the user.js files that are published, you might want to do the following:

Before updating your user.js, be sure the ones you download correspond to the version of Firefox you are using as described earlier. If you followed my advice and located your personal preferences at the end of the file in your own personal preferences section, then your job should be very easy. All you need to do is:

  1. backup your current profile (might want to dump your old backup if you were happy with the way Firefox was working)
  2. open your current user.js and delete everything above your personal preferences section if you created one
  3. copy everything from the new file(s) and paste it above your personal preferences section, being sure to paste the ghacks code first and then mine above yours
  4. check the change-logs for the new user.js files so you can determine whether you need to change anything in your personal preferences section
  5. start Firefox and check the value for the troubleshooting preference as described in the ‘Verifying the integrity of your user.js file’ section

Removing system add-ons

Mozilla forcefully and without consent installs and then essentially hides from the user several so-called “system add-ons”, some of which are used to push browser updates and others which are used specifically to gain an insight as to how you use the default search engine plugins that are packaged with the browser. I would highly suggest disabling or deleting those which you decide present a risk to your privacy. You can learn how to deal with these system add-ons by referring to the Removing the ‘Follow On Search’ system add-on section of the article Firefox Search Engine Cautions and Recommendations.

Sanitizing the default search engine plugins

Every time you perform a search using one of the search engines Mozilla has partnered with, apparently regardless of whether you search using the search bar or the search engine web page directly, Firefox is collecting data about your habits. To circumvent this risk to your privacy, please read the article Firefox Search Engine Cautions and Recommendations.

Add-on configuration

Between the features offered by Firefox, uMatrix and uBlock Origin, we have some overlapping functionality and it is therefore necessary to configure our settings with this in mind. Let’s start with uMatrix since this is probably the most important add-on of them all…


We will be using uMatrix as a browser firewall to block entire domains and specific resources (cookies, CSS, images, plug-in enumeration, JavaScript, XHR, frames and ‘other’ requests) from both 1st and 3rd party domains, while uBlock Origin will handle the advertising, annoyance and malware site blocking.

uMatrix configuration

In the upper-left corner of the uMatrix main interface there is a blue or black block and it is imperative that you understand how it is used. Clicking this block sets the scope of the filter rules. When the block is set to an asterisk with a black background, any filter rules you set will be applied in the global scope. In other words, any filter rules you set will be applied to all websites and not just the one you happen to be visiting. If you select any other scope, then you are working in a local scope and any filter rules you set will be applied only for that scope. For example, if we visit addons.mozilla.org, we will have a choice to apply filtering at the global scope level, or for the subdomain addons.mozilla.org only, or the root domain of mozilla.org which includes all subdomains, including addons.mozilla.org. Just to be perfectly clear, if you set the scope to the root domain — mozilla.org in our example — then any rules you set will be applied to the root domain and all subdomains. In many cases websites still prefix their root domain with “www.” and this is actually a subdomain of the root domain. How you set the scope of uMatrix in such instances depends entirely upon what filtering you want to apply where. For instance you may visit some website, let’s say subdomain.example.com, and you want to allow JS for the subdomain but not the root domain (example.com). In this case you would set the scope to subdomain.example.com. On the other hand, maybe you want to allow JS for the entire domain in which case you would set the scope to the root domain.

[Image: Setting the filter scope]

IMPORTANT: Always keep in mind the scope you are working within before applying any filter rules.

By default uMatrix allows essentially nothing, so even images and CSS will not be loaded for any website. As a matter of convenience you may want to allow both images and CSS in the global scope so we don’t have to create filter rules for nearly every single site we visit. Other than the scope block, most of the rest of the blocks are divided into an upper and lower half. Clicking the upper half will toggle the whitelisting of a domain or resource by changing its color to green, while clicking the lower half will toggle the blacklisting of a domain or resource, changing its color to red.

To allow CSS and images for all websites by default, set the scope to the global scope and click the top half of the “css” and “image” filter blocks at the very top of the filter rules:

[Image: Setting filter rules in the global scope]

Once you are finished, don’t forget to click the padlock icon to save the changes:

[Image: Saving temporary changes to the filter rules]

Next, open the uMatrix Dashboard by clicking the black title bar at the top of the main interface and we’ll configure some more settings:

[Image: Opening the uMatrix Dashboard]

Following are my recommended settings for each tab:

Dashboard > Settings > Convenience:

[  ] Color-blind friendly (personal preference)
[x] Collapse placeholder of blocked elements (personal preference)
Text size: [x] Normal [  ] Large (personal preference)

Dashboard > Settings > Privacy:

[x] Delete blocked cookies
[x] Delete non-blocked session cookies 15 minutes after the last time they have been used
[x] Delete local storage content set by blocked hostnames
[x] Clear browser cache every 90 minutes (adjust as necessary)
[x] Spoof HTTP referrer string of third-party requests
[x] Strict HTTPS: forbid mixed content (you may have to disable this if you have trouble with encrypted (HTTPS) sites)
[x] Block all hyperlink auditing attempts
[  ] Spoof User-Agent string by randomly picking a new one below every minutes (not recommended – see section 4700 of the ghacks custom user.js file to understand why)

Dashboard > Settings > My rules:

The default rules will suffice unless you are using the Decentraleyes add-on in which case you need to add the filter rules supplied here under where it says “If you’re using uMatrix, […]”. Decentraleyes will not work properly otherwise.

Dashboard > Settings > Hosts files:

No filter sets are enabled here since they are all handled by uBlock Origin. If you choose not to use uBlock, then you should probably enable some or all of these.

With the configuration of our global scope settings for uMatrix complete, you will find that many websites will no longer function or display properly and therefore you will need to configure the local scope settings for these sites. While this may be a nuisance, the up-side is that you will be far better protected against browser tracking, fingerprinting, malware and other attacks and once you have set the rules for your favorite sites, you usually won’t have to fool with them again.

uMatrix usage

Make sure to RTFM (read the f’ing manual) to learn how to properly use uMatrix! And once again, make sure you are aware of what scope you are working in before applying filter rules. Remember: if you have the global scope selected (the upper-left box is an asterisk as shown earlier), then any rules you create will affect all websites, whereas if the scope is set to the current domain or subdomain, then the rules will affect either the entire domain or just a subdomain of the root domain, depending on what scope you have selected.

Any changes you make to the filter rules using the main interface are temporary. To make your changes permanent you must click the lock icon. If you make multiple changes to multiple domains and you click the lock icon, only the changes for the current scope (the domain being visited) will be saved.

Typically when i visit a website that isn’t displaying or working correctly, i open the uMatrix main interface and see what resources the website is using. In the example below, stats.searx.oe5tpo.com is using JS. It is up to me if and at what scope i want to allow JS to run. If i never, or rarely visit this site, and i trust it, then i might temporarily enable JS for the subdomain stats.searx.oe5tpo.com only and refresh the page without ever saving my changes. On the other hand, if this is a site i visit often, i may want to allow JS for the root domain as well, in which case i would enable JS for the root domain by clicking where my mouse cursor appears in the image below, after which i would save my changes by clicking the lock icon.

[Image: Setting filters for different scopes]
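The scope behaviour described in the configuration and usage sections (global scope, root domain scope, subdomain scope) can be reproduced with a small model of uMatrix's `source destination type action` rule lines. This is an added example, not code from this guide or from uMatrix: the ruleset is constructed, the function names are hypothetical, and the resolver is a simplified model that ignores the `1st-party` keyword and the matrix switches.

```javascript
// Added example: a simplified model of uMatrix scope resolution.
// Rule lines follow the "source destination type action" layout of the My rules tab.
// The ruleset is constructed for illustration: a default-deny base, css and images
// allowed in the global scope, and script allowed in two narrower scopes.
const RULES_TEXT = `
* * * block
* * css allow
* * image allow
subdomain.example.com subdomain.example.com script allow
mozilla.org mozilla.org script allow
`;

// Parse rule lines into a Map keyed by "source destination type".
function parseRules(text) {
  const rules = new Map();
  for (const line of text.split('\n')) {
    const parts = line.trim().split(/\s+/);
    if (parts.length !== 4) continue; // blank lines and anything this model ignores
    const [source, destination, type, action] = parts;
    if (action !== 'allow' && action !== 'block') continue;
    rules.set(`${source} ${destination} ${type}`, action);
  }
  return rules;
}

// "addons.mozilla.org" -> ["addons.mozilla.org", "mozilla.org", "org", "*"]
function broaden(hostname) {
  const out = [];
  let h = hostname;
  while (h !== '*') {
    out.push(h);
    const dot = h.indexOf('.');
    h = dot === -1 ? '*' : h.slice(dot + 1);
  }
  out.push('*');
  return out;
}

// Look up one matrix cell in every scope that covers the page, narrowest scope first.
// A rule scoped to a root domain therefore also covers its subdomains, and a rule
// in the global scope ("*") covers every page.
function lookupCell(rules, pageHost, destination, type) {
  for (const scope of broaden(pageHost)) {
    const action = rules.get(`${scope} ${destination} ${type}`);
    if (action) return { action, scope };
  }
  return null;
}

// Decide one request: try the most specific destination and type first,
// then fall back towards the catch-all "* *" cell.
function decide(rules, pageHost, requestHost, type) {
  for (const destination of broaden(requestHost)) {
    for (const t of [type, '*']) {
      const hit = lookupCell(rules, pageHost, destination, t);
      if (hit) {
        return { ...hit, rule: `${hit.scope} ${destination} ${t} ${hit.action}` };
      }
    }
  }
  return { action: 'block', scope: null, rule: '(no rule matched)' };
}

const rules = parseRules(RULES_TEXT);
const checks = [
  ['subdomain.example.com', 'subdomain.example.com', 'script'], // subdomain scope
  ['example.com', 'example.com', 'script'],                     // root not covered
  ['addons.mozilla.org', 'addons.mozilla.org', 'script'],       // root scope inherits
  ['12bytes.org', 'postimage.org', 'image'],                    // global scope
  ['12bytes.org', '12bytes.org', 'xhr'],                        // default deny
];
for (const [page, destination, type] of checks) {
  const d = decide(rules, page, destination, type);
  console.log(`${page} -> ${destination} [${type}]: ${d.action} (${d.rule})`);
}
```
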

Another little trick to using uMatrix is to choose how much information is displayed in the main interface. By default, only root domains are displayed (12bytes.org, 1dmp.io and postimage.org in this instance). If you want to display the subdomains as well so you can make even more granular rules, then find that little drop-down arrow in the “all” cell and click it…

[Image: Showing only the root domains]

…and now both the root and subdomains will be displayed:

[Image: Show the root and subdomains]

uBlock Origin

uBlock Origin is a powerful content filter which can be used to prevent the loading of resources, or hide page elements when load blocking is not possible. While uBlock Origin can block in-line, 1st party and 3rd party JavaScript, ads, images, frames and more, we will be using it primarily for ad, tracking and malware blocking. uBlock can use all of the same filter lists as Adblock Plus/Edge plus other lists they cannot. It also features a wizard for easy element hiding and a network request logger which is invaluable for troubleshooting when a website does not display and/or function properly.

Because uBlock filters unwanted content, websites will generally load much faster while still retaining all the functionality we require once the rules are configured properly for each site.

uBlock Origin configuration

Once the uBlock icon is on your tool-bar, click it to reveal the main interface, then click the black title-bar at the top to reveal the configuration UI:

[Image: uBlock Origin – title-bar]

Following are my recommended settings for uBlock Origin:

[Image: uBlock Origin configuration – Settings tab]

Note that we are not enabling the ‘I am an advanced user’ option since all dynamic filtering will be handled by uMatrix.

[Image: uBlock Origin configuration – 3rd-party filters tab]

For the ‘My filters’ tab, i have added a few filters which override any exception filters that may be used in the 3rd party filter lists because i want to be sure they are always blocked:

! override exceptions in existing filter sets - see: https://github.com/chrisaljoudi/uBlock/wiki/Privacy-stuff

The ‘My rules’ tab is empty since we are using uMatrix to create our filtering rules.

The ‘Whitelist’ tab can be left as it is by default.

uBlock Origin usage

We are not using the advanced dynamic blocking features of uBlock Origin since this functionality is being handled by uMatrix. As such, there is basically nothing to configure or adjust after the initial setup, other than possibly disabling uBlock Origin for those websites where you do not want it to run. This is done simply by clicking the big blue power button (this setting will be remembered across browser sessions). Lastly, don’t forget about these important tools:

[Image: uBlock main UI – misc. tools]

The eyedropper will open a wizard for hiding page elements that are not covered by the static filters and the other icon will open the network request log which can be extremely helpful for those occasional hard-cases when a website does not display and/or function properly and you have trouble determining why.

Clean Links configuration

You can enable all of the options, though some will be ignored when the Event Delegation Mode is enabled. While i prefer to have Clean Links rewrite and highlight links in real time, the developer has stated that the code for accomplishing this is old and unmaintained, therefore i personally use the Event Delegation Mode.

Securing DNS traffic

The Domain Name System (DNS) is an infrastructure which uses DNS resolvers to convert human-friendly domain names (example.com) to IP addresses, which are used by the computers that route internet traffic. The problem with DNS is that this traffic is not encrypted or secured and is therefore open to various attacks. To help secure your DNS traffic, please read my guide, Encrypting DNS Traffic (and why you want to).

Testing your configuration

The images below are from the JonDonym IP check website.

The first image is a result of a completely default Firefox release version 39.0 configuration with no add-ons or plug-ins installed.

[Image: JonDonym IP Check test – before]

This next image was captured after configuring Firefox release version 39.0 as outlined in this guide. While the difference may not seem significant, some key changes have been made to help protect our privacy and security (see the list below the image).

[Image: JonDonym IP Check test – after]

HTTP header test results:

  • Cookies: Cookies have been blocked
  • Authentication: The sending of authentication data to 3rd party sites has been blocked
  • Cache (E-Tags): Although we remain vulnerable to E-tag cache tracking, the threat has been greatly reduced since we are using uMatrix to clear the browser cache at a regular interval. The only way to completely defeat this tracking technique that i am aware of is to completely disable both the disk and memory cache.
  • HTTP session: No change
  • Referrer: We score poorly here because the IP Check test tool is not aware that we are using uMatrix to spoof the referrer
  • Signature: No change
  • User-Agent: We score poorly here because the IP Check test tool is not aware that we are using uMatrix to randomize the User-Agent string at regular intervals
  • SSL_session_id: n/a (the connection was not encrypted)
  • Language: No change
  • Content types: No change
  • Encoding: No change
  • Do-Not-Track: The DNT header has been enabled, though this is largely useless
  • plug-ins test: These tests were not run because no browser plug-ins were installed

JavaScript test results (disabling JS would alleviate all of these concerns):

  • JavaScript: We score poorly here because the IP Check test tool is not aware that we are using uMatrix to allow JS on a per-domain basis
  • Tab name: No change
  • Tab history: No change
  • Local storage: Local storage is being deleted by uMatrix after it is no longer needed
  • Screen: No change
  • Screen (usable): No change
  • Browser window: No change
  • Browser bars: No change
  • WebGL: WebGL has been disabled in the user.js configuration file
  • Browser type: No change
  • System: No change
  • Fonts: No change

Following is the uMatrix configuration that was used for the test. All other uMatrix and browser settings are consistent with those suggested earlier:

[Image: uMatrix configuration used for IP Check test]

You can run your own tests using these resources:


General: Both uMatrix and uBlock Origin have the ability to log network requests, similar to how a firewall log might work. This can be a great help when troubleshooting website display or functionality issues. On the uMatrix pop-up UI you will notice a tiny ‘window’ icon that can be clicked to reveal the network request log. See the Logger documentation to learn how to use this feature.

Website does not display correctly: uMatrix: Check that content is allowed for the domain, as well as other domains which supply content to it.

Problems making a purchase: Firefox: make sure to allow 1st party cookies. uMatrix: Check that content is allowed for the domain, as well as other domains which supply content to it. If you are forwarded to a payment gateway such as PayPal during the transaction, make sure that content is allowed for the payment gateway domain, as well as other domains which supply content to it.

Firefox add-ons used in this guide

Further reading on 12bytes.org

References and resources

Revision history



  • first publishing


  • removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
  • almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
  • various other edits and corrections.


  • updated user.js file
  • several other small updates and a few corrections


  • updated user.js file
  • switched uBlock versions since a new fork was created
  • updated uBlock images and documentation
  • added a “Current notices” section
  • misc. other corrections/updates/edits


  • updated and added more information for uBlock
  • updated one HTTP UserAgent cleaner screen-shot
  • misc. other corrections/updates/edits


  • updated HTTP UserAgent cleaner information
  • for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.


  • updated information for HTTP UserAgent cleaner
  • updated user.js file
  • minor updates to uBlock information
  • misc. other minor changes


  • updated some HTTP UserAgent cleaner information
  • deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
  • misc. other minor changes


  • updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
  • updated the user.js file
  • updated some definitions of terms used in this document
  • added some more resources


  • updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner


  • updated HTTP UserAgent cleaner information to match changes in version


  • added Pure URL as a suggested add-on
  • updated contents of the user.js file
  • added and edited some information for HTTP UserAgent cleaner
  • added more resources in the References section


  • updated list of recommended filters for uBlock
  • updated user.js file contents


  • updated user.js file contents
  • updated a few settings recommendations for HTTP UserAgent cleaner


  • minor updates to user.js file contents


  • added information for securing DNS traffic
  • misc. minor updates


  • switched to Raymond Hill’s version of uBlock
  • updated uBlock filter information
  • added Fetch information for new version of HTTP UserAgent cleaner
  • updated user.js file contents
  • misc. minor updates


  • updated uBlock settings to match the current development version (
  • misc. minor updates


  • removed HTTP UserAgent cleaner since it is no longer being developed
  • removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
  • added uMatrix


  • added more info for uMatrix and IP Config test results
  • updated user.js file contents
  • various other edits


  • Minor edits for uMatrix usage text


  • updated user.js file
  • removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it


  • updated user.js file contents


  • updated user.js file contents


  • updated guide information
  • updated user.js file and added a revision history to the file


  • updated user.js file


  • updated user.js file
  • minor grammar/spelling corrections


  • corrected an error with pref ‘layout.css.devPixelsPerPx’ where the value was an integer instead of a string – this caused all prefs following it to be ignored


  • set ‘browser.fixup.hide_user_pass’ back to its default value
  • added ‘network.http.redirection-limit’


  • added some basic information for configuring the Clean Links add-on


  • corrected ‘plugin.scan.*’ values to be strings
  • added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems


  • changed the name of the troubleshooting/bogus preference to 12bytes.org-user-js-settings and added values to indicate the point at which the file stopped loading – a huge thanks to commenter ‘Pants’ for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, ‘Pants’ is the author of the user.js config file used in the ghacks article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i’m very glad to have his input here)


  • removed duplicate preferences in user.js file (see change-log in the file for details)


  • removed Extension Defender from the list of recommended add-ons since its home page is gone and the code hasn’t been updated in two years
  • updated user.js file


  • switched to using Pants’ config v0.11 and mostly just appending my settings to the end of his – because this is a major update, no history of changes to individual preferences will be published


  • published my user.js on GitHub which was forked from Pants’ code
  • removed my user.js code from this page and linked to it on the GitHub page instead
  • changed my versioning scheme to match Pants’ where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
  • updated user.js to include v51 of Pants’ config – no preference changes so far as i know, just added/removed/changed comments
  • updated text in user.js section to account for the new changes
  • changes to comments and troubleshooting preference names and values, other minor changes


  • updated user.js to version 51r2 – see the GitHub page for the change-log
  • updated info here regarding the user custom preferences section of user.js


  • deleted the GitHub repository which i forked from Pants’ ghacks repository and created a new repository which does not include his code
  • some changes to user.js
  • some major editing of this document mostly in regard to the creation and changes of the GitHub repositories


  • rewrote and updated much of the content pertaining to uMatrix
  • added section “Removing system add-ons”
  • added section “Sanitizing the default search engine plugins”

160 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs”

  1. First of all thank you and pants for all your efforts, truly appreciate it.
    Secondly I have a small query about user.js, despite enabling Bookmarks in the location bar suggestions in the settings I still don’t get any suggestions in the location bar. Please help me with this.


    1. which version of the user.js are you using and is it mine or Pants’?

      there’s a lot happening at the moment with updates being rolled out, GitHub repo’s being created (both for me and Pants), etc., so you might want to hold off a few days ’till things cool down and then check the revision history here again – i’m about to publish another one very shortly (subscribe to my feed to be notified if you want)

      1. Yours the one posted on 18th on the site, I get history suggestion in the location bar but not the bookmarks. Like you said I’ll wait for things to settle before making changes to my user.js. For now I’ve rolled back my backup profile folder.

        Again thank you for your efforts, cheers.

          1. Yup already started using your user.js, working great so far with no issues. Only issue is firefox is not saving zoom settings per site basis. I’ve lowered zoom setting on few sites but after restart it resets to 100 %. Not a biggie though.


            1. that shouldn’t be because “privacy.clearOnShutdown.siteSettings” is set to “false” – i just tested it and the zoom setting sticks across sessions for me – are you using v51.x of Firefox?

              did you add any code to the file? if so, you should have the “ghacks_user.js.parrot” pref above and below your code at the end of the file and the value should be whatever value you set it to in the last instance of the pref – if you didn’t add any code, then it should be “12bytes.org settings loaded” – check about:config to make sure it’s ok

              1. That was it, at some point while editing user.js I must’ve changed that setting to “true”. All is good now, I have also moved my changes under User Customizations as per your advice in the thread.

                Thanks again.

    2. it is `browser.urlbar.suggest.bookmark` which neither js has set. I have updated the ghacks version to include it (as well as open tabs):

      // 0808: disable urlbar suggestions – PRIVACY (shoulder surfers, forensics/unattended browser)
      // These settings are under Options>Privacy>Location Bar (these require 0806 to be enabled)
      user_pref("browser.urlbar.suggest.history", false);
      user_pref("browser.urlbar.suggest.bookmark", false);
      user_pref("browser.urlbar.suggest.openpage", false);

      Note that it requires 0806 to be enabled. There is also the issue of 0803 which disables the locationbar dropdown by setting it to display zero results.

      1. “Note that it requires 0806 to be enabled” – that’s ambiguous and was aimed at you getting suggestions working – it has nothing to do with disabling them as per the preference description (I’ve since fixed the ghacks to be better worded).

        What I meant was if you want to enable suggestions, then 0806 would need to be enabled as well. And 0803 which limits how many items show in the dropdown, the user.js sets it as zero, so you will want to comment it out and reset it in about:config

  2. Excellent stuff .. I’ll start a new comment so we have more width :) This is just a quick look.

    “you will likely have broken functionality that you wanted, or added functionality you didn’t want.” – I think those are back to front. I think you mean broken stuff you didn’t want.. etc. On a third reading it is still messed up to me. I know what you mean though. No one wants broken functionality – that’s what’s throwing me :) Never mind .. it’s been a long night.

    Suggest that the warning about backing up prefs.js is a second option. The BEST option is to close FF and backup the entire profile folder. The user.js doesn’t just change the prefs.js – it could potentially wipe cookies, history and site preferences etc and other databases – it doesn’t for now, because this is not a super hardened version. Local storage is wiped I think, and indexeddb is off (not sure if that means indexeddb is emptied). Another option is for users to download a portable FF, open it once to populate the profile folder, and then they can test it, and tweak it before they use it on their everyday FF. (I’m in the process in the next week of writing this all up in the readme at github).

    THANK GOD you stressed that uBlock Origin be used – because the js by default has killed all tracking protection and malware/pups etc stuff. Blocklists still work due to revocations, but otherwise it’s a sitting duck for advert networks.

    Side note: The latest version on github is 51. It has been archived (all archives are zip files and held under releases: https://github.com/ghacksuserjs/ghacks-user.js/releases ). The user.js will evolve from day to day, and once it’s all up to date after the next stable, I update the version to 52, change the date, change the “pants” code name (always a song title!!), and create a new release. Clearly the release number matches the FF version. And now users on older versions (from now on) can get the right one to fit. That said, it’s more complicated for ESR users.

    Some of the first lines of v51 have changed and contain the github url, which I think you should add to your user.js for end users – see lines 15+16 here https://github.com/ghacksuserjs/ghacks-user.js/blob/master/user.js

    You can chop out the appendices and sections 9996 (palemoon) 9997 (deprecated) 9998 (tor uplift stuff not done yet) and 9999 (to investigate crap). Appendices will be made into wikis on github anyway. This will shave 350 lines of unrelated rubbish from the js. Might be debatable leaving in the deprecated, some users may be on older FF versions – but I see that as their problem :)

    And to answer your question – I’ve only ever commented on github before. So far it’s been a short learning curve (I have some background in coding, but it’s been over a decade) – git has its quirks. For you it would be super EASY. Go to https://github.com/ghacksuserjs/ghacks-user.js and top right is a Fork button. You click it and it will fork an exact copy of my user.js and license to your own repository. Then you can edit your own copy to match what you have above. As I make changes to my version (add/remove/move lines around), your version gets out of sync (and you don’t have to do anything until you want to). When you want to, you can do a diff/compare and merge over the lines you want, etc. Easy as. This is how you save yourself a lot of work. Maybe do a fork just prior to your next update.

    Anyway, looking good 12bytes :)

    1. “you will likely have broken functionality that you wanted, or added functionality you didn’t want.” – I think those are back to front. I think you mean broken stuff you didn’t want.. etc. On a third reading it is still messed up to me.

      ha! it took me several readings of what you said to figure out what you meant because when i read my sentence, it makes perfect sense to me! i finally figured out what you’re getting at though and you’re absolutely right – that sentence could be interpreted two very different ways

      your versioning – i see you went from v0.11 to v51, next will be 52, etc – is that version scheme intended to coincide with the FF version it was built for? and if not, maybe that would be a good idea? just a thought – i think i might do that, so like for FF 51.0.1, the config version would be 51.0.1r1 where the ‘r’ indicates the release number (1, 2, 3…)

      i saw no edits between 0.11 and 51 other than comments, is that correct (no prefs were changed, added, removed)?

      and you were right about how easy it is to fork – i already did it :)

      you scared me a little bit with this…

      THANK GOD you stressed that uBlock Origin be used – because the js by default has killed all tracking protection and malware/pups etc stuff. Blocklists still work due to revocations, but otherwise it’s a sitting duck for advert networks.

      are you referring to the vulnerability/privacy issues with JS in general, or to some sort of change in the browser that makes it more vulnerable, which is kind of how it sounded to me?

      thanks again – and i’ll update my webpage tomorrow probably – i will likely remove the user.js code entirely and just link to it on GH

      1. It is easier to just link to your github repository (link to the main page, not the user.js itself, so users can see your readme). This way it’s only one place to edit and maintain. Slightly annoying for an end user perhaps, but so is scrolling in that box. The github page is better.

        Yes, the numbering is so it is in line with FF release numbers. That way I can create releases for each one and archive them and it’s as straight forward as a banana.

        Tracking protection is off, that’s not so bad – but so is safebrowsing (all the stuff in 0410 a to g : malware, malicious sites, etc): which is not a good thing to do to a user unless they are aware and use an alternative. Together, with no adblocker, this will increase the chances of a malicious ad payload. So uBlock Origin and get some lists going. That’s all. And obviously NS blocking JS and XSS is good too. I think you have already stressed that this config relies heavily on using uBlock Origin, NS, uMatrix etc. So you have replacements :)

        The fork you did differs from the one published at ghacks. No pref changes, but I added a warning about a pref that killed a few addons (where the xpi resides outside the default dirs), a new test site, some typo fixes, and all that fiddling with the top 16 lines with version changes, url etc. So if you remove the js from above, and link to the forked one when you have edited it to your liking, then it’s perfect. Because your current fork is identical to mine.

        Don’t bother with minor version numbers. I will only change mine from 51 to 52 to 53 etc, and only just before I archive off a release. And that will be a week or so after each stable lands, after we’ve had time to test and check things.

        I suggest, that after I do each version release, that you then do diff/compare and pull in what you want. Then you pop back here and update the version history: eg DATE: Updated 12bytes.js with ghacks version 52 prefs for Firefox 52. Rinse and repeat when 53 comes out. As simple as that.

        1. i’m trying to get away from making any changes whatsoever to your config, but i’m running into a problem i haven’t yet found a solution for; for example, for a pref like general.buildID.override which is a hidden pref, and one for which you specify a value, how can i set it back to its default value (which i assume is ‘no’ value) without commenting out your line?

          Don’t bother with minor version numbers. I will only change mine from 51 to 52 to 53 etc, and only just before I archive off a release. And that will be a week or so after each stable lands, after we’ve had time to test and check things.

          my thinking is, what if a serious problem isn’t detected during testing, or there’s something you want to add, or even something more benign, such as misleading info or a typo in a comment – that’s where the 51r1, 51r2, … might come in handy – just sayin’ :)

          as for me, i’m certain i’m far more likely than you to screw something up :) which i may not catch before publishing and therefore i’ll need to correct it and issue a new version, so i’ll be using the version scheme i described (r1, r2 …)

          now, about those troubleshooting prefs and updating – i’m going to strongly advise my users to not change anything in your or my config and, instead, to add their own section at the end of the file, complete with the troubleshooting prefs which use unique values of their choice – this will make updating their configs much easier as all they’ll have to do is delete the entire contents of the file, except for their personal section at the bottom, and paste in the new file from GH – all they’ll then have to do is read the change-log to see what was added/changed/removed and adjust the settings in their own section accordingly rather than parsing through the whole file – that eliminates the biggest headache when updating i think – people won’t have to ‘diff’ or search through the files or anything

          waddya you think about that?

          1. “My” versioning is for releases which are archived zip files, and i’m using 51.0 – i.e with 1 decimal place (if there was a serious cockup). This is a one time snapshot/zip-file. If there was a serious cockup, I could do a 51.1 and add a description to the “release”. Otherwise, the actual user.js is in a constant state of change (I added a pref yesterday, removed things like the list of test sites to a wiki, someone else fixed some minor typos). The master branch “real-time” user.js doesn’t really have a version number (changes are tracked via commit history), I’m just maintaining one (in the header section) for releases. Hope that makes sense.

            Hidden pref resetting: this is slightly messy. The pref you mention is always changing based on your FF build, so there is no default – you will have to comment it out. Don’t be afraid to make your own changes. eg:
            // 12byte override disable this
            // user_pref("general.buildID.override", "20100101"); // (hidden pref)
            When YOU do a diff/compare and merge over changes, just ignore the ones you don’t want – your notation will help you remember and is good info

            Otherwise, I agree you should override mine in your own section at the end. Your users should do that as well, as it will be easier for them to maintain their own changes.

            I think the ghacks version is pretty close to this description: “as private and secure etc as possible with some minor inconveniences, and almost no breakage”. In the future I plan on branching out versions such as “Just add and forget, zero breakage, zero risk to current setup” all the way to “Pants is a bastard super-hardened go-to-hell version”. People can use the multiple profiles. The first for difficult/broken sites, the original for everyday, and the hell version for banking etc

    1. ok, should be an update coming soon – i’m going to scrap most of my config and switch to using Pants’ config to which i’ll append some of my personal preferences – i’m testing this new config now – if he’s ok with it, i’ll publish it here

      1. Version 11 was published on Feb 12 ( http://www.ghacks.net/2017/02/12/ghacks-net-firefox-user-js-config-0-11-is-out/ ) .. the original url is all updated – article content, new download, new v11 dark and light html versions (for easy on the eye scanning and url clickability), and changelog.

        … and … drum roll … it is now githubbed: https://github.com/ghacksuserjs/ghacks-user.js . The github version already has changes (sigh) .. when will it ever end …

        And YES .. you are more than welcome to use it. I haven’t added a license yet, but it will be a do-as-want-but-leave-author-&-link type deal :)

          1. Sweet! I see you :) … now you can create your own fork, and point to that. No need to use the ghacks one (except for your fork maintenance). You can add your own 5000 section or something, and you can easily pull/import changes from mine into yours and do diff comparisons etc. You’re onto it man.

            1. … now you can create your own fork, …

              um, that idea flew out the other side of my head just about as fast as it flew in :)

              i looked into publishing my earlier user.js on GitHub because someone else mentioned it here in the comments, and it looked to me like a lot of work involving stuff i don’t understand.

              what was your experience like? have you pub’d on GH before, or was this your first?

              btw, i just updated the user.js here if you wanted to look at what i did (search for ’12bytes’ in the file)

              thanks again for your work man – you and your contributors have done just an outstanding job :)

  3. Heads up: here is pretty much the final v11, including a changelog from v10 (for this 7 day pastebin, yup, it expires, I have added the changelog to the end of the js). Expect a new article from Martin (and of course the original article to be updated) in about a week. Just letting y’all know, so I can get feedback and corrections before Martin publishes (use the original url as listed in the js header section, thanks).


    * version: 0.11 FINAL BETA REVIEW: The [White?] House of the Rising Pants
    * “My mother was a tailor, she sewed my new blue pants”

    PS: Sorry 12bytes .. more work for ya :)

    1. PS: Sorry 12bytes .. more work for ya :)

      not so sure – i might just switch to your config :)

      one suggestion i might offer however is to insert the loading pref ‘ghacks_user.js.parrot’ multiple times, such as before every section to make it easier to figure out what exploded – for example, in my config the first section is ‘BUG FIXES’ and the first pref is user_pref("12bytes.org-user-js-settings", "syntax error @ BUG FIXES");, so i can quickly search for ’12bytes.org’ in about:config and find out where exactly something exploded – if everything loaded, the value is "load success"

      or is it possible to use the console to find out exactly which pref failed (as i recall, i don’t think you can)?

      1. Yup, that’s exactly what I said to you way back there in the comments in June last year ( http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs#comment-443 ).

        I have 22 sections, so that would be 23 prefs. I don’t mind adding them. The user.js is provided absolutely squeaky clean syntax wise, but of course users are meant to edit it, and it is easy enough to make typos or forget a trailing semi-colon or comma etc. Been there, done that. I want users to edit the js (I say it in the header). And of course it can be a long time between published versions. So I guess, to be consistent, I should set them all up. I added it initially for my own troubleshooting and then left it in for end users to do what they want with. I’ll put it to the VP and see what he says. I think it’s a good idea to have them preset.
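
The per-section "parrot" marker discussed in the two comments above can also be checked offline before Firefox is started. The following is an added example, not part of the thread or of either user.js: it assumes one pref per line in the double-quoted style shown above, and that loading stops at the first malformed line so the last marker set names the section that broke. The sample file and its section numbers are constructed.

```python
import re

# Strict shape of one active line: user_pref("name", value); plus optional // comment.
# Assumption: value is a double-quoted string, an integer, or true/false.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"\\]+)"\s*,\s*'
    r'(?P<value>"(?:[^"\\]|\\.)*"|-?\d+|true|false)\s*\)\s*;\s*(?://.*)?$'
)


def strip_block_comments(text):
    """Blank out /* ... */ comments while keeping line numbers stable."""
    def blank(match):
        return re.sub(r"[^\n]", " ", match.group(0))
    return re.sub(r"/\*.*?\*/", blank, text, flags=re.S)


def locate_failure(text, parrot="ghacks_user.js.parrot"):
    """Find the first malformed line.

    Returns (line_number, last_parrot_value, offending_line), or None when
    every active line is well formed. last_parrot_value is what about:config
    would be expected to show for the marker pref after the failed load.
    """
    last_parrot = None
    lines = strip_block_comments(text).splitlines()
    for number, line in enumerate(lines, 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("//"):
            continue  # blank line or commented-out pref
        match = PREF_RE.match(line)
        if match is None:
            return number, last_parrot, stripped
        if match.group("name") == parrot:
            last_parrot = match.group("value").strip('"')
    return None


# Constructed sample: the pref in section 0200 lost its trailing semicolon.
SAMPLE = '''\
user_pref("ghacks_user.js.parrot", "syntax error @ 0100");
/* 0101: constructed sample entry ***/
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("ghacks_user.js.parrot", "syntax error @ 0200");
user_pref("geo.enabled", false)
user_pref("ghacks_user.js.parrot", "syntax error @ 0300");
user_pref("ghacks_user.js.parrot", "load success");
'''

if __name__ == "__main__":
    result = locate_failure(SAMPLE)
    if result is None:
        print("no malformed lines found")
    else:
        number, marker, line = result
        print(f"line {number}: {line}")
        print(f"marker would read: {marker}")
```

The same check flags prefs pasted from a web page with typographic quotes, since those do not match the strict pattern.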

    2. hello mr. Pants :)

      the email address you used to submit comments here – is it a working one? i wrote you an email but didn’t get a reply

      all i wanted to know is this: i’ve switched to using your config because it saves me a lot of work :) i’m just appending some of my prefs at the end of yours – what i wanted to know is if you’re ok with me publishing this config?

      i’m not editing anything in yours, other than commenting out a few prefs for which i want ff to use the default values


  4. Hey there, first of all thanks a lot for this, extremely helpful!
    Have you considered putting this guide on github? so that others can contribute and access more easily to your great user.js config file and other things

    1. hi Grunt – actually, Pants convinced me to publish the user.js on GitHub – it was easier than i thought since i just forked his repo … by the way, i am now using Pants’ settings and just appending a few of my own to the end of his user.js – might want to re-read this section if interested

    1. You just read my mind, didn’t you? What exploit did you use to do that, lol :) Would you believe that just a few hours ago I was thinking to write again about this issue, since me and 12Bytes couldn’t fully get it resolved last time around? And it’s been what … over 20 days since there last was a word on this issue. What a coincidence that u just now decided to follow up on it. :) So … the link by Pants resolves the issue on a global scale for all embedded yt vids. Finally! I thought the changes to the global scope presented in 12Byte’s screenshot had the same intent, but somehow for me that didn’t work out. Nevertheless, big thanks to both 12Bytes and Pants.

  5. So I’ve read up on NoScript and uMatrix and saw what this site has to say about both. Thanks for the great work with this site, btw. However, I guess I’ll have to switch from NoScript (which I’m currently on) to uMatrix with the hope that uMatrix will allow what NoScript does not allow. Unless I’m missing sth here, I don’t see how to make NoScript behave per site or per domain. When it blocks something it blocks it on all sites everywhere and then I individually need to enable/disable items/trackers to get different sites to work correctly. If I disable youtube on a site where youtube has no business to spy on then it is annoying when u visit youtube’s actual site and you then have to re-enable youtube’s domain, later on back having to disable it resulting in an insane infinite loop. If it is part of the Tor bundle then there’s gotta be a setting for this weird behaviour somehow. I saw this also https://support.mozilla.org/en-US/questions/954712 but despite the nice thread title the question I’m asking here remains unsolved even there. Anyone has an idea if NoScript can do it or if I should instead resort to uMatrix, hopefully it can do what I’m suggesting here!

    1. the way i do it is to create a minimum number of uMatrix rules in the global scope to allow embedded YouTube videos everywhere, then some extra rules for youtube.com

      i think you can create domain specific rules in NS (almost positive), but i think you have to manually enter them somewhere in the UI – i don’t remember where as it’s been a long time since i messed with NS

      1. I thought it must be psbl to manually do it per domain but for all i tried it always worked globally. Well, with uMatrix this is not an issue so far as selecting the working scope as you’ve outlined in your fine tutorial makes perfect sense and seems to apply rules accordingly. Huge thanks for sharing your work!

              1. Thank you for that! Took some real digging for me to find this but you provided it straight away, which is awesome.

                1 last question to both Pants and 12Bytes though – so, this tutorial suggests that we should use uMatrix thus no need for NoScript. Is there any general consensus as to which one of the 2 addons is better to use? For all I know, Tor uses NoScript and not uMatrix, but uMatrix seems way easier for me to control per domain rules …

                1. it’s not a matter i’ve researched thoroughly – having said that, NS is probably the better of the two, but with a narrower scope – for me, uMatrix was necessary because of its wider scope and ease of use and i didn’t want to run another extension with redundant features (primarily script blocking) – also, the fewer extensions, the easier it is to troubleshoot when a site doesn’t work properly

                2. FWIW.. I use NS, uBlockO and uMatrix: NS is set to default deny everything (once I allow a domain, then it is, as you say, allowed on a global scale). uBlock Origin is set to default deny except first party – once I allow a domain there, it is allowed per scope (i.e for that domain only). uMatrix is set for a default (i.e scope *) to block all scripts including first party (I allow all images and css by default). As you already know, here you can allow vertical (type) horizontal (domain) or cellular exceptions per scope for a granular control.

                  NS does offer things that uMatrix doesn’t (don’t ask, I’ve never really delved that deep into it), and uBlockO is a lower footprint great “ad” blocker (with other lists as well), hence why I use it. And uMatrix allows granular control. Hence why I use all three.

                  It’s not that hard to get them to all work together. Maybe it’s the order in which I installed them, but first I allow a domain in NS, then it will show up in uBlock Origin, then I allow that domain on a narrow scope in uBlockO, and then it turns up in uMatrix where I can allow or deny for that domain as I like. Once you have set up all your regular sites, life is a breeze.

                  If I have sites that are just one off visits, eg if I am researching something, and the site looks an absolute mess in FF (usually no css), then I have secondary browsers for that.

                  You can also easily use the uMatrix rules and write your own as well: chrome://umatrix/content/dashboard.html#user-rules : such as allowing/blocking globally etc

                  tl;dr: NS blocks everything .. then allow thru uBlock Origin in which at least the adverts etc are blocked (uMatrix default allow XSS images) … and then in uMatrix I can fine tune. uBlock Origin also nicely colors domains pale red for you if they’re on the sh*tlist

          1. I did exactly as you screen suggests (the numbers in the green boxes you’ve circled were not exactly the same .. guess that’s normal though) but embedded yt vids are still blocked on various sites. Any idea as to what i’ve done wrong? Yes, I did work in the global workspace.

              1. Alright, np! Still 10x! I think I quite got the hang of uM already cos I’m using it to my advantage quite well on all sites so far and everything I want it to block is blocked as desired. The only thing that puzzled me is that I thought the settings for embedded vids you mentioned would actually do exactly as said – globally allow embedded yt vids on various sites, but since that didn’t happen I wasn’t sure what went wrong. Was it cos I didn’t have the exact same numbers as on your screen or sth else … oh well

                1. the numbers don’t matter – first thing you should do is disable (power button on the uM UI) uMatrix and make sure that’s where the problem is and, if it is, then just find out what needs to be allowed to get the video to load

                  1. I DID think they don’t matter, but since I exercised all psbl options I thought eventually they might do. Yes, I did also exercise the option you’re suggesting, just did it in another way. Instead of completely turning off uM I simply allowed the ‘all’ box on the particular domain I was at, within the scope of the site/domain in question (obviously not in the global scope). That then resulted in temporary changes, which can always be reverted from using the back arrow button. The point was that before reverting from those changes I refreshed the page and the embedded yt vids worked. I then did revert from the temp changes to get uM to its default behaviour and embedded yt vids did die …

                    1. ok, you know it’s something with uMatrix then – look carefully at all the filter settings for the domain you’re testing with, as well as google, ytimg and youtube – it should just be a simple matter of trial and error

                    2. yes it is and I did get it to work this way with a simple trial and error … seems I missed the point and idea of your screenshot then … all good! 10x. As I said, though your screen globally allows embedded vids on any and all sites.

                    3. … your screen globally allows embedded vids on any and all sites.

                      yes, because i don’t want to have to mess with uMatrix for every site with embedded videos – whether you want to do the same is up to you

                    4. Yes, and exactly ”because i [also] don’t want to have to mess with uMatrix for every site with embedded videos” I tried your screenshot and as I said it didn’t work. So that’s why I asked what could be wrong. Clearly it’s a prob with uM, cos as I said, once I disable uM the embedded videos work again.

                  2. So perhaps I misunderstood the point of your screenshot as I thought it indicated what global scope settings to put in order to have embedded yt vids (on any site) work. If that wasn’t your idea, then clearly I can go under each domain and 1 by 1 start enabling per site to get those embedded yt vids to work. This just misses the point of your screenshot then, but since I didn’t first doubt your screenshot but doubted what I did .. that is what I asked what it could be I did wrong.

    1. thanks Pants – i’ve been getting lazy with this project as i really dread going through all the settings again – the ideal thing would be for me to sync with your config and just append my own personal settings – we’ll see

          1. You mean the next version of your work in this whole site?

            not sure what you mean – in addition to my own research, i also use Pants’ config as a reference

            What version of FF then do your tweaks apply on? Earlier ones than 50?

            mine is for v49 and is synced with Pants’ config v0.08 (this info is in the comments of the config near the top)

            note that when i say “synced”, that doesn’t mean all my setting match his (though most do), only that i have gone through his and considered his settings

            1. 10x for the info! I wasn’t aware of Pants’s config, for which I apologize (mainly to him :))

              And I assume you mean that you have not yet tested whether or not your tweaks work also on ff50 (about which I received an update only just recently), but I assume they do.

              1. yeah, Pants deserves a huge credit for his work and i personally thank him for showing up here and helping me along :)

                and yes again, i have not tested my config with v50 (i’m using v49) though it should work ok – the only issue is there may be some new settings in FF v49 and v50 that are not addressed in my config and, potentially, some settings that may have been renamed

    2. OK, so here’s a slightly newer version (extra stuff added, stuff moved to deprecated). This is basically it until after the FF 51 lands in January/February next year.
      http://pastebin.com/CmhkK2X7 (expires in 5 more days)
      * date: 21 Nov 2016
      * version: 0.11 BETA : Born to Be Pants
      * “Get your pants runnin’. Head out on the highway. Lookin’ for adventure. And whatever comes our way.”

      Grab this one. The key points for you are 1. under the deprecated section, each release is stated for when the preference was dropped. 2. a lot of preferences as they now turn up, are added with the FF version they first appear.

      eg: if you search for “FF50” (sans quotes), you can easily spot items in 0402, 0410a, 0410c, 0410f, 2661, 2662 and so on. Another item that is cool to search on is “(hidden pref)”, 22 of them (some deprecated). My minions at ghacks and I went thru a lot of work to check things in DXR and test in nilla portables to get the deprecated and introduced and hidden flags right.

      Unfortunately, the differences between version 8 (jan 2016) and version 10 (august 2016) weren’t quite as detailed in terms of adding FF version notation for new prefs. So probably the best idea would be to use mine, rip out the items/sections you don’t want, check the settings against yours and change yours if you want, and add in anything I haven’t that you have.

      It actually wouldn’t be that hard if you sorted the lines and did a diff to spot the user_pref lines differences. If you want me to do it, I’m game :) Or you could save it for a new years resolution.
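
The update workflow described in this thread (sort and diff the user_pref lines, keep personal overrides in a section appended at the end) can be scripted. This is an added example, not code from either config: it goes one step past a raw line diff by comparing effective values, where the last active user_pref for a name wins, and it lists which personal overrides touch prefs that upstream changed or removed. The three sample files and their values are constructed.

```python
import re

# Active pref line; commented-out lines start with // and never match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def effective_prefs(text):
    """Map pref name -> value text, letting later lines override earlier ones."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    prefs = {}
    for line in text.splitlines():
        match = PREF_RE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs


def diff_prefs(old_text, new_text):
    """Return added / removed / changed prefs between two user.js versions."""
    old, new = effective_prefs(old_text), effective_prefs(new_text)
    return {
        "added": {k: new[k] for k in sorted(new.keys() - old.keys())},
        "removed": {k: old[k] for k in sorted(old.keys() - new.keys())},
        "changed": {
            k: (old[k], new[k])
            for k in sorted(old.keys() & new.keys())
            if old[k] != new[k]
        },
    }


def overrides_to_review(old_text, new_text, personal_text):
    """Personal overrides whose upstream pref was changed or removed."""
    delta = diff_prefs(old_text, new_text)
    touched = set(delta["removed"]) | set(delta["changed"])
    return sorted(touched & effective_prefs(personal_text).keys())


# Constructed samples; the values are illustrative, not recommendations.
UPSTREAM_OLD = '''\
user_pref("geo.enabled", false);
user_pref("browser.cache.disk.enable", false);
user_pref("dom.battery.enabled", false);
// user_pref("general.buildID.override", "20100101"); // (hidden pref)
user_pref("network.http.sendRefererHeader", 2);
'''

UPSTREAM_NEW = '''\
user_pref("geo.enabled", false);
user_pref("browser.cache.disk.enable", false);
user_pref("network.http.sendRefererHeader", 1);
user_pref("privacy.firstparty.isolate", true);
'''

PERSONAL = '''\
/*** personal section appended at the end of the file (constructed) ***/
user_pref("browser.cache.disk.enable", true);
user_pref("network.http.sendRefererHeader", 2);
'''

if __name__ == "__main__":
    for kind, entries in diff_prefs(UPSTREAM_OLD, UPSTREAM_NEW).items():
        for name, value in entries.items():
            print(f"{kind:8} {name} = {value}")
    print("re-check:", overrides_to_review(UPSTREAM_OLD, UPSTREAM_NEW, PERSONAL))
```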

  6. @12Bytes.org – does your opinion about Cyberfox still hold? Namely:

    ‘Cyberfox may be more privacy-centric than many other versions in that several phone-home features have apparently been gutted, including telemetry, health reporting and possibly the Google “Safe Browsing” feature and so-on’.

    Testing it out now. Used to run Pale Moon till now, cos FF is sometimes a bit sluggish compared to PM and, as outlined in the OP, is somewhat a spy-central. Maybe the same goes for PM and Cyberfox, but I just got interested in your quoted words about Cyberfox.

      1. Thank you for the reply and thank you for the whole effort with this site! It’s a huge help to many of us, I can promise you! Corporate greed will make any good organisation, which I believe Mozilla was, sell itself to corporate trolls and clowns like FB, Alphabet, etc. After all, isn’t that what the capitalistic American dream is all about – get rich or die trying …

    1. It is, until you check the speed box which is a crippling 5% compared to AirVPN 90% (as a european, let me tell you, it is basically 99% for us). Also, they make the usual false claim about safety, which does not exactly make them seem trustworthier.

      1. 10x for pointing that out. Well, AirVPN’s 10% for int’l is not great cos the world does NOT revolve around US, though many think so. And the 1.5% of NordVPN int’l are a disgrace!!!

        1. Nope, I live in France but I’m not connected to french servers. NordVPN isn’t concerned by the fourteen eyes (Panama), not expensive at all ($48 per year), OpenVPN…
          The download speed is really good for WiFi but it’s low for 4G (about 10 times lower I’d say) but it’s still enough to browse and watch HD videos. As for me, it is only a problem when downloading big files (apks like SuperSwiftkey, audio podcasts or custom roms for my Android device).
          It’s a serious battery drain but that’s not related to NordVPN AFAIK. Do not keep your mobile data always enabled!

          Finally, the support is far from perfect (basic and useless answers most of the time – specific to NordVPN? I don’t think so :-)) and the current Android app is disappointing (additional battery drain due to a bad implementation of Google’s firebase).

    2. thanks for linking to That One Privacy Site – i’ve never seen that before and they did a great job with that spreadsheet

      regarding AirVPN, at least it is not in one of the 5-eyes countries, but yeah, i suppose being in the 14-eyes countries is not ideal – i’m going to have a good look at that data

    3. More than happy to have mentioned this! @Atomic might have a point, though! I’ll dig deeper into it! 10x guys! Keep the discussion going, as that’s one way of staying aware and informed of the info/privacy rape that is happening nowadays!

      1. if you haven’t read TOPS review of Air, here it is – in the ‘final thoughts’ area he says:

        Final thoughts: AirVPN is certainly an above average service with lots to like. However, they aren’t perfect and there is a lot that is questionable to me as well. I know you’re probably sick of it by now, but – FILE GENERATOR (VPN Companies, DO THIS MORE). US speeds were amazing, but international speeds were only so-so. I have to ding them for their choice of marketing tactics – especially because I think they would be in a good position to abandon such a shady strategy and survive on their own merits with some adjustments. It’s really hard for me to take a privacy centric service seriously when they engage in tactics that abuse the trust of their potential customers – as I’ve mentioned in my “guide to choosing a VPN“. They could also be better from a privacy standpoint, as they are based in a fourteen eyes country and don’t have the most clear logging policy when it comes to the finer details. Support was fairly quick (less than 24 hours to respond), but pretty basic in their response, but they granted my refund request super fast, within a couple of hours with no questions asked.

        In the end, AirVPN is an above average service for a reasonable price – I just wish they would show they were more serious about trust and transparency in this industry. They are in a position to stand on their own two feet with a couple of adjustments and shouldn’t need to rely on bottom feeders to promote them.

        unfortunately he does not date the review

      2. Yeah, don’t know what to say. If TOPS is to be trusted then though slightly shady Air seems to be a better option than Nord, cos Nord appears to be too slow on the int’l stage…

        1. if you use the filters for the detailed spreadsheet and filter out the 5 and 9 eyes countries and require no logging for the more important logs, it’s pretty sad how few services are left – BlackVPN & Trust.Zone and maybe a few others depending on how you set the filters

          1. Tough choice, at least for me … The way I see it – AirVPN isn’t really a good option. After filtering out logging, as u suggested, it does indeed come down to BlackVPN, Trust.Zone, and NordVPN, but Nord seems slow, compared to BlackVPN. Trust.Zone’s speeds are not shown in the TOPS comparison, and Black’s US 56.91%, EU 16.03% (if this can be trusted) seem ok . Wonder what @Osine (on NordVPN) thinks about this :)

            1. Based on my own tests with NordVPN (this is the average of 4 tests made with OpenSignal app and with my 4G connection – as previously said, WiFi speed is really better):
              – ping +34% (58.5ms with NordVPN / 43.5ms without)
              – download -86% (7.97 Mbps with NordVPN / 57.43 Mbps without)
              – upload -56% (4.54 Mbps with NordVPN / 10.38 without)

              Each ‘best’ VPN has pros and cons. TOPS did help me to avoid the worse VPN services but it was also very tough to choose the final VPN.
              I don’t know if they do respect my privacy but I do know that my ISP doesn’t :-)

              I’ll probably try more VPN services when my annual subscription will be terminated. I only tested PIA and Air for now and the speedtests gave me similar results.

              1. Thanks for your reply! I assume you mean this – https://play.google.com/store/apps/details?id=com.staircase3.opensignal ? Out of PIA and Air, Air is the better option cos ppl working at PIA are using Air, but the problem with Air remains – being followed by 14 eyes is not great at all. So for me it is either Nord or Trust.Zone, and based on the better speed (at least according to TOPS) I’d go with Trust.Zone. But yeah, you are right .. there are always some pros and cons – always trade-offs. For better or worse, there prolly isn’t 1 best option.

                1. […] being followed by 14 eyes is not great at all.

                  probably not, but from what i’m seeing the 14-eyes countries are not as bad as the 9-eyes countries and the 9-eyes countries are not as bad as the 5-eyes countries – what that translates to in terms of risks to privacy, i don’t know, but it might be worth factoring in what you use the www for – if you’re a whistle-blower or journalist with sensitive information, then the no-eyes countries might be the best choice, but if you’re just doing ‘regular things’, whatever that means, then it may be less important

                  given the lack of options and the performance of Air thus far, i’m thinking i’ll stick with them for now

                2. Yeah, that’s the app I used.
                  BTW BlackVPN offers a free trial of 3 days. The problem is that the Android app is not working since Saturday… Not a good point to start a relationship :-)

                  FYI I’ve just installed Trust.Zone for a free trial. I’m connected to a french server so the speed should be (theoretically) better than yesterday (dutch server):
                  – ping 47.8ms (better than NordVPN)
                  – dl 6.2 Mbps (lower than NordVPN)
                  – up 7.6 Mbs (higher than NordVPN)
                  (average of 4 tests with OpenSignal app and same place as yesterday)

                  1. I suppose you use OpenSignal cos Speedtest.net by Ookla and their app are not very privacy-friendly. I have to admit, though – the permissions OpenSignal app asks for make no sense and I don’t like that. Ookla’s app asks somehow for permissions which are slightly less privacy-intrusive but in general I don’t trust big firms like Ookla. So I’m not happy with either 1 of those apps. If I gotta be honest, best bet IMO is to ditch any app or Flash-based test and only test on html5 sites – thus no app is needed and no Flash is needed. One such is http://www.speedof.me but it doesn’t always work great on mobile and on desktop.

                    What’s your go-to speed test method, guys?

                    1. On my Android phone, I restrict app permissions thanks to XPrivacy and a hosts file (mass surveillance, tracking, ads…) so I guess I’m using OpenSignal safely.
                      IP Pro is an open source app but it requires Play Services (https://play.google.com/store/apps/details?id=com.adamkruger.myipaddressinfo).

                      Thanks for your links (including the one mentioned by 12Bytes). However, they use Google analytics & ads, Amazon servers… Not sure if it’s really better than OpenSignal on my Nexus 5.
