Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Firefox logo

Project moved to Codeberg

The Firefox Configuration Guide for Privacy Freaks and Performance Buffs has been moved to Codeberg however you can still leave comments and suggestions here if you wish.

A note regarding user comments

When reading the user comments on this page, keep in mind that this guide has been around since 2015 and, given the dynamic nature of the web and Firefox, some of the information in comments, including information provided by myself, may be obsolete or entirely wrong. Nevertheless i decided to retain all comments because... nostalgia. If you have any questions, ask.

498 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs”

  1. Appreciate the changelog and one question:

    One of the changelog notes is “Corrected an error with pref ‘layout.css.devPixelsPerPx’ where the value was an integer instead of a string – this caused all prefs following it to be ignored”

    Is that a general issue where any time a pref is improperly set (wrong values, wrong type of values, typo in name, or the setting no longer exists in the version of FF you’re using), everything that follows it are ignored, or is this a unique instance of a problem?

    Also, if a user.js is changed and FF is launched without a message error, does that mean the entire user.js is working properly? Does it mean all settings that are set are valid or does it simply mean the general format of a setting was correct? In other words, if I add a setting that no longer existed in the current version, would it invalidate the entire user.js (and prevent FF from starting) or would it still add that setting but have no effect on the browser?

    1. Is that a general issue where any time a pref is improperly set (wrong values, wrong type of values, typo in name, or the setting no longer exists in the version of FF you’re using), everything that follows it are ignored, or is this a unique instance of a problem?

      from A brief guide to Mozilla preferences (emphasis added):

      If the application encounters any error during loading of a default pref file, the application will issue a warning that a configuration file has failed to load and then quit. This allows system administrators to know quickly if there is a configuration error in the installation. If the application encounters an error when loading user pref files, the application will issue a warning but will continue running.

      so this isn’t really helpful to me because it doesn’t tell me whether the rest of the preferences will load after an error is encountered, however my experience is that they will not – how prefs are loaded is also in question; is it from the top down, bottom up, alphabetical or reverse alphabetical (the latter seems to be the case)

      so when i gave the pref in question an incorrect value (a string instead of an integer), i noticed another pref that wasn’t being loaded and which came after the former, so i assumed that once FF chokes on a bad pref, it stops loading everything after it, but now i don’t know what “after” is; after, as in top down, alpha order, etc.?

      further complicating the issue is that i am not seeing any error in the browser console when i give a bad value to a pref in user.js, or give a bad pref name

      it’s either kind of stupid that the browser works this way, or i am missing something

      and no, i do not believe this is an issue with this particular pref (layout.css.devPixelsPerPx) – it seems to be global as i understand it, but i’m not really sure

      Also, if a user.js is changed and FF is launched without a message error, does that mean the entire user.js is working properly?

      apparently not from what i can tell

      if you can find any answers, please post back

      thanks for your comment

      1. FF starts > it loads the contents of user.js into memory, and then applies them IN ORDER (as written, and at the end I can show why I know this is the case) to the prefs.js – either overwriting or adding (it does not remove). Any errors in the user.js that cause an abort of subsequent entries, will not affect anything already in the user.js (eg, if you made a typo error in it today, previous entries are still in your prefs.js).

        Some things that cause user.js “aborts” – syntax errors for sure. That’s it. It still writes the values to prefs.js

        Where it falls over is the next stage. FF has started, parsed user.js into prefs.js, and now will parse prefs.js for custom settings (as dsplayed in about:config and used by the browser as the actual settings). If your prefs.js has the wrong variable, FF will ignore it (it still fully parses the prefs.js). FF internally knows all the preferences and their data types and defaults – this is how you can right click and set to default, and why you cannot enter a wrong data type). But any value read from prefs.js will always show as “custom” in about:config, even if it is the default value.

        eg: the arkenfox user.js v0.8 has an variable error for the three plugins in section 1806 (this is fixed in v.10 which lands in a day or so, there is no v.09). They are meant to be strings, not integers
        was – user_pref(“plugin.scan.Acrobat”, 99999);
        now – user_pref(“plugin.scan.Acrobat”, “99999”);
        Try it. Set it as an integer, and then look in prefs.js. Then look in about:config. This is from memory, and I always set all my prefs from about:config at the same time I incorporate them into the arkenfox user.js (I am the author), so I never picked up on it not being applied.
        ^^ PS: you will need to fix these three errors in your copy.
        user_pref(“plugin.scan.Acrobat”, 99999);
        user_pref(“plugin.scan.Quicktime”, 99999);
        user_pref(“plugin.scan.WindowsMediaPlayer”, 99999);

        “bad name pref” – all preferences are treated as unique, case sensitive. So if you added a pref “12bytes” and another one called “12Bytes”, you would have two pref entries. FF allows custom prefs (extensions use them).

