Firefox Configuration Guide for Privacy Freaks and Performance Buffs


See the revision history at the end for a list of changes.

Before embarking on this journey into the bowels of Firefox, you may want to first read, Tor verses a VPN – Which is right for you?. If you choose to use the Tor Browser, you need not digest this guide.


The following video will provide an overview of one aspect of what it is we're up against and why i wrote the Firefox configuration guides. I encourage everyone to view it, especially if you're one of the many people who aren't worried about surveillance because you 'have nothing to hide'.

Video: Prof Shoshana Zuboff on surveillance capitalism

This guide is long, boring, dry, tedious and somewhat technical, so if you don't feel comfortable digesting it, try the The Firefox Privacy Guide For Dummies! instead, however be aware that it doesn't offer the same degree of protection.

To understand my personal position regarding the ethical nature of the Mozilla Foundation, read The Mozilla Monster.

WARNING: This guide is not for use with the Tor browser. Configuring the Tor browser as outlined in this guide may/will result in potentially serious risks to your privacy.

Though this guide is centered around the Firefox web browser, users of other browsers, email clients and Mozilla products may find it useful. If you are interested in hardening the Thunderbird email client, see The Thunderbird Privacy Guide for Dummies!.

Many of us are aware of the immense threats to our on-line privacy and security posed by various technology companies, governments and malicious hackers, any of which may go to great lengths to monitor our electronic communications. Governments and their "intelligence" apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of various companies to do so, including Microsoft, Google, Facebook, Verizon, Comcast, Amdocs and many, many others. While the data corporations collect may be used for relatively benign purposes such as targeted advertising, the intentions are often far more sinister. Governments present a whole new level of threat. Much of what Edward Snowden has brought to light is not new, but it seems Snowden has presented the information in a way that has captured the attention of a broader range of the public, prompting many to seek ways to mitigate such threats.

While the primary goal of this guide is to help the reader thwart some of the more obvious efforts to track and profile us as we surf the web, as well as increase browser security and performance, understand that i am not an expert in computer security or privacy and there are surely many more variables and vectors for attack than i am aware of. While there are many known methods that can be used to compromise our digital well being, how many more are there of which we know nothing? Or what about techniques that most of us never consider? For example, even if you are a knowledgeable, technically proficient and privacy conscious individual who uses open hardware devices running secure, open source software and on a security enhanced operating system, and even if you connect to the internet only through Tor, you may still be at risk of being tracked because, disregarding everything else, your unique writing style can be used to identify you. It is not this level of sophistication that i will attempt to address here however. My goal is to share what i have learned over the years as a casual web surfer and computer user who has a hobbyist-grade interest in computer security and digital privacy. Having said that, i believe -- and please correct me if i'm wrong -- this guide is currently one of the more comprehensive of its kind in that it addresses many aspects of the Firefox web browser including configuration, extensions and optimizations. If you want to go further than this guide can carry you, see the resources section at the end which include the fine article, Improve Your Privacy in the Age of Mass Surveillance. I would also highly recommend using a VPN to help prevent spying by your ISP and other bad actors. That One Privacy Site is a good resource for choosing a VPN, as is TorrentFreak which publishes annual reports regarding many of the popular VPN service providers. Their 2018 report is here.

As with any modern and mainstream web browser, Mozilla Firefox is a highly complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, hidden, or undocumented. In at least soma ceases we have reached the point where our web browsers exceed the complexity and size of entire computer operating systems and things can go down the toilet really fast if one starts messing around with their settings willy-nilly. Poorly coded browser extensions are an additional weak point that can compound the problem. Here we will attempt to accomplish our goals in an efficient manner with a minimal number of carefully chosen browser extensions.

A trade-off must be expected when we tighten security and privacy insomuch as some websites will cease to function as we expect until the settings for those specific sites are adjusted. Anyone who has used a content filter such as uBlock, NoScript or Request Policy will understand that certain resources must be allowed for a given website to function in an acceptable way. Similar to NoScript however, the process of allowing required resources for a particular website usually consists of a few mouse clicks followed by a page refresh and once we have made these adjustments our workload will be greatly reduced. Nevertheless, be prepared to put a little more effort into your web surfing activities at the start and expect the occasional hard-case where more fiddling than usual will be required to get a particular site to work. The pay-off will be a much cleaner and faster web that is less able to track, profile and fingerprint you, as well as a Firefox that is more resistant to attack.

A note regarding user comments

When reading the user comments on this page, keep in mind that this guide has been around since 2015 and, given the very dynamic nature of the web and web browsers, some of the information in the comments, including information provided by myself, may no longer be applicable and, in some cases, entirely wrong. Nevertheless i decided to retain all comments because... nostalgia. If you have any questions, ask. I usually provide answers within a few hours or so.


Add-on/extension: I use these terms interchangeably. A web browser add-on or extension is a piece of software, typically developed by a 3rd party, that extends the capability of the browser. Web extensions, which leverage the WebExtension API (Application Programming Interface), have replaced the older legacy (XUL/XPCOM) extensions beginning with Firefox version 57. The newer API is essentially the same as used by Google Chrome and some other web browsers. The WebExtension API is severely limited compared to the older API and while this is a plus with regard to browser security and stability, it also strictly limits what extensions are able to do.

AMO: Addons.Mozilla.Org - the Mozilla Add-ons website.

Crapware/malware: I consider crapware/malware to be software that contains code which is not relevant to the functionality users expect. As such, the term crapware, or malware, refers largely to adware, tracking code and any other malicious code with regard to web browser extensions. Crapware is often added to browser extensions by a company or solo developer who wishes to monetize their work and often takes the form of profiling users and selling the data collected by the extension to a marketing company, however much worse is possible.

CDN: A Content Delivery Network is a service that hosts reusable content, such as graphics and libraries which developers can leverage to make building web platforms easier. CDNs often present a threat to our privacy by tracking our web activities. They are a formidable threat because a single CDN service may be used by many millions of websites and therefore its tracking capabilities can be used to track browsers across domains. The use of CDNs is so prolific today that many websites will not function without them and so blocking them is hardly an option.

CSS: Cascading Style Sheets are used primarily to apply visual styling to HTML elements, thus making web pages look pretty, however the capability of CSS has been expanded well beyond its original specifications to the point where it can now be used for nefarious purposes.

Domain/subdomain/TLD: In the example '', 'example' is the root domain, 'sub' is a subdomain of the root domain and 'com' is the TLD, or Top Level Domain. You can think of root domains and subdomains as sort of different containers which are used to separate content for a single website. For example, let's assume is focused primarily on information about kittens, but they also might have a web store where they sell paper bags. In order to keep the store content separate, they may host the store on the subdomain ''.

Fingerprinting: Web developers can employ many techniques in an attempt to identify your computer which can then be used to track your on-line activities and target you for various reasons. Your hardware, web browser and other environment variables all contribute to your uniqueness. This data may be gleaned from such things as querying the browsers capabilities, its cache, its viewport dimensions, what add-ons or plugins you have installed, your display resolution, your locale, your operating system, what fonts are installed and how they are rendered, the Canvas API and much more. This information can be obtained using various techniques, including through HTTP header data and JavaScript and it is often used for the purpose of profiling you and tracking your web activities. For further information, see A Primer on Information Theory and Privacy and Panopticlick. See also the explanation for 'tracking' and 'web storage' below.

HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are communication protocols used by computers to transmit data over the internet. For HTTP an insecure, unencrypted connection is established between your web browser and the website you're visiting. This is dangerous because such a connection is vulnerable to ISP (Internet Service Provider) snooping and man-in-the-middle attacks. An HTTPS connection on the other hand offers a more secure connection because the data you send and receive is encrypted. Some web servers simply do not support HTTPS however and for this reason, as well as others, i would strongly suggest using a VPN.

JavaScript (JS): A powerful programming language used by many websites to run code locally on your computer. Although JavaScript is used by many websites for legitimate reasons, such as to make them interactive, it can be, and often is, used maliciously to perform a wide variety of attacks against the browser and our privacy. Many browser fingerprinting and tracking techniques depend on JavaScript and because JS is so widespread and used for so many things, it is enabled by default in every mainstream web browser.

Tracking: Once a unique identity for the browser has been established through fingerprinting, it is then possible to track your web browsing activities both within the same domain and across domains. See also the explanation for 'web storage'.

Web fonts/remote fonts: These are font packages typically hosted by a 3rd party, such as Google, which a web developer may use to specify how text is displayed on a website. Web fonts present a few problems regarding browser tracking and, potentially, security.

Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites.

Web storage: In addition to HTTP cookies and object caching, most/all mainstream web browsers also allow a web server to store data locally using several other storage methods including local and session storage, indexedDB storage, storage, Etag cache storage, Local Shared Objects storage, Service Workers, offline storage, HTTP Strict Transport Security storage and other methods. Stored data for Firefox may consume up to 50% of your free disk space. If you are concerned about protecting your privacy, trust me, you have far more to worry about than the simple text cookies of yesteryear which in theory, but not always in practice, could be read only by the domain that set them.


Code editor

You will need a decent code editor with syntax highlighting to edit Firefox's configuration files. Linux users should have something suitable installed by default, however if you're running Windows i might suggest Notepad++ or PSPad, the latter being the simpler of the two.

Unhide file extensions

If Windows is using you, the geniuses at Microsoft have taken it upon themselves to hide file extensions from the user. You will need to un-do that.

