12bytes Mumble meet every Sat. night!
Coronavirus information & resources
Vaccines - What You Need To Know

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Tutorial

Project moved to Codeberg

The Firefox Configuration Guide for Privacy Freaks and Performance Buffs has been moved to Codeberg.

A note regarding user comments

When reading the user comments on this page, keep in mind that this guide has been around since 2015 and, given the dynamic nature of the web and Firefox, some of the information in comments, including information provided by myself, may be obsolete or entirely wrong. Nevertheless i decided to retain all comments because... nostalgia. If you have any questions, ask.

490 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs”

  1. 1) I can not understand how do i install it user.js-version-checker.sh for linux?

    2)HTTPZ is better than HTTPS Everywhere?you only need one of the two?

    3)when install canvas blocker in the panopticlick result fingerprinting is partial and without canvas blocker add on my result fingerprinting are : has a non-unique fingerprint

    1. re: user.js-version-checker.sh – you’ll need to re-download the script because i changed the name of it (it’s now user.js-notify.sh)

      re-read the instructions here

      how you enable the script to run automatically is up to you

      using this script is not mandatory, but if you don’t use it, just remember to manually check for user.js updates using the ‘arkenfox’ updater script

      re: HTTPZ & HTTPS Everywhere: they both have advantages – personally i much prefer HTTPZ

      re: Canvas Blocker: don’t worry about the result you get from panopticlick – for more on this, read through the ‘arkenfox’ user.js issues here

      personally i no longer use Canvas Blocker since Firefox covers *most* of what CB does (assuming you’re using the ‘arkenfox’ user.js)

      1. Thank you for the answer and the very good job you do for the privacy.where can i watch if a new update comes out?and if it comes out I just pull the user.js file into the mozilla root folder?what i have done so far is to download ghacks user.js to open the folder and put the user.js file in the root profile mozilla folder.

        and I have also put extensions like ublock origin,uMatrix,HTTPS Everywhere,Decentraleues,cookie autodelete,css exfil protection,LocalCdn,privacy oriented,skip redirect,Clear Urls, along with the settings you suggest.
        but i can not watch video on youtube,or,xhamster,or pornhum e.t.c. while I allow various things from umatrix I still can not watch videos from these sites

        1. hi Justin – couple things right off the top…

          * why are you using both LocalCDN and Decentraleyes?
          * the ‘ghacks’ project name is no more – the new name is ‘arkenfox

          > where can i watch if a new update comes out?

          if you’re using a Linux OS, see this – if not, it is explained in this guide how to check for updates to the ‘arkenfox’ user.js using their updater script

          > and if it comes out I just pull the user.js file into the mozilla root folder?

          put the updater script in your Firefox profile folder (where prefs.js and user.js are) and run it

          > but i can not watch video on …

          it seems like this guide might be a bit too technical for you – you may want to follow the ‘dummy’ guide instead

          if you want to stick with this guide, you’ll need to read the uMatrix and uBlock wiki – links are in the guide

          1. Thank you very much for the answers and sorry if I stun you.

            I do not understand if I need to create a new profile or put the files directly in the default folder?

            to me from the beginning had two profiles: Profile: default-release and Profile: default.I put the files in the main profile Profile: default-release
            now i have to do the process again because like you told me the new version is arkenfox .

            and I’m confused about user-overrides.js. arkenfox does not include them all;

            1. you never need to create a new profile to put a new version of the ‘arkenfox’ user.js in – you should be using the updater script in the arkenfox repo to update the user.js

              user-overrides.js is where your custom settings go – it does not exist by default – i offer my personal user-overrides.js for people to use if they want, but you can create your own as well – the content of this file will be appended to the user.js using the updater script

              ALL custom setting should go in user-overrides, such as any settings in user.js or prefs.js that you want to change

    1. Site Bleacher cannot clean indexedDB storage per-host – it can only dump iDB globally (for all hosts), so this can potentially break sites – also Site Bleacher was originally coded for Chromium, not Firefox, and i don’t think the developer is very familiar with the Firefox extension API, so i have a lot more faith in CAD

  2. I found some interesting extensions on the arkenfox userjs wiki that I wanted to know your opinion of. Request Control and Header Editor both appear to much of the same thing; combine the features of Httpz, Redirector and ClearURLs. Both are a lot more complicated though. Next is Smart Referer, which controls referer headers much like POOP and uMatrix. Not sure if it’s better at it, hence why I wanted your thoughts.
    I also wanted to mention a few things about the user-overrides.js. The overrides script sets container tabs to off by default but Canvas Blocker requires it to be enabled and overrides the setting making it redundant. Hiding the UI is probably more than enough. It would probably also be useful to include the firstparty.isolate setting (set to true by default of course) for those that would rather disable it for use with Temporary Containers with Multi-Account Containers. I’ve been playing around with these two lately and, while can’t say they’re better than first party isolate with site bleacher, can say they have their own merits. Finally, while a VPN is definitely better than any of the secure dns crap, privacytools io has a page for secure dns responders; it might be worth while to include blank versions of the lines “network.trr.uri” and “network.trr.custom_uri” with a link to the page in the comments as to prevent users who do decide to enable it from completely screwing themselves with cloudflare’s service.
    Going back to Canvas Blocker, is it ok to use with firefox’s builtin finger print protection?