        Syntax. I made a silly syntax error when I added a new pref. I forgot to add the closing quotes to the pref name. It happened to be a string and my IDE syntax highlighting/colors didn’t really make the sollitary comma stand out:
        user_pref(“prefname, “stringvalue”) // wrong
        user_pref(“prefname”, “stringvalue”) // right

        I had a hell of a time tracking it down. So what I did was add a custom preference at the start, and modify it at each major section, and again at the very end.

        // START: internal custom pref to test for errors
        user_pref(“pants.testing”, 100);
        /*** 0100: STARTUP ***/

        user_pref(“pants.testing”, 200);
        /*** 0200: GEOLOCATION ***/

        // END: internal custom pref to test for errors
        user_pref(“pants.testing”, 9999);

        You get the idea. I could simply check in about:config as to where roughly where the code has stopped being parsed by searching for pants – trust me, it works in order as per written. And the only reason I could pinpoint it, was because it was a syntax error, not a data type mismatch.

        Hope this helps clears things up.

        1. wow, thanks much for your comments and your work :)

          so user.js gets parsed from the top – that’s what i originally thought, but something i read threw me off – anyway, good to know, and your bogus prefs which you use to see whether the file is read completely is a great idea – thanks for sharing!

          1. I think you’ve misunderstood the nature of the custom pref for syntax error checking. It’s a SINGLE pref, not one per section. You set it at the start, modify it’s values throughout the script, and then set a final value at the end.

            Make the first line of your user.js

            user_pref(“00-user.js-canary”, “canary dead due to syntax error in user.js”);

            and make the last line

            user_pref(“00-user.js-canary”, “canary lives — user.js was read to the end”);

            The first line will always be read; the last line will override the first line if and only if all the syntax in your user.js is ok.

            1. got it – that’s much better than what i had done – i just updated the file again

              by the way, you mentioned you had a problem finding a syntax error you had once made – in addition to your canary pref, which i think is great for the average end user, you can also use a regular expression to find syntax errors in your editor, perhaps something like:

              ^user_pref\("\S+", ([a-zA-Z0-9]+|"\S*")\);

              my editor (Kate on Linux) will highlight all matches which makes it easy to spot the bad pref

              i’m sure that can be improved but i’m not an expert with RegEx

  2. @12bytes – get ready. The new version 10 lands in the next 24 hours (Martin has the files, but he may be hungover after the Germany vs Italy game!). He will post a new article, and the original landing page will be updated, as will the ZIP for download which contains extra stuff – you mentioned the changelog – it is always in the download zip file, along with the html versions for local use, with linkified sources (over 200 of them) to open in new tabs. The downloaded html files are way easier to read, as I have colored the numbers, prefs, header titles, used pre tags to preserve spaces, and so on. There are approximately 90 new prefs added, and a lot of prefs have been confirmed as deprecated and hidden (and tagged as such).

    Enjoy :)

    PS: This article is linked at the top in the Thanks section.

    1. oh great – now i really have my work cut out for me!

      i’ll have to see if enough of your prefs agree with my choices and, if so, i can quit publishing my config :)

      thanks Pants – i’m sure a lot of people appreciate your work – also thanks for the link back

  3. Thanks a lot for sharing your user.js with great explanations!

    FYI there are a few duplicate values:
    //user_pref(“gfx.downloadable_fonts.enabled”, true);
    //user_pref(“gfx.downloadable_fonts.enabled”, false);

    user_pref(“browser.aboutHomeSnippets.updateUrl”, “”);
    user_pref(“browser.aboutHomeSnippets.updateUrl”, “”);

    user_pref(“browser.newtab.preload”, false);
    user_pref(“browser.newtab.preload”, false);

    user_pref(“full-screen-api.warning.timeout”, 0);
    user_pref(“full-screen-api.warning.timeout”, 0);

    user_pref(“media.gmp-gmpopenh264.enabled”, false);
    user_pref(“media.gmp-gmpopenh264.enabled”, false);

    user_pref(“media.gmp-manager.url”, “”);
    user_pref(“media.gmp-manager.url”, “”);

    user_pref(“startup.homepage_welcome_url”, “about:about”);
    user_pref(“startup.homepage_welcome_url”, “”);

    1. Actually, if you reset all the loop.* values to default, and comment them out in your user.js, then they all disappear. But there are still a bunch in code (you can see them via DXR). However, Hello has been removed from Firefox core. It is obsolete. It is nowhere to be found in a FF49

    1. not sure i’m going to put that in the user.js, but i will add a note about it – thanks for mentioning it

      update: actually i take that back – i’m going to leave Electrolysis out of the mix because it is probably likely that it will be rolled to all users shortly – for those that want to enable it manually, see Electrolysis on the moz wiki

  4. The OP suggests AirVPN, but according to this thatoneprivacysite it is being followed by 14 eyes, which is not great !!! … The way I see it NordVPN in Panama seems a better option, according to that source, at least. What do you guys think?