Getting Firefox

Though i recommend using the stable release version of Firefox, there are other versions such as the ESR (Extended Support Release), however it is usually an older version. There is also a Developer Edition which includes the very latest features (and bugs). While there are many 3rd party forks of Firefox, including Waterfox, Cyberfox, Pale Moon (or Basilisk from the same developer), etc., i do not recommend using any of them. The small development teams for these 3rd party builds often lag far behind regarding security patches and they can be buggy and incompatible with the latest add-ons (Pale Moon doesn't support the newer Web Extensions at all). While some forks may be more privacy-centric out of the box, we can accomplish essentially the same degree of privacy or better with the official Mozilla release version.

The user.js file

The user.js file is typically where your personal Firefox preferences are best kept, however in our case we will be using a preconfigured one and then storing our personal preferences in a user-overrides.js file which will be appended to user.js using a script.

The user.js file we will use is a result of a formidable effort by 'pants' and the rest of the 'arkenfox/user.js' crew and contributors. Their work became rather popular when it was published as A comprehensive list of Firefox privacy and security settings by Martin Brinkmann on The project has since moved GitHub, but don't download anything yet.

Firefox post install cleanup

After installing Firefox, and before you make any changes, back-up your current profile. If you don't know where it is, enter about:profiles in the address bar and click the 'Open Directory' button in the 'Root Directory' row. The easiest way to backup your profile is to select your profile folder under the /firefox directory and press Ctrl+C to copy the folder, then Ctrl+V to paste it in the same place but with a different name. I might suggest keeping the original name and just appending -bak to the copy. From this point on, all changes should be made to your original profile, leaving your backup profile untouched in case something explodes. Next, delete everything from your original profile, keeping only your bookmarks and whatever else you need. See the article Profiles - Where Firefox stores your bookmarks, passwords and other user data if you need help with what data is stored in which file/folder.

System add-ons

Packaged with Firefox are a bunch of system add-ons which are installed without your consent and they are essentially hidden (they are not listed in about:addons). Some of these add-ons have been and may currently be used for controversial purposes such as collecting data about how users interact with search engines, the browser, etc.. Typically i remove all of them, however you may want to keep some them after researching what they do and whether they preserve your privacy. On Linux these add-ons may be found at /usr/lib/firefox/browser/features and for Windows in \Program Files (x86)\Firefox\browser\features or \Program Files\Firefox\browser\features . You can delete them in Linux using the terminal:

cd /usr/lib/firefox/browser/features
sudo rm *.xpi

These system add-ons will be reinstalled each time Firefox is upgraded. On Windows you can apparently use CCleaner to disable them. If you're running Linux with the pacman package manager (Arch, Manjaro), you can prevent their re-installation by editing the pacman configuration file, pacman.conf. Note that this will not work using Pamac, the GUI package manager, until this bug is addressed. In my case i find it easier to just bookmark the /features folder in my file manager and run the command above each time i update Firefox.

Search engines

I recommend readingFirefox Search Engine Cautions and Recommendations which offers information about how Mozilla monetizes Firefox with the included search engine plugins and what can be done to opt out of this affiliate scheme should you so choose.

Required and suggested add-ons and settings

Following are the add-ons required for this guide and their recommended settings. All of the add-ons listed here are of the WebExtension variety, meaning most should work with Firefox versions 57 to 59 and all should work with versions 60 and up. Download and configure each add-on as you go through the list. Each of these add-ons is important so don't skip any of them with the possible exception of uMatrix.

CanvasBlocker by kkapsner

Note: I consider this add-on to be optional since Firefox, along with the 'arkenfox' user.js, largely negates the need for CanvasBlocker. Personally i no longer use it.

Description: Helps to prevent browser fingerprinting through the JavaScript Canvas APIs.

Settings: Following are the most important settings. Others are optional.

General tab:

  • Expert mode: enabled
  • Block mode: fake
  • Faking
    • Random number generator: non-persistent
  • Notifications
    • Show notification icon: enabled

API tab:

  • Canvas API
    • Protected part of the canvas API: readout
    • Protected API features: all options enabled
  • Audio API
    • Protect audio API: enabled
    • Protected API features: all options enabled
  • History API
    • Protected API features: all options enabled
  • Window API
    • Protect window API: enabled
    • Protected API features: all options enabled
  • DOMRect API
    • Protect DOMRect API: enabled
    • Protected API features: all options enabled

Misc tab:

  • Logging level: error

ClearURLs by Kevin R.

Description: Strips many tracking and other (mostly) unnecessary parameters from hyperlinks, such as the utm_* tracking parameters used by Google Analytics. Unlike other similar extensions, ClearURLs uses a remotely updated list from GitLab and requires little or no interaction.

Settings: Following are the most important settings. Others are optional.

  • Allow domain blocking: if you are not using any of the major ad filtering lists in uBlock, then enable this
  • Skip URLs on local hosts
  • Prevent tracking injection over history API
  • Filters ETag headers from requests

'Block hyperlink auditing' can be left disabled as long as is enabled in your user.js or user-overrides.js.

Cookie AutoDelete by CAD Team

Note: While this add-on is optional when using the 'arkenfox' user.js, i highly recommended using it since it provides more granular control over web storage and results in less website breakage while still protecting privacy.

There's basically two policies for handling web storage; 'default deny' and 'default allow'. Personally i much prefer and suggest using the 'default allow' method along with CAD. Note that privacy.clearOnShutdown.cookies must be set to 'false' if you want to save web storage across sessions (it's set to 'true' in the 'arkenfox' user.js). You can either use my user-overrides.js in which this preference already exists, or create your own and add this preference to it in order to override the user.js setting.

If you do not use CAD and do not want websites to store data locally ('default deny' policy), you can alter the settings in [SECTION 2700]: PERSISTENT STORAGE of the 'arkenfox' user.js by copying the ones you want to change to your user-overrides.js and changing the values there. Again, i advise using CAD, but the choice is yours.

If you then want to save storage data for a website while using the 'default deny' policy, such as your log-on credentials or search engine settings, you will need to edit the permissions for each website for which you want to keep this data. There's two easy ways to access site permissions; you can right click within the page to open a context menu, then click the 'View Page Info' menu item, or you can click the padlock icon in the address bar, then the right-facing arrow, then 'More information'. Either way, click the 'Permissions' icon in the window that opens and scroll down until you see the 'Set Cookies' item. Finally, deselect 'Use Default' and select the 'Allow' option to keep your settings for the website after Firefox is restarted. Note that, unlike CAD, you won't have an option as to exactly what kind of storage you want to keep (you cannot differentiate between cookies and localStorage for instance).

Description: Upon domain leave (tab closure) CAD can automatically remove web storage per-host including cookies, cache, workers, indexedDB storage and plugin storage.


  • Enable all options on the 'Automatic Cleaning Options' section of the 'CAD Options' tab
  • Enable all options on the 'Other Browsing Data Cleanup Options' section of the 'CAD Options' tab
  • All other settings are optional

CSS Exfil Protection by Mike Gualtieri

Description: Helps to prevent attackers from exploiting Cascading Style Sheets (CSS) vulnerabilities.

Settings: None.

LocalCDN by nobody42

Note: This add-on is optional. Firefox with the 'arkenfox' user.js largely negates the need for LocalCDN. This add-on will speed-up page loading, so you may want to use it anyway, however it can break websites on rare occasions in which case the HTML filter option will need to be enabled, or LocalCDN can be disabled for the site.

Description: Helps to prevent tracking and speeds-up page loading by using local copies of common JavaScript libraries rather than fetching them from a CDN.

Settings: Following are the most important settings. Others are optional.

  • Display injection counts on icon
  • Disable link prefetching
  • Strip metadata from allowed requests

Enabling the option to 'Block requests for missing resources' will further decrease threats to privacy, however this will break more websites and so the choice is yours.

Privacy-Oriented Origin Policy (POOP) by claustromaniac

Description: Helps to protect privacy by manipulating Cross-Origin Resource Sharing (CORS) requests.

Settings: I would recommend setting the 'Global mode' to 'aggressive' and enabling the 'Exclude root domain matches' option. If you not are using uMatrix, enable the 'Spoof cross-origin Referer' option. You can also add the following to the 'Exclusions area: * *
* *

Skip Redirect by Sebastian Blask

Description: Skips link redirections such as used by Google, AMO and many other companies and websites, thus helping to prevent tracking. Redirects are intermediate links, such as '' or short links, that forward the browser to the final destination.

Settings: The default settings are sufficient. You will likely have to whitelist sites that no longer work properly which Skip Redirect makes easy to do since you can copy the last skipped URL by right-clicking its toolbar icon and then adding that URL or domain to the blacklist.

uBlock Origin (uBO)

Description: uBlock Origin is an excellent ad/content blocker that can use the same filter lists as Adblock Plus as well as many more. Make sure you use the original uBlock Origin by Raymond Hill and no other. If you choose not to use uMatrix, it is important that you enable advanced mode in uBO and learn how to use its dynamic filtering capabilities.

Settings: If you decide to use both uBlock Origin and uMatrix as suggested, the former will be used primarily for its static filtering capability (the filter lists for ads, tracking, malware, etc.) while the latter will be used primarily for its dynamic filtering capability (JS, cookies, frames, etc). To set up uBO, see the uBlock Origin Suggested Settings Guide. and use the settings in the 'Advanced guide settings' column.

uMatrix (uM)

Description: By the same developer as uBlock Origin, uMatrix is also a powerful content blocker that provides more granular control over web requests than uBlock does. Using uMatrix is somewhat optional, however if you choose not to use it then it is important that you enable advanced mode in uBlock Origin and learn how to use its dynamic filtering capabilities.


Firefox Configuration Guide for Privacy Freaks and Performance BuffsOnce uMatrix is installed, click the toolbar button and then the title bar of the pop-up to open the Dashboard.

Following are the settings i recommend enabling.