    1. Request Control and Header Editor i really can’t comment on – i don’t use either – it’s one of those deals where, if you think you need it, use it, else don’t complicate things because more “things” means more breakage

      i wouldn’t compare ClearURLs with Request Control – there’s a lot going on with ClearURLs and it pulls its filters from the developers repo, and there’s a lot of them

      i don’t think Smart Referer is needed if you enable the option ‘Spoof HTTP referrer string of third-party requests’ in uMatrix – if you don’t use uM, then yeah, i’d probably go with Smart Referer – i don’t know if it works better or not

      re: Canvas Blocker – i personally don’t use it since Firefox now handles most of what CB does (not all) and i just found that it requires too much attention and it’s yet another thing to troubleshoot when something breaks

      > Going back to Canvas Blocker, is it ok to use with firefox’s builtin finger print protection?

      yes, far as i know – CB detects if RFP is enabled and acts accordingly (gets out of the way where necessary) – the dev mentions this somewhere

      > It would probably also be useful to include the firstparty.isolate setting

      if you mean in my overrides, yeah, i agree – i’ll do that (actually i just did)

      re: Site Bleacher – you can drop that if you want in favor of Cookie AutoDelete – it handles indexedDB storage now, per-host, automatically (cleans when you close the last tab for that host)

      i’ll look in to the DNS stuff

      thanks much for bringing these things up – it’s good that you guys keep an eye on me o_0

  3. Excellent article as usual! Just curious, can you give a complete list of the addons you use currently? (Including non-privacy extensions.) I’m curious as to whether you use a password manager. Also any thoughts on ungoogled Chromium? It’s supposedly more secure than Firefox.

    1. the add-ons i use are listed here

      i use Firefox’s built-in password manager – i’m not sure that’s the best idea because i never researched whether it’s secure

      as for ungoogled Chromium, is it more secure than Firefox after implementing the ‘arkenfox’ user.js? i don’t know, but i know there are certain things that are done differently in Chromium that make it less attractive from a privacy standpoint, though at the moment i don’t recall what they are – also the Tor project uses Firefox as a base for their browser, so i think that says something – then there’s the ‘arkenfox’ user.js project which has some very knowledgeable people on board with connections to Mozilla and Tor

      1. Oh yeah, I read your addons article, I just didn’t know you used all of those. Good points. I need to mess around with user.js a bit. Check out a guy on reddit by the username “cn3m”. He’s quite knowledgable about security and uses UG Chromium. Also, your articles introduced me to HTTPZ which is a hidden gem. Thanks for the reply!

        1. Firefox has a preference for forcing https, unfortunately there is no fallback to http, thus the need for HTTPZ (or something like it) – i happen to be a bit familiar with the developer who is a great guy and i prefer the why it works over the others

    1. as much as my guides are for others, for sanity’s sake i keep them current with the version of Firefox i’m running – maintaining them for older versions would just be a big fat headache

      i suspect you already know this, but the CSP issue is resolved in 77

    1. CB informs you what it blocked, so you’ll have to go by that – personally i quit using it and it will hopefully be removed from my guides soon since the Firefox devs have been making progress with canvas anti-fingerprinting (it’s almost there now)

    1. i thank you much for sharing that since this information may be valuable to many users – and i will credit you and add a note about this in the guide – however regarding DoH, it appears it can be disabled in the Firefox preferences UI: Preferences > General > Network Settings > Enable DNS over HTTPS – you can also select a provider there, or specify a custom one – you can also use the preference network.trr.mode to control DoH, which, for those using my user-overrides.js, is already disabled

      1. Uncomfortable with that option since it is easy for less technical users to bypass all effort (like family filter, no logging DNS) with a single click. The lock option within admin folder (/usr/(local)/lib/firefox/distribution) setting ensures a safety net by completely taking it out of picture.

        Credit or no credit – the yeomen service feels satisfactory! Thank you for your consideration.

  4. Thanks for the guide, loving it so far. Just one question; I am using Bitwarden and it keeps logging me out. Didn’t used to happen on my older firefox setup. Is there anything I need to change to stop it from doing so?

  5. 12bytes,

    1. Can you please provide an example on how to do this for Skip Redirect extension? Whitelist and blacklist are confusing terms for end-users.
    Link: https://www.reddit.com/r/firefox/comments/84zooj/skip_redirect_addon_breaking_waybackmachine_addon/
    2. The uBlock Origin Settings page needs to have ‘My rules’ tab setting updated similar to one here for LocalCDN.
    3. CanvasBlocker now has default setup options of template that might be interesting to add to in the article.

    A Request: Any resources to make the arkenfox user.js scripts be shellcheck compliant (remove bashisms)?