    1. It is, until you check the speed box which is a crippling 5% compared to AirVPN 90% (as a european, let me tell you, it is basically 99% for us). Also, they make the usual false claim about safety, which does not exactly make them seem trustworthier.

      1. 10x for pointing that out. Well, AirVPN’s 10% for int’l is not great cos the world does NOT revolve around US, though many think so. And the 1.5% of NordVPN int’l are a disgrace!!!

        1. Nope, I live in France but I’m not connected to french servers. NordVPN isn’t concerned by the fourteen eyes (Panama), not expensive at all ($48 per year), OpenVPN…
          The download speed is really good for WiFi but it’s low for 4G (about 10 times lower I’d say) but it’s still enough to browse and watch HD videos. As for me, it is only a problem when downloading big files (apks like SuperSwiftkey, audio podcasts or custom roms for my Android device).
          It’s a serious battery drain but that’s not related to NordVPN AFAIK. Do not keep your mobile data always enabled!

          Finally, the support is far from perfect (basic and useless answers most of the time – specific to NordVPN? I don’t think so :-)) and the current Android app is disappointing (additional battery drain due to a bad implementation of Google’s firebase).

    2. thanks for linking to That One Privacy Site – i’ve never seen that before and they did a great job with that spreadsheet

      regarding AirVPN, at least it is not in one of the 5-eyes countries, but yeah, i suppose being in the 14-eyes countries is not ideal – i’m going to have a good look at that data

    3. More than happy to have mentioned this! @Atomic might have a point, though! I’ll dig deeper into it! 10x guys! Keep the discussion going, as that’s one way of staying aware and informed of the info/privacy rape that is happening nowadays!

      1. if you haven’t read TOPS review of Air, here it is – in the ‘final thoughts’ area he says:

        Final thoughts: AirVPN is certainly an above average service with lots to like. However, they aren’t perfect and there is a lot that is questionable to me as well. I know you’re probably sick of it by now, but – FILE GENERATOR (VPN Companies, DO THIS MORE). US speeds were amazing, but international speeds were only so-so. I have to ding them for their choice of marketing tactics – especially because I think they would be in a good position to abandon such a shady strategy and survive on their own merits with some adjustments. It’s really hard for me to take a privacy centric service seriously when they engage in tactics that abuse the trust of their potential customers – as I’ve mentioned in my “guide to choosing a VPN“. They could also be better from a privacy standpoint, as they are based in a fourteen eyes country and don’t have the most clear logging policy when it comes to the finer details. Support was fairly quick (less than 24 hours to respond), but pretty basic in their response, but they granted my refund request super fast, within a couple of hours with no questions asked.

        In the end, AirVPN is an above average service for a reasonable price – I just wish they would show they were more serious about trust and transparency in this industry. They are in a position to stand on their own two feet with a couple of adjustments and shouldn’t need to rely on bottom feeders to promote them.

        unfortunately he does not date the review

      2. Yeah, don’t know what to say. If TOPS is to be trusted then though slightly shady Air seems to be a better option than Nord, cos Nord appears to be too slow on the int’l stage…

        1. if you use the filters for the detailed spreadsheet and filter out the 5 and 9 eyes countries and require no logging for the more important logs, it’s pretty sad how few services are left – BlackVPN & Trust.Zone and maybe a few others depending on how you set the filters

          1. Tough choice, at least for me … The way I see it – AirVPN isn’t really a good option. After filtering out logging, as u suggested, it does indeed come down to BlackVPN, Trust.Zone, and NordVPN, but Nord seems slow, compared to BlackVPN. Trust.Zone’s speeds are not shown in the TOPS comparison, and Black’s US 56.91%, EU 16.03% (if this can be trusted) seem ok . Wonder what @Osine (on NordVPN) thinks about this :)

            1. Based on my own tests with NordVPN (this is the average of 4 tests made with OpenSignal app and with my 4G connection – as previously said, WiFi speed is really better):
              – ping +34% (58.5ms with NordVPN / 43.5ms without)
              – download -86% (7.97 Mbps with NordVPN / 57.43 Mbps without)
              – upload -56% (4.54 Mbps with NordVPN / 10.38 without)

              Each ‘best’ VPN has pros and cons. TOPS did help me to avoid the worse VPN services but it was also very tough to choose the final VPN.
              I don’t know if they do respect my privacy but I do know that my ISP doesn’t :-)

              I’ll probably try more VPN services when my annual subscription will be terminated. I only tested PIA and Air for now and the speedtests gave me similar results.