Settings, Convenience:

  • Show the number of blocked resources on the icon
  • Hide placeholder of blacklisted elements
  • Spoof <noscript> tags when 1st-party scripts are blocked

I would not suggest enabling the option to 'Hide placeholder of blocked elements' since being able to see a blank area in a web page will provide a visual indication that something was blocked.

A note regarding the option 'Spoof <noscript> tags when 1st-party scripts are blocked': Enabling this setting is optional as there are advantages either way. If you enable it, then some websites will present a notification that you have disabled JavaScript (which we will certainly do) and this can be beneficial, especially to those who are new to blocking JS. On the other hand, some content for some websites that would normally be available with JS disabled will not be available if this option is enabled. For example, if you browse my photo pages with both JavaScript and this this option disabled, the images will not be displayed, however if you enable 'Spoof <noscript> tags when 1st-party scripts are blocked' the images will be displayed, even with JavaScript disabled.

If you enable this option and have trouble with a site (you receive a notice that JS id disabled which you want to avoid, or you are forwarded to another page/domain that tells you to enable JS, etc.), you can always add an exception to the 'My rules' tab in the settings. For example, to disable this option for which (stupidly) refuses to display any content when this option is enabled, add the following:

noscript-spoof: false

Settings, Privacy:

It is unnecessary to enable the 'Block all hyperlink auditing attempts' setting as this is covered by the 'arkenfox' user.js.

If you enable (set to 'true') the Firefox preference then it is unnecessary to enable the 'Strict HTTPS: forbid mixed content'. As with all custom preferences not covered by the 'arkenfox' user.js, or those you wish to modify, this preference should be added to your user-overrides.js.

Settings, My Rules:

Optionally, on the 'My rules' tab, you can add the following to the 'Temporary rules' pane, then save and commit your change:

no-workers: * true

This directive disables JavaScript web workers globally (1st and 3rd party). Workers can then be enabled per-domain from the uMatrix dashboard (the 3 dot icon).

Note that web workers depend on JavaScript being enabled. Also note that blocking workers with uM may be problematic in that, if they were blocked by Firefox prefs instead, the web page may fall back to one that doesn't depend on workers whereas if they are blocked in uM then the page may just break without falling back. The reason i prefer the latter is because toggling the uM workers option per domain is possible and easy, whereas toggling the Firefox preference setting is global and not as easy.

Settings, Assets:

As long as you're using uBlock Origin to control static filtering (the filter lists) you should disable everything in the 'Hosts files' section of the 'Assets' tab, purge the caches and save your changes. It is better to use uBlock Origin to control static filtering (ads and such) since it offers many more options by default, plus the hosts filters are more likely to break website functionality.

Also on the 'Assets' tab, you can enable the 'Ruleset recipes for English websites​​​​​​​' option. On the uM toolbar pop-up you will notice a puzzle piece icon which you can use to quickly import a rule-set for resources used by the page you're visiting if it uses a 3rd party resource and if someone has created a rule-set for that resource. For example, if you visit a page with an embedded YouTube video, you can import the rule-set for YouTube instead of configuring the filters manually. You might want to switch to the global scope before doing this so that embedded YouTube videos will play on all websites.

Settings, My Rules

If you're using the LocalCDN add-on you need to add some rules to the 'My Rules' tab in the uMatrix Dashboard. You will find the rules in the preferences area of LocalCDN. There are rules different rules for uBlock and uMatrix, so be sure to copy the correct ones and paste them on a new, blank line in the 'My Rules' tab of uM. When adding the rules, be sure to remove any conflicting rules for the same domains if you have any (you won't if you're starting fresh). If you are allowing CSS globally (for all hosts) in uM, there are several CSS specific rules from LocalCDN that you can optionally delete from the uM 'My Rules' tab. To display them, filter the list using css allow , then delete all the rules except the * * css allow rule which will likely be the first rule. Don't forget to save and commit the changes.

If you're using uBlock Origin in addition to uMatrix, you need not add the rules for uBlock as long as advanced mode/dynamic filtering is not enabled.

Additional add-ons

For more possibilities regarding add-ons, see Firefox Extensions: My Picks.

Automatic add-on updates

The tl;dr version is: Do NOT enable automatic add-on updates. The longer version follows...

Regarding automatic add-on updates, which is enabled by default in Firefox, this function is disabled in the 'arkenfox' user.js file and i would strongly suggest keeping it disabled. Automatic checking for updates is fine and this is enabled in the 'arkenfox' user.js, but we do not want Firefox to update add-ons without our explicit consent. The problem here is that developers may, at any time, and without notice, monetize their add-on or sell their work to an unethical 3rd party and this often results in compromising your privacy. Examples of some currently or formerly popular add-ons which contain(ed) such crapware are Abduction, a screen capture utility; Quick Locale Switcher, a language switcher; FasterFox Lite, a largely useless utility which claims to speed-up Firefox but doesn't; BlockSite, a content blocker; Stylish, a very popular utility for changing the appearance of websites, and many, many others. Not all of these extensions contained crapware when they were first introduced which is why i strongly suggest keeping automatic add-on updates disabled and carefully reviewing the change logs, permissions and privacy policies each time an add-on update is available. For more about Firefox add-ons, see Firefox Extensions – My Picks.

Firefox configuration

This guide depends heavily on the 'arkenfox' user.js configuration file which alters hundreds of important Firefox preferences related to privacy and security, thus you need not worry about manually configuring anything from the Preferences menu of Firefox other than a search setting which we'll get to. If you choose to not use the 'arkenfox' user.js, then your job is likely to be considerably more difficult assuming your goals are similar. Still, you may find it helpful to refer to the 'arkenfox' user.js should you choose to start from scratch.

Search bar on navigation bar

I would suggest adding the search bar to the navigation bar and using it instead of the address bar for searching the web. Not only might you find it more convenient, but there are potential privacy concerns when searching from the address bar. To accomplish this, open the Firefox Preferences page, click the Search item on the left, then enable the option 'Add search bar in toolbar'.

Firefox profile in RAM

With the wide adoption of speedy Solid State Drives (SSDs), the concept of sticking the Firefox profile in RAM for performance reasons may seem obsolete, however there are still benefits in doing so. If you don't want to disable disk caching, web storage and cookies globally, and thus break a lot of websites in the process, there will be substantial read and write activity for your storage media. Placing your Firefox profile in RAM will alleviate much of this, however doing so can be risky should a catastrophic failure occur, such as a power failure which could result in data loss or corruption. Fortunately there are ways to minimize this risk. If you use Windows you're on your own since i don't, suffice to say that there exists Windows compatible software that can manage RAM disks and backup your profile to your storage media. 'Bushdoctor' provides a method in a comment left on this article. Those using most any flavor of Linux have access to a very spiffy utility called Profile-sync-daemon (PSD) which is designed specifically for this task and it works with quite a few browsers. Check your package manager to see if it's available in your repository. To get PSD working, run man psd in a terminal or consult the guide on the Arch wiki. Setting it up was very easy in my case and it has worked flawlessly and transparently ever since.


Note that Firefox stores its web cache in a location other than the profile directory. On Linux it's kept at /home/[user]/.cache/mozilla/firefox/ . Normally you would have to deal with web cache separately if you wanted to store it in RAM also, however since disk caching is completely disabled in the 'arkenfox' user.js (cache is stored in memory) and the cache is dumped when you exit Firefox, you need not worry about it. If you're thinking it would be more efficient to keep the browser cache instead of having to re-download objects for the websites you visit frequently, you're right, however doing so can compromise your privacy. We won't exactly be dumping all of the browser cache either since we're using the LocalCDN add-on.

Configuration files

Keep the following hierarchy in mind as you read this section. When Firefox starts:

  1. prefs.js is read by Firefox
  2. user.js is read by Firefox - all preferences in the user.js file are copied to the prefs.js file and any preferences that are duplicated in both files are overridden by those in user.js - prefs.js is then used to generate what you see in about:config
  3. user-overrides.js is never read by Firefox but these preferences are appended to the 'arkenfox' user.js with a script (preferred) or by manual copying - if using the 'arkenfox' user.js this is the only file you should edit and it is where all your custom preferences should be placed - this may defy conventional knowledge, so let me be clear:

If you are going to use the 'arkenfox' user.js file then you should never edit it, (nor the prefs.js file that Firefox creates) nor should you change important settings from about:config unless you're only testing something. All of your custom preferences should be placed in your user-overrides.js file and then appended to the 'arkenfox' user.js using their updater script.

One reason for this is because the 'arkenfox' user.js file is quite a large and is updated fairly frequently, so if you edit it and then update it, all your custom changes will be lost, whereas if you copy the preferences you want to alter from the 'arkenfox' user.js to your user-overrides.js and change the values there, then updating the 'arkenfox' user.js one will be a lot less painful. On the other hand, should you choose to not use the 'arkenfox' user.js, then you should add your changes to your own user.js instead of using my user-overrides.js and you can ignore everything stated here about the user-overrides.js. Either way, never edit the prefs.js file directly or by way of about:config unless you're just testing something.

If you do not have a general understanding of the the user.js file, you may want to read this on the 'arkenfox' wiki. You should also poke around elsewhere in the wiki for detailed information on using and maintaining their user.js file.

Obtaining and maintaining the user preferences files

In your profile folder, delete or rename your existing user.js file if you have one. You can transfer any needed settings later if they are not already covered in the 'arkenfox' one. Next, i might suggest downloading my user-overrides.js file. Go to the at my repository and download the user-overrides.js file to your Firefox profile directory. The easiest way to get the file without messing up the formatting is to view the raw file, then press Ctrl+S to save it. Next, open the file for editing using your code editor and follow the instructions within.

