
Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Tutorial

UPDATE: I first published this guide in 2015. I wrote it as much for myself to be able to refer to as i did to share it with others.

I never really felt qualified to be writing such a guide, however i failed to locate a truly comprehensive guide anywhere else that covers as wide a gamut including terminology, preferences, the arkenfox project, system add-ons, user add-ons and how to configure them, profiles, web storage, etc.

i'd like to 'pass the torch', as it were, to someone more capable than i, someone who understands the inner workings of Firefox and the threats to privacy better than i do.

If you're interested in picking up where i left off, let's talk. I do have some conditions however which i think should be acceptable and are very much in keeping with a guide of this kind:

  • you must keep the guide up to date, always - a lot of people depend on this
  • i would like to see it remain as comprehensive as it is, covering all aspects of configuration, add-ons, etc. - a one-stop-shop for FF configuration as it were
  • the guide relies heavily on the arkenfox user.js and i think arkenfox is the best of such projects at this time - their user.js is very comprehensive and the project is very active and i'd like to see it remain an integral part of this guide

End update.

See the revision history at the end for a list of changes.

Before embarking on this journey into the bowels of Firefox, you may want to first read, Tor verses a VPN – Which is right for you?. If you choose to use the Tor Browser, you need not digest this guide.

Introduction

The following video will provide an overview of one aspect of what it is we're up against and why i wrote the Firefox configuration guides. I encourage everyone to view it, especially if you're one of the many people who aren't worried about surveillance because you 'have nothing to hide'.

Video: Prof Shoshana Zuboff on surveillance capitalism

This guide is long, boring, dry, tedious and somewhat technical, so if you don't feel comfortable digesting it give The Firefox Privacy Guide For Dummies! a shot instead, however be aware that it doesn't offer quite the same degree of protection.

To understand my personal position regarding the ethical nature of the Mozilla Foundation, read The Mozilla Monster.

WARNING: This guide is not for use with the Tor browser. Configuring the Tor browser as outlined in this guide may/will result in serious risks to your privacy and personal security.

Though this guide is centered around the Firefox web browser, users of other browsers, email clients and Mozilla products may find it useful. If you are interested in hardening the Thunderbird email client, see The Thunderbird Privacy Guide for Dummies!.

Many of us are aware of the immense threats to our on-line privacy and security posed by various technology companies, governments and malicious hackers, any of which may go to great lengths to monitor our electronic communications. Governments and their "intelligence" apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of many corporations to do so, including Microsoft, Google, Facebook, Verizon, Comcast, Amdocs and many, many others. While the data these corporations collect may be used for relatively benign purposes such as targeted advertising, the intentions are usually far more sinister. Governments, intelligence organizations and their contractors present a whole new level of threat. Much of what Edward Snowden has brought to light is not new, but it seems Snowden has presented the information in a way that has captured the attention of a broader range of the public, prompting many to seek ways to mitigate such threats.

While the primary goal of this guide is to help the reader thwart some of the more obvious efforts to track and profile us as we surf the web, as well as increase browser security and performance, understand that i am not an expert in computer security or privacy and there are surely many more variables and vectors for attack than i am aware of. For example, even if you are a knowledgeable, technically proficient and privacy conscious individual who uses open hardware devices running secure, open source software on a security enhanced operating system, and even if you connect to the internet only through Tor, you may still be at risk of being tracked because, disregarding everything else, your unique writing style can be used to identify you. It is not this level of sophistication that i will attempt to address here however. My goal is to share what i have learned over the years as a casual web surfer and computer user who has a hobbyist-grade interest in computer security and digital privacy. Having said that, i believe, and please correct me if i'm wrong, that this guide is currently one of the most comprehensive of its kind in that its scope includes Firefox configuration, extensions and optimizations. If you want to go further than i can carry you, see the resources section at the end which includes the fine article, Improve Your Privacy in the Age of Mass Surveillance. I would also highly recommend using a VPN to help prevent spying by your ISP and other bad actors. That One Privacy Site is a good resource for choosing a VPN, as is TorrentFreak which publishes annual reports regarding many of the popular VPN service providers. Their 2018 report is here.

As with any modern and mainstream web browser, Mozilla Firefox is a highly complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, hidden, or undocumented. Modern web browsers have reached the point where they exceed the complexity and size of entire computer operating systems in some cases and things can go down the toilet quickly if one starts messing around with browser settings willy-nilly. Poorly coded browser extensions are an additional weak point that can compound the problem. Here we will attempt to accomplish our goals in an efficient manner with a minimal number of carefully chosen and necessary browser extensions.

A trade-off must be expected when we tighten security and privacy insomuch as some websites will cease to function as we expect until the settings for those specific sites are adjusted. Anyone who has used a content filter such as uBlock, NoScript or Request Policy will understand that certain resources must be allowed for a given website to function in an acceptable way. Similar to NoScript however, the process of allowing required resources for a particular website usually consists of a few mouse clicks followed by a page refresh. Nevertheless, be prepared to put a little more effort into your web surfing activities initially and expect the occasional hard-case where more fiddling than usual will be required to get a particular site to work. As adjustments are made to your most visited websites your workload will decrease significantly and the pay-off will be a much cleaner, faster web that is less able to track, profile and fingerprint you, as well as a Firefox that is more resistant to attack.

A note regarding user comments

When reading the user comments on this page, keep in mind that this guide has been around since 2015 and, given the dynamic nature of the web and Firefox, some of the information in comments, including information provided by myself, may be obsolete or entirely wrong. Nevertheless i decided to retain all comments because... nostalgia. If you have any questions, ask.

Terminology

Add-on/extension: I use these terms interchangeably. A web browser add-on or extension is a piece of software, typically developed by a 3rd party individual or company, which extends the capability of the browser. Web extensions, which leverage the WebExtension API (Application Programming Interface), have replaced the older legacy (XUL/XPCOM) extensions beginning with Firefox version 57. The newer API is essentially the same as used by Google Chrome and some other web browsers. The WebExtension API is severely limited compared to the older API and while this is a plus with regard to browser security and stability, it also strictly limits what extensions are able to do.

AMO: Addons.Mozilla.Org - the Mozilla Add-ons website.

Crapware/malware: I consider crapware/malware to be software that contains code which is not relevant to the functionality users expect. As such, the term crapware, or malware, refers largely to adware, tracking code and any other malicious code with regard to web browser extensions. Much of this garbage is delivered by JavaScript (JS). Crapware is often added to browser extensions by a company or solo developer who wishes to monetize their work and often takes the form of profiling users and selling the data collected by the extension to a marketing company, however much worse is possible.

CDN: A Content Delivery Network is a service that hosts often bloated and insecure reusable content for idiot "web developers" that can't write good code themselves. This may include graphics and libraries which developers can leverage to make building crappy web platforms easier. CDN's often present a threat to our privacy by tracking our web activities and browser security by delivering insecure code. CDN's are used by many millions of websites and therefore the damage potential to both privacy and security is formidable. The use of CDN's is so prolific today that many websites will not function without them and so blocking them entirely is hardly an option.

CSS: Cascading Style Sheets are used primarily to apply visual styling to HTML elements, thus making web pages look pretty, however much like HTML and other web technologies, the capability of CSS has been expanded well beyond its original intention to the point where it too can be used for nefarious purposes.

Domain/subdomain/TLD: In the example 'sub.example.com', 'example' is the root domain, 'sub' is a subdomain of the root domain and 'com' is the TLD, or Top Level Domain. You can think of root domains and subdomains as sort of different containers which are used to separate content for a single website. For example, let's assume kitties.com is focused primarily on information about kittens, but they also might have a web store where they sell paper bags. In order to keep the store content separate, they may host the store on the subdomain 'shop.kitties.com'.

Fingerprinting: Web developers can employ a plethora of techniques in an attempt to identify your computer and thus track your on-line activities, though much of this relies on JavaScript being enabled. Your hardware, web browser and other environment variables all contribute to your uniqueness. This data may be gleaned from such things as querying the browser's capabilities, its cache, its viewport dimensions, what add-ons or plugins you have installed, your display resolution, your locale, your operating system, what fonts are installed and how they are rendered, the Canvas API and much more. This information can be obtained using various techniques, including through HTTP header data and JavaScript. For further information, see A Primer on Information Theory and Privacy and Panopticlick. See also the explanation for 'tracking' and 'web storage' below.

HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are communication protocols used by computers to transmit data over the internet. For HTTP an insecure, unencrypted connection is established between your web browser and the website you're visiting. This is dangerous because such a connection is vulnerable to ISP (Internet Service Provider) snooping and man-in-the-middle attacks. An HTTPS connection on the other hand offers a more secure connection because the data you send and receive is encrypted. Some web servers simply do not support HTTPS however and for this reason, as well as others, i would strongly suggest using a VPN.

JavaScript (JS): A powerful programming language used by many websites to run code locally on your computer. Although JavaScript is used by some websites for legitimate reasons, such as to make them interactive, it can be, and often is, used maliciously to perform a wide variety of attacks against the browser and your privacy. Many browser fingerprinting and tracking techniques depend on JavaScript; however, because it is so widespread and used for so many (largely unnecessary) things, it is enabled by default in every mainstream web browser.

Tracking: Once a unique identity for the browser has been established through fingerprinting, it is then possible to track your web browsing activities both within the same domain and across domains. See also the explanation for 'web storage'.

Web fonts/remote fonts: These are font packages typically hosted by a 3rd party (CDN), such as Google, which a web developer may use to specify how text is displayed on a website because they don't give a crap about your choices. Web fonts present a few problems regarding browser tracking and, potentially, security.

Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites, such as this one.

Web storage: In addition to HTTP cookies and object caching, most/all mainstream web browsers also allow a web server to store a great deal of data locally using several other storage methods including local and session storage, indexedDB storage, window.name storage, Etag cache storage, Local Shared Objects storage, Service Workers, offline storage, HTTP Strict Transport Security storage and other methods. Stored data for Firefox may consume up to 50% of your free disk space. If you are concerned about protecting your privacy, trust me, you have far more to worry about than the simple text cookies of yesteryear. The web has evolved and not in a good way.

Prerequisites

Code editor

You will need a decent code editor with syntax highlighting to edit Firefox's configuration files. Linux users should have something suitable installed by default, however if you're running Windows i might suggest Notepad++ or PSPad, the latter being the simpler of the two.

Unhide file extensions

If Windows is using you, the geniuses at Microsoft have taken it upon themselves to hide file extensions from the user. You will need to address that stupidity.

Getting Firefox

Though i personally recommend using the stable release version of Firefox, there are other versions such as the ESR (Extended Support Release), however it is usually an older version. There is also a Developer Edition which includes the very latest features (and bugs). While there are many 3rd party modifications and forks of Firefox, including Waterfox, Cyberfox, Pale Moon (or Basilisk from the same developer), etc., i do not recommend using any of them. The small development teams for these 3rd party builds often lag behind regarding security patches and they can be buggy and incompatible with the latest add-ons (Pale Moon doesn't support the newer Web Extensions at all apparently). While some forks may be more privacy-centric out of the box, we can accomplish essentially the same degree of privacy, or better, with the official version from Mozilla.

The user.js file

While the prefs.js file is the primary configuration file for Firefox, the user.js or user-overrides.js file (we'll get into that later) is where all your personal preferences are best kept. In our case we will be using a preconfigured user.js template and then supplementing that with a user-overrides.js file which will be appended to our user.js using a script.

The user.js file we will use is a result of a formidable effort by 'pants' and the rest of the 'arkenfox/user.js' crew and contributors. Their work became rather popular when it was published as A comprehensive list of Firefox privacy and security settings by Martin Brinkmann on ghacks.net. The project has since changed names and moved to GitHub, but don't download anything just yet.

Firefox post install cleanup

If you have been using Firefox, back-up your current profile before making any changes. If you don't know where your Firefox profile is, enter about:profiles in the address bar and click the 'Open Directory' button in the 'Root Directory' row. The easiest way to backup your profile is to select your profile folder under the /firefox directory and press Ctrl+C to copy the folder, then Ctrl+V to paste it in the same place but with a different name. I might suggest keeping the original name and just appending -bak to the copy. From this point on, all changes should be made to your original profile, leaving your backup profile untouched in case something explodes.

Next, delete all content in your original profile keeping only your bookmarks and whatever else you need if you're not starting with a fresh install. See the article Profiles - Where Firefox stores your bookmarks, passwords and other user data if you need help with what data is stored where in your profile folder.

System add-ons

Packaged with Firefox are a bunch of system add-ons which are installed without your consent and they are essentially hidden (they are not listed in about:addons). Some of these add-ons have been and may currently be used for highly controversial purposes such as collecting data without your consent. Typically i remove all of them, however you may want to keep some of them after researching what they do and whether you need them. On a Linux-based OS these add-ons might be found at /usr/lib/firefox/browser/features and for Windows in \Program Files (x86)\Firefox\browser\features or \Program Files\Firefox\browser\features . You can delete them from the terminal in Linux:

cd /usr/lib/firefox/browser/features
sudo rm *.xpi

These system add-ons will be reinstalled each time Firefox is upgraded. On Windows you can apparently use CCleaner to handle them. If you're running Linux with the pacman package manager (Arch, Manjaro, Artix, etc.), you can prevent their re-installation by editing the pacman configuration file, pacman.conf. Note that this will not work if using Pamac, the GUI package manager, until this bug is addressed. In my case i find it preferable to just bookmark the /features folder in my file manager and then run the command above each time i update Firefox.

Search engines

I recommend reading Firefox Search Engine Cautions and Recommendations which offers information about how Mozilla monetizes Firefox with the included search engine plugins and what can be done to opt out of their affiliate scheme should you so choose. While it may seem, and is in fact contradictory for me to recommend Firefox while suggesting to de-monetize Mozilla, i personally feel it is an ethical move given the utterly stupid and unethical things the company has pulled in the past and continues to do.

Required and suggested add-ons and settings

All of the add-ons listed here are of the WebExtension variety, all of which will work with the latest version of Firefox. Download and configure each add-on one by one. Each of these add-ons is important and so it's suggested to not skip any of them unless otherwise noted.

LocalCDN by nobody42

Note: This add-on is optional since the 'arkenfox' user.js negates the privacy aspect of connecting to CDNs, however LocalCDN will speed-up page loading so you may want to use it. Do note that it can break websites on rare occasions in which case the solution may be to enable the HTML filter option for that particular website, or LocalCDN can be disabled altogether for the site.

Description: Helps to prevent tracking and speeds-up page loading by using local copies of common JavaScript libraries rather than fetching them from a CDN.

Settings: Following are the most important settings. Others are optional.

  • Disable link prefetching: enabled
  • Strip metadata from allowed requests: enabled

Enabling the option to 'Block requests for missing resources' will break more websites and so the choice is yours.

Privacy-Oriented Origin Policy (POOP) by claustromaniac

Description: Helps to protect privacy by manipulating Cross-Origin Resource Sharing (CORS) requests.

Settings: I would recommend setting the 'Global mode' to 'aggressive' and enabling the 'Exclude root domain matches' and 'Spoof cross-origin Referer' options. You can also add the following to the 'Exclusions' area:

www.youtube.com *.googlevideo.com
www.youtube-nocookie.com *.googlevideo.com
*.dailymotion.com *.dmcdn.net

Skip Redirect by Sebastian Blask

Description: Skips link redirections such as used by Google, YouTube, AMO and many other websites, thus helping to prevent tracking. Redirects are intermediate links, such as 'click-track.com/abc123' or short links, that forward the browser to the final destination.

Settings: I would suggest enabling the pop-up option so that you know when Skip Redirect skips a redirect, other than that the default settings are sufficient. You will likely have to whitelist sites that no longer work properly which Skip Redirect makes easy to do since you can copy the last skipped URL by right-clicking its toolbar icon and then adding that URL or domain to the blacklist.

uBlock Origin (uBO)

Description: uBlock Origin is an excellent ad/content blocker that can use the same filter lists as Adblock Plus as well as many more. Make sure you use the original uBlock Origin by Raymond Hill and no other. It is important that you enable advanced mode in uBO and learn how to use its dynamic filtering capabilities.

Settings: See the uBlock Origin Suggested Settings Guide and use the settings in the 'Advanced guide settings' column.

Additional add-ons

For more possibilities regarding add-ons, see Firefox Extensions: My Picks.

Automatic add-on updates

The tl;dr version: Do NOT enable automatic add-on updates. The longer version...

Regarding automatic add-on updates, which is enabled by default in Firefox, this function is disabled in the 'arkenfox' user.js file and i would strongly suggest keeping it disabled. Automatic checking for updates is fine and this is enabled in the 'arkenfox' user.js, but we do not want Firefox to update add-ons without our explicit consent. The problem here is that developers may, at any time, and without notice, monetize their add-on or sell their work to an unethical 3rd party and this often results in compromising your privacy. Examples of some currently or formerly popular add-ons which contain(ed) such crapware are Abduction, a screen capture utility; Quick Locale Switcher, a language switcher; FasterFox Lite, a largely useless utility which claims to speed-up Firefox but doesn't; BlockSite, a content blocker; Stylish, a very popular utility for changing the appearance of websites, and many, many others. Not all of these extensions contained crapware when they were first introduced which is why i strongly suggest keeping automatic add-on updates disabled and carefully reviewing the change logs, permissions and privacy policies each time an update is available. The Extension source viewer add-on by Rob W. is a handy tool for reviewing the source code of any add-on on AMO while visiting the site. For more about Firefox add-ons, see Firefox Extensions – My Picks.
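As an added example (not part of the original guide, and not code from any add-on or from Mozilla), here is one way to do the permissions part of that review before accepting an update: compare what the manifest.json inside the old and new .xpi files asks for. The two manifests are constructed samples and the function names are hypothetical.

```python
import io
import json
import zipfile

# Host patterns that give an add-on access to every site you visit.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
GRANT_KEYS = ("permissions", "optional_permissions", "host_permissions")

def manifest_grants(xpi_bytes):
    """Return (version, grants) read from manifest.json inside an .xpi (a zip)."""
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as z:
        manifest = json.loads(z.read("manifest.json"))
    grants = {k: {p for p in manifest.get(k, []) if isinstance(p, str)}
              for k in GRANT_KEYS}
    # Content scripts run inside matching pages, so their match patterns
    # are effectively host access too.
    grants["content_script_matches"] = set()
    for script in manifest.get("content_scripts", []):
        grants["content_script_matches"].update(script.get("matches", []))
    return manifest.get("version"), grants

def diff_update(old_xpi, new_xpi):
    """Report what the new version requests that the installed one did not."""
    old_ver, old = manifest_grants(old_xpi)
    new_ver, new = manifest_grants(new_xpi)
    added = {k: sorted(new[k] - old[k]) for k in new if new[k] - old[k]}
    removed = {k: sorted(old[k] - new[k]) for k in old if old[k] - new[k]}
    broad = sorted({p for items in added.values() for p in items
                    if p in BROAD_HOSTS})
    return {"from": old_ver, "to": new_ver, "added": added,
            "removed": removed, "needs_review": bool(added),
            "broad_host_access": broad}

def make_xpi(manifest):
    """Build a minimal in-memory .xpi so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("manifest.json", json.dumps(manifest))
    return buf.getvalue()

# Constructed sample: a small utility that starts asking for far more access.
OLD_XPI = make_xpi({"manifest_version": 2, "name": "Sample Tool",
                    "version": "1.4.0",
                    "permissions": ["storage", "activeTab"]})
NEW_XPI = make_xpi({"manifest_version": 2, "name": "Sample Tool",
                    "version": "1.5.0",
                    "permissions": ["storage", "activeTab", "webRequest",
                                    "<all_urls>"],
                    "content_scripts": [{"matches": ["*://*/*"],
                                         "js": ["inject.js"]}]})

if __name__ == "__main__":
    print(json.dumps(diff_update(OLD_XPI, NEW_XPI), indent=2))
```

An empty 'added' result only means the manifest did not change; the change log, privacy policy and source still need the review described above.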

Firefox configuration

This guide depends heavily on the 'arkenfox' user.js configuration file which alters hundreds of important Firefox preferences related to privacy and security, thus you need not worry about manually configuring anything from the Preferences menu of Firefox other than a search setting which we'll get to. If you choose to not use the 'arkenfox' user.js, then your job is likely to be considerably more difficult assuming your goals are similar. Still, you may find it helpful to refer to the 'arkenfox' project should you choose to start from scratch.

Search bar on navigation bar

I would suggest adding the search bar to the navigation bar and using it instead of the address bar for searching the web. Not only might you find it more convenient, but there are potential privacy concerns when searching from the address bar. To accomplish this, open the Firefox Preferences page, click the Search item on the left, then enable the option 'Add search bar in toolbar'.

Firefox profile in RAM

With the wide adoption of speedy Solid State Drives (SSDs), the concept of sticking the Firefox profile in RAM for performance reasons may seem obsolete, however there are still benefits to doing so.

If you don't want to disable disk caching, web storage and cookies globally, and thus break a lot of websites in the process, there will be substantial read and write activity for your storage media. Placing your Firefox profile in RAM will alleviate much of this, however doing so can be risky should a catastrophic failure occur, such as a power failure which could result in data loss or corruption. Fortunately there are ways to minimize this risk.

If you use Windows you're on your own since i don't, suffice to say that there exists Windows compatible software that can manage RAM disks and backup your profile to your storage media ('Bushdoctor' provides a method in a comment left on this article). Those using most any flavor of Linux have access to a very spiffy utility called Profile-sync-daemon (PSD) which is designed specifically for this task and it works with quite a few browsers. Check your package manager to see if it's available in your repository. To get PSD working, run man psd in a terminal or consult the guide on the Arch wiki. Setting it up was very easy in my case and it has worked flawlessly and transparently ever since.

Cache

Note that Firefox stores its web cache in a location other than the profile directory. On Linux you might find it in /home/[user]/.cache/mozilla/firefox/ . Normally you would have to deal with web cache separately if you wanted to store it in RAM also, however since disk caching is completely disabled in the 'arkenfox' user.js (cache is stored in memory) and the cache is dumped when you exit Firefox, you need not worry about it. If you're thinking it would be more efficient to keep the browser cache instead of having to re-download objects for the websites you visit frequently, you're right, however doing so can compromise your privacy. We won't exactly be dumping all of the browser cache either since we're using the LocalCDN add-on.

Configuration files

Keep the following hierarchy in mind as you read this section. When Firefox starts:

  1. prefs.js is read by Firefox
  2. user.js is read by Firefox - all preferences in the user.js file are copied to the prefs.js file and any preferences that are duplicated in both files are overridden by those in user.js - prefs.js is then used to generate what you see in about:config
  3. user-overrides.js is never read by Firefox but these preferences are appended to the 'arkenfox' user.js with a script (preferred) or by manual copying. If using the 'arkenfox' user.js then the user-overrides.js is the only file you should edit and it is where all your custom preferences should be placed. This may defy conventional knowledge, so let me be clear:

If you are going to use the 'arkenfox' user.js file then you should never edit it, (nor the prefs.js file that Firefox creates) nor should you change important settings from about:config unless you're only testing something. All of your custom preferences should be placed in your user-overrides.js file and then appended to the 'arkenfox' user.js using their updater script.

One reason for this is because the 'arkenfox' user.js file is quite large and is updated frequently, so if you edit it and then update it, all your custom changes will be lost, whereas if you copy the preferences you want to alter from the 'arkenfox' user.js to your user-overrides.js and change the values there, then updating the 'arkenfox' user.js will be a lot less painful. On the other hand, should you choose to not use the 'arkenfox' user.js, then you should add your changes to your own user.js instead of using my user-overrides.js and you can ignore everything stated here about the user-overrides.js. Either way, never edit the prefs.js file directly or by way of about:config unless you're just testing.

If you do not have a general understanding of the user.js file, you may want to read this on the 'arkenfox' wiki. You should also poke around elsewhere in the wiki for detailed information on using and maintaining their user.js file.

Obtaining and maintaining the user preferences files

In your profile folder, delete or rename your existing user.js file if you have one. You can transfer any needed settings later if they are not already covered in the 'arkenfox' one. Next, i might suggest considering my user-overrides.js file. Go to the 12bytes.org/Firefox-user.js-supplement at my Codeberg.org repository and download the user-overrides.js file to your Firefox profile directory. The easiest way to get the file without messing up the formatting is to view the raw file, then press Ctrl+S to save it to your Firefox profile directory. Next, open the file for editing using your code editor and follow the instructions within.

After that we want the 'arkenfox' user.js from the arkenfox GitHub repository but you need not download it directly. Instead, grab their updater.sh (Linux) or updater.bat (Windows) script by clicking the file name, then clicking the 'Raw' button in the new page and pressing Ctrl+S to save the file to your Firefox profile directory. Use the same method to get a copy of their prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) and place it in your Firefox profile directory. The prefsCleaner script will reset any deprecated, removed, or inactive preferences and it's important that you do this whenever you update the user.js. If you're running Linux, don't forget to make the files executable. Next, run the updater script in a terminal to fetch the 'arkenfox' user.js ( $ ./updater.sh ). The script will automatically append the contents of your user-overrides.js to the 'arkenfox' user.js if it finds one.

At this point it is important to go through the entire 'arkenfox' user.js file and read all of the comments and review each of the settings to be sure everything is configured the way you want. As stated above, any preferences you want to change in the user.js file should be copied to your user-overrides.js file where you will then change their values. Note that if you ever add and then comment out or delete a custom preference in your user-overrides.js which is not contained in the 'arkenfox' user.js, and you have run Firefox after doing so, that setting will remain in the prefs.js file. The safest way to remove such preferences is to open about:config in Firefox and reset them.

Over time it is possible that your user-overrides.js file will contain preferences that are obsolete. The 'arkenfox' user.js file contains a list of some of these preferences in [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED and these preferences should be removed from your user-overrides.js file. One very tedious way to do this is to go through the list line by line and see if they are duplicated in your user-overrides.js. An easier way is to use the -c switch (documentation here) when you run the updater script which will output a 'diff' file containing the differences between the old user.js and the new one.

I suggest you run the updater script with the -c option (Linux only) every time you update the user.js file or make changes to the user-overrides.js file. This will create a "diff" file containing the differences between the old and current versions. You can read more about the updater script here and the cleaner script here.

Verifying the integrity of user.js

IT IS VITAL that you perform two integrity checks whenever the 'arkenfox' user.js file is updated or you have edited the user-overrides.js file if you're using one.

From the 'arkenfox' crew:

In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.

They reference the article, 'A New Preferences Parser for Firefox' if you're interested in knowing more.

To perform this check, you might want to disable your network connection so that, in the event there is a problem with a preference, Firefox cannot connect to the network and potentially allow data to flow in or out which you may have wanted to avoid. With that done, start Firefox and open the Browser Console from the Web Developer toolbox (Ctrl+Shift+J might work) and check for any preference errors by pressing Ctrl+F to open the find dialog and entering 'pref' or 'user' and seeing if any errors point to preferences in your user.js file (other errors and warnings can usually be ignored).

Now we will further check the integrity of the user.js file and, by extension, also the user-overrides.js file since the content of the latter was copied to the end of former with the updater script.

You may have noticed a bunch of unusual looking _user.js.parrot preferences in the 'arkenfox' user.js as well as in my user-overrides.js if you're using it. These are used to find the approximate location of any syntax errors. When you run Firefox for the first time after updating the user.js or making changes to your user-overrides.js, check the value of the troubleshooting preference by entering about:config in the address bar and searching for the _user.js.parrot preference (it may be the first one listed without having to search). The value should match the very last _user.js.parrot preference value in your user-overrides.js or, if you are not using a user-overrides.js, then it should be the last value in the 'arkenfox' user.js.

If you're using only the 'arkenfox' user.js, the value should be "SUCCESS: No no he's not dead, he's, he's restin'!".

If you're also using my user-overrides.js, the value should be "SUCCESS! USER-OVERRIDES SETTINGS LOADED".

If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section of the user.js or user-overrides.js the syntax error lies. While it cannot narrow down the problem to a specific preference or line number, at least you will know where to begin looking.
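The parrot comparison can also be scripted once Firefox has been started and closed again. This is an added example, not part of this guide's files or of the arkenfox project. It assumes the loaded _user.js.parrot value has been written to prefs.js in the profile directory; the file contents and the numbered section parrots are constructed, and only the final SUCCESS string comes from this guide.

```shell
#!/bin/sh
# Added example: automate the _user.js.parrot comparison described above.
# All file contents used by the demo are constructed samples.

# list_parrots FILE
# Print "LINE<TAB>VALUE" for every active _user.js.parrot pref in FILE.
# Lines that start with // do not match, so commented-out prefs are skipped.
list_parrots() {
    awk '
        /^[ \t]*user_pref\("_user\.js\.parrot"/ {
            v = $0
            sub(/^[^,]*,[ \t]*"/, "", v)   # drop everything up to the value
            sub(/"[ \t]*\);.*$/, "", v)    # drop the closing quote and the rest
            printf "%d\t%s\n", NR, v
        }' "$1"
}

# check_parrot USER_JS PREFS_JS
# Print one result line. Returns 0 on match, 1 on mismatch, 2 on bad input.
check_parrot() {
    expected=$(list_parrots "$1" | tail -n 1 | cut -f2-)
    loaded=$(list_parrots "$2" | tail -n 1 | cut -f2-)
    if [ -z "$expected" ]; then
        echo "ERROR: no _user.js.parrot pref found in user.js"
        return 2
    fi
    if [ "$loaded" = "$expected" ]; then
        echo "OK: $loaded"
        return 0
    fi
    if [ -z "$loaded" ]; then
        first=$(list_parrots "$1" | head -n 1 | cut -f1)
        echo "MISMATCH: no parrot stored, look above user.js line $first"
        return 1
    fi
    # Find the stored value in user.js and the parrot that follows it. The
    # first pref that failed to load sits between those two lines.
    msg=$(list_parrots "$1" | LOADED="$loaded" awk -F '\t' '
        BEGIN { want = ENVIRON["LOADED"] "" }     # "" forces string compare
        hit && !nxt       { nxt = $1 }
        ($2 "") == want   { hit = 1; start = $1; nxt = 0 }
        END {
            if (hit)
                printf "MISMATCH: first failing pref is between user.js lines %d and %s\n", start, (nxt ? nxt : "EOF")
        }')
    [ -n "$msg" ] || msg="MISMATCH: stored value is not in user.js (stale prefs.js?)"
    echo "$msg"
    return 1
}

# make_parrot_sample DIR: write a constructed user.js / prefs.js pair in
# which the stored parrot is the second of three.
make_parrot_sample() {
    cat > "$1/user.js" <<'EOF'
// constructed sample, not the real arkenfox user.js
user_pref("_user.js.parrot", "0100 constructed section");
user_pref("browser.startup.page", 0);
user_pref("_user.js.parrot", "0200 constructed section");
user_pref("network.trr.mode", 5
// user_pref("_user.js.parrot", "commented out, ignored");
user_pref("_user.js.parrot", "SUCCESS! USER-OVERRIDES SETTINGS LOADED");
EOF
    cat > "$1/prefs.js" <<'EOF'
// constructed sample of what Firefox wrote to prefs.js
user_pref("_user.js.parrot", "0200 constructed section");
user_pref("browser.startup.page", 0);
EOF
}

demo_dir=$(mktemp -d)
make_parrot_sample "$demo_dir"
check_parrot "$demo_dir/user.js" "$demo_dir/prefs.js" || :
rm -rf "$demo_dir"
```

A match only shows that parsing reached the last parrot, so the Browser Console check described earlier is still needed.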

Updating the user.js and user-overrides.js files

To update the 'arkenfox' user.js file, run the updater script (you can add the -c switch as explained earlier if you're running a Linux OS). To update my personal user-overrides.js file, just copy the contents of the new version to your user-overrides.js, then run the updater script. Lastly, always run the 'arkenfox' prefsCleaner script with Firefox closed whenever you update the user.js or my user-overrides.js.

The 'arkenfox' user.js is updated frequently and so you'll need to check for updates regularly. There are two ways you can check for updates if you're running Linux and one if you're running Windows, however there's only one (easy) way to actually update the user.js and that's by using the 'arkenfox' updater script.

If you're using a Linux-based OS you can use my user.js-notify.sh script to be automatically notified via a desktop notification when:

  • the 'arkenfox' user.js is updated
  • my user-overrides.js is updated
  • this guide is updated

You can add the script to your startup programs so it runs each time you log-on to your desktop, or run it automatically some other way. Instructions for implementing the script are contained within the script. Open the file with a code/text editor to read the instructions and edit the options.

To check for a new user.js if you're running Windows, or to actually update the file, exit Firefox and run the 'arkenfox' updater script. If you're running Windows, or if you're running Linux and don't wish to use my user.js-version-checker.sh script, you should run the updater script every week or so in order to check for a new version. You always want the user.js version that corresponds to the major version of Firefox, so if the updater script says Available online: * version 80-alpha and you're running Firefox version 79.0.1, you'll want to cancel the update because 80 doesn't equal 79.

Each time you run the updater script, be sure to follow it up by running the prefsCleaner script with Firefox closed.

To be notified of updates to my user-overrides.js file you can subscribe to the news feed for the Firefox category or watch the front page feed.

DNS over HTTPS (DoH)

In the alleged interest of privacy, Firefox has added code which allows you to route all DNS look-ups over HTTPS to a resolver of your choice. Typically DNS queries are routed through your ISP, so while they cannot view your traffic as long as it's encrypted (HTTPS), they can see what websites you visit and this is a serious privacy concern. There are several ways to mitigate this, one of them being to use a VPN that provides DNS services. Another is to enable DoH within Firefox, however this will only protect your browser and not any other programs on your system that connect to the internet. Moreover, there seems to be a lot of controversy regarding DoH, so before you enable this setting you might want to watch the video, Paul Vixie talks about DNS over HTTPS, and read this on Wikipedia, and also the article, Mozilla is becoming evil.

Part of the DoH system in Firefox can be controlled with the preference network.trr.mode, however it is easier to simply use the Preferences UI to do so (Preferences > General > Network Settings > Connection Settings). The default DNS resolver is Cloudflare, but given what i have read about this company, i would highly suggest not using it. You might want to do some research and locate a privacy-centric DNS resolver to use for DoH should you decide to enable DoH.

If you decide to use my user-overrides.js preferences file, note that it disables DoH by setting network.trr.mode to '5' (i use a VPN that provides DNS). You will need to change that if you want to enable DoH.

policies.json

Thanks to 'AHappyUser' for reminding me about the policies.json configuration file which can be used to control how Firefox behaves, particularly in enterprise environments. 'AHappyUser' linked to the Controlling Firefox section of the article, Mozilla is becoming evil - be careful with Firefox, which provides a few examples of what can be done with the policies.json file. Note that all of the examples given can be controlled via preferences in your user.js file so there is no need to create the policies.json file, however i mention it because some folks may find it useful. For more information regarding what can and cannot be done with policies.json, see the Mozilla repository on GitHub.

Persistent web storage (cookies, etc.)

A problem that will likely creep up at some point is a website not saving settings across browser sessions that you wanted to save, such as search engine settings for example (If you want to learn more about alternative search engines, read Alternative Search Engines That Respect Your Privacy). To save this data you will need to edit the permissions for the domain and there are two easy ways to access them; you can click the padlock icon in the address bar, then the right-facing arrow, then "More information", or simply hit Ctrl + I. In the window that opens, click the "Permissions" icon and scroll down until you see the "Set Cookies" item. Finally, deselect the "Use Default" preference and select the "Allow" preference. Firefox will now save the website data for the domain you're visiting even after it is restarted.

THE END (lie)

While there are many more things you could do if you're really concerned about protecting your privacy and browser integrity, i hope this guide has been of some use to the technically adept novice or intermediate web surfer at which it is aimed. Understand however that there are threats present in almost all computers which users have little or no control over regardless of what software or operating system is used. Such threats include the Unified Extensible Firmware Interface (UEFI) which has all but replaced the Basic Input/Output System (BIOS) for booting the computer. Intel's Management Engine (IME) and AMD's Secure Processor (SP) / Platform Security Processor (PSP) present a massive threat to security and privacy for virtually everyone using any Intel or AMD powered device.

Lastly, if you are using a proprietary operating system, be it Windows or any other, it is absolutely crucial that you move to a more secure, open source OS such as Linux. The importance of doing so cannot be overstated in my opinion. For more information, read the free book, Free Yourself from Microsoft and the NSA.

I welcome any questions or comments you may have, just please leave them in the comment section so others can benefit (you need not be logged in).

IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and it's the best way to stay informed.

Credits

I must thank all of the dedicated and skilled people who created, maintain and contribute to the arkenfox/user.js repository, especially Thorin-Oakenpants (aka, 'pants') and earthlng. This guide would never have been as comprehensive as it is without the benefit of that bunch of misfits :) Also i'd like to thank the many people who make privacytoolsIO possible. Their website is an excellent resource for those looking to protect their privacy and security.

Also i thank the many people who have left comments here, many of which have been very helpful in correcting, maintaining and improving this guide.

Resources

Further reading on this website

The 'arkenfox' repository on GitHub

Everything else

Revision history

25-Feb-2022

  • removed CSS Exfil Protection

18-Feb-2022

  • removed Clear URLs add-on - it's unnecessary given the 'arkenfox' user.js and updated suggested settings for uBlock Origin

17-Jan-2022

  • removed CanvasBlocker
  • removed Cookie AutoDelete (rather obsolete with dFPI and v96 of arkenfox user.js, plus due to delayed cleaning it doesn't offer the level of protection we want)
  • removed section on HSTS tracking (largely if not entirely obsolete)
  • added 'Persistent web storage' section

5-Jan-2022

  • changed user-overrides.js successful loading parrot from "SUCCESS! USER SETTINGS LOADED" to "SUCCESS! USER-OVERRIDES SETTINGS LOADED"

29-Nov-2021

  • removed all references to uMatrix since it's no longer developed and is becoming less effective as time ticks on - uM users are advised to use uBO in advanced mode instead
  • corrected some information and made some minor changes to language

5-Jan-2021

  • changed wording for the suggested uMatrix settings in the 'Settings, Convenience' section

4-Dec-2020

  • trivial edit

1-Dec-2020

  • updated info for the privacy settings for uMatrix
  • removed HTTPZ add-on and associated info - no longer needed since Firefox v83 as long as dom.security.https_only_mode is enabled
  • added a note in ClearURLs settings regarding hyperlink auditing
  • minor clarifications, edits

10-Oct-2020

  • minor edits and clarifications in the 'Terminology' section

8-Oct-2020

  • changed recommendation for the use of CAD (i DO recommend it) - see sections 'Cookie AutoDelete by CAD Team' and 'Cookie AutoDelete (CAD) usage'
  • minor edits

7-Oct-2020

  • added info about the user.js-notify.sh script

27-Sep-2020

  • reversed the order of this revision history so the latest changes are at the top - big sloppy kiss to 'Anon' for helping with that

24-Sep-2020

  • added notes to CanvasBlocker, Cookie AutoDelete and LocalCDN stating that they are optional - the reason they are optional is because of settings in the 'arkenfox' user.js, particularly privacy.firstparty.isolate, privacy.resistFingerprinting and the clearing of storage on browser exit - many readers may see this decision as strange, in which case i'd recommend reading the Questions regarding compartmentalization, extensions and uniqueness thread in the 'arkenfox' user.js issues
  • for uMatrix several suggested settings in the "Settings, Privacy" section were removed, these being:
    • Delete blocked cookies
    • Delete non-blocked session cookies minutes after the last time they have been used
    • Delete local storage content set by blocked hostnames
    • Clear browser cache every minutes
    • Strict HTTPS: forbid mixed content
  • added info in the 'Cookie AutoDelete by CAD Team' section instructing how to save storage for a website if not using CAD

12-Sep-2020

  • added info about how to automatically be notified when a new version of the 'arkenfox' user.js is available (Linux only) in the 'Updating the user.js and user-overrides.js files' section
  • minor edits

25-Aug-2020

  • replaced Site Bleacher with Cookie AutoDelete (CAD) - search for "Cookie AutoDelete" to see the edited content
  • minor edits

23-Aug-2020

  • added info about importing rules from LocalCDN to uMatrix - see the paragraph beginning with "If you're using the LocalCDN add-on"
  • added link to article, How to setup uMatrix [a beginners guide] | Step-by-step with pictures
  • added info about having to reload (vs. refresh) a page when allowing frames in uMatrix - see paragraph beginning with "Note that any time you allow frames"

18-Aug-2020

  • minor edit

16-Aug-2020

  • minor edit

13-Aug-2020

  • added a bit more info to the 'THE END' section regarding AMD and Intel backdoors

16-Jul-2020

  • slight change to the uMatrix section regarding the spoof noscript option

13-Jul-2020

  • added information about the uMatrix option 'Spoof <noscript> tags when 1st-party scripts are blocked' and how this can break the displaying of images when the option is disabled.

5-Jul-2020

  • added the video, Prof Shoshana Zuboff on surveillance capitalism

28-Jun-2020

23-Jun-2020

  • added info to the uMatrix usage section about solving a problem regarding uMatrix and file downloads
  • very minor edits

6-Jun-2020

  • removed info about CSP (Content Security Policy) issue since this is fixed in Firefox v77
  • adjusted Canvas Blocker settings to accommodate for absence of CSP issue
  • added the policies.json section
  • added section 'DNS over HTTPS (DoH)'

5-Jun-2020

  • minor clarifications/edits

2-May-2020

  • minor clarification in the uMatrix section regarding LocalCDN rules for uBlock Origin

28-Apr-2020

  • removed invalid uM directive: no-workers: 1st-party false - thanks to 'theltalpha' for pointing this out

24-Apr-2020

  • replaced remaining references to Decentraleyes with LocalCDN
  • updated the URL for the uBlock Origin Suggested Settings Guide

23-Apr-2020

  • updated uMatrix settings and information regarding web/service workers (added a directive to allow 1st party workers by default for less breakage)

18-Apr-2020

  • slight edits to the 'Verifying the integrity of user.js' for clarification

15-Apr-2020

  • added the 'A note regarding user comments' section

5-Apr-2020

  • swapped out Decentraleyes for LocalCDN - thanks to commenter 'theltalpha' for reminding me about this

21-Mar-2020

  • removed ETag Stoppa since eTag filtering is now handled by ClearURLs
  • added detail regarding ClearURLs settings

10-Mar-2020

  • minor updates/clarifications

18-Feb-2020

  • minor edits to uBlock, uMatrix and HTTPZ settings

7-Feb-2020

  • added ETag Stoppa
  • added more info regarding browser fingerprinting

23-Jan-2020

  • minor edits

13-Jan-2020

  • updated info for CanvasBlocker

29-Nov-2019

  • minor edit

18-Nov-2019

  • added a note to Canvas Blocker marking it as optional
  • added a note regarding the no-workers: * true setting in uMatrix

6-Nov-2019

  • stuck the uBlock config stuff on its own page

18-Oct-2019

  • moved my user-overrides.js from GitLab to Codeberg code repository

13-Jun-2019

  • updated setup instructions for HTTPZ
  • minor edits

8-Jun-2019

  • very minor edit

27-May-2019

  • added note that this guide is not intended to be used with the Tor browser
  • minor edits

23-May-2019

  • added a note about enabling the search bar on the navigation bar
  • minor edits

21-May-2019

  • moved my Mozilla rant to a separate page
  • added a cryptominer block filter URL to uBlock

17-May-2019

  • removed mention of LibreFox (project is currently stalled due to legal nonsense)
  • minor corrections, clarifications and edits

7-May-2019

6-May-2019

  • minor edits

1-May-2019

  • minor edits

24-Apr-2019

  • several clarifications and minor edits

23-Apr-2019

  • removed info about manually cleaning the user-overrides.js file in favor of using the -c switch when running the updater.js/updater.bat script
  • added Site Bleacher to list of required add-ons
  • removed all info regarding containers as well as the Temporary Containers and Firefox Multi-Account Containers add-ons - i prefer to enable privacy.firstparty.isolate (the default in the 'arkenfox' user.js) in combination with Site Bleacher (far less headaches)
  • replaced Neat URL with ClearURLs - while the former is a good extension, i think the latter is even better
  • replaced Smart HTTPS with HTTPZ
  • moved all add-on settings info to the required add-ons section
  • uBlock: added info for globally blocking 3rd party fonts while allowing 1st party fonts
  • misc. edits

29-Mar-2019

  • added instructions for cleaning user-overrides.js of obsolete preferences
  • minor edits

28-Feb-2019

  • added a link to a comment by 'Bushdoctor' who was kind enough to provide information about loading Firefox profiles in RAM for Windows users

22-Jan-2019

  • updated info on HSTS tracking
  • updated info regarding downloading my user-overrides.js file

17-Jan-2019

  • minor polishing

12-Jan-2019

  • clarify information regarding the downloading of the configuration files thanks to a commenter
  • updated user-overrides.js
  • fix minor typo

3-Jan-2019

  • minor edit

29-Dec-2018

  • added some more info regarding HSTS tracking and the SiteSecurityServiceState.txt file based on user feedback - it appears some AV's might have a problem if this file is set to read only
  • added a new resources section specific to the 'arkenfox/user.js' GitHub repo
  • added Temporary Containers (TC) add-on and associated info - this results in several major changes throughout the guide
  • added Firefox Multi-Account Containers add-on and associated info - this is used in conjunction with the TC add-on
  • added 'Using containers' section
  • removed Canvas Blocker add-on - not needed with TC
  • removed Restrict to Domain add-on - not needed with TC
  • removed Don't touch my tabs! add-on - (probably) not needed with TC
  • removed Header Editor - not needed for what we were using it for since the function is handled by TC
  • re-added privacy.firstparty.isolate = false to user-overrides.js
  • edited some uMatrix info regarding its privacy settings to reflect changes as a result of the TC add-on
  • added more info about importing rule-sets for uMatrix
  • moved Smart HTTPS add-on to the required section
  • moved Skip Redirect add-on to the required section
  • removed the suggested add-ons section
  • corrected mistakes and updated info in the section regarding integrity checking of the user.js/user-overrides.js files
  • reworked and updated the entire user-overrides.js file
  • removed mention of the template user-overrides.js file and associated download link - user should use the one provided in my GitLab repo
  • several minor edits/clarifications

26-Dec-2018

  • add notice about newsletter subscribing
  • corrected advice regarding spoofing the referrer which was suggested for both POOP and uM (now it's enabled in uM only)
  • dumped Cookie AutoDelete add-on - not needed when using uM and First Party Isolation, nor are any of these storage cleaning add-ons able to delete IndexedDB storage due to a shortcoming in the WebExt API, which is another reason to enable FPI
  • removed privacy.firstparty.isolate = false in user-overrides.js in order to enable First Party Isolation
  • added Restrict to Domain add-on to toggle privacy.firstparty.isolate (FPI) via toolbar button
  • removed the list of optional add-ons (NoScript and Smart Referrer)
  • minor edits
  • coming up: looks like i may be recommending to disable FPI in the very near future and use the Temporary Containers add-on instead - i'm playing with it now

22-Dec-2018

  • minor clarifications

21-Dec-2018

  • added POOP as a required add-on and accompanying configuration information
  • configuration information for Neat URL was located in the wrong section
  • minor polishing

11-Dec-2018

  • clarified much information regarding the user.js files as well as other parts
  • added more info about browser fingerprinting
  • added more detail regarding system add-ons
  • added a user-overrides.js template
  • updated Header Editor rules download
  • added several more 3rd party resources
  • misc. minor edits

30-Nov-2018

  • added more info to the uMatrix section, particularly about indexedDB storage
  • minor edits

27-Nov-2018

  • added info about HSTS tracking
  • minor edits

2-NOV-2018

  • added info about using the user created rule sets for uMatrix, as well as correcting some mistakes and clarifying other uM info
  • polishing

31-OCT-2018

  • add Cookie AutoDelete as a highly recommended add-on and updated configuration information for uMatrix to allow 1st party cookies by default
  • removed information about the Forget Me Not add-on
  • added information about First Party Isolation
  • added rule to uM to prevent web workers
  • added information about the uBO and uM logging functions
  • corrected some mistakes
  • polishing

30-OCT-2018

  • added uMatrix to the add-on pile again
  • added the uMatrix sections of this document
  • removed info about running uBlock in advanced mode since we're using uMatrix for dynamic filtering instead
  • several minor edits
  • polishing

27-OCT-2018

  • lots of clarifications and polishing, added several resources

26-OCT-2018

  • added the section 'Firefox profile in RAM'
  • misc. other minor edits

25-OCT-2018

  • rewrote most of this guide, so if you read it before, read it again :)

24-OCT-2018

  • removed cryptocurrency miner section
  • removed information about the OpenH264 Video Codec plug-in since it seems Firefox is no longer shipping it, at least not on Linux
  • removed the Load from Cache add-on
  • removed some information about uMatrix since uBlock Origin covers most everything uMatrix does and is better suited for removing advertisements, plus it's a much more active project.
  • updated some information
  • note that many more updates will occur in the next days, so i would suggest waiting until they are published before following this guide

2-MAR-2018

  • minor edits

19-DEC-2017

  • added a link to my post about the Firefox add-on, Looking Glass
  • misc. minor edits

11-DEC-2017

  • added to the list of recommended add-ons
  • updated some content to reflect the current state of Firefox and WebExtensions
  • misc. minor edits

30-SEP-2017

  • added more info about IndexDB storage in the "Terminology" and "uMatrix configuration" sections.

27-SEP-2017

  • added section "A special note about cryptocurrency miners"

22-SEP-2017

  • i didn't keep track of all the changes and many were made - you'll have to re-read the guide :)

11-DEC-2017

  • added some add-ons to the recommended section
  • misc. minor edits

17-SEP-2017

  • rewrote and updated much of the content pertaining to uMatrix
  • added section "Removing system add-ons"
  • added section "Sanitizing the default search engine plugins"

12-MAR-2017

  • deleted the GitHub repository which i forked from Pants' 'arkenfox' repository and created a new repository which does not include his code
  • some changes to user.js
  • some major editing of this document mostly in regard to the creation and changes of the GitHub repositories

20-FEB-2017

  • updated user.js to version 51r2 - see the GitHub page for the change-log
  • updated info here regarding the user custom preferences section of user.js

19-FEB-2017

  • published my user.js on GitHub which was forked from Pants' code
  • removed my user.js code from this page and linked to it on the GitHub page instead
  • changed my versioning scheme to match Pants' where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
  • updated user.js to include v51 of Pants' config - no preference changes so far as i know, just added/removed/changed comments
  • updated text in user.js section to account for the new changes
  • changes to comments and troubleshooting preference names and values, other minor changes

18-FEB-2017

  • switched to using Pants' config v0.11 and mostly just appending my settings to the end of his - because this is a major update, no history of changes to individual preferences will be published

28-SEP-2016

  • removed Extension Defender from the list of recommended add-ons since its home page is gone and the code hasn't been updated in two years
  • updated user.js file

16-SEP-2016

  • removed duplicate preferences in user.js file (see change-log in the file for details)

3-JUL-2016

  • changed the name of the troubleshooting/bogus preference to 12bytes.org-user-js-settings and added values to indicate the point at which the file stopped loading - a huge thanks to commenter 'Pants' for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, 'Pants' is the author of the user.js config file used in the 'arkenfox' article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i'm very glad to have his input here)

1-JUL-2016

  • corrected 'plugin.scan.*' values to be strings
  • added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems

23-JUN-2016

  • added some basic information for configuring the Clean Links add-on

17-JUN-2016

  • set 'browser.fixup.hide_user_pass' back to its default value
  • added 'network.http.redirection-limit'

3-JUN-2016

  • corrected an error with pref 'layout.css.devPixelsPerPx' where the value was an integer instead of a string - this caused all prefs following it to be ignored

12-MAY-2016

  • updated user.js file
  • minor grammar/spelling corrections

1-MAY-2016

  • updated user.js file

29-APR-2016

  • updated guide information
  • updated user.js file and added a revision history to the file

12-FEB-2016

  • updated user.js file contents

5-FEB-2016

  • updated user.js file contents

20-AUG-2015

  • updated user.js file
  • removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it

13-JUL-2015

  • Minor edits for uMatrix usage text

9-JUL-2015

  • added more info for uMatrix and IP Config test results
  • updated user.js file contents
  • various other edits

8-JUL-2015

  • removed HTTP UserAgent cleaner since it is no longer being developed
  • removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
  • added uMatrix

25-JUN-2015

  • updated uBlock settings to match the current development version (0.9.9.2)
  • misc. minor updates

5-JUN-2015

  • switched to Raymond Hill's version of uBlock
  • updated uBlock filter information
  • added Fetch information for new version of HTTP UserAgent cleaner
  • updated user.js file contents
  • misc. minor updates

17-MAY-2015

  • added information for securing DNS traffic
  • misc. minor updates

14-MAY-2015

  • minor updates to user.js file contents

13-MAY-2015

  • updated user.js file contents
  • updated a few settings recommendations for HTTP UserAgent cleaner

5-MAY-2015

  • updated list of recommended filters for uBlock
  • updated user.js file contents

3-MAY-2015

  • added Pure URL as a suggested add-on
  • updated contents of the user.js file
  • added and edited some information for HTTP UserAgent cleaner
  • added more resources in the References section

2-MAY-2015

  • updated HTTP UserAgent cleaner information to match changes in version 0.7.4.11a

26-APR-2015

  • updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner

25-APR-2015

  • updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
  • updated the user.js file
  • updated some definitions of terms used in this document
  • added some more resources

23-APR-2015

  • updated some HTTP UserAgent cleaner information
  • deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
  • misc. other minor changes

22-APR-2015

  • updated information for HTTP UserAgent cleaner
  • updated user.js file
  • minor updates to uBlock information
  • misc. other minor changes

18-APR-2015

  • updated HTTP UserAgent cleaner information
  • for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.

17-APR-2015

  • updated and added more information for uBlock
  • updated one HTTP UserAgent cleaner screen-shot
  • misc. other corrections/updates/edits

16-APR-2015

  • updated user.js file
  • switched uBlock versions since a new fork was created
  • updated uBlock images and documentation
  • added a "Current notices" section
  • misc. other corrections/updates/edits

15-APR-2015

  • updated user.js file
  • several other small updates and a few corrections

14-APR-2015

  • removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
  • almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
  • various other edits and corrections.

11-APR-2015

  • first publishing

Comments

Note that both reader and my comments, while they may have been accurate at the time, might be inaccurate today. This is a highly dynamic environment so please verify the accuracy of comment content should you wish to utilize it. Failing that, ask me and i'll give it a crack.

486 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs”

  1. Probably the stupidest question ever, but for duckduckgo and youtube specifically, whenever I reload these sites, their settings (or at least dark mode) seems to reset, I use Cookie AutoDelete, and arkenfox config along with container tabs, am I doing something wrong with cookies?

    1. > … am I doing something wrong with cookies?

      sure sounds like it – have you grey or whitelisted those sites in CAD and enabled the option to keep cookies?

      also what exactly do you mean by “reload” – do you mean refresh as in F5, reload as in Ctrl+F5, or close and re-open the tab?

      1. When I mean reload, I mean Ctrl + R, and those sites are whitelisted in CAD, with the proper options setup. However, I think it fixed only DDG, as with YouTube it still automatically sets the theme to light mode.

        1. are you allowing the proper storage items in CAD? usually just allowing cookies works, but sometimes you also have to allow indexedDB and/or LocalStorage

          also i don’t know what effect containers have since i don’t use them

          if you can’t work it out, you may want to start with a fresh profile and add one thing at a time (user.js, containers, CAD, etc.) and see what causes the failure

            1. use the process of elimination to find what pref is causing the issue – remove user.js and verify the problem still exists – if so, cut (Ctrl+X) half of the prefs in prefs.js and re-test – keep repeating this until the issue disappears at which point you know the problem pref is on your clipboard, so then remove everything from prefs.js and paste the clipboard contents – keep repeating the procedure until you narrow it down

  2. Does canvas fingerprint protection (in about:config) itself and Canvasblocker manipulate speed-battle.com results or it really lowers score by around 150-200 points from 600 to 450 or lower

    1. i assume you’re using the ‘arkenfox’ user.js?

      because of the canvas anti-fingerprint protection built into Firefox via the privacy.resistFingerprinting pref, i no longer use CB, though to my knowledge i’m not sure the built-in protection covers every single aspect that CB does, thus why i still list CB in this guide

      whether privacy.resistFingerprinting affects the site you referenced i wouldn’t know – you can always disable it to test

  3. >It is unnecessary to enable the ‘Block all hyperlink auditing attempts’ setting as this is covered by the ‘arkenfox’ user.js.

    So should we disable that option from uBlock and ClearURLs too?

  4. Hi!

    In settings search engine I do not have google, amazon, ebay… but when I check about:memory I have:
    (04.17%) ── Extension(id=amazondotcom@search.mozilla.org, name=”Amazon.com”, baseURL=moz-extension://41d7fd79-abbf-4f00-9bf1-a5f37e101014/)
    ├───1 (04.17%) ── Extension(id=bing@search.mozilla.org, name=”Bing”, baseURL=moz-extension://ce458385-1c2b-42a4-a3db-1e2de6fd0fa5/)
    Also for google, ebay…
    Is it possible to remove those links, please?
    Thank you.

    1. i have no idea if it’s possible to remove them, but i wouldn’t worry about it

      correction: actually i’m pretty sure it’s not possible to remove them – if you remove them from the search.json.mozlz4 file, they’ll be added right back, or perhaps the file is replaced, but either way, you can’t remove them

        1. if you’re really curious, look into the omni.ja file – that may be where the default search engines are kept – so maybe they can be removed, but personally i wouldn’t bother

    1. i never heard of this until now
      there’s a reason why there’s a special browser for accessing the Tor network – i don’t know how Brave has implemented this, but there are potential nightmares if it’s not done correctly – i don’t think it’s something i’d want to use

        1. I am a Unix user and try to make my system safe (network too) but I am using Firefox with addons and user.js plus some other tweaks and I feel safe. But if you like what options Brave browser has why do you use Firefox?

    1. PortableApps is a legit website so far as i know, however i would caution against doing that – make sure that the version they’re packaging is the latest version

      also, why don’t you want to install Firefox? maybe there’s something i can help with

      1. Well I said my laptop but I actually have to share it with other house mates.
        So that’s a safe website, good. Just to be sure, I can apply this guide to this portable Firefox too, right?

  5. the previous version of arkenfox user.js was better, in the results of panopticlick fingerprinting it came out yes and now with the new version of arkenfox user.js it gives me partial protection and sometimes near

    1. the short answer is, less hassle

      i’ve used TC before and in order to make containers more transparent, i had to use another container ext. from Moz (i forget its name) and i just found that containers + TC was more of a hassle than FPI + CAD – also TC broke moving forward and back in history if i was going forward or back to a different domain

      i think TC is a great ext. for those that want to use containers, but its not for me

      1. OK, thanks.
        The reason I am asking is because it seems TC could break less sites than FPI + CAD for a rather similar result, but with some drawbacks, as the one you pointed out indeed

  6. Hi!

    I put in uMatrix My rule:
    * * * block
    * * cookie block
    * * other block
    * * script block
    * * xhr block
    * 1st-party * allow

    What do you think? Is it okay along with uBlock Origin which I use too, please?
    Thank you.

    1. it all depends on what your needs are and how you have uBO setup – if you’re not confident, then i’d suggest reading the uBO and uM manuals and perhaps re-reading this guide

  7. Hi 12bytes,

    Man, what a great source, thank you for your work!

    Especially valuable is that you keep it constantly up-to-date and are trying to keep the browser lean, I like that a lot. CanvasBlocker, Cookie AutoDelete and LocalCDN are great Addons, but if they aren’t really necessary – better not have them, makes the browser faster and probably safer too through less code and complexity.

    Additions to the Firefox post install cleanup part:

    What you already recommended:
    cd /usr/lib/firefox/browser/features/
    sudo rm *.xpi

    These are unnecessary too, I read it on the Archwiki site of firefox if I remember correctly:
    sudo rm /usr/lib/firefox/crashreporter
    sudo rm /usr/lib/firefox/minidump-analyzer
    sudo rm /usr/lib/firefox/pingsender

    Ubuntu-distro related garbage:
    sudo apt-get purge xul-ext-ubufox

    Changelog improvement:
    Since the -impressive!- changelog is chronological, one has to scroll through all these changes to arrive at the end.
    I think it were more practical to order it antichronological with the newest changes on top.
    If you want to change that it should be done very quickly via one of these ways:
    https://stackoverflow.com/questions/742466/how-can-i-reverse-the-order-of-lines-in-a-file

    hosts-file:
    What is your opinion on hosts files? I deactivated all lists from uMatrix and most from uBlock except a few cosmetic ones, because I think system wide hosts-protection is even better and I think it takes off some load from the browser. I think -Energized Protection- is a good start but for my taste a bit ‘bloated’ with entries I don’t need. What is good is that they list all their sources and I made one more minimalist but equally effective. I could share the (simple) script on codeberg and link it here if there is interest.

    Zoom setting question:
    There is one issue I simply haven’t found the solution yet, maybe you have an idea as it seems resist-fingerprinting-related:
    The “default Zoom” setting in the preferences right before the language settings in the ‘general’ section.
    I usually zoom quite a bit (how are others able to read with standard zoom?) and it is possible to set a nice value there, though after restart the default value ‘100%’ is restored again.
    I simply haven’t found what setting causes this, and the setting itself seems not directly changeable through user.js prefs, which is very strange (f.e. after changing zoom to 150% there is no relevant appearance of ‘150’ or 1.5 or ‘zoom’ in the pref.js, so where is it stored? It has to be somewhere!).
    Now I use a small addon for this, but it would be better to solve it via a simple entry in the user.js.

    Anyway, I hope you are safe from Corona’s Witnesses these days.

    1. hi Anon – your comments were not published immediately because i manually approve all 1st-time commenters (i see you tried twice)

      i will certainly look in to the /usr/lib/firefox stuff – thanks for mentioning it

      re: changelog…

      > I think it were more practical to order it antichronological with the newest changes on top.

      agreed! but it’s gotten so long that i don’t feel like doing it manually now for every page that has one … but i probably will anyway at some point

      re: hosts file…

      i believe it was ‘gorhill’ (uBlock dev) who mentioned that the host file filters are more likely to break websites and i actually experienced this myself at one time – that said, i think your idea makes sense if you need system-wide protection where you have more than one app accessing the web (you could implement this at the router level also), but i don’t use the hosts file for blocking this kind of stuff because you’d have to manually update it, unless it can be automated (i’m sure it can) and the only software i’m aware of that would benefit from it in my case is the browser – i don’t do HTML mail (i have Thunderbird locked down) and i have nothing else that can access the www (and like you, i run a Linux OS)

      re: zoom…

      > I usually zoom quite a bit (how are others able to read with standard zoom?)

      all depends on screen size and resolution – i also zoom everything including the browser UI – 1080p on a 17″ screen and fonts are way too tiny

      > … and it is possible to set a nice value there, though after restart the default value ‘100%’ is restored again.
      > I simply haven’t found what setting causes this …

      with Firefox running, make a copy of prefs.js, then change the setting and use some ‘diff’ util to compare the changes

      > … and the setting itself seems not directly changeable through user.js prefs…

      if you’re using the ‘arkenfox’ user.js, any and all changes you make should go in a user-overrides.js file and appended to user.js with their updater script … jus’ sayin’ :)

      > … which is very strange (f.e. after changing zoom to 150% there is no relevant appearance of ‘150’ or 1.5 or ‘zoom’ in the pref.js, so where is it stored? It has to be somewhere!).

      you’ll have to do the diff thing, but also consider the layout.css.devPixelsPerPx pref – this will zoom everything, including the FF UI – the caveat is that you can’t use too large a value else shit breaks (i use 1.3) and what “too large” is i can’t really say – and see devtools.toolbox.zoomValue if you want to enlarge the dev toolbox
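The snapshot-and-diff check suggested in the reply above, as an added example that is not part of the original comment: it compares two copies of prefs.js pref by pref instead of line by line, so reordered lines do not show up as noise. The file names, the function names and the sample values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): list the prefs that differ
# between two snapshots of prefs.js, taken before and after changing a setting.

# Emit "TAG<TAB>name<TAB>value" for each  user_pref("name", value);  line.
prefs_extract() {
    awk -v tag="$1" '
        /^user_pref\("/ {
            line = $0
            sub(/^user_pref\("/, "", line)   # drop the call prefix
            sub(/\);[ \t\r]*$/, "", line)    # drop the trailing ");"
            i = index(line, "\",")           # end of the quoted pref name
            if (i == 0) next                 # not a well-formed pref line
            name = substr(line, 1, i - 1)
            value = substr(line, i + 2)
            sub(/^[ \t]+/, "", value)
            printf "%s\t%s\t%s\n", tag, name, value
        }' "$2"
}

# Usage: prefs_diff BEFORE_FILE AFTER_FILE
# Prints one ADDED / CHANGED / REMOVED line per pref that differs.
prefs_diff() {
    { prefs_extract B "$1"; prefs_extract A "$2"; } | awk -F '\t' '
        {
            # value = everything after the second tab
            value = substr($0, length($1) + length($2) + 3)
            if ($1 == "B") before[$2] = value; else after[$2] = value
            seen[$2] = 1
        }
        END {
            for (n in seen) {
                if (!(n in after))       printf "REMOVED %s (was %s)\n", n, before[n]
                else if (!(n in before)) printf "ADDED %s = %s\n", n, after[n]
                else if (before[n] != after[n])
                    printf "CHANGED %s: %s -> %s\n", n, before[n], after[n]
            }
        }' | LC_ALL=C sort
}

# Constructed sample snapshots (values are made up for the demonstration).
write_constructed_snapshots() {
    cat > "$1/prefs.before.js" <<'EOF'
// Mozilla User Preferences
user_pref("devtools.toolbox.zoomValue", "1");
user_pref("layout.css.devPixelsPerPx", "-1.0");
user_pref("privacy.resistFingerprinting", true);
EOF
    cat > "$1/prefs.after.js" <<'EOF'
// Mozilla User Preferences
user_pref("privacy.resistFingerprinting", true);
user_pref("layout.css.devPixelsPerPx", "1.3");
user_pref("example.constructed.pref", 42);
EOF
}

demo_dir=$(mktemp -d)
write_constructed_snapshots "$demo_dir"
prefs_diff "$demo_dir/prefs.before.js" "$demo_dir/prefs.after.js"
rm -rf "$demo_dir"
```

An empty result means the setting that was changed is not stored in prefs.js at all.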

      1. That was a quick reply – thanks!
        Yes I posted twice, as I was not sure it worked but I totally get why you want to first approve new commenters.

        Changelog:
        I tried this to reverse a list and it worked flawlessly:

        tac a.txt > b.txt

        But I’m not sure what you are specifically running so I’ll link again to the relevant stackoverflow question where I got it from with more options:
        https://stackoverflow.com/questions/742466/how-can-i-reverse-the-order-of-lines-in-a-file
        Though I totally get that even with this, it is still a bit tedious if you want to do this with many changelogs.

        Zoom:
        Great idea! I’m a bit envious that I haven’t thought of it myself..
        I tried it but the prefs that changed hadn’t anything to do with this option, so it apparently really isn’t changeable there.

        But the solution turned out to be:
        I nearly always clean the profile and cache with bleachbit (via a simple alias in the terminal), as it removes f.e. some cookies and dom storage* – and the option “site preferences” in bleachbit was the cause.
        I looked into the config of bleachbit and it is the file ‘content-prefs.sqlite’ in the same folder as the prefs.js.

        *It should all be purged at the exit through settings in the user.js, but apparently something still persists, even with Cookie Auto Delete this was the case

        So I was wrong in my initial assumption that it would automatically restore the 100% Zoom when it really was my cleaning obsession, but thank you for your help, that helped me solve it and it’s now one less addon.

        One more thing:
        You recommend the addon auto-maximize which makes sense because of the small window start, though I found it acceptable to set one easy to reach key (like the “windows” key) as the shortcut to maximize a window in the settings of your desktop environment. If you use something xfce-based you’ll find the option in the ‘Window Manager’ -> ‘Keyboard’ and then ‘Maximize Window’.

        1. | “layout.css.devPixelsPerPx pref – this will zoom everything, including the FF UI – the caveat is that you can’t use too large a value else shit breaks (i use 1.3) and what “too large” is i can’t really say”

          Didn’t know the layout.css.devPixelsPerPx pref.
          After a bit of testing I prefer the zoom setting because it doesn’t enlarge the browser ui though maybe it’s better considering tracking, as the zoom value is used as a parameter as far as I know.

        2. > tac a.txt > b.txt

          wow, cool – that’s a great solution!

          re: bleachbit – do you know exactly what is persisting that is missed by user.js and CAD? maybe it’s something necessary? i don’t trust external tools to clean stuff because then you run into what you ran into :)

          re: Maximize All Windows (Minimalist Version)…

          I found it acceptable to set one easy to reach key (like the “windows” key) as the shortcut to maximize a window in the settings of your desktop environment. If you use something xfce-based you’ll find the option in the ‘Window Manager’ -> ‘Keyboard’ and then ‘Maximize Window’.

          i use KDE which has options to create windows rules and i could never get it to auto-max. the Firefox window (no hotkey)… but i just tried again and it worked flawlessly – so one less ext. for me too :)

          1. |”re: bleachbit – do you know exactly what is persisting that is missed by user.js and CAD? maybe it’s something necessary? i don’t trust external tools to clean stuff because then you run into what you ran into :)”

            You definitely have a point, yet I think bleachbit is trustworthy in the sense that they don’t remove things that break something, it’s well documented and used by millions of users daily, exists for many years, and I’m pretty sure it wouldn’t be included into all the software repositories if it would break stuff while doing something as basic as cleaning firefox (while claiming to be completely safe on the website) – of course with the exception of unintended deletion as in my case, though that was the first issue after years of usage and has nothing to do with bleachbit per se.

            Also these files are constantly recreated so I see no harm.

            In fact I think it is even a big plus that you don’t have to just trust mozilla that all cookies etc. are indeed deleted, because:

            These are the categories that always find countless things even though I already purged everything on browser exit:

            Cookies:

            dom
            >Delete HTML5 cookies<

            Cache

            crash reports:

            Form history
            >A history of forms entered in web sites and in the Search bar<

            And then there is also

            SQLite compression:
            >Clean database fragmentation to reduce space and improve speed without removing any data<

            | i use KDE which has options to create windows rules and i could never get it to auto-max. the Firefox window (no hotkey)… but i just tried again and it worked flawlessly – so one less ext. for me too :)

            Great, xfce unfortunately doesn’t have an auto-maximize feature, I consider taking a look at KDE now :D Especially after they apparently improved speed so much.

            1. Oh, all the listed files got ignored and I hope you didn’t get a code-injection-attempt warning or something, second try:

              Cookies:

              ‘path=”$$profile$$/cookies.txt”/>’
              ‘path=”$$profile$$/cookies.sqlite”/>’
              ‘path=”$$profile$$/cookies.sqlite-shm”/>’
              ‘path=”$$profile$$/cookies.sqlite-wal”/>’
              ‘path=”$$profile$$/storage/default/http*”/>’

              dom
              >Delete HTML5 cookies’

              Cache

              ‘path=”~/.cache/mozilla/”/>’
              ‘path=”%LocalAppData%\Mozilla\Firefox\Profiles\*\cache2″/>’
              ‘path=”%LocalAppData%\Mozilla\Firefox\Profiles\*\jumpListCache”/>’
              ‘path=”%LocalAppData%\Mozilla\Firefox\Profiles\*\OfflineCache”/>’

              crash reports:

              ‘path=”$$base$$/Crash Reports/”/>’
              ‘path=”$$profile$$/minidumps/*.dmp”/>’

              Form history
              >A history of forms entered in web sites and in the Search bar’
              ‘path=”$$profile$$/formhistory.sqlite”/>’

              And then there is also

              SQLite compression:
              >Clean database fragmentation to reduce space and improve speed without removing any data’

            2. i don’t know that i would consider the cleaning of Firefox to be trivial – you’re getting into a lot of stuff here with databases, indexedDB, LocalStorage, cache, cookies, workers, HSTS and whatever else i’m missing – i would also speculate that stuff that remains after bleaching, such as the form history you mentioned, may well be just a default db entry – i know CAD also creates cookies for its own purposes but i don’t know if they’re persistent (they don’t show on the Site Data UI but i think you can find them in console)

              re: KDE – i’ve been using it for several years on an older laptop, but i disable all the effects and compositing – i tried XFCE (Manjaro) very recently because i like the more minimal approach, but i found it to be buggy where it shouldn’t be, not that KDE is issue free either, but i think it’s maybe the more polished desktop

              1. I’ve now tested this a bit and compared the size of deleted files in several conditions (just opening and closing browser, visiting several urls, visiting different urls and downloading videos files).

                Some numbers appear to not change what could definitely indicate they are just the default-file.

                What definitely varies pretty much every time is cache.
                Form history is always the same number, as well as crash reports (good thing I guess).

                Cookies and Dom storage have many times the same cleared size, but sometimes not, the latter happens more in longer sessions, so that would indicate that in these cases they are probably not completely purged, but there may be other explanations or just no relevance if trackers and such can’t use it.

                So all in all it doesn’t appear that dramatic and I’m more convinced that it is probably unnecessary, though I still think it’s not harmful.

        3. I tried this to reverse a list and it worked flawlessly:

          tac a.txt > b.txt

          not flawlessly, but close – i used tac -s '' a > b' and then a teeny-weeny bit of manual editing

          that kept the order of each item within each date section – i already made the change on this page – and thanks again for suggesting ‘tac’!

          edit: dammit WP is wrecking my code – anyway, i used the UL closing tag as the separator

    2. These are unnecessary too, I read it on the Archwiki site of firefox if I remember correctly:
      sudo rm /usr/lib/firefox/crashreporter
      sudo rm /usr/lib/firefox/minidump-analyzer
      sudo rm /usr/lib/firefox/pingsender

      crash reporter and, i believe, the ping util is disabled in the ‘arkenfox’ user.js – see sections 0330 and 0350 in user.js

      it also seems that pingsender is only used if debug mode is enabled???

      > In non-debug mode the ping sender doesn’t print anything, not even on error …

      with the exception of the system add-ons, i personally don’t recommend removing stuff that can be disabled via prefs because it’s just another thing one has to remember when FF is updated

      > I hope you are safe from Corona’s Witnesses these days.

      no one is safe – what’s happening with this non-pandemic is, by FAR, the biggest threat to freedom i’ve ever seen

      1. | “crash reporter and, i believe, the ping util is disabled in the ‘arkenfox’ user.js – see sections 0330 and 0350 in user.js”

        Could be, but if I can delete that garbage – even better, it’s a bit unlikelier that the browser ‘forgets’ to honor that setting once in a while.

        | “with the exception of the system add-ons, i personally don’t recommend removing stuff that can be disabled via prefs because ||it’s just another thing one has to remember when FF is updated”

        All I have to remember is to type in “fupdate” in the terminal after the monthly update – all that is needed is a script and an alias:
        The following in a file called fupdate.sh :

        #!/bin/bash
        sudo apt-get purge xul-ext-ubufox --autoremove
        # stop if the directory is missing so rm never runs somewhere else
        cd /usr/lib/firefox/browser/features/ || exit 1
        sudo rm *.xpi
        sudo rm /usr/lib/firefox/crashreporter
        sudo rm /usr/lib/firefox/minidump-analyzer
        sudo rm /usr/lib/firefox/pingsender

        Then I use an alias so if I type for example “fupdate” (without the quotation) in the terminal the script automatically launches. All that is needed is an entry in the .bashrc -file in the home-folder, you only have to set your own path to the containing folder:
        alias fupdate='cd "/Path to folder containing the script/" && bash fupdate.sh'

        | no one is safe – what’s happening with this non-pandemic is, by FAR, the biggest threat to freedom i’ve ever seen

        Unfortunately one has to ask “What freedom?” if it can turn that fascist in no time.

        1. i just use a file manager bookmark to quick-open the system addons dir and then delete them, but i’m wondering if your bash script could be triggered to run when firefox is updated via some package manager API maybe? there’s other ways of triggering it as well i’m sure
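One way to trigger the cleanup from the package manager, as asked above. This is an added example, not the commenter's script; the install path, the hook file name and the `firefox_cleanup` function are hypothetical. It uses APT's `DPkg::Post-Invoke` hook, and because that hook fires after every dpkg run, the cleanup is written to be idempotent and to do nothing when the Firefox directory or any of the files is missing.

```shell
#!/bin/sh
# Added example (not the commenter's script): idempotent post-update cleanup.
#
# Assumed install path (hypothetical):  /usr/local/sbin/firefox-cleanup.sh
# Assumed APT hook file (hypothetical): /etc/apt/apt.conf.d/99firefox-cleanup
# containing the single line:
#   DPkg::Post-Invoke { "/usr/local/sbin/firefox-cleanup.sh --apply || true"; };
# APT runs Post-Invoke commands as root after each dpkg invocation, so no sudo
# is needed, and "|| true" keeps a cleanup failure from aborting the APT run.

# Remove the system add-ons and the crash/ping helpers below the given Firefox
# directory. Prints the number of files that were removed.
firefox_cleanup() {
    root=$1
    removed=0
    # A missing install directory is not an error: there is nothing to clean.
    [ -d "$root" ] || { echo 0; return 0; }
    # Absolute paths only, no cd: a failed cd can never redirect the rm.
    for f in "$root"/browser/features/*.xpi \
             "$root/crashreporter" \
             "$root/minidump-analyzer" \
             "$root/pingsender"; do
        # An unmatched glob stays literal and fails the -f test, as does
        # any file that an earlier run already removed.
        [ -f "$f" ] || continue
        rm -f -- "$f" && removed=$((removed + 1))
    done
    echo "$removed"
}

# Only touch the real installation when asked to explicitly.
if [ "${1:-}" = "--apply" ]; then
    firefox_cleanup /usr/lib/firefox >/dev/null
fi
```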

    1. hi Léonidas – thanks for your kind words
      POOP is very different than Privacy Possum and i would advise against using Privacy Possum if you’re using the ‘arkenfox’ user.js or have otherwise enabled privacy.resistFingerprinting