              1. Thanks for your reply! I assume you mean this – ? Out of PIA and Air, Air is the better option cos ppl working at PIA are using Air, but the problem with Air remains – being followed by 14 eyes is not great at all. So for me it is either Nord or Trust.Zone, and based on the better speed (at least according to TOPS) I’d go with Trust.Zone. But yeah, you are right .. there are always some pros and cons – always trade-offs. For better or worse, there prolly isn’t 1 best option.

                1. […] being followed by 14 eyes is not great at all.

                  probably not, but from what i’m seeing the 14-eyes countries are not as bad as the 9-eyes countries and the 9-eyes countries are not as bad as the 5-eyes countries – what that translates to in terms of risks to privacy, i don’t know, but it might be worth factoring in what you use the www for – if you’re a whistle-blower or journalist with sensitive information, then the no-eyes countries might be the best choice, but if you’re just doing ‘regular things’, whatever that means, then it may be less important

                  given the lack of options and the performance of Air thus far, i’m thinking i’ll stick with them for now

                2. Yeah, that’s the app I used.
                  BTW BlackVPN offers a free trial of 3 days. The problem is that the Android app is not working since Satursday… Not a good point to start a relationship :-)

                  FYI I’ve just installed Trust.Zone for a free trial. I’m connected to a french server so the speed should be (theorically) better than yesterday (dutch server):
                  – ping 47.8ms (better than NordVPN)
                  – dl 6.2 Mbps (lower than NordVPN)
                  – up 7.6 Mbs (higher than NordVPN)
                  (average of 4 tests with OpenSignal app and same place as yesterday)

                  1. I suppose you use OpenSignal cos by Ookla and their app are not very privacy-friendly. I have to admit, though – the permissions OpenSignal app asks for make no sense and I don’t like that. Ookla’s apps asks somehow for permissions which are slightly less privacy-intrusive but in general I don’t trust big firms like Ookla. So I’m not happy with either 1 of those apps. If I gotta be honest, best bet IMO is to ditch any app or Flash-based test and only test on html5 sites – thus no app is needed and no Flash is needed. One such is but it doesn’t always work great on mobile and on desktop.

                    What’s your go-to speed test method, guys?

                    1. On my Android phone, I restrict app permissions thanks to XPrivacy and a hosts file (mass surveillance, tracking, ads…) so I guess I’m using OpenSignal safely.
                      IP Pro is an open source app but it requires Play Services (

                      Thanks for your links (including the one mentioned by 12Bytes). However, they uses Google analytics & ads, Amazon servers… Not sure if it’s really better than OpenSignal on my Nexus 5.

  5. – does your opinion about Cyberfox still hold? Namely:

    ‘Cyberfox may be more privacy-centric than many other versions in that several phone-home features have apparently been gutted, including telemetry, health reporting and possibly the Google “Safe Browsing” feature and so-on’.

    Testing it out now. Used to run Pale Moon till now, cos FF is sometimes a bit sluggish compared to PM and, as outlined in the OP, is somewhat a spy-central. Maybe the same goes for PM and Cyberfox, but I just got interested in your quoted words about Cyberfox.

      1. Thank you for the reply and thank you for the whole effort with this site! It’s a huge help to many of us, I can promise you! Corporate greed will make any good organisation, which I believe Mozilla was, sell itself to corporate trolls and clowns like FB, Alphabet, etc. After all, isn’t that what the capitalistic American dream is all about – get rich or die trying …

    1. thanks Pants – i’ve been getting lazy with this project as i really dread going through all the settings again – the ideal thing would be for me to sync with your config and just append my own personal settings – we’ll see

          1. You mean the next version of your work in this whole site?

            not sure what you mean – in addition to my own research, i also i use Pants’ config as a reference

            What version of FF then do your tweaks apply on? Earlier ones than 50?

            mine is for v49 and is synced with Pants’ config v0.08 (this info is in the comments of the config near the top)

            note that when i say “synced”, that doesn’t mean all my setting match his (though most do), only that i have gone through his and considered his settings

            1. 10x for the info! I wasn’t aware of Pants’s config, for which I apologize (mainly to him :))

              And I assume you mean that you have not yet tested whether or not your tweaks work also on ff50 (about which I received an update only just recently), but I assume they do.