Next we want the 'arkenfox' user.js file from the arkenfox/user.js/arkenfox/user.js GitHub repository but you need not download it directly. Instead, grab their (Linux) or updater.bat (Windows) script by clicking the file name, then clicking the 'Raw' button in the new page and pressing Ctrl+S to save the file to your Firefox profile directory. Use the same method to get a copy of their (Linux) or prefsCleaner.bat (Windows) and place it in your Firefox profile directory. The prefsCleaner script will reset any depreciated, removed, or inactive preferences and it's important that you do this. If you're running Linux, don't forget to make the files executable. Next, run the updater script to fetch the 'arkenfox' user.js and append the contents of your user-overrides.js to it. In Linux run ./ in a terminal and follow the prompts. If you have given the file the executable flag and still get an error, try grabbing a new copy being careful to use the method i described earlier.

At this point it is important to go through the entire 'arkenfox' user.js file and read all of the comments and review each of the settings to be sure everything is configured the way you want. As stated above, any preferences you want to change in the user.js file should be copied to your user-overrides.js file in the appropriate section where you will then change their values. Note that if you ever add and then comment out or delete a custom preference in your user-overrides.js which is not contained in the 'arkenfox' user.js, and you have run Firefox after doing so, that setting will remain in the prefs.js file. The safest way to remove such preferences is to open about:config in Firefox and reset them (right-click the preference, click 'Reset').

Over time it is possible that your user-overrides.js file will contain preferences that are obsolete. The 'arkenfox' user.js file contains a list of some of these preferences in the section titled [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED and these preferences should be removed from your user-overrides.js file. One very tedious way to do this is to go through the list line by line and see if they are duplicated in your user-overrides.js. An easier way is to use the -c switch (documentation here) when you run the updater script which will output a 'diff' file containing the differences between the old user.js and the new one.

I suggest you run the updater script with the -c switch (Linux only) every time you update the user.js file or make changes to the user-overrides.js file. This will create a "diff" file containing the differences between the old and current versions. You can read more about the updater script here and the cleaner script here.

Verifying the integrity of user.js

IT IS VITAL that you perform two integrity checks whenever the 'arkenfox' user.js file is updated or you have edited the user-overrides.js file if you're using it.

From the 'arkenfox' crew:

In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.

They reference the article, 'A New Preferences Parser for Firefox' if you're interested in knowing more.

To perform this check, you might want to disable your network connection, then start Firefox and open the Browser Console from the Web Developer toolbox (Ctrl+Shift+J might work) and check for and preferences errors.

The reason it is suggested to disable your network connection is because, in the event there is a problem with an important preference, a network connection may allow data to flow in or out which you wanted to avoid.

Now we will further check the integrity of the user.js file and, by extension, also the user-overrides.js file since the content of the latter was copied to the end of former with the updater script.

You may have noticed a bunch of unusual looking _user.js.parrot preferences in both files. These are used for troubleshooting syntax errors by quickly identifying a specific section in which the error lies. When you run Firefox for the first time after updating the user.js or making changes to your user-overrides.js, check the value of the troubleshooting preference by entering about:config in the address bar and searching for the _user.js.parrot preference (it will likely be the first one listed without having to search). The value should match the very last _user.js.parrot preference value in your user-overrides.js or, if you are not using a user-overrides.js, then it should be the last value in the 'arkenfox' user.js.

If you're using only the 'arkenfox' user.js, the value should be, " SUCCESS: No no he's not dead, he's, he's restin'! ".

If you're also using my user-overrides.js, the value should be "SUCCESS! USER SETTINGS LOADED" .

If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section of the user.js or user-overrides.js the syntax error lies. While it cannot narrow down the problem to a specific preference or line number, at least you will know where to begin looking.

Updating the user.js and user-overrides.js files

To update the 'arkenfox' user.js file, run the updater script with the -c switch as explained earlier. To update my personal user-overrides.js file, just copy the contents of the new version to your user-overrides.js, then run the updater script with the -c switch. Lastly, run the 'arkenfox' prefsCleaner script with Firefox closed.

The 'arkenfox' user.js is updated fairly frequently and so you'll need to check for updates regularly. There's two ways you can check for updates if you're running Linux and one if you're running Windows, however there's only (easy) way to actually update the user.js and that's by using the 'arkenfox' updater script.

user.js-notify script message (Linux)If you're using a Linux-based OS you can use my script to be automatically notified via a desktop notification when:

  • the 'arkenfox' user.js is updated
  • my user-overrides.js is updated
  • this guide is updated

The idea here is to add the script to your startup programs so it runs each time you log-on to your desktop. Instructions for implementing the script are contained within the script. Open the file with a code/text editor to read the instructions and edit a few options.

To check for a new user.js if you're running Windows, or to actually update the file, exit Firefox and run the 'arkenfox' updater script. If you're running Windows, or if you're running Linux and don't wish to use my script, you should run the updater script every week or so in order to check for a new version. You always want the user.js version that corresponds to the major version of Firefox, so if the updater script says Available online: * version 80-alpha and you're running Firefox version 79.0.1, you'll want to cancel the update because 80 doesn't equal 79.

Each time you run the updater script, be sure to follow it up by running the prefsCleaner script.

To be notified of updates to my user-overrides.js file you can subscribe to the news feed for the Firefox category or watch the front page feed.

HSTS tracking

To understand how HTTP Strict Transport Security (HSTS) works and how it can be used to track browsing history, as well as the implications of disabling it, read How to prevent HSTS tracking in Firefox on the arkenfox website. Setting the preference security.cert_pinning.enforcement_level to ' 0 ' may disable HSTS and Public Key Pinning, however there is a security risk in doing so. If you set the preference to ' 0 ' and experience the error "The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset.", reset the preference. Likewise if you set the preference to ' 2 ' and experience the error "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE", reset the preference.

DNS over HTTPS (DoH)

In the alleged interest of privacy, Firefox has added code which allows to route all DNS look-ups over HTTPS to a resolver of your choice. Typically DNS queries are routed through your ISP, so while they cannot view your traffic as long as it's encrypted (HTTPS), they can see what websites you visit and this is a serious privacy concern. There are several ways to mitigate this, one of them being to use a VPN that provides DNS services. Another is to enable DoH within Firefox, however this will only protect your browser and not any other programs on your system that connect to the internet. Moreover, there seems to be a lot of controversy regarding DoH, so before you enable this setting you might want to watch the video, Paul Vixie talks about DNS over HTTPS, and read this on Wikipedia, and also the article, Mozilla is becoming evil.

Part of the DoH system in Firefox can be controlled with the preference, network.trr.mode , however it is easier to simply use the Preferences UI to do so (Preferences > General > Network Settings > Connection Settings). The default DNS resolver is Cloudflare, but given what i have read about this company, i would highly suggest not using it. You might want to do some research and locate a privacy-centric DNS resolver to use for DoH should you decide to enable DoH.

If you decide to use my user-overrides.js preferences file, note that it disables DoH by setting network.trr.mode to '0' (i use a VPN that provides DNS). You will need to change that if you want to enable DoH.


Thanks to 'AHappyUser' for reminding me about the policies.json configuration file which can be used to control how Firefox behaves, particularly in enterprise environments. 'AHappyUser' linked to the Controlling Firefox section of the article, Mozilla is becoming evil - be careful with Firefox, which provides a few examples of what can be done with the policies.json file. Note that all of the examples given can be controlled via preferences in your user.js file so there is no need to create the policies.json file, however i mention it because some folks may find it useful. For more information regarding what can and cannot be done with policies.json, see the Mozilla repository on GitHub.

Add-on usage

Cookie AutoDelete (CAD) usage

Cookie AutoDelete is very easy to use, requiring little interaction. Your only interaction with it is likely to be whitelisting or greylisting those websites for which you want to retain their storage (cookies, localStorage, indexedDB storage, etc.), such as a search engine that you want to remember your settings, or a website you want to log on to automatically. If you greylist a domain, it's storage will be retained only for the current session (until the browser is restarted) whereas if you whitelist it, the storage will be retained across sessions.

CAD offers a choice of two host patterns when grey or white listing a domain from its toolbar pop-up. The upper choice is the root domain ( while the lower one is the root domain prepended with an *. which means it includes the root domain as well as all subdomains (,,, etc.).

After white or grey listing a domain, you have the option as to what types of storage you want to keep. In many cases, but not all, keeping only 'cookies' is sufficient if you want to retain log on credentials or settings for a website.

uMatrix usage

!!! SET THE SCOPE, LOCK THE LOCK !!! Keep that in mind as you read this section.

You will likely be spending far more time with uMatrix (uM) than all the other add-ons combined and, being it is one of the most important ones in the pile, it is vital you understand how to use it, so read the wiki because i'm not going to go into great detail here.

When you first install uMatrix, it will allow all 1st party requests by default and we need to sledgehammer that, so load up in a new tab and click the uM toolbar icon to display the main pop-up interface:

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Because you have read the uMatrik wiki (you did, right?), you already know that YOU MUST REMEMBER TO SET THE SCOPE in which uM operates before making any changes. Failing to do this will threaten your privacy and/or security. You also know that any changes you make are temporary unless you save them. Since we first want to set some basic default filters that affect all websites, we need to change to the global scope:

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Once we're operating in the global scope, i suggest setting up uMatrix to allow CSS, images and, if you're using Cookie AutoDelete, 1st party cookies, all globally. Optionally you may want to allow 1st party media and/or frames globally.

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

The configuration above will result in the following behavior:

  • 1st party cookies will be allowed globally
  • CSS will be allowed globally, including 3rd party CSS
  • Images will be allowed globally, including 3rd party images
  • 1st party frames will be allowed globally

Unless you only want your changes to be temporary, always remember to click the padlock icon to save them.

