12Bytes.org

Both Firefox configuration guides were updated with more information regarding the downloading of the user.js and user-overrides.js configuration files, thanks to a commenter who was thoughtful enough to share a problem they had.

More importantly, the user-overrides.js file was updated again. The latest changes are as follows…

* added a regular expression example that can help find syntax errors
* misc. minor comment edits
* added missing tags to some safe browsing prefs
* added more safe browsing prefs
* removed the [SUGG] tag – suggested values are now indicated with ‘!’
* removed unnecessary [SET] tags
* added some missing tags
* added ‘privacy.clearOnShutdown.sessions’ pref
* removed some redundant prefs that were set the same in user.js
* edited some pref comments

The Firefox Extensions – My Picks article was updated. Here’s the latest changes:

• removed Cookie AutoDelete
• removed Awesome RSS (broken at the moment)
• removed Linkificator – all of these text linkify add-ons seem to have problems
• removed YouTube Feeds
• removed ‘Clean image links’ code for Header Editor
• replaced Smart HTTPS with HTTPZ
• replaced Dark Reader with Dark Background and Light Text
• replaced Neat URL with ClearURLs
• added Disable Tab Detach
• edited the Header Editor section for removing ETag headers
• misc. cleanup and polishing

The removal of Cookie AutoDelete marks the end (i hope) of the ‘cookie’ storage cleaners, none of which were able to remove all data stored for a domain because of a shortcoming in the WebExtension API. Instead i have been experimenting with containers and what Mozilla calls First Party Isolation (FPI – more here), a privacy feature which was apparently ported over from the Tor project under the name Cross-Origin Identifier Unlinkability. With FPI enabled via the preferences privacy.firstparty.isolate (and privacy.firstparty.isolate.restrict_opener_access), the data for each domain visited is kept in separate containers isolated from each other which is great for privacy.

Lastly i would like to make special mention of the addition of the HTTPZ extension by ‘claustromaniac‘, one of the many contributors to the ghacks-user.js project. This slick little add-on simply redirects http requests to https and it works completely transparently with no options or whitelists to fool with. It doesn’t even have a toolbar icon. HTTPZ will automatically fall back to http as needed and i have yet to find a case where a page load failed because of it. By the way, ‘claustromaniac’ is the same cat that gave us POOP just a little bit ago, another nice privacy related extension, and rumor has it… well, let’s just wait and see :)

Both the user-overrides.js and the Firefox Privacy Guide For Dummies! have been updated, but there’s not actually any super important changes to the guide. Here’s the change log:

• clarified a lot of stuff that may not have been clarified clearly enough
• eliminated the ‘relaxed_user-overrides.js’ file – the user-overrides.js is now used for both the advanced and dummy guides
• updated the user-overrides.js file
• lots of minor edits, corrections

So the biggest change is that i’m using the same user-overrides.js for both guides which saves me some hassle and causes the users more hassle! Actually it might just take a bit more time to sift through he file, though the better documentation should make things easier. This is the 64r4 version of this config, meaning it’s the 4th revision for Firefox 64.

user-overrides.js

My user-overrides.js for Firefox was heavily updated. If you’re new to all this, this file is intended to be appended to the ‘ghacks’ user.js which is then read by Firefox. The ‘ghacks’ file greatly enhances Firefox security and privacy, but it is not a complete solution, thus why i (and others) have written a couple of guides which cover a much wider scope, details below.

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

The ‘Firefox Configuration Guide for Privacy Freaks and Performance Buffs‘ was also heavily updated. Currently the guide in a state of flux as i attempt to finalize how to make more efficient use of the Firefox ‘container’ feature and what add-on(s) offer the best options for working with containers.

Containers, if you are not aware, better isolate websites from one another which is great for privacy. Depending on how they are configured, each container can hold most of the data stored by Firefox for each website/domain in separate ‘boxes’ that are isolated from one another. This is similar to First Party Isolation (FPI) which can be toggled with the ‘privacy.firstparty.isolate’ preference (currently disabled by default up to Firefox v64). Containers become even more like FPI when you use the Temporary Containers (TC) add-on which has the ability to automatically create empty containers for every domain you visit and then trash them after you leave, something FPI doesn’t do. This solves the problem which every storage/cookie cleaner currently faces in that none can clear all storage (IndexedDB for one) on a per-domain basis because of shortcomings with the WebExtension API.