              1. yeah, Pants deserves a huge credit for his work and i personally thank him for showing up here and helping me along :)

                and yes again, i have not tested my config with v50 (i’m using v49) though it should work ok – the only issue is there may be some new settings in FF v49 and v50 that are not addressed in my config and, potentially, some settings that may have been renamed

    2. OK, so here’s a slightly newer version (extra stuff added, stuff moved to deprecated). This is basically it until after the FF 51 lands in January/February next year. (expires in 5 more days)
      * date: 21 Nov 2016
      * version: 0.11 BETA : Born to Be Pants
      * “Get your pants runnin’. Head out on the highway. Lookin’ for adventure. And whatever comes our way.”

      Grab this one. The key points for you are 1. under the deprecated section, each release is stated for when the preference was dropped. 2. a lot of preferences as they now turn up, are added with the FF version they first appear.

      eg: if you search for “FF50” (sans quotes), you can easily spot items in 0402, 0410a, 0410c, 0410f, 2661, 2662 and so on. Another item that is cool to search on is “(hidden pref)”, 22 of them (some deprecated). My minions at arkenfox and I went thru a lot of work to check things in DXR and test in nilla portables to get the deprecated and introduced and hidden flags right.

      Unfortunately, the differences between version 8 (jan 2016) and version 10 (august 2016) wasn’t quite as detailed in terms of adding FF version notation for new prefs. So probably the best idea would be to use mine, rip out the items/sections you don’t want, check the settings against yours and change yours if you want, and add in anything I haven’t that you have.

      It actually wouldn’t be that hard if you sorted the lines and did a diff to spot the user_pref lines differences. If you want me to do it, I’m game :) Or you could save it for a new years resolution.

  6. So I’ve read up on NoScrip and uMatrix and saw what this site has to say about both. Thanks for the great work with this site, btw. However, I guess I’ll have to switch from NoScript (which I’m currently on) to uMatrix with the hope that uMatrix will allow what NoScrip does not allow. Unless I’m missing sth here, I don’t see how to make NoScript behave per site or per domain. When it blocks something it blocks it on all sites everywhere and then I individually need to enable/disable items/trackers to get different sites to work correctly. If I disable youtube on a site where youtube has no business to spy on then it is annoying when u visit youtube’s actual site and you then have to re-enable youtube’s domain, later on back having to disable it resulting in an insane infinite loop. If it is part of the Tor bundle then there’s gotta be a setting for this weird behaviour somehow. I saw this also but despite the nice thread title the question I’m asking here remains unsolved even there. Anyone has an idea if NoScript can do it of if I should instead resort to uMatrix, hopefully it can do what I’m suggesting here!

    1. the way i do it is to create a minimum number of uMatrix rules in the global scope to allow embedded YouTube videos everywhere, then some extra rules for

      i think you can create domain specific rules in NS (almost positive), but i think you have to manually enter them somewhere in the UI – i don’t remember where as it’s been a long time since i messed with NS

      1. I thought it must be psbl to manually do it per domain but for all i tried it always worked globally. Well, with uMatrix this is not an issue so far as selecting the working scope as you’ve outlined in your fine tutorial makes perfect sense and seems to apply rules accordingly. Huge thanks for sharing your work!

    1. You just read my mind, didn’t you? What exploit did you use to do that, lol :) Would you believe that just a few hours ago I was thinking to write again about this issue, since me and 12Bytes couldn’t fully get it resolved last time around? And it’s been what … over 20 days since there last was a word on this issue. What a coincidence that u just now decided to follow up on it. :) So … the link by Pants resolves the issue on a global scale for all embedded yt vids. Finally! I though the changes to the global scope presented in 12Byte’s screenshot had the same intent, but somehow for me that didn’t work out. Nevertheless, big thanks to both 12Bytes and Pants.

  7. Hey there, first of all thanks a lot for this, extremely helpful!
    Have you considered putting this guide on github? so that others can contribute and access more easely to your great user.js config file and other things

  8. Heads up: here is pretty much the final v11, including a changelog from v10 (for this 7 day pastebin, yup, it expires, I have added the changelog to the end of the js). Expect a new article from Martin (and of course the original article to be updated) in about a week. Just letting y’all know, so I can get feedback and corrections before Martin publishes (use the original url as in listed the js header section, thanks).