Note that in the screenshots that follow, the 1st party cookies block will not always be green as in the one above due to an oversight on my part when i created the screenshots.

Now load up this post in a new tab. Does it look like something's missing? Sure enough, if we open the uMatrix pop-up interface again, we see (or just in the resource list which should tell you that there must be a YouTube video in that post that is being blocked. It also tells you exactly what was blocked, in this case a single frame:

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

If uMatrix is hiding the subdomains and you don't see, click this little thing in the 'all' row and it will expand the list of domains:

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

In the screenshots above you can see we are operating in the local scope ( You will notice that i allowed all requests for the 1st party domain,, because it's my site and i trust it. You need not do the same and, as a rule of thumb, you should not do the same, nor is it required to get the video to play, at least not on

So we want to get that YouTube video working, but do we want to allow embedded YouTube videos for only, or for all websites? This is what you need to be thinking any time you create filter rules. Since you probably want to allow YouTube videos for all websites, we need to switch uMatrix to the global scope and unblock the blocked frame for either the domain or the domain. Which you choose depends on whether you want to allow the resource for the root domain, including any sub-domain, or only the sub-domain. In this instance i suggest keeping it simple and allowing the frame for the root domain and all subdomains as shown. Make sure you save the change.

Note that any time you allow frames you must reload the page, bypassing browser cache, rather than refresh the page. To reload the page, either hold the Shift key while clicking the reload/refresh icon on the uM toolbar, or use the native Firefox hotkey combo, Ctrl+F5, if the uM pop-up UI is not visible (F5 alone will only refresh the page).

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Now when we refresh that page, we might expect to see that YouTube video, but we don't. Opening the uM pop-up again and switching to the global scope, we discover that allowing the frame for caused more stuff to show up, this time a script for as well as another for a new domain,

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Making sure your are working in the global scope, let's unblock scripts for and Make sure to save your changes:

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Now when you reload the post page, everything should look good. We see the video frame and a nice image. Great. Click the play button and... nothing! Open the uM pop-up once more and we find that we need to allow XHR for the domain. You know what to do, so go ahead and make the change, making sure you're working in the global scope and remembering to save your change afterwards. Refresh the page again and click the play button on the video. It still doesn't work! Again, open the uM pop-up and you'll see another new domain has appeared, this time (in case you didn't know, Google owns YouTube). If is not displayed in the list, hold your Shift button when clicking the reload icon on the uM toolbar in order to force a full page reload and bypass the browser cache. Having to do this is typical when dealing with frames. Again, make sure you're working in the global scope and unblock the XHR requests for and save your changes:

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Now refresh the page one last time and the video should play. If it does not, you probably messed something up and there's a fair chance it's because you made one or more changes in the wrong scope and tried to correct them. If you messed something up, open the uM Dashboard, click the 'My rules' tab and in the 'Temporary rules' pane, delete all of the rules you created related to YouTube videos and, but be careful not to delete the default rules or the global rules we set up originally. To do this, select the rules and press your delete key, then click the 'Save' and 'Commit' buttons:

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Once you've deleted those rules and committed the changes to the 'Permanent rules' list, go back to the first step and try again.

De-borking other websites is generally not as time consuming as it was to get embedded YouTube videos to play and is instead usually accomplished with a couple mouse clicks and a page refresh verses a page reload. Just remember to turn to uMatrix first when a website isn't working as expected. If uM is blocking something it will let you know by displaying a badge on the toolbar icon. uBlock Origin will do the same, but it won't usually be the cause of the problem since we offloaded its dynamic filtering to uMatrix by not enabling its advanced mode of operation. Again, make sure you read the uMatrix wiki.

Another way to get a website working quickly is to check if there any user created rule recipes available for the site you're visiting or the resource it wants to load. If there are, that little puzzle-piece icon on the uM pop-up interface will become active and from it you can click a rule-set to import. Make sure you set uM to operate in the scope you want before importing the rule-set and then save the changes if you wish to make them permanent. Also be aware that user created rule-sets may allow more than you want to allow, however you can always adjust as necessary before saving the changes. User rule-sets can be helpful in determining why a site does not function properly. By the way, you could have done this for YouTube videos on instead of letting me drag you through the mud, but it's important that you understand how uMatrix works and how to work with it.

One caveat with uMatrix is that it will break some downloads when right-clicking a link and selecting the 'Save Link As...' context menu item. In some cases an error dialog will be presented that may state "The download cannot be saved because an unknown error occurred.". If you open the uM logger and try the download again, you'll find that uM is blocking something and often this seems to be an 'other' network request ('other' requests are requests that are not associated with a tab). There are a few ways to remedy the situation:

  • temporarily (or permanently) allow the 'other' request from the uM logger tab for the applicable domain and try the download again
  • temporarily (or permanently, but not recommended) allow the 'other' request globally from the uM logger tab or the main UI pop-up
  • drag the link to your desktop

Lastly i want to stress the importance of both the uBlock Origin logger and the uMatrix logger which are invaluable tools for troubleshooting tougher problems. You can get a better understanding of the uM logger by reading the documentation for the uBO logger since it is far more complete as of this writing, though some information is uBO specific.

THE END (lie)

While there are many more things you could do if you're really concerned about protecting your privacy and browser integrity, i hope this guide has been of some use to the technically adept novice or intermediate web surfer at which it is aimed. Understand however that there are threats present in almost all computers which users have little or no control over regardless of what software or operating system is used. Such threats include the Unified Extensible Firmware Interface (UEFI) which has all but replaced the Basic Input/Output System (BIOS) for booting the computer. Intel's Management Engine (IME) and AMD's Secure Processor (SP) / Platform Security Processor (PSP) present a massive threat to security and privacy for virtually everyone using any Intel or AMD powered device.

Lastly, if you are using a proprietary operating system, be it Windows or any other, it is absolutely crucial that you move to a more secure, open source OS such as Linux. The importance of doing so cannot be overstated in my opinion. For more information, read the free book, Free Yourself from Microsoft and the NSA.

I welcome any questions or comments you may have, just please leave them in the comment section so others can benefit (you need not be logged in).

IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and it's the best way to stay informed.


I must thank all of the dedicated and skilled people who created, maintain and contribute to the arkenfox/user.js repository, especially Thorin-Oakenpants (aka, 'pants') and earthlng. This guide would never have been as comprehensive as it is without the benefit of that bunch of misfits :) Also i'd like to thank the many people who make privacytoolsIO possible. Their website is an excellent resource for those looking to protect their privacy and security.

Also i thank the many people who have left comments here, many of which have been very helpful in correcting, maintaining and improving this guide.


Further reading on this website

The 'arkenfox' repository on GitHub

Everything else

Revision history

Click to expand...


  • changed wording for the suggested uMatrix settings in the 'Settings, Convenience' section


  • trivial edit


  • updated info for the privacy settings for uMatrix
  • removed HTTPZ add-on and associated info - no longer needed since Firefox v83 as long as is enabled
  • added a note in ClearURLs settings regarding hyperlink auditing
  • minor clarifications, edits


  • minor edits and clarifications in the 'Terminology' section


  • changed recommendation for the use of CAD (i DO recommend it) - see sections 'Cookie AutoDelete by CAD Team' and 'Cookie AutoDelete (CAD) usage'
  • minor edits


  • added info about the script


  • reversed the order of this revision history so the latest changes are at the top - big sloppy kiss to 'Anon' for helping with that


  • added notes to CanvasBlocker, Cookie AutoDelete and LocalCDN stating that they are optional - the reason they are optional are because of settings in the 'arkenfox' user.js, particularly privacy.firstparty.isolate , privacy.resistFingerprinting and the clearing of storage on browser exit - many readers may see this decision as strange, in which case i'd recommend reading the Questions regarding compartmentalization, extensions and uniqueness thread in the 'arkenfox' user.js issues
  • for uMatrix several suggested settings in the "Settings, Privacy" section were removed, these being:
    • Delete blocked cookies
    • Delete non-blocked session cookies minutes after the last time they have been used
    • Delete local storage content set by blocked hostnames
    • Clear browser cache every minutes
    • Strict HTTPS: forbid mixed content
  • added info in the 'Cookie AutoDelete by CAD Team' section instructing how to save storage for a website if not using CAD


  • added info about how to automatically be notified when a new version of the 'arkenfox' user.js is available (Linux only) in the 'Updating the user.js and user-overrides.js files' section
  • minor edits


  • replaced Site Bleacher with Cookie AutoDelete (CAD) - search for "Cookie AutoDelete" to see the edited content
  • minor edits


  • added info about importing rules from LocalCDN to uMatrix - see the paragraph beginning with "If you're using the LocalCDN add-on"
  • added link to article, How to setup uMatrix [a beginners guide] | Step-by-step with pictures
  • added info about having to reload (vs. refresh) a page when allowing frames in uMatrix - see paragraph beginning with "Note that any time you allow frames"


  • minor edit


  • minor edit


  • added a bit more info to the 'THE END' section regarding AMD and Intel backdoors


  • slight change to the uMatrix section regarding the spoof noscript option


  • added information about the uMatrix option 'Spoof <noscript> tags when 1st-party scripts are blocked' and how this can break the displaying of images when the option is disabled.


