Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Tutorial

See the revision history at the end for a list of changes to this document.

Introduction

This guide is long, possibly boring, and somewhat technical. If you don’t feel comfortable digesting it, try The Firefox Privacy Guide For Dummies! instead, however be aware that it does not offer the same degree of protection as this one.

IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and that is the best way to stay informed.

Though this guide is centered around the Firefox web browser, users of other browsers may find it helpful. It is also useful for configuring the Thunderbird email client and some other Mozilla based software.

Many of us are aware of the immense threats to our online privacy and security posed by various technology companies, governments and malicious hackers, any of which may go to great lengths to monitor our electronic communications. Governments and their “intelligence” apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of various companies to do so, including Google, Facebook, Verizon, Comcast, Amdocs as well as many others. While the data these companies collect may be used for relatively benign purposes such as targeted advertising, the intentions are often far more sinister. Much of what Edward Snowden has brought to the table is not new, but it seems the information has been presented in a way that has captured the attention of the public, prompting many to seek ways to mitigate the threats.

While the primary goal of this guide is to help the reader thwart some of the more obvious efforts to track and profile us as we surf the web, as well as increase browser security and performance, understand that i am not an expert in computer security or privacy and there are surely many more variables and vectors for attack than i am aware of. While there are many known methods that can be used to compromise our digital well being, how many more are there which we know nothing of? Or what about established technologies that most of us never consider? For example, even if you are a knowledgeable, technically proficient and privacy conscious individual who uses open hardware devices running open source firmware and a security enhanced operating system with carefully chosen software, and even if you connect to the internet only through Tor, you may still be at risk of being tracked because, disregarding everything else, your unique writing style can be used to identify you. It is not this level of sophistication that this guide will address however. My goal is to share what i have learned over the years as a casual web surfer and computer user who has a hobbyist-grade interest in computer security and digital privacy. Having said that, i believe — and please correct me if i’m wrong — this guide is currently one of the more comprehensive of its kind in that it addresses many aspects of the Firefox browser including configuration and extensions as well as other optimizations. If you want to go further than this guide can carry you, see the resources section at the end which includes the fine article, Improve Your Privacy in the Age of Mass Surveillance. I would also highly recommend using a VPN to help prevent spying by your ISP or other actors. That One Privacy Site is an excellent resource, as is TorrentFreak which publishes annual reports regarding many of the popular VPN service providers. Their 2018 report is here.

For many of us our web browser is our primary window to the digital world and it is therefore necessary for any privacy conscious individual to have a basic understanding of what information flows through our browser and how that information is used to track and profile us. Contrary to statements made in The Mozilla Manifesto, it is my opinion that respecting the privacy of its users is less important than revenue generation for the multi-million dollar Mozilla Foundation and their flagship product, Firefox. This is readily apparent when one considers the array of ethically challenged multinationals which Mozilla has chosen to partner with, including Google, Yahoo, Microsoft, Telefónica, LG Electronics, Sony, Verizon, Cisco and others. Furthermore, core features of the “open source” browser may be proprietary and rely upon 3rd parties which have their own privacy policies, such as its Pocket service and its “privacy” policy. And let’s not forget the ‘Looking Glass’ fiasco which you can read about in Looking Glass: The next ‘bright idea’ from Mozilla. Google Chrome, developed by a privacy hating company, is certainly no better and Internet Explorer isn’t worth the effort required to express an opinion. In short, there exists no mature, capable, extensible, stable, open source, privacy-centric web browser that is suitable for mainstream usage at this time so far as i am aware. Given the lack of alternatives, i think Firefox is currently the best candidate for our purposes and, with some effort, it can be beaten into submission. I suspect the folks behind the Tor Project may feel compelled to use Firefox in their Tor Browser Bundle for similar reasons.

As with any modern, mainstream browser, Mozilla Firefox is a highly complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, hidden, or undocumented. Things can go down the toilet real quick if you start messing around with its settings willy-nilly and poorly coded add-ons can compound the problem. Here we will attempt to accomplish our goals in an efficient manner with a minimal dependency upon 3rd party add-ons.

A bit of a trade-off must be expected when we tighten up on security and privacy insomuch as some websites will cease to function properly until the settings for those specific sites are adjusted. Anyone who has used a content filter such as NoScript or Request Policy will understand that certain resources must be allowed for a given website to function in a way that is acceptable to us. Similar to NoScript however, the process of allowing required resources usually consists of a mouse click or three followed by a page refresh and once we have made the necessary adjustments for our favorite websites, our workload will be greatly reduced. Nevertheless, be prepared to put a little more effort into your web surfing activities in general and expect the occasional hard-case where more fiddling than usual will be required to get a particular site working properly. The pay-off is a much cleaner and faster web that is less able to track and profile us, as well as a somewhat hardened and speedier Firefox that is more resistant to attack.

Terminology

Add-on/extension: I use these terms interchangeably. A web browser add-on or extension is a piece of software typically developed by a 3rd party that extends the built-in capability of the browser. Web extensions, which leverage the WebExtension API (Application Programming Interface), have replaced the older legacy (XUL/XPCOM) extensions beginning with Firefox version 57. This newer type is essentially the same format as used by Google Chrome and other web browsers. Unfortunately the WebExtension API is severely limited. For example, such extensions cannot modify the GUI (Graphic User Interface) of Firefox in the same way legacy extensions could.

AMO: addons.mozilla.org, the Mozilla Add-ons website.

Crapware/malware: I consider crapware to be software which contains code which is not relevant to the functionality users expect. As such the term crapware, or malware, refers largely to adware, tracking code and other malicious code with regard to web browser extensions. Crapware is often added to browser extensions by a company or solo developer who wishes to monetize their work. Often this takes the form of profiling users and selling the data collected by the extension to a marketing company, however much worse is possible.

CDN: A Content Delivery Network is a service that hosts reusable content, such as graphics and reusable scripts which developers can leverage to make building web platforms easier. CDNs often present a threat to our privacy by tracking our web activities. They are perhaps a most formidable threat because a single CDN service may be used by many millions of popular websites and therefore the spying capabilities of the company providing the CDN service can be widespread and cross-domain in nature. The use of CDNs is prolific today and since many websites will not function without the content they deliver, globally blocking CDN content is hardly an option.

CSS: Cascading Style Sheets are used primarily to apply visual styling to HTML elements, thus making web pages look pretty, however the capability of CSS has been expanded well beyond its original specifications to the point where it can now be used for nefarious purposes.

Domain/subdomain/TLD: In the example ‘sub.example.com’, ‘example’ is the root domain, ‘sub’ is a subdomain of the root domain and ‘com’ is the TLD, or Top Level Domain. You can think of root domains and subdomains as sort of different containers which are used to separate content on a single website. For example, let’s say kitties.com is focused primarily on information about kittens, but they also might have a web store where they sell paper bags. In order to keep the store content separate, they may host the store on the subdomain ‘shop.kitties.com’.

Fingerprinting: Web servers can employ a wide variety of methods to uniquely identify your web browser, hardware and software configuration, collectively known as fingerprinting. Fingerprint data may consist of many bits of information about your environment which, when combined, can be used to uniquely identify you. This information may include such things as the browser viewport dimensions, installed add-ons and its capabilities, your locale, your operating system, your display resolution and much more. This information can be gleaned using various techniques, including through HTTP header information, JavaScript, and others, and it is often used for the purpose of tracking and profiling the user and their web activities. For further information, see A Primer on Information Theory and Privacy and Panopticlick. See also the explanation for ‘tracking’ and ‘web storage’ below.

HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are communication protocols used by computers to transmit data over the internet. For HTTP an unsecured, unencrypted connection is established which is vulnerable to ISP (Internet Service Provider) snooping and man-in-the-middle attacks, while a secure, encrypted connection is established with HTTPS. While browser extensions like HTTPS Everywhere will always attempt to encrypt your connection whenever possible, some web servers simply do not support HTTPS. For this reason i will again point out the advantage of using a VPN.

JavaScript (JS): A powerful programming language that runs code within the browser, often to make pages interactive. Although JavaScript is used by many websites for legitimate reasons, it can and often is used maliciously to perform a wide variety of attacks against the browser and our privacy. Several browser fingerprinting techniques depend on JavaScript being enabled and this is the default in every popular web browser.

Tracking: Once the identity of the browser is known through fingerprinting, it is then possible to track its activity both within the same domain and across domains. See also the explanation for ‘web storage’ below.

Web fonts/remote fonts: These are font packages typically hosted by a 3rd party, such as Google, which a web developer may use to specify how text is displayed on a website. Web fonts present a few problems regarding browser tracking and security.

Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites.

Web storage: In addition to HTTP cookies and web caching, most/all popular web browsers also allow a web server to store data locally using several other methods including local and session storage, indexedDB storage, window.name storage, Etag cache storage, Local Shared Objects storage, Service Worker storage, offline storage, HTTP Strict Transport Security storage and other methods. Stored data for Firefox may consume up to 50% of your free disk space. If you are concerned about protecting your privacy, you have far more to worry about than the cookies of yesteryear which were simple text files which in theory, but not always in practice, could be read only by the domain that set them.

Prerequisites

A code editor

You should have a decent code editor with syntax highlighting to edit Firefox’s configuration files. Linux users should have something suitable installed by default, however if you’re running Windows i might suggest Notepad++ or PSPad, the latter being the simpler of the two.

Unhide file extensions

If Windows is using you, the geniuses at Microsoft have taken it upon themselves to hide file extensions from the user. You will need to un-do that.

Getting Firefox

Though i recommend using the stable release version of Firefox, there are other versions such as the ESR (Extended Support Release), though it is usually an older one that may not contain the latest features but may be more stable. There is also a Developer Edition which includes the very latest features (and bugs). While there are many 3rd party builds and forks of Firefox, such as Waterfox, Cyberfox, Pale Moon, etc., and while there are certain advantages to running a 3rd party build, i currently do not recommend any of them. These 3rd party builds may not keep up to date with the latest security patches, or can be buggy, or are simply outdated and incompatible with the latest add-ons. While some are more privacy-centric out of the box, we can accomplish essentially the same degree of privacy or better with minimal effort while using the official Mozilla release version. A future exception may be Librefox, though it needs to bake a little longer.

The user.js file

The user.js file is typically where your personal Firefox preferences are best kept, however in our case we will be using a preconfigured one and then storing our personal preferences in a user-overrides.js file.

The user.js file we will be using is a result of a dedicated effort by ‘pants’ and the rest of the ‘ghacks-user.js’ crew and contributors. Their work became rather popular when it was published as A comprehensive list of Firefox privacy and security settings by Martin Brinkmann on ghacks.net. The project is now maintained on GitHub, but don’t download any files just yet.

The necessary (and not so necessary) add-ons

All of the add-ons listed here are of the WebExtension variety, meaning most should work with Firefox versions 57 to 59 and all should work with versions 60 and higher.

Following are the add-ons that are required for this guide:

  • CSS Exfil Protection: Helps to prevent attackers from stealing data by exploiting Cascading Style Sheets (CSS)
  • Decentraleyes: Helps to prevent tracking and speeds-up page loading by using local copies of common JavaScript libraries rather than fetching them from a CDN.
  • Firefox Multi-Account Containers: Works with Temporary Containers (below) to enable permanent storage for specified domains. This is useful to avoid having to re-authenticate when revisiting a website, as well as saving website settings.
  • Neat URL: Removes many tracking and other (mostly) unnecessary parameters from links, such as the utm_* tracking parameters used by Google Analytics.
  • Privacy-Oriented Origin Policy (POOP): Helps to preserve privacy by manipulating Cross-Origin Resource Sharing (CORS) requests.
  • Skip Redirect: skips link redirections such as used by Google, AMO and many other companies and websites, thus helping to prevent tracking.
  • Smart HTTPS: Attempts to force websites to use an encrypted connection (HTTPS) but will fall back to an unencrypted connection (HTTP) if the website does not support HTTPS.
  • Temporary Containers (TC): Isolates stored web data in temporary containers which are (mostly) inaccessible by other containers if you configure it as directed. This accents First Party Isolation if it is enabled or works without it if not. TC is a very important add-on with regard to protecting your privacy and it eliminates several other privacy related add-ons.
  • uBlock Origin (uBO): An excellent ad/content blocker for Firefox and Chromium, uBlock can use the same filter lists as Adblock Plus as well as many more. Make sure you use the original uBlock Origin by Raymond Hill and no other.
  • uMatrix (uM): By the same developer as uBlock Origin, uMatrix is also a powerful content blocker that provides more granular control over web requests than uBlock does.

For more possibilities regarding add-ons, see Firefox Extensions: My Picks.

A word about uBlock Origin and uMatrix

It seems a lot of people have questions and misunderstandings about these two important add-ons. Here’s some questions i see frequently and my answers to them:

Q: What’s the difference between uBlock and uMatrix?
A: Although they perform similar functions in that they essentially block content much like a software firewall, the developer tries to target two different audiences and they work somewhat differently. Many people think uBlock is easier to use, while uMatrix offers more granular control.

Q: Can they be used together?
A: Absolutely, but because there is overlapping functionality they need to be properly configured to work efficiently together.

Q: Which one should i use?
A: Both. This guide will use uBlock Origin to handle all of the static filtering (the 3rd party filter lists used for ad blocking and such) and uMatrix to handle most of the dynamic filtering (JavaScript, cookies, frames, etc.). They were both wrapped in a single extension at one time and i think the developer unnecessarily complicated matters when he split the functionality and created two extensions with overlapping features, one (uBO) apparently targeted toward novices, but which includes an advanced mode option, the other targeted toward advanced users. In reality uMatrix is no more difficult to use than uBlock in its advanced mode. The confusion caused by this mess is apparent by the number of users asking these kinds of questions.

Automatic add-on updates

Regarding automatic add-on updates which are enabled by default in Firefox, they are disabled in the ‘ghacks’ user.js file and i would strongly suggest keeping them disabled. Automatic checking for updates is fine and this is enabled in the ‘ghacks’ user.js, but we do not want Firefox to update add-ons without our explicit consent. The problem with automatic add-on updating is that developers may, at any time and without notice, monetize their add-on or sell their work to an unethical 3rd party and this usually results in compromising your privacy through data collection. The problem of crapware-containing add-ons has exploded in the AMO repository for a couple of reasons: 1) because Mozilla moved to the WebExtension API, it is now trivial for developers of Google Chrome extensions to port their work to Firefox and, 2) Firefox extensions are no longer reviewed by humans, except perhaps in special cases. Examples of some currently or formerly popular add-ons which contain(ed) such crapware are Abduction, a screen capture utility, Quick Locale Switcher, a language switcher, FasterFox Lite, a largely useless utility which claims to speed-up Firefox but doesn’t, BlockSite, a content blocker, Stylish, a very popular utility for changing the appearance of websites, and many, many others. Not all of these extensions contained crapware when they were first developed which is why i strongly suggest keeping automatic add-on updates disabled and carefully monitoring the change logs, permissions and privacy policies each time an add-on update becomes available. For more about Firefox add-ons, see Firefox Extensions – My Picks.

Let the hacking begin

Firefox post install cleanup

Before you make any changes, back-up your entire Firefox profile. If you don’t know where it is, enter about:profiles in the address bar. The easiest way to do this is simply to select your profile folder inside the /firefox folder, press Ctrl+C to copy it, then Ctrl+V to paste it in the same place but with a different name. I might suggest keeping the original name and just appending -bak to the copy. From this point on, all changes should be made to your original profile, leaving your backup profile untouched in case something explodes. If you want to start fresh you may want to empty all unnecessary contents of your profile, keeping only your bookmarks and whatever else you need. See the article Profiles – Where Firefox stores your bookmarks, passwords and other user data if you need help with what data is stored in which file.

System add-ons

Packaged with Firefox are a bunch of system add-ons which are installed without asking and they are essentially hidden from the user (they are not listed in about:addons). Some of these add-ons have been and may be currently used for controversial purposes such as collecting data about how users interact with search engines or the browser, etc. I suggest removing all of them. On Linux these add-ons are located in /usr/lib/firefox/browser/features and for Windows in \Program Files (x86)\Firefox\browser\features or \Program Files\Firefox\browser\features. You can delete them in Linux using the terminal:

cd /usr/lib/firefox/browser/features
sudo rm *.xpi

These system add-ons will be automatically reinstalled each time Firefox is upgraded. If you’re running Linux with the pacman package manager (Arch, Manjaro), you can prevent their reinstallation by editing the pacman configuration file, pacman.conf. Note that this will not work using Pamac, the GUI package manager, until this bug is addressed. Be sure the example path is correct for your particular case:

sudo nano /etc/pacman.conf

Add the following under the [options] key:

NoExtract = /usr/lib/firefox/browser/features/*

You can also try changing the permissions of the /features directory:

sudo chmod 444 /usr/lib/firefox/browser/features

I assume such an option is available for other package managers as well, however i was unable to quickly locate an example for dpkg, the package manager for Debian and its derivatives (Ubuntu, Mint, etc.). Nevertheless, there are multiple ways to prevent these system add-ons from being installed. On Windows you can apparently use CCleaner to disable them.

Search engines

I recommend reading Firefox Search Engine Cautions and Recommendations which offers information about how Mozilla monetizes Firefox with the included search engine plugins and what can be done to opt out of this affiliate scheme should you so choose.

HSTS tracking

To understand how HTTP Strict Transport Security (HSTS) works and how it can be used to track browsing activity, as well as the implications of disabling it, read How to prevent HSTS tracking in Firefox on the ghacks website. Setting the preference security.cert_pinning.enforcement_level to ‘0’ may disable HSTS and Public Key Pinning, however there is a security risk in doing so. If you set the preference to ‘0’ and experience the error “The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset.”, reset the preference. Likewise if you set the preference to ‘2’ and experience the error “MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE”, reset the preference.

Firefox settings

This guide depends heavily on the ‘ghacks’ user.js configuration file which will alter hundreds of important Firefox preferences related to privacy and security, thus you need not worry about manually configuring privacy and storage settings and such from the Preferences menu of Firefox. If you choose to not use the ‘ghacks’ user.js, then your job may be considerably more difficult assuming your goals are similar to ours here. Still, you may find it quite helpful to refer to the ‘ghacks’ user.js if you choose to start from scratch.

Firefox profile in RAM

With the wide adoption of speedy Solid State Drives (SSDs), the concept of sticking the Firefox profile in RAM for performance reasons may seem obsolete, however there are still benefits to be gained. If you don’t want to disable disk browser caching, web storage and cookies globally, and thus break a lot of websites in the process, then there will be lots of reads and writes to your storage media resulting in unnecessary wear and tear. Placing your Firefox profile in RAM will alleviate this, however doing so can be risky should some sort of catastrophic failure occur resulting in data loss or corruption. Fortunately there are ways to minimize the risk. If you use Windows you’re on your own since i don’t, suffice to say that there exists Windows compatible software that can manage RAM disks and write your profile back to your storage media when you exit Firefox. Those using most any flavor of Linux have access to a very spiffy utility called Profile-sync-daemon which is designed specifically for this task and it works with quite a few browsers. Check your package manager to see if it’s available in your repository. To get it working, run man psd in a terminal or consult the Profile-sync-daemon guide on the Arch wiki. Setting it up was very easy in my case and it has worked flawlessly and transparently ever since.

Note that Firefox stores its web cache in a location other than the profile directory. On Linux it’s kept at /home/[user]/.cache/mozilla/firefox/. Normally you would have to deal with this cache separately if you wanted to store it in RAM also, however since disk caching is completely disabled in the ‘ghacks’ user.js (browser cache is stored in memory only) and the cache is dumped when you exit Firefox, you need not worry about it. If you’re thinking it would be more efficient to keep the browser cache instead of having to re-download objects for websites you visit frequently, you’re right, however doing so will compromise your privacy. We won’t exactly be dumping all of the browser cache either if we use the Decentraleyes add-on.

Configuration files

Keep the following hierarchy in mind as you read this section. When Firefox starts:

  1. prefs.js is read by Firefox
  2. user.js is read by Firefox – all preferences in the user.js file are copied to the prefs.js file and any preferences that are duplicated in both files are overridden by those in user.js – prefs.js is then used to generate what you see in about:config
  3. user-overrides.js is never read by Firefox but these preferences are appended to the ‘ghacks’ user.js with a script (preferred) or by manual copying – if using the ‘ghacks’ user.js this is the only file you should edit and it is where all your custom preferences should be placed

This may defy conventional knowledge, so let me be clear:

If you are going to use the ‘ghacks’ user.js file then you should never edit it (nor the prefs.js file), nor should you change important settings from about:config unless you’re only testing something. All of your custom preferences should be placed in your user-overrides.js file and nowhere else.

One reason for this is because the ‘ghacks’ user.js is a large file that is updated frequently. If you make changes to this file and then apply an update, your changes will be lost, whereas if you copy the preferences you want to change from the ‘ghacks’ user.js to your user-overrides.js and change the values there, then updating the ‘ghacks’ one will be fairly painless. On the other hand, should you choose to not use the ‘ghacks’ user.js, then you should add your changes to your own user.js and you can ignore everything stated here about the user-overrides.js. Either way, never edit the prefs.js file directly or by way of about:config unless you’re just testing something.

If you do not have a general understanding of the user.js file, you may want to read this on the ‘ghacks’ wiki. You should also poke around elsewhere in the wiki for detailed information on using and maintaining their user.js file.

Obtaining and maintaining the user preferences files

In your profile folder, delete or rename your existing user.js file if you have one. You can transfer any needed settings later if they are not already covered in the ‘ghacks’ one. Next i would suggest downloading the user-overrides.js file from the labwrat/Firefox-user.js GitLab repository by clicking the file name, then the little cloud-looking icon.

Place the file in your profile directory and then open it using a decent code editor with syntax highlighting and carefully follow the instructions within.

Next we want the ‘ghacks’ user.js file on the ghacksuserjs/ghacks-user.js GitHub repository but you need not download it directly. Instead, grab their updater.sh (Linux) or updater.bat (Windows) script by clicking the file name, then clicking the ‘Raw’ button in the new page and, finally, Ctrl+S in the next page to save the file to your Firefox profile directory. Finally, use the same method to get a copy of their prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) and place it in your Firefox profile directory. This script is used to reset any unused or old preferences in your prefs.js file. Next, run the updater script to fetch the ‘ghacks’ user.js and append the contents of your user-overrides.js to it. In Linux, make the script executable, then run ./updater.sh in a terminal and follow the prompts. If you get an error, grab a new copy of the file being careful to use the method described earlier.

At this point it is important to go through the entire ‘ghacks’ user.js file and read all of the comments and review each of the settings to be sure everything is configured the way you want. As stated above, any preferences you want to change in the user.js file should be copied to your user-overrides.js file in the appropriate section where you will then change the value of the preference. Note that if you ever add and then comment out or delete a custom preference in your user-overrides.js which is not contained in the ‘ghacks’ user.js, and you have run Firefox after doing so, that setting will remain in the prefs.js file. The safest way to remove such preferences is to open about:config in Firefox and reset them.

Don’t forget to run the updater script every time you make changes to the user-overrides.js file. You can read more about the updater script here and the cleaner script here.

Verifying the integrity of user.js

It is important to perform an integrity check whenever the ‘ghacks’ user.js file is updated or you have changed anything in the user-overrides.js file.

From the ‘ghacks’ crew:

In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.

They reference the article, ‘A New Preferences Parser for Firefox‘ if you’re interested in knowing more.

To perform this check, you should disable your network connection, then start Firefox and open the Browser Console from the Web Developer toolbox (Ctrl+Shift+J might work) and check for the error messages as advised.

The reason it is suggested to disable your network connection is because, in the event there is a problem with an important preference, a network connection may allow data to flow in or out which you wanted to avoid.

Now we will further check the integrity of the user.js and user-overrides.js files. You may have noticed a bunch of unusual looking _user.js.parrot preferences in both files. These are used for troubleshooting syntax errors by quickly identifying a specific section in which the error lies. When you run Firefox for the first time after making changes to your user-overrides.js file, check the value of the troubleshooting preference by entering about:config in the address bar and searching for the _user.js.parrot preference (it will likely be the first one listed without having to search). The value should match the very last _user.js.parrot preference in your user-overrides.js. If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section of the user-overrides.js file the syntax error lies, or the user.js file if you mistakenly edited it. While it cannot narrow down the problem to a specific preference or line number, at least you will know where to begin looking.
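The startup order from the ‘Configuration files’ section and the parrot check above can be rehearsed offline, before Firefox is started. The following Python sketch is an added example, not part of this guide's files or the ‘ghacks’ project: it parses a user.js (with overrides already appended), models how user.js replaces values in prefs.js, compares the parrot values, and also reports malformed user_pref lines by line number, which the parrot alone cannot do. The function names, section labels and sample file contents are constructed for illustration.

```python
import json
import re

PARROT = "_user.js.parrot"

# Comments are matched first so commented-out prefs are skipped; a "//" inside
# a quoted value belongs to the pref. Any other user_pref text is malformed.
TOKEN = re.compile(r'''
    (?P<comment> /\*.*?\*/ | //[^\n]* )
  | user_pref\(\s*"(?P<name>[^"\n]+)"\s*,\s*
        (?P<value> "(?:[^"\\\n]|\\.)*" | true | false | -?\d+ )\s*\)\s*;
  | (?P<bad> user_pref[^\n]* )
''', re.S | re.X)


def decode(raw):
    """Turn a pref literal (string, boolean or integer) into a Python value."""
    try:
        return json.loads(raw)
    except ValueError:
        return raw[1:-1]  # string with an escape JSON does not know


def parse_prefs(text):
    """Return (prefs, errors): prefs as (name, value, line) in file order,
    errors as (line, source) for user_pref calls that are not well formed."""
    prefs, errors = [], []
    for m in TOKEN.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        if m.group("name"):
            prefs.append((m.group("name"), decode(m.group("value")), line))
        elif m.group("bad"):
            errors.append((line, m.group("bad").strip()))
    return prefs, errors


def startup_prefs(prefs_js, user_js):
    """prefs.js is read first, then user.js replaces any pref of the same name.
    Prefs that exist only in prefs.js survive, which is why removed overrides
    linger until they are reset."""
    merged = {name: value for name, value, _ in parse_prefs(prefs_js)[0]}
    merged.update({name: value for name, value, _ in parse_prefs(user_js)[0]})
    return merged


def audit(user_js, prefs_js):
    """Compare the parrot stored in prefs.js with the last parrot in user.js,
    and locate malformed prefs by line and by the parrot section above them."""
    prefs, errors = parse_prefs(user_js)
    parrots = [(line, value) for name, value, line in prefs if name == PARROT]
    expected = parrots[-1][1] if parrots else None
    applied = {n: v for n, v, _ in parse_prefs(prefs_js)[0]}.get(PARROT)
    findings = []
    for line, source in errors:
        section = next((v for l, v in reversed(parrots) if l < line), None)
        findings.append({"line": line, "section": section, "source": source})
    return {"expected": expected, "applied": applied,
            "parrot_ok": applied == expected, "findings": findings}


# Constructed sample: a shortened user.js with overrides appended. Line 5 is
# missing its semicolon; the section labels and values are made up.
SAMPLE_USER_JS = '''\
user_pref("_user.js.parrot", "section 0100");
user_pref("browser.cache.disk.enable", false);
// user_pref("browser.cache.memory.enable", false);
user_pref("_user.js.parrot", "section 0200");
user_pref("security.cert_pinning.enforcement_level", 1)
user_pref("browser.startup.homepage", "https://example.com//start");
/* overrides appended by the updater */
user_pref("_user.js.parrot", "overrides: end");
'''

# Constructed sample: prefs.js as it might look after a start in which the
# parrot reached the end. "example.leftover.pref" is a hypothetical pref that
# was once in the overrides file and has since been deleted from it.
SAMPLE_PREFS_JS = '''\
user_pref("_user.js.parrot", "overrides: end");
user_pref("browser.cache.disk.enable", true);
user_pref("example.leftover.pref", "old");
'''

if __name__ == "__main__":
    report = audit(SAMPLE_USER_JS, SAMPLE_PREFS_JS)
    print("parrot ok:", report["parrot_ok"])
    for f in report["findings"]:
        print("line %(line)d, after parrot %(section)r: %(source)s" % f)
```

In the sample the parrot matches even though one preference is malformed, which is the situation the ‘ghacks’ note about FF60+ describes; the Browser Console check remains the authoritative one.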

Updating the user.js file

To update the ‘ghacks’ user.js file just run the updater script. To update my personal user-overrides.js file, just copy the contents of the new version to your user-overrides.js and then run the updater script. Lastly, you should also run the ‘ghacks’ prefsCleaner script with Firefox closed. If you want to keep up with the latest version of the ‘ghacks’ user.js and/or my user-overrides.js files, you can subscribe to the following feeds:

Required add-on configuration and usage

CSS Exfil Protection

Turn it on. Next.

Decentraleyes

You can enable all of the options with the possible exception of ‘Block requests for missing resources’ which will break some websites.

Firefox Multi-Account Containers

From its toolbar button you can create and edit containers (you can delete the default ones and create your own if you wish).

Neat URL

The default settings are sufficient. You may have to whitelist sites that no longer work properly.

Privacy-Oriented Origin Policy (POOP)

I would recommend setting the ‘Global mode’ to ‘aggressive’ and enabling the ‘Exclude root domain matches’ option. If you are not using uMatrix, enable the ‘Spoof cross-origin Referer’ option.

Skip Redirect

The default settings are sufficient. You will likely have to whitelist sites that no longer work properly, which Skip Redirect makes easy to do since you can copy the last skipped URL by right-clicking its toolbar icon and then add that URL or domain to the blacklist.

Smart HTTPS

The default settings are sufficient, except i personally disable the whitelisting of HTTP protocols. Normally when you visit a website over HTTP, Smart HTTPS will attempt to forward your request to HTTPS and, if that fails, it will fall back to HTTP and then add the domain to the whitelist so that subsequent visits would default to HTTP. While the developer does not recommend disabling this behavior, i do it anyway for two reasons: First of all, the whitelist can grow to be very large and while some of the whitelisted domains don’t currently support HTTPS, others do, but if they take too long to respond then Smart HTTPS will mistakenly add them to the whitelist. Every so often i would delete all the whitelisted domains to address this problem, but doing so is a pain because you can’t dump them all at once. Secondly, i don’t care if Smart HTTPS hammers an HTTP-only site with HTTPS requests because every website should be using HTTPS, especially since one can get free, valid SSL certificates from Let’s Encrypt, and so i prefer to repeatedly send them the message via their web logs.

Temporary Containers

On the ‘General’ tab of the settings, enable ‘Automatic Mode’ and ‘Random Container Color’.

On the ‘Isolation’ tab, then the ‘Global’ tab, set all of the navigation/event options to ‘If the Navigation Target Domain/clicked Link Domain does not match the Active Tabs Domain’.

On the ‘Isolation’ tab, then the ‘Multi-Account Containers’ tab, make sure the following option is disabled: ‘Open new Temporary Containers if a Permanent Container Tab tries to load a Domain that isn’t assigned to “Always open in” that container’. Because of how we set the options in the ‘Isolation’, ‘Global’ tab, domains which do not match those assigned to a permanent container will still be opened in a new temporary container/tab.

The above settings will create temporary containers for every domain you visit by default.

Set the rest of the settings as desired.

uBlock Origin

uBlock Origin (uBO) will be used in its easy mode in order to block ads and prevent tracking by employing some of the many 3rd party static filter lists which it offers. Read the uBlock wiki sections pertaining to the easy mode to understand how to use it properly.

Once uBlock Origin is installed, click its toolbar icon to reveal the main pop-up interface, then click the little settings icon to reveal the Dashboard:

The first tab in the Dashboard is the Settings tab and here are the ones i recommend enabling:

  • Hide placeholders of blocked elements (optional – if you are new to content blocking, you may not want to enable this so that you can get an indication as to what was blocked)
  • Privacy:
    • enable all
  • Default behavior:
    • Block remote fonts

Blocking remote fonts will uglify quite a few websites. In such cases you can click the little ‘A’ icon on the uBO pop-up interface to allow remote fonts for the specific domain you’re visiting. Don’t forget to click the padlock icon to save your changes if you want them to be permanent.

Next we want to temporarily enable the advanced user option. Notice that a little gray gears icon appears next to it when it’s enabled and clicking it will display some advanced settings. I would suggest changing the value of suspendTabsUntilReady to true. Although there is no guarantee, uBO will attempt to prevent tab loading until it is ready to handle the requests. This is perhaps especially useful when you exit Firefox with open tabs and have it set to restore your previous tabs on restart. After changing that setting, go back to the Dashboard and disable the ‘I am an advanced user’ option, because we will be using uMatrix for all our dynamic filtering needs since it allows more granular control.

Click the settings button again on the uBlock Origin pop-up interface and select the Filter lists tab. Here are the settings and filter lists i recommend enabling:

  • Auto-update filter lists
  • Parse and enforce cosmetic filters
  • Ignore generic cosmetic filters
  • network/cosmetic filters
    • My filters
  • Built-in:
    • uBlock filters
    • uBlock filters – Annoyances
    • uBlock filters – Badware risks (enable if you run Windows)
    • uBlock filters – Privacy
    • uBlock filters – Resource abuse (blocks many cryptocurrency mining scripts)
    • uBlock filters – Unbreak (un-breaks some websites that may be broken by other filter lists)
  • Ads:
    • Adblock Warning Removal List (hide annoying website messages warning about using an ad-blocker)
    • Adguard Base Filters
    • EasyList
  • Privacy:
    • enable all lists
  • Malware domains
    • Malvertising filter list by Disconnect
    • Malware Domain List
    • Malware domains
    • Spam404
  • Annoyances:
    • Adguard’s Annoyance List
  • Multipurpose:
    • Dan Pollock’s hosts file
    • Peter Lowe’s Ad and tracking server list

As of this writing you can find over 12 million filter lists on the FilterLists website, however i strongly advise being very careful about which ones you add, if any. In my experience the default filter lists offered by uBO are quite sufficient and adding more may only slow things down, consume more resources and potentially break stuff.

All other uBlock settings are optional.

uMatrix

SET THE SCOPE, LOCK THE LOCK!

Keep that in mind as you read this section.

You will likely be spending far more time with uMatrix (uM) than all the other add-ons here combined and, since it is one of the most important ones in the pile, it is vital you understand how to use it, so read the wiki because i’m not going to go into great detail here.

uMatrix configuration

Once uMatrix is installed, click the toolbar button and then the title bar of the pop-up to open the Dashboard:

Following are the settings i recommend enabling:

Settings, Convenience:

  • Show the number of blocked resources on the icon
  • Collapse placeholder of blacklisted elements (but not blocked elements, at least not until you become more comfortable with uM)
  • Spoof <noscript> tags when 1st-party scripts are blocked

Settings, Privacy:

No other settings need to be enabled in the ‘Privacy’ section if using the Temporary Containers add-on and you configure it as suggested.

Regarding the spoofing of the browser User-Agent string, my research indicates this is essentially useless and can actually make fingerprinting the browser easier. There are other potential pitfalls with spoofing the UA as well.

On the ‘My rules’ tab, add the following to the ‘Temporary rules’ pane, then save and commit your change:

no-workers: * true

This will disable web workers which will prevent certain JS from running in the background, including some/many cryptocurrency mining scripts. If a page breaks as a result, you can enable web workers on a per-site basis from the uM pop-up by clicking the vertical 3 dot button. One resource this setting will break is 1st party and embedded videos from dailymotion.com. For example, if you visit this page and allow everything for all of the Dailymotion domains, the video will still not play until you allow web-workers, but do not enable workers globally (select the local scope, not the global scope when you make the change).

On the ‘Assets’ tab, disable all of the host file filter lists, purge the caches and save your changes. It is better to use uBlock Origin to control the static filter lists since it offers many more of them by default.

Also on the ‘Assets’ tab, enable the ‘Ruleset recipes for English websites’ option. On the uM toolbar pop-up you will notice a puzzle piece icon which you can use to quickly import a rule-set for a resource used by the page you’re visiting if it uses a 3rd party resource and if someone has created a rule-set for that resource. For example, if you visit a page with an embedded YouTube video, you can import the rule-set for YouTube instead of doing it manually.

If you’re using the Decentraleyes add-on you will need to add some rules to uMatrix which can be found on the Frequently asked questions page of the Decentraleyes repository. When adding the rules, be sure to remove any conflicting rules for the same domains if you have any (if you’re just starting out, you won’t).

uMatrix basic usage

When you first install uMatrix, it will allow all 1st party requests by default and we need to sledgehammer that, so load up 12bytes.org in a new tab and click the uM toolbar icon to display the main pop-up interface:

Because you have read the uMatrix wiki (you did, right?), you already know that YOU MUST REMEMBER TO SET THE SCOPE in which uM operates before making any changes. Failing to do this can break things unexpectedly and threaten your privacy. You also know that any changes you make are temporary unless you save them. Since we first want to set some basic default filters that affect all websites, we need to change to the global scope:

Once we’re operating in the global scope, i suggest setting up uMatrix like so:

This configuration will result in the following behavior:

  • 1st party cookies will be allowed globally (for the domain being visited)
  • CSS will be allowed globally, including 3rd party CSS
  • Images will be allowed globally, including 3rd party images
  • 1st party frames will be allowed globally (for the domain being visited)

Unless you only want your changes to be temporary, always remember to click the padlock icon to save them.

Note that in the screenshots that follow, the 1st party cookies block in the global scope will not be green as in the one above due to an oversight on my part when i created the screenshots.

Now load up this post in a new tab. Does it look like something’s missing? Sure enough, if we open the uMatrix pop-up interface again, we see youtube-nocookie.com in the resource list which should tell you that there must be a YouTube video in that post that is being blocked. It also tells you exactly what was blocked, in this case a single frame:

If uMatrix is hiding the subdomains and you don’t see www.youtube-nocookie.com, click this little thing in the ‘all’ row and it will expand the list of domains:

In the screenshots above you can see we are operating in the local scope (12bytes.org). You will notice that i allowed all requests for the 1st party domain, 12bytes.org, because it’s my site and i trust it. You need not do the same and, as a rule of thumb, you should not do the same, nor is it required to get the video to play, at least not on 12bytes.org.

So we want to get that YouTube video working, but do we want to allow embedded YouTube videos for 12bytes.org only, or for all websites? This is what you need to be thinking any time you allow requests for a resource such as YouTube. Since you probably want to allow YouTube videos for all of the websites you visit, again we need to switch to the global scope and unblock the blocked frame for either the youtube-nocookie.com domain or the www.youtube-nocookie.com domain. Which you choose depends on whether you want to allow the resource for the root domain, including any sub-domain, or only the sub-domain (www in this case). In this instance i suggest keeping it simple and allowing the frame for the root domain as shown. Make sure you save the change:

Now when we refresh that page, we might expect to see that YouTube video, but we don’t. Opening the uM pop-up again and switching to the global scope, we discover that allowing the frame for youtube-nocookie.com caused more stuff to show up, this time the ytimg.com domain:

Making sure we are working in the global scope, let’s unblock scripts for ytimg.com and youtube-nocookie.com. Make sure to save your changes:

Now when you reload the post page, everything should look good. We see the video frame and a nice image. Great. Click the play button and… nothing! Open the uM pop-up once more and we find that we need to allow XHR for the youtube-nocookie.com domain. You know what to do, so go ahead and make the change, making sure you’re working in the global scope and remembering to save your change afterwards. Refresh the post page again and click the play button on the video. It still doesn’t work! Again, open the uM pop-up and you’ll see another new domain has appeared, this time googlevideo.com (in case you didn’t know, Google owns YouTube). Again, make sure you’re working in the global scope and unblock the XHR requests for googlevideo.com and save your changes:

Now refresh the post page one last time and the video should play. If it does not, you probably messed something up and there’s a fair chance it’s because you made one or more changes in the wrong scope and tried to correct them. If you messed something up, open the uM Dashboard, click the ‘My rules’ tab and in the ‘Temporary rules’ pane, delete all of the rules you created related to YouTube videos and 12bytes.org, but be careful not to delete the default rules or the global rules we set up originally. To do this, select the rules and press your delete key, then click the ‘Save’ and ‘Commit’ buttons:

Once you’ve deleted those rules and committed the changes to the ‘Permanent rules’ list, go back to the first step and try again.

De-borking other websites is generally not as time consuming as it was to get embedded YouTube videos to play and instead is usually accomplished with a couple mouse clicks and a page refresh. Just remember to turn to uMatrix first when a website is busted. If it is blocking something it will let you know by displaying a badge on the toolbar icon. uBlock Origin will do the same, but it won’t usually be the cause of the problem since we offloaded its dynamic filtering to uMatrix by not enabling its advanced mode of operation. Again, make sure you read the uMatrix wiki.

Another way to get a website working very quickly is to check if there are any user created rule recipes available for the site you’re visiting or the resource it wants to load. If there are, that little puzzle-piece icon on the uM pop-up interface will become active and from it you can click a rule-set to import. Just be aware that the user created rule-sets seem to be fairly lax in their restrictions and may allow more than you want to allow, however you can always adjust as necessary before saving the changes. If nothing else, the user rule-sets can be helpful in determining why a site does not function properly. By the way, you could have done this with 12bytes.org instead of letting me drag you through the mud, but doing so was a good learning exercise.

Lastly i want to stress the importance of both the uBlock Origin logger and the uMatrix logger which are invaluable tools for troubleshooting the tougher problems. You can get a better understanding of the uM logger by reading the documentation for the uBO logger since it is far more complete as of this writing, though some information is uBO specific. The uM logger is available in the Firefox sidebar in addition to a browser tab. This can be really handy because you can set it to display all of the network events it records and watch in real-time as you troubleshoot something without having to swap tabs constantly.
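After a few scope mistakes or imported recipes it is easy to lose track of what the global scope now allows. The following is an added example, not part of the original guide and not uMatrix code: it audits the text from the ‘My rules’ tab against the global-scope policy set up in this section (CSS and images for all destinations, cookies and frames for the 1st party only, web workers disabled) and lists every global allowance that affects all websites. The rule text is constructed from the walkthrough above, the finding labels and function names are assumptions, and the script only reads rules; it does not reproduce how uMatrix evaluates them.

```python
# Request types the guide's global scope allows for every destination.
GLOBAL_OK_TYPES = {"css", "image"}
# Request types the guide's global scope allows for the 1st party only.
FIRST_PARTY_OK_TYPES = {"cookie", "frame"}

# Constructed from the walkthrough in this section (not an export from the author).
GUIDE_RULES = """\
no-workers: * true
* * * block
* * css allow
* * image allow
* 1st-party cookie allow
* 1st-party frame allow
* youtube-nocookie.com frame allow
* youtube-nocookie.com script allow
* youtube-nocookie.com xhr allow
* ytimg.com script allow
* googlevideo.com xhr allow
12bytes.org 12bytes.org * allow
"""

# The same rules after a scope mistake: workers re-enabled globally and
# broad allowances saved in the global scope instead of a local one.
LAX_RULES = (GUIDE_RULES.replace("no-workers: * true\n", "")
             + "* 1st-party * allow\n* * script allow\n")


def parse_rules(text):
    """Split 'My rules' text into matrix rules, switches and unparsed lines."""
    rules, switches, unparsed = [], {}, []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0].endswith(":") and len(parts) == 3:
            # switch line: "name: scope value", e.g. "no-workers: * true"
            switches[(parts[0][:-1], parts[1])] = parts[2] == "true"
        elif len(parts) == 4:
            # matrix rule: "source destination type action"
            rules.append(tuple(parts))
        else:
            unparsed.append(raw)
    return rules, switches, unparsed


def audit(text):
    """Return (label, rule) findings for the global scope (source '*')."""
    rules, switches, unparsed = parse_rules(text)
    findings = [("unparsed", line) for line in unparsed]
    if not switches.get(("no-workers", "*"), False):
        findings.append(("missing", "no-workers: * true"))
    for src, dst, typ, action in rules:
        if src != "*" or action != "allow":
            continue  # local-scope rules and block rules are not widened here
        rule = " ".join((src, dst, typ, action))
        if dst == "*":
            if typ not in GLOBAL_OK_TYPES:
                findings.append(("too-broad", rule))
        elif dst == "1st-party":
            if typ not in FIRST_PARTY_OK_TYPES:
                findings.append(("too-broad", rule))
        else:
            # Named destination allowed for every website: intended for the
            # YouTube example, but each one deserves a conscious decision.
            findings.append(("review-global", rule))
    return findings


if __name__ == "__main__":
    for label, rule in audit(LAX_RULES):
        print("%-14s %s" % (label, rule))
```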

Using containers

The Temporary Containers (TC) add-on is vital to protecting our privacy and eliminating website breakage without having to manually edit configuration settings. Initially it will require some effort to set up, but i think the benefits are well-worth the effort.

If you have configured TC as suggested it will isolate web data on a per-domain basis by automatically creating and deleting containers and this works nearly transparently. The problem is when you want to stay logged-on or retain settings for a given website/domain after you close its tab or restart Firefox because TC will delete all the stored data for the domain by default, including cookies. This is where the Firefox Multi-Account Containers (MAC) add-on comes into play. We can use this add-on to create permanent containers for specific purposes or domains and then force certain websites to always load in those containers. The process is kind of clunky at the moment, but hopefully things will become easier in the near future.

As an example, let’s say you use one of the Searx search engine instances. Searx offers a lot of configuration options and you probably don’t want to adjust them every time you use your preferred Searx instance. One way to solve the problem is to create a permanent ‘Searx’ container which will retain stored data (cookies, etc.) for your preferred Searx instance. To accomplish this and automatically load a particular domain in its assigned container every time you visit that domain, follow these steps. We will use the Searx instance at searx.me in our example:

  1. Click the Multi-Account Containers (MAC) toolbar icon and click the ‘+‘ icon to create a new container named ‘Searx’, then load the ‘Searx’ container by clicking the ‘Searx’ menu item in the pop-up
  2. In the address bar, enter searx.me and load the website
  3. From the MAC toolbar icon pop-up, enable the option ‘Always open in Searx’

Test your configuration by closing the searx.me tab/container, then open a new temporary tab/container and enter ‘searx.me’ in the address bar. If you did everything correctly, the colored container text in the address bar should say ‘Searx’ and not ‘tmp [n]’. This indicates that searx.me was loaded in the permanent container you created earlier and thus any preferences you change on the searx.me website will be saved (cookies) after closing the tab as well as across browsing sessions.

I suggested naming the permanent container ‘Searx’ because you might want to add more Searx instances to that same container, though you will have to repeat the above process for each domain you add. If you wanted to create a container specifically for searx.me, you might have named it ‘searx.me’ instead, or perhaps ‘Search’ if you wanted to store the data for all of the search websites you use in one container.

Another problem arises with temporary containers when you log-on to a website that redirects you to another domain where you enter your credentials (or vice versa). Such is the case for the Mozilla Add-ons (AMO) website, addons.mozilla.org, which redirects to accounts.firefox.com to log you on. If you configured TC as suggested then it will create a temporary container for both domains that cannot talk to each other and so the log-on will fail. Again this can be solved by creating a single permanent container which holds the data for both domains as previously described, but let’s go through this particular exercise because i’m going to add some additional information:

  1. Click the MAC toolbar icon and click the ‘+‘ icon to create a new container named ‘Mozilla’, then load the new container
  2. In the address bar, enter addons.mozilla.org and load the website
  3. From the MAC toolbar pop-up, enable the option ‘Always open in Mozilla’
  4. Click the ‘Register or Log in’ button to log-on and accounts.firefox.com will open in a new, temporary container from which you want to copy the URL in the address bar
  5. From the MAC toolbar pop-up, reopen the ‘Mozilla’ container, then paste the URL you copied in the address bar and load it
  6. From the MAC toolbar pop-up, enable the option ‘Always open in Mozilla’

Both domains will now share the same container and you can use that container, or any temporary container, to visit addons.mozilla.org and the domain will automatically load in the ‘Mozilla’ container, after which you can log-on as you normally would.

You can get creative with containers too. Maybe you have several web mail accounts with a particular host, but you can only log-on to one account at a time. You may be able to get around this by using multiple containers for the same domain (i say “may” because it depends on what the website does when it sees multiple log-on attempts from the same IP address).

While you can create permanent containers to hold any number of unique domains, such as a ‘Social’ container to hold the data for all of the social media websites you use, you should be cautious because your privacy may be compromised.

To sum up this section, i recommend creating separate containers for every website for which you want to keep the data they store on your computer, such as cookies. For websites which you trust and which fall under a particular category, such as our example with Searx, you could create a single container to hold all of them. The majority of your browsing however should take place in separate, temporary containers that are created and deleted dynamically as you surf the web.

THE END (lie)

While there are many more things you could do if you’re really serious about protecting your on-line privacy and browser integrity, i hope this guide has been of some use to the technically adept novice or intermediate web surfer at which it is aimed. I welcome any questions or comments you may have, just please leave them in the comment section below so others can benefit (you need not be logged on).

Lastly i want to again thank all of the dedicated and skilled people who created, maintain and contribute to the ghacks-user.js repository, especially Thorin-Oakenpants (aka, ‘pants’) and earthlng. This guide would never