    * version: 0.11 FINAL BETA REVIEW: The [White?] House of the Rising Pants
    * “My mother was a tailor, she sewed my new blue pants”

    PS: Sorry 12bytes .. more work for ya :)

    1. PS: Sorry 12bytes .. more work for ya :)

      not so sure – i might just switch to your config :)

      one suggestion i might offer however is to insert the loading pref ‘_user.js.parrot’ multiple times, such as before every section to make it easier to figure out what exploded – for example, in my config the first section is ‘BUG FIXES’ and the first pref is user_pref("", "syntax error @ BUG FIXES");, so i can quickly search for ’’ in about:config and find out where exactly something exploded – if everything loaded, the value is "load success"

      or is it possible to use the console to find out exactly which pref failed (as i recall, i don’t think you can)?

      1. Yup, that’s exactrly what I said to you way back there in the comments in June last year ( // ).

        I have 22 sections, so that would be 23 prefs. I don’t mind adding them. The user.js is provided absolutely squeaky clean syntax wise, but of course users are meant to edit it, and it is easy enough to make typos or forget a trailing semi-colon or comma etc. Been there, done that. I want users to edit the js (I say it in the header). And of course it be can a long time between published versions. So I guess, to be consistent, I should set them all up. I added it initially for my own troubleshooting and then left it in for end users to do what they want with. I’ll put it to the VP and see what he says. I think its a good idea to have them preset.

    2. hello mr. Pants :)

      the email address you used to submit comments here – is it a working one? i wrote you an email but didn’t get a reply

      all i wanted to know is this: i’ve switched to using your config because it saves me a lot of work :) i’m just appending some of my prefs at the end of yours – what i wanted to know is if you’re ok with me publishing this config?

      i’m not editing anything in yours, other than commenting out a few prefs for which i want ff to use the default values


    1. ok, should be an update coming soon – i’m going to scrap most of my config and switch to using Pants’ config to which i’ll append some of my personal preferences – i’m testing this new config now – if he’s ok with it, i’ll publish it here

      1. Version 11 was published on Feb 12 ( ) .. the original url is all updated – article content, new download, new v11 dark and light html versions (for easy on the eye scanning and url clickability), and changelog.

        … and … drum roll … it is now githubbed: . The github version already has changes (sigh) .. when will it ever end …

        And YES .. you are more than welcome to use it. I haven’t added a license yet, but it will be a do-as-want-but-leave-author-&-link type deal :)

          1. Sweet! I see you :) … now you can create your own fork, and point to that. No need to use the arkenfox one (ecept for your fork maintenance). You can add your own 5000 section or something, and you can easily pull/import changes from mine into yours and do diff comparisons etc. You’re onto it man.

            1. … now you can create your own fork, …

              um, that idea flew out the other side of my head just about as fast as it flew in :)

              i looked into publishing my earlier user.js on GitHub because someone else mentioned it here in the comments, and it looked to me like a lot of work involving stuff i don’t understand.

              what was you’re experience like? have you pub’d on GH before, or was this your first?

              btw, i just updated the user.js here if you wanted to look at what i did (search for ’12bytes’ in the file)

              thanks again for your work man – you and your contributors have done just an outstanding job :)

  9. Excellent stuff .. I’ll start a new comment so we have more width :) This is just a quick look.

    “you will likely have broken functionality that you wanted, or added functionality you didn’t want.” – I think those are back to front. I think you mean broken stuff you didn’t want.. etc. On a third reading it is still messed up to me. I know what you mean though. No one wants broken functionality – thats what’s throwing me :) Never mind .. its been a long night.

    Suggest that the warning about backing up prefs.js is a second option. The BEST option is to close FF and backup the entire profile folder. The user.js doesn’t just change the prefs.js – it could potentially wipe cookies, history and site preferences etc and other databases – it doesn’t for now, because this is not a super hardened version. Local storage is wiped I think, and indexeddb is off (not sure if that means indexeddb is emptied). Another option is for users to download a portable FF, open it once to populate the profile folder, and then they can test it, and tweak it before they use it on their everyday FF. (I’m in the process in the next week of writing this all up in the readme at github).

    THANK GOD you stressed that uBlock Origin be used – because the js by default has killed all tracking protecting and malware/pups etc stuff. Blocklists still work due to revocations, but otherwise it’s a sitting duck for advert networks.

    Side note: The latest version on github is 51. It has been archived (all archives are zip files and held under releases: ). The user.js will evolve from day to day, and once its all up to date after the next stable, I update the version to 52, change the date, change the “pants” code name (always a song title!!), and create a new release. Clearly the release number matches the FF version. And now users on older versions (from now on) can get the right one to fit. That said, it’s more complicated for ESR users.