  • added the video, Prof Shoshana Zuboff on surveillance capitalism



  • added info to the uMatrix usage section about solving a problem regarding uMatrix and file downloads
  • very minor edits


  • removed info about CSP (Content Security Policy) issue since this is fixed in Firefox v77
  • adjusted Canvas Blocker settings to accommodate for absence of CSP issue
  • added the policies.json section
  • added section 'DNS over HTTPS (DoH)'


  • minor clarifications/edits


  • minor clarification in the uMatrix section regarding LocalCDN rules for uBlock Origin


  • removed invalid uM directive: no-workers: 1st-party false - thanks to 'theltalpha' for pointing this out


  • replaced remaining references to Decentraleyes with LocalCDN
  • updated the URL for the uBlock Origin Suggested Settings Guide


  • updated uMatrix settings and information regarding web/service workers (added a directive to allow 1st part workers by default for less breakage)


  • slight edits to the 'Verifying the integrity of user.js' for clarification


  • added the 'A note regarding user comments' section


  • swapped out Decentraleyes for LocalCDN - thanks to commenter 'theltalpha' for reminding me about this


  • removed ETag Stoppa since eTag filtering is now handled by ClearURLs
  • added detail regarding ClearURLs settings


  • minor updates/clarifications


  • minor edits to uBlock, uMatrix and HTTPZ settings


  • added ETag Stoppa
  • added more info regarding browser fingerprinting


  • minor edits


  • updated info for CanvasBlocker


  • minor edit


  • added a note to Canvas Blocker marking it as optional
  • added a note regarding the no-workers: * true setting in uMatrix


  • stuck the uBlock config stuff on its own page


  • moved my user-overrides.js from GitLab to Codeberg code repository


  • updated setup instructions for HTTPZ
  • minor edits


  • very minor edit


  • added note that this guide is not intended to be use with the Tor browser
  • minor edits


  • added a note about enabling the search bar on the navigation bar
  • minor edits


  • moved my Mozilla rant to a separate page
  • added a cryptominer block filter URL to uBlock


  • removed mention of LibreFox (project is currently stalled due to legal nonsense)
  • minor corrections, clarifications and edits



  • minor edits


  • minor edits


  • several clarifications and minor edits


  • removed info about manually cleaning the user-overrides.js file in favor of using the -c switch when running the updater.js/updater.bat script
  • added Site Bleacher to list of required add-ons
  • removed all info regarding containers as well as the Temporary Containers and Firefox Multi-Account Containers add-ons - i prefer to enable privacy.firstparty.isolate (the default in the 'arkenfox' user.js) in combination with Site Bleacher (far less headaches)
  • replaced Neat URL with ClearURLs - while the former is a good extension, i think the latter is even better
  • replaced Smart HTTPS with HTTPZ
  • moved all add-on settings info to the required add-ons section
  • uBlock: added info for globally blocking 3rd party fonts while allowing 1st party fonts
  • misc. edits


  • added instructions for cleaning user-overrides.js of obsolete preferences
  • minor edits


  • added a link to a comment by 'Bushdoctor' who was kind enough to provide information about loading Firefox profiles in RAM for Windows users


  • updated info on HSTS tracking
  • updated info regarding downloading my user-overrides.js file


  • minor polishing


  • clarify information regarding the downloading of the configuration files thanks to a commenter
  • updated user-overrides.js
  • fix minor typo


  • minor edit


  • added some more info regarding HSTS tracking and the SiteSecurityServiceState.txt file based on user feedback - it appears some AV's might have a problem if this file is set to read only
  • added a new resources section specific to the 'arkenfox/user.js' GitHub repo
  • added Temporary Containers (TC) add-on and associated info - this results in several major changes throughout the guide
  • added Firefox Multi-Account Containers add-on and associated info - this is used in conjunction with the TC add-on
  • added 'Using containers' section
  • removed Canvas Blocker add-on - not needed with TC
  • removed Restrict to Domain add-on - not needed with TC
  • removed Don't touch my tabs! add-on - (probably) not needed with TC
  • removed Header Editor - not needed for what we were using it for since the function is handled by TC
  • re-added privacy.firstparty.isolate = false to user-overrides.js
  • edited some uMatrix info regarding its privacy settings to reflect changes as a result of the TC add-on
  • added more info about importing rule-sets for uMatrix
  • moved Smart HTTPS add-on to the required section
  • moved Skip Redirect add-on to the required section
  • removed the suggested add-ons section
  • corrected mistakes and updated info in the section regarding integrity checking of the user.js/user-overrides.js files
  • reworked and updated the entire user-overrides.js file
  • removed mention of the template user-overrides.js file and associated download link - user should use the one provided in my GitLab repo
  • several minor edits/clarifications


  • add notice about newsletter subscribing
  • corrected advice regarding spoofing the referrer which was suggested for both POOP and uM (now it's enabled in uM only)
  • dumped Cookie AutoDelete add-on - not needed when using uM and First Party Isolation, nor are any of these storage cleaning add-ons able to delete IndexedDB storage due to a shortcoming in the WebExt API, which is another reason to enable FPI
  • removed privacy.firstparty.isolate = false in user-overrides.js in order to enable First Party Isolation
  • added Restrict to Domain add-on to toggle privacy.firstparty.isolate (FPI) via toolbar button
  • removed the list of optional add-ons (NoScript and Smart Referrer)
  • minor edits
  • coming up: looks like i may be recommending to disable FPI in the very near future and use the Temporary Containers add-on instead - i'm playing with it now


  • minor clarifications


  • added POOP as a required add-on and accompanying configuration information
  • configuration information for Neat URL was located in the wrong section
  • minor polishing


  • clarified much information regarding the user.js files as well as other parts
  • added more info about browser fingerprinting
  • added more detail regarding system add-ons
  • added a user-overrides.js template
  • updated Header Editor rules download
  • added several more 3rd party resources
  • misc. minor edits


  • added more info to the uMatrix section, particularly about indexedDB storage
  • minor edits


  • added info about HSTS tracking
  • minor edits


  • added info about using the user created rule sets for uMatrix, as well correcting some mistakes and clarifying other uM info
  • polishing


  • add Cookie AutoDelete as a highly recommended add-on and updated configuration information for uMatrix to allow 1st party cookies by default
  • removed information about the Forget Me Not add-on
  • added information about First Party Isolation
  • added rule to uM to prevent web workers
  • added information about the uBO and uM logging functions
  • corrected some mistakes
  • polishing


  • added uMatrix to the add-on pile again
  • added the uMatrix sections of this document
  • removed info about running uBlock in advanced mode since we're using uMatrix for dynamic filtering instead
  • several minor edits
  • polishing


  • lots of clarifications and polishing, added several resources


  • added the section 'Firefox profile in RAM'
  • misc. other minor edits


  • rewrote most of this guide, so if you read it before, read it again :)


  • removed cryptocurrency miner section
  • removed information about the OpenH264 Video Codec plug-in since it seems Firefox is no longer shipping it, at least not on Linux
  • removed the Load from Cache add-on
  • removed some information about uMatrix since uBlock Origin covers most everything uMatrix does and is better suited for removing advertisements, plus it's a much more active project.
  • updated some information
  • note that many more updates will occur in the next days, so i would suggest waiting until they are published before following this guide


  • minor edits


  • added a link to my post about the Firefox add-on, Looking Glass
  • misc. minor edits


  • added to the list of recommended add-ons
  • updated some content to reflect the current state of Firefox and WebExtensions
  • misc. minor edits


  • added more info about IndexDB storage in the "Terminology" and "uMatrix configuration" sections.


  • added section "A special note about cryptocurrency miners"


  • i didn't keep track of all the changes and many were made - you'll have to re-read the guide :)


  • added some add-ons to the recommended section
  • misc. minor edits


  • rewrote and updated much of the content pertaining to uMatrix
  • added section "Removing system add-ons"
  • added section "Sanitizing the default search engine plugins"


  • deleted the GitHub repository which i forked from Pants' 'arkenfox' repository and created a new repository which does not include his code
  • some changes to user.js
  • some major editing of this document mostly in regard to the creation and changes of the GitHub repositories


  • updated user.js to version 51r2 - see the GitHub page for the change-log
  • updated info here regarding the user custom preferences section of user.js


  • published my user.js on GitHub which was forked from Pants' code
  • removed my user.js code from this page and linked to it on the GitHub page instead
  • changed my versioning scheme to match Pants' where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
  • updated user.js to include v51 of Pants' config - no preference changes so far as i know, just added/removed/changed comments
  • updated text in user.js section to account for the new changes
  • changes to comments and troubleshooting preference names and values, other minor changes


  • switched to using Pants' config v0.11 and mostly just appending my settings to the end of his - because this is a major update, no history of changes to individual preferences will be published


  • removed Extension Defender from the list of recommended add-ons since it's home page is gone and the code hasn't been updated in two years
  • updated user.js file


  • removed duplicate preferences in use.js file (see change-log in the file for details)


  • changed the name of the troubleshooting/bogus preference to and added values to indicate the point at which the file stopped loading - a huge thanks to commenter 'Pants' for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, 'Pants' is the author of the user.js config file used in the 'arkenfox' article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i'm very glad to have his input here)


  • corrected 'plugin.scan.*' values to be strings
  • added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems


  • added some basic information for configuring the Clean Links add-on


  • set 'browser.fixup.hide_user_pass' back to its default value
  • added 'network.http.redirection-limit'


  • corrected an error with pref 'layout.css.devPixelsPerPx' where the value was an integer instead of a string - this caused all prefs following it to be ignored


  • updated user.js file
  • minor grammar/spelling corrections


  • updated user.js file


  • updated guide information
  • updated user.js file and added a revision history to the file


  • updated user.js file contents


  • updated user.js file contents


  • updated user.js file
  • removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it


  • Minor edits for uMatrix usage text


  • added more info for uMatrix and IP Config test results
  • updated user.js file contents
  • various other edits


  • removed HTTP UserAgent cleaner since it is no longer being developed
  • removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
  • added uMatrix


  • updated uBlock settings to match the current development version (
  • misc. minor updates


  • switched to Raymond Hill's version of uBlock
  • updated uBlock filter information
  • added Fetch information for new version of HTTP UserAgent cleaner
  • updated user.js file contents
  • misc. minor updates


  • added information for securing DNS traffic
  • misc. minor updates


  • minor updates to user.js file contents


  • updated user.js file contents
  • updated a few settings recommendations for HTTP UserAgent cleaner


  • updated list of recommended filters for uBlock
  • updated user.js file contents


  • added Pure URL as a suggested add-on
  • updated contents of the user.js file
  • added and edited some information for HTTP UserAgent cleaner
  • added more resources in the References section


  • updated HTTP UserAgent cleaner information to match changes in version


  • updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner


  • updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
  • updated the user.js file
  • updated some definitions of terms used in this document
  • added some more resources


  • updated some HTTP UserAgent cleaner information
  • deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
  • misc. other minor changes


  • updated information for HTTP UserAgent cleaner
  • updated user.js file
  • minor updates to uBlock information
  • misc. other minor changes


  • updated HTTP UserAgent cleaner information
  • for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.