There are problems with containers however. Since most of the stored data in each container is separated from other containers, the browser may have to re-download and store multiple copies of certain resources, such as common JavaScript libraries delivered by a CDN, though in this particular case the Decentraleyes add-on alleviates much of the problem.

Another problem — and one which is currently giving me a headache, backache and side-ache — is when you want to allow a website to store data, such as cookies, so you can save settings for that particular site. Or how about websites like addons.mozilla.org (AMO) which use a completely different domain for the log-on process? If you keep them in separate containers, the log-on fails because site (a) can’t ‘talk’ to site (b).

When using the Temporary Containers add-on and configuring it so that it opens all domains in new disposable containers, these problems become a PITA because TC apparently doesn’t offer any method by which you can assign domains to a permanent container, at least not without a hassle. Even the TC page on AMO indicates that yet another add-on, Firefox Multi-Account Containers (MAC), is required for this seemingly trivial job as described with the AMO site. And even with MAC installed, the process is still pathetically counterintuitive.

And so this is why the advanced Firefox config guide is in a state of flux until i can get all this worked out in such a way so that it’s easier for my readers to use containers. So you may want to hold off on adopting any of the new changes unless you want to have a shot at dealing with containers, but if you do, please let me know if you find more intuitive ways of dealing with them.

Visit the guide to see the full change-log.

The Firefox Privacy Guide For Dummies!

The Firefox Privacy Guide For Dummies! is a new guide aimed at the ‘not so technically inclined’ audience for increasing Firefox security and privacy. It uses a subset of techniques from the advanced guide, as well as some originals, and is written in such a way as to be less boring.

Most of the tech lingo and detailed explanations are absent and the whole container mess is avoided, for now, and, instead, website isolation is accomplished using Firefox’s built-in First Party Isolation.

Since the ‘dummy’ guide was just published, there’s likely going to be some/many mistakes corrected and oversights addressed in the following weeks, after which it will become more solidified. Again i welcome any feedback you may have.

RAM it!

Just a reminder…

Left to their own devices, web browsers are happy to beat the hell out of your storage media by constantly writing and erasing data for the various storage methods they employ. I believe this issue is further amplified with containers which, i suspect, are going to be permanently featured in one or both of my Firefox config guides.

Regardless of whether you use containers or not, i would recommend considering storing your Firefox profile in RAM and creating automatic backups. There are more advantages to doing so than just speed. You’ll find some info in the advanced guide, though it benefits Linux users primarily. With Windows you’re kind of on your own since i don’t use it, but i do remember finding a very good freeware ‘RAM disk’ program that did the job and kept backups.

The Firefox Configuration Guide for Privacy Freaks and Performance Buffs guide has been updated and more updates are coming. My user-overrides.js was overhauled as well (you’ll find a link to it in the guide).

A ‘for dummies’ version of the guide is nearly complete. It’s titled The Firefox Privacy Guide For Dummies! and i had some fun writing it. A new relaxed_user-overrides.js has been created to mesh with the new guide. You can preview that on my GitLab repo.

In a rather important shift, i am no longer disabling First Party Isolation (FPI) in the ‘ghacks’ user.js, but then i started researching more about FPI and i bumped into this. I have been avoiding the Temporary Containers add-on for some time thinking it really didn’t offer much that couldn’t be accomplished with Firefox prefs and add-ons i was already using, however reading that thread on GitHub convinced me to install it and i’m testing it now.

Another change to the (advanced) guide is that i dropped Cookie AutoDelete as it is no longer necessary given other changes that were made. With the temp containers add-on, it becomes even less necessary and i’m not sure FPI is making a lot of sense either so i may again disable it. You may want to stay tuned for the next update before incorporating these recent changes.

Here’s the full change log for the advanced guide:

26-Dec-2018

• add notice about newsletter subscribing
• corrected advice regarding spoofing the referrer which was suggested for both POOP and uM (now it’s enabled in uM only)
• dumped Cookie AutoDelete add-on – not needed when using uM and First Party Isolation, nor are any of these storage cleaning add-ons able to delete IndexedDB storage due to a shortcoming in the WebExt API, which is another reason to enable FPI
• removed privacy.firstparty.isolate = false in user-overrides.js in order to enable First Party Isolation
• added Restrict to Domain add-on to toggle privacy.firstparty.isolate (FPI) via toolbar button
• removed the list of optional add-ons (NoScript and Smart Referrer)
• minor edits
• coming up: looks like i may be recommending to disable FPI in the very near future and use the Temporary Containers add-on instead – i’m playing with it now