    Some of the first lines of v51 have changed and contain the github url, which I think you should add to your user.js for end users – see lines 15+16 here

    You can chop out the apendices and sections 9996 (palemoon) 9997 (deprecated) 9998 (tor uplift stuff not done yet) and 9999 (to investigate crap). Appendices will be made into wikis on github anyway. This will shave 350 lines of unrelated rubbish from the js. Might be debatable leaving in the deprecated, some users may be on older FF versions – but I see that as their problem :)

    And to answer your question – I’ve only ever commented on github before. So far its been a short learning curve (I have some background in coding, but its been over a decade) – git has its quirks. For you it would super EASY. Go to and top right is a Fork button. You click it and it will fork an exact copy of my user.js and license to your own repository. Then you can edit your own copy to match what you have above. As I make changes to my version (add/remove/move lines around), your version gets out of sync (and you don’t have to do anything until you want to). When you want to, you can do a diff/compare and merge over the lines you want, etc. Easy as. This ishow you save yourself a lot of work. Maybe do a fork just prior to your next update

    Anyway, looking good 12bytes :)

    1. “you will likely have broken functionality that you wanted, or added functionality you didn’t want.” – I think those are back to front. I think you mean broken stuff you didn’t want.. etc. On a third reading it is still messed up to me.

      ha! it took me several readings of what you said to figure out what you meant because when i read my sentence, it makes perfect sense to me! i finally figured out what you’re getting at though and you’re absolutely right – that sentence could be interpreted two very different ways

      your versioning – i see you went from v0.11 to v51, next will be 52, etc – is that version scheme intended to coincide with the FF version it was built for? and if not, maybe that would be a good idea? just a thought – i think i might do that, so like for FF 51.0.1, the config version would be 51.0.1r1 where the ‘r’ indicates the release number (1, 2, 3…)

      i saw no edits between 0.11 and 51 other than comments, is that correct (no prefs were changed, added, removed)?

      and you were right about how easy it is to fork – i already did it :)

      you scared me a little bit with this…

      THANK GOD you stressed that uBlock Origin be used – because the js by default has killed all tracking protecting and malware/pups etc stuff. Blocklists still work due to revocations, but otherwise it’s a sitting duck for advert networks.

      are you referring to the vulnerability/privacy issues with JS in general, or to some sort of change in the browser that makes it more vulnerable, which is kind of how it sounded to me?

      thanks again – and i’ll update my webpage tomorrow probably – i will likely remove the user.js code entirely and just link to it on GH

      1. It is easier to just link to your github repository (link to the main page, not the user.js itself, so users can see your readme. This way it’s only one place to edit and maintain. Slightly annoying for an end user perhaps, but so is scrolling in that box. The github page is better.

        Yes, the numbering is so it is in line with FF release numbers. That way I can create releases for each one and archive them and it’s as straight forward as a banana.

        Tracking protection is off, that’s not so bad – but so is safebrowsing (all the stuff in 0410 a to g : malware, malicious sites, etc): which is not a good thing to do a user unless they are aware and use an alternative. Together, with no adblocker, this will increase the chances of a malicious ad payload. So uBlock Origin and get some lists going. That’s all. And obviously NS blocking JS and XSS is good too. I think you have already stressed that this config relies heavily on using uBlock Origin, NS, uMatrix etc. So you have replacements :)

        The fork you did differs from the one published at arkenfox. No pref changes, but I added a warning about an pref that killed a few addons (where the xpi resides outside the default dirs), a new test site, some typo fixes, and all that fiddling with the top 16 lines with version changes, url etc. So if you remove the js from above, and link to the forked one when you have edited it to your liking, then it’s perfect. Because your current fork is identical to mine.

        Don’t bother with minor version numbers. I will only change mine from 51 to 52 to 53 etc, and only just before I archive off a release. And that will be a week or so after each stable lands, after we’ve had time to test and check things.

        I suggest, that after I do each version release, that you then do diff/compare and pull in what you want. Then you pop back here and update the version history: eg DATE: Updated 12bytes.js with arkenfox version 52 prefs for Firefox 52. Rinse and repeat when 53 comes out. As simple as that.

        1. i’m trying to get away from making any changes whatsoever to your config, but i’m running into a problem i haven’t yet found a solution for; for example, for a pref like general.buildID.override which is a hidden pref, and one for which you specify a value, how can i set it back to its default value (which i assume is ‘no’ value) without commenting out your line?