    Thanks to all you do and a shoutout to the arkenfox team as well.

    1. #1 – for Skip Redirect, enable the following options:

      * Skip all redirects except for URLs matching any of the lines in the blacklist.
      * Skip redirects for URLs with the same public domain
      * Enable popup

      now when a redirect does occur, but you didn’t want it to, right click on the toolbar icon (i put the icon in the overflow menu) and click the ‘Copy last skipped URL’ menu item, then click the icon again to open the settings and add the domain to the blacklist

      what you add to the blacklist is up to you – in the case of archive.org, you can add just that, or you can add web.archive.org if you want to skip redirects only for that subdomain, or you can add archive.org/whatever to skip redirects for a particular path

      here are some examples…

      alexa.com/siteinfo
      archive.is
      archive.org
      google.com/searchbyimage
      bing.com/images
      some-wordpress-site.com/wp-login.php

      #2 – not sure i understand your comment, but if you mean that the LocalCDN domain list needs to be added to uBO, that is true only if you’re using uBO in advanced mode (you enable dynamic filtering)

      #3 – i haven’t played with the templates yet – thanks for reminding me about that

      does shellcheck do JS? i thought it was only for shell scripts – also that’s something i would not worry about since you should never be editing user.js

      1. For #2, meant to say the reference is still for Decentraleyes in the article which has been retired in favor of LocalCDN.

        Shellcheck checks for POSIX-compliance. The shebang right now used by the arkenfox scripts (updater.sh and prefsCleaner.sh) works only with bash (to be fair: they state that outright in the github page). Making it shell-agnostic (the shebang to #/bin/sh) and removing bashisms (like double brackets, [[]]) would make it portable across portable machines (containers, VMs, etc). I spent half an afternoon porting it to ksh (pdksh specifically in the hopes of sharing it here) but am not an expert and failed at a little more than 70% through. I will give it a shot sometime else and will update here, if you don’t mind i.e.

        1. re: #2 – ok, i gotchya now – i updated the page accordingly and thanks for pointing that out

          re: shellcheck – i thought you meant you wanted to run it on the user.js – i misunderstood

          i agree that the updater script could be better and i would highly suggest you bring this up, as well as the changes you’ve made, on the arkenfox repo – i have nothing to do with the updater script nor am i an accomplished shell scripter

            1. your changes worked for me in a bash shell – i just saw 1 very minor shellcheck issue…

              In updater2.sh line 337:
              if [ ! -z "$diff" ]; then
              ^-- SC2236: Use -n instead of ! -z.

              and a small script issue…

              sed: character class syntax is [[:space:]], not [:space:]

              1. Not mine Sir, I just dug around from the link you provided on the closed github issues. Don’t see much activity with the user on this repo or github. I will be testing on the *BSD though and will report when done.

                1. The arkenfox script checks for update when first run which will override any of the changes unless checked in, i.e., the shebang of /bin/sh will be replaced by /bin/bash. The above-mentioned user’s script works alright.

    1. Hallo! In order to obtain the settings in your linked screenshot, you would have to add these lines to the “My Overrides” section in the user-overrides.js:

      user_pref(“network.cookie.cookieBehavior”, 4);
      user_pref(“privacy.trackingprotection.enabled”, true);
      user_pref(“privacy.trackingprotection.socialtracking.enabled”, true);

      1. Hello,
        Thank you very much! It worked. I added:

        user_pref(“network.cookie.cookieBehavior”, 4);
        user_pref(“privacy.trackingprotection.socialtracking.enabled”, true);

        (I already had user_pref(“privacy.trackingprotection.enabled”, true); )

        then ran ./updater.sh & ./prefsCleaner.sh

        Everything is fine.

    1. thanks for informing me of this
      i used regex101.com to test this since workers must be enabled for highlighting of the test string to work and i verified that the rule works … i just now re-tested this and it does NOT work – so i obviously messed something up

      i’ll update the info in the guide accordingly – thanks again

  6. Hi,
    I did a fresh Firefox install recently; been following this guide, but I’ve just noticed that with your suggested extensions (and related settings, except Matrix, which I’m not running) Element Picker and Element Zapper in uBlock don’t work. Any idea what extension might have caused this?
    Best regards.

    1. in the advanced config guide i recommend running uBlock with its advanced mode disabled and using uMatrix for dynamic filtering – when advanced mode is disabled, the element picker does not function – if you don’t want to use uMatrix, then i’d suggest enabling advanced mode in uBO, but make sure you read the uBO wiki

      1. Thing is, I have advanced mode turned on, but that still doesn’t allow me to use the element picker fucntion, which is why I’ve asked here in the first place.

  7. Hallo! In the description of uMatrix you still refer to Decentraleyes and some rules to implement, however, you should now refer to LocalCDN, the necessary rules of which to implement are to be found in that add-on’s settings (as well as the rules for uBlock Origin).

Leave a Reply

Your email address will not be published. Required fields are marked *