  • updated and added more information for uBlock
  • updated one HTTP UserAgent cleaner screen-shot
  • misc. other corrections/updates/edits


  • updated user.js file
  • switched uBlock versions since a new fork was created
  • updated uBlock images and documentation
  • added a "Current notices" section
  • misc. other corrections/updates/edits


  • updated user.js file
  • several other small updates and a few corrections


  • removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
  • almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
  • various other edits and corrections.


  • first publishing


Note that both reader and my comments, while they may have been accurate at the time, might be inaccurate today. This is a highly dynamic environment so please verify the accuracy of comment content should you wish to utilize it. Failing that, ask me and i'll give it a crack.

Email me when this content is updated.

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

445 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs”

  1. Hallo! In the description of uMatrix you still refer to Decentraleyes and some rules to implement, however, you should now refer to LocalCDN, the necessary rules of which to implement are to be found in that add-on’s settings (as well as the rules for uBlock Origin).

  2. Hello,

    I updated my user.js with the after having downloaded your user-overrides.js. I then ran the . Everything is fine excpet that the built in Firefox screenshot utility disappeared, I can’t see it in the menu when I right-click on a webpage. Is it due to your user-overrides.js ?

    Thank you.

    1. hi Damien – check the pref ‘theltalpha’ referenced – also, if you followed one of my guides, i recommend removing the add-ons that are installed with Firefox, so if you did that then then you can re-install FF to get the screen cap add-on back (your profile/prefs/add-ons will not be affected)

      1. Thank you, it worked. I replaced ‘true’ with ‘false’ as :

        user_pref(“extensions.screenshots.disabled”, false); // [SET] [PRIV=false] disable the screenshots system add-on
        user_pref(“extensions.screenshots.upload-disabled”, false); // [SET] [*PRIV=false] disable screenshots uploading

        in the * USER CUSTOM PREFERENCES , saved, then ran followed by

          1. Hello,
            Could you tell me where I can find a list of all the FF preferences “user_pref(“….” so I can try them, add or withdraw them in your user-override.js file? For example if I wish to have no history at all, etc.
            Thank you.

            1. there is no single resource that lists all the prefs far as i know (not even on any mozilla site) – you can find most, but not all, by entering about:config in the address bar

              reminder: if you want to remove or change a pref in user-overrides.js or user.js, *copy it* to the ‘USER CUSTOM PREFERENCES’ section in the overrides file and change it there

              1. Hi,
                I noticed there is a difference between ‘CHANGE THE VALUE OF A PREFERENCE IN THE ‘GHACKS’ USER.JS OR THE ‘GHACKS’ and ‘RESET/REMOVE/DELETE A CUSTOM PREFERENCE’. In the 1st case I just have run to run the ‘arkenfox’ updater script but in the second case I have to run both the ‘arkenfox’ updater script and prefsCleaner script.
                Am I right?
                Thank you.

                1. that’s correct – the prefs in the overrides file are copied to user.js with the updater script and from there to the prefs.js file by FF when it starts, so if you change the value of a pref in the overrides file, FF will pick this up in user.js, but if you comment out a pref, FF will not know about it and the pref and value will remain in prefs.js, thus you need to run the cleaner script which will delete the pref thereby returning the value to its default setting when FF starts

                  this is why you never delete preferences – if you delete a pref, then the cleaner script won’t see it and therefore it will remain active in prefs.js

                  the other option if you don’t want to run the cleaner script for some reason, is to manually reset the preference in about:config, or delete it in prefs.js, but i don’t recommend doing that

                  btw, once you run the cleaner script, you can then delete any prefs that YOU commented out if you want to keep the overrides and user.js files clean, but i can’t do that with prefs in the ‘DEPRECIATED/REMOVED/RESET’ section of the user-overrides.js because it’s impossible for me to know when, or if, users of my overrides file ran the cleaner script

  3. Hallo! Currently, the “last modified” date says 8 April 2020, but the revision history’s last entry is from 5 April. I am always a little bit nervous to overlook something if this constellation arises. ;-) I want to propose to make an entry into the revision history in any case when the “last modified” date changes, even if it is only a minor/editorial change.

    1. i don’t usually update the revision history for teeny-weenie changes, however your suggestion makes sense and so i will make an attempt to remember to add even the smallest of changes to the revision history :)

  4. Hallo! I noticed on your “My picks” site you already recommend LocalCDN, while in this guide Decentraleyes is still recommended. I just wanted to ask if you are still examining which extension to finally prefer over the other, or if you just forgot to replace it on this site. Thank you in advance for clarification!

    1. i’m aware of it and i’ve already disabled ETag Stoppa, however i don’t yet know if the ClearURLs function is as good/better than Stoppa – i’m trying to find that out and, if it is, then i’ll make the recommendation in the guides

      thanks for letting me know though!

  5. Hello,

    Thank you so much for helping netizens achieve a more secure and private browsing! I followed your Firefox guides and I’m very happy with the results, but I’ve a couple of questions.

    Most of the sites I now visit are missing icons from buttons, as can be seen on this screenshot:
    It doesn’t bother me that much but I was curious what in all the settings and extensions I added is causing it. Is it because I set “gfx.font_rendering.opentype_svg.enabled” to false as the arkenfox user.js recommends, is it uBlock/uMatrix that’s doing it, or is it something else?

    Also, can you remind me what those placeholder symbols on the screenshot were called? I knew the word but cannot remember it and it is driving me nuts. Thanks!

    1. can you remind me what those placeholder symbols on the screenshot were called?

      for the life of me i cannot recall for sure what they are called, but i believe they’re just called web fonts

      when you see ‘Chinese’ looking characters like that, it is usually because a font is being blocked, and no, it is unlikely because you disabled gfx.font_rendering.opentype_svg.enabled

      since you left this comment on the advanced guide, i’ll assume you’re using uBlock without its advanced mode enabled (essentially using it only for ad blocking via the filter lists) – make sure you’re NOT blocking remote fonts with uBO (settings tab) – then make sure you’ve added *$font,3p to the ‘my filters’ tab (not ‘my rules’ tab) – that will allow all fonts, but only those served by the first party (the domain you’re visiting)

      if the font is still blocked, then you’ll need to learn how to use the uBlock logger to find where the font is being served from and allow (if you wish) that domain

      one of the sites for which i allow 3rd party fonts is gitlab – the rule then looks like this…


      if you want to allow 3rd party fonts for yet another domain, this is how you do it…


      if you’re new to all of this and have trouble with stuff breaking using the advanced guide, try the dummy guide, or use my user-overrides.js which relaxes some of the settings in the ‘arkenfox’ user.js

  6. Hi!
    I have a question about user agent. I do not want extension and I try to add “general.useragent.override” and my string, save but didn’t work. It show …Linux… but I put in “Mozilla/5.0 (Windows NT 10.0; rv:68.0) Gecko/20100101 Firefox/68.0” which is IMO better.
    Thank you.

    1. general.useragent.override was depreciated

      if you have privacy.resistFingerprinting (RFP) enabled (and you should if you you don’t), then don’t use any UA spoofing extensions – they will only compromise what RFP already does – go to any UA test site with RFP enabled and you’ll see that the reported UA is fake

      if you’ve followed one of my guides, or the ‘arkenfox’ user.js, be very careful about installing any additional privacy add-ons because you can easily wind up undoing what was already done

      1. Yes, I have enabled. I just compare results of Cliqz and Firefox with arkenfox user.js and all the same extensions from your suggestion and Cliqz is full but Firefox partial protected and diference is User Agent. In Cliqz I have …Windows NT…
        And because that I want to try this change in Firefox.
        Thank you.