          Don’t bother with minor version numbers. I will only change mine from 51 to 52 to 53 etc, and only just before I archive off a release. And that will be a week or so after each stable lands, after we’ve had time to test and check things.

          my thinking is, what if a serious problem isn’t detected during testing, or there’s something you want to add, or even something more benign, such as misleading info or a typo in a comment – that’s where the 51r1, 51r2, … might come in handy – just sayin’ :)

          as for me, i’m certain i’m far more likely than you to screw something up :) which i may not catch before publishing and therefore i’ll need to correct it and issue a new version, so i’ll be using the version scheme i described (r1, r2 …)

          now, about those troubleshooting prefs and updating – i’m going to strongly advise my users to not change anything in your or my config and, instead, to add their own section at the end of the file, complete with the troubleshooting prefs which use unique values of their choice – this will make updating their configs much easier as all they’ll have to do is delete the entire contents of the file, except for their personal section at the bottom, and paste in the new file from GH – all they’ll then have to do is read the change-log to see what was added/changed/removed and adjust the settings in their own section accordingly rather than parsing through the whole file – that eliminates the biggest headache when updating i think – people won’t have to ‘diff’ or search through the files or anything

          waddya you think about that?

          1. “My” versioning is for releases which are archived zip files, and i’m using 51.0 – i.e with 1 decimal place (if there was a serious cockup). This is a one time snapshot/zip-file. If there was a serious cockup, I could do a 51.1 and add a description to the “release”. Otherwise, the actual user.js is in a constant state of change (I added a pref yesterday, removed things like the list of test sites to a wiki, someone else fixed some minor typos). The master branch “real-time” user.js doesn’t really have a version number (changes are tracked via commit history), I’m just maintaining one (in the header section) for releases. Hope that makes sense.

            Hidden pref resetting: this is slightly messy. The pref you mention is always changing based on your FF build, so there is no default – you will have to comment it out. Don’t be afraid to make your own changes. eg:
            // 12byte override disable this
            // user_pref(“general.buildID.override”, “20100101”); // (hidden pref)
            When YOU do a diff/compare and merge over changes, just ignore the ones you don’t want – your notation will help you remember and is good info

            Otherwise, I agree you should override mine in your own section at the end. Your users should do that as well, as it will be easier for them to maintain their own changes.

            I think the arkenfox version is pretty close to this description: “as private and secure etc as possible with some minor inconveniences, and almost no breakage”. In the future I plan on branching out versions such as “Just add and forget, zero breakage, zero risk to current setup” all the way to “Pants is a bastard super-hardened go-to-hell version”. People can use the multiple profiles. The first for difficult/broken sites, the original for everyday, and the hell version for banking etc

  10. First of all thank you and pants for all your efforts, truly appreciate it.
    Secondly I have a small query about user.js, despite enabling Bookmarks in the location bar suggestions in the settings I still don’t get any suggestions in the location bar. Please help me with this.


    1. which version of the user.js are you using and is it mine or Pants’?

      there’s a lot happening at the moment with updates being rolled out, GitHub repo’s being created (both for me and Pants), etc., so you might want to hold off a few days ’till things cool down and then check the revision history here again – i’m about to publish another one very shortly (subscribe to my feed to be notified if you want)

      1. Yours the one posted on 18th on the site, I get history suggestion in the location bar but not the bookmarks. Like you said I’ll wait for things to settle before making changes to my user.js. For now I’ve rolled back my backup profile folder.

        Again thank you for your efforts, cheers.

    2. it is `browser.urlbar.suggest.bookmark` which neither js has set. I have updated the arkenfox version to include it (as well as open tabs):

      // 0808: disable urlbar suggestions – PRIVACY (shoulder surfers, forensics/unattended browser)
      // These settings are under Options>Privacy>Location Bar (these require 0806 to be enabled)
      user_pref(“browser.urlbar.suggest.history”, false);
      user_pref(“browser.urlbar.suggest.bookmark”, false);
      user_pref(“browser.urlbar.suggest.openpage”, false);

      Note that it requires 0806 to be enabled. There is also the issue of 0803 which disables the locationbar dropdown by setting it to display zero results.

      1. “Note that it requires 0806 to be enabled” – that’s ambiguous and was aimed at you getting suggestions working – it has nothing to with disabling them as per the preference description (I’ve since fixed the arkenfox to be better worded).

        What I meant was if you want to enable suggestions, then 0806 would need to be enabled as well. And 0803 which limits how many items show in the dropdown, the user.js sets it as zero, so you will want to comment it out and reset it in about:config

Leave a Reply

Your email address will not be published. Required fields are marked *