        1. that’s a mistake in my opinion – again, if you go mucking around with things that RFP already covers, you may well end up compromising privacy (raising entropy), not enhancing it

          ideally you want to shoot for what the Tor browser is doing, which is to blend in, not stand out, and by attempting to change the UA you’re headed for trouble because there is more than one way to identify the browser type, version and OS and few, if any, of the so-called UA spoofing add-ons cover all the methods

          RFP already spoofs the UA and, so far as i’m aware, does it correctly, so why would you want to mess with that?

          you didn’t mention what site you’re using to test, so i don’t know what “Cliqz is full but Firefox partial protected” means – that could mean nothing

          1. i need to correct myself …. ONE way to preserve privacy (avoid fingerprinting) is to blend in like the Tor browser attempts to do, but another way is to not worry about being unique – in other words, let the website see that your browser fingerprint is very much unlike anyone else’s, but change that fingerprint every time you visit, thereby making it difficult or impossible to obtain a consistent fingerprint

            this also addresses many of the fingerprinting/privacy test sites that people use where they see that they get a low score – who cares if you get a low score as long as that fingerprint changes each time you visit, right?

            both scenarios are very difficult to obtain however because there’s so damn many ways to fingerprint

  7. I’ve got to ask, now I understand why HTTPZ would be better than HTTPS Everywhere, but what’s the advantage to using Site Bleacher to Cookie Auto-delete? Also I notice you don’t mention Privacy Badger nor Terms of Service; Didn’t Read which are both mentioned on privacytools io, any particular reason? In addition I also found settings for Exclude root domain matches for POOP from the dummies guide that are missing from this one. Lastly you say not to use any versions of uBlock but the official but there’s fork of it that I found interesting called Nano Adblocker which includes an anti-adblock defuser.

    1. CAD, nor any other storage cleaner, other than SB, can remove Indexed DB storage on a timely basis – they remove IDB only on browser start and/or exit – SB removes it dynamically, the caveat being that it removes it globally instead of per-domain

      as for TS;DR, aren’t pretty much all of the ToS agreements crap? and if that’s the case, why is an ext. needed to tell you so?

      as for Privacy Badger, see h … well i’ll be damned – the ‘arkenfox’ user.js fellas did not recommend PB for the longest time (see cached pg.) and in visiting their wiki to provide you a link, i see they now do, sort of – see here – nevertheless, less is sometimes more and with uBO, uM, Decentraleyes, etc., i suspect PB isn’t necessary

      Nano Adblocker i believe is a good ext., however i haven’t really looked in to it and i don’t believe it covers all that uBO does (CSP being one issue) – it looks like it’s actively developed however and more features are planned, but i think it needs more time to bake – as for anti-ad-block filters, they’re available for uBO as well, though i don’t know if they’re as effective

      thanks for mentioning a possible discrepancy regarding POOP – i’ll take a look at the guides and adjust as necessary

      1. I recently got to trying out Nano Adblocker and Defender, I have to say I’m impressed. It actually has all the features as uBlock plus some bonuses like syntax highlighting. Nano Defender is especially robust; sites that would usually detect uBlock don’t see Nano. The only minor caveat is that the Disconnect filter isn’t part of the default group, probably because most browsers have it builtin now. For Privacy Badger, my understanding is it uses a sort of “AI” to detect trackers instead of lists like uBlock or the others. This could be a potential advantage.
        While we’re talking about addons I’ve got some from (these would be more for the My Picks guide, but relevant enough); Mailvelope, which is basically just Enigmail for Firefox, and LessPass and KeePassHttp-Connector for password management. I also personally found Random User-Agent and Chameleon, which mask the user agent, and Bloody Vikings! and Temp Mail – Disposable Temporary Email for disposable email addresses. There was also one other addon that I was temped to try for a while called Honey that offers digital coupons, but I got to thinking what’s the catch? I generally follow the rule if it’s too good to be true it probably is so I’ve refrained from installing it.
        And lastly I’ve got some overrides settings that may be useful (tell me what you think):
        user_pref(“network.http.referer.XOriginTrimmingPolicy”, 2);
        user_pref(“privacy.trackingprotection.fingerprinting.enabled”, true);
        user_pref(“browser.sessionstore.max_tabs_undo”, 0);
        user_pref(“”, true);
        The upper three are from the guide, with the third one being removed recently for unknown reasons (it’s purpose was to disable tab undo for privacy). The fourth one is something new dealing with encrypted sni.

        1. re: Nano Adblocker and Defender – i’ll check these out

          re: Privacy Badger – i never recommended it, nor did ‘arkenfox’ user.js, but i see they’ve changed their stance on it

          re: Random User-Agent and Chameleon – DON’T! if you have enabled RFP (privacy.resistFingerprinting) then my understanding, according to very knowledgeable peeps in the ‘arkenfox’ user.js project, is that a) these UA “spoofing” add-ons do not cover all the ground that needs to be covered and b) they essentially interfere with the built-in RFP protection and can therefore make you look more unique, not less

          > There was also one other addon that I was temped to try for a while called Honey that offers digital coupons, but I got to thinking what’s the catch?

          anything offering “free” anything is almost guaranteed to compromise privacy – i look at 10’s of thousands of people using any one of the “free” VPN add-ons popping up like weeds on AMO and i practically shudder

          re: network.http.referer.XOriginTrimmingPolicy – i leave that up to the ‘arkenfox’ crew

          re: privacy.trackingprotection.fingerprinting.enabled – the default is ‘true’, at least on Linux – i don’t know when this pref appeared, but if it was recently than this could explain why it’s not in the ‘arkenfox’ config (plus i they’ve been doing some housecleaning and may not include some important prefs where the default value is what they want)

          re: browser.sessionstore.max_tabs_undo – setting to ‘0’ is good for privacy

          re: – i didn’t know what it was till i read about it – it looks like a good idea but i wonder why Moz hasn’t yet pulled the trigger and flipped it on after a a year and a half??? the answer may lie in what i read on the ‘arkenfox’ repo – personally i’ll let this up to them to decide

        2. i took a look at Nano Adblocker and i’m not overly impressed – i didn’t know it was virtually identical to uBO, and that’s fine, but i didn’t really like some of things i read

          for one, my first ? was ‘what’s the difference between NA and uBO?’ and i found the dev didn’t want to expand on that for reasons i consider odd

          the other thing is that the dev doesn’t have a lot of time to work on it, so that’s kind of a turn-off

          at the moment NA ‘is 819 commits ahead, 1707 commits behind gorhill:master’ – hmmm…

          Gorhill can be a dick, no doubt, but i think i’ll be sticking with uBO for the time being

          1. I didn’t realize uBO is more maintained, I may actually switch back to it. Either way though, Nano Defender was what mainly impressed me. It’s the companion addon that handles the anti-adblocker scripts. It takes a few more steps to config it for uBO, but like I said I’ve yet to encounter a site that blocks adblockers that it couldn’t diffuse.

  8. Hi

    Thanks a lot for your great effort. It’s some treat tutorials, I’ve used several of your guides on several PC’s by now…

    You don’t need to post this reply on the HP, it’s just for your notice. I was using your guide just now, and ran across a couple of add-ons where the default settings have changed slightly since you last updated this guide. Here is my findings:

    “Prevent tracking injection over history API” is in fact enabled by default.

    The layout of the settings area have changed lately ant the “automatic mode” that you refer to is now called “Fall back to HTTP without warning” and it is enabled by default.

    All options except ‘Block requests for missing resources’ are checked by default.

    uBlock Origin
    “uBlock filters – Experimental” aren’t in the default list anymore

    You have a comment about “…spoofing of the browser User-Agent string…” but this isn’t even an option in uMatrix anymore

  9. I read somewhere on your homepage – I believe that it was in a FAQ somewhere – that you have stopped using Canvas Blocker personally even though you still believe it is a great add-on. As far as I remember, you believed that either FF’s RFP or FPI functionality covered most of what Canvas Blocker does. Have you come any closer to a conclusion on that matter?

    Thanks in advance…

        1. RFP is enabled by default in the ‘arkenfox’ user.js if you’re using that – if you’re not using it, then yes, RFP should absolutely be enabled

          if you’re wondering whether RFP alone is enough to protect privacy, then no, it isn’t

  10. Hi

    I saw you updated the privacy guide for dummies recently-ish so I skimmed through it at saw that you recommend 3 “new” add-ons to “the dummies” that you don’t recommend here – namely ETag Stoppa, Don’t touch my tabs! and Font Fingerprint Defender.

    Can you share your thoughts on why they are not recommended to the privacy buffs?

    Thank you.

    1. i added ETag Stoppa to this guide – i don’t know why it wasn’t added before, other than the possibility that some other extension was dealing with Etags that i later removed, or more likely, this was once covered by a header editor extension or user script – thanks for pointing this out

      Don’t touch my tabs! is not needed with this guide because window.opener is covered by Canvas Blocker

      as for Font Fingerprint Defender, i thought i had already removed it from the dummy guide (i did now) – it’s a very poor solution to font fingerprinting and should not be used

  11. I had to read this guide a few times over the course of a few days to understand *most of it* :)

    What a wonderful piece of work.

    Having implemented these add-ons and user.js rules (arkenfox and your overrides), my add-on for FF stopped working. This is a “new tab/bookmark” type of add-on.

    The usual behaviour is when opening a new tab, the bookmarks load as well. With the rules applied in this article, however, it just keeps the icon loading without loading the page.

    I’ve looked top to bottom in ‘arkenfox’ user.js as well as your user-overrides.js trying different settings, then running updater.bat, but didn’t work.

    Do you happen to know what setting I need to change to get to work?

  12. I am so sorry for many questons but I forgot to ask you about your opinion about Coqz browser. I am using it to with my tweeks and HTTPZ, uBlock and uMatrix and has excelent results.
    Thank you.

    1. if you mean the Cliqz browser, it’s a fork of Firefox and absolutely NOT something i would use – Mozilla partnered with this company a while back and as a result a lot of user data was sent to them – Moz took a lot of well deserved abuse for their stupidity

      1. I am new with Cliqz and for me looks not bad. With some tweekeng and use just uBO and uMatrix and Canvas on Panopticlick is YES for fingerprinting protection (262) and for Firefox 72 wit user.js ad all addons from 12Bytes is Partial (6482). I also compare Cliqz about:config withs user.js settings and there are many the same.

Leave a Reply

Your email address will not be published. Required fields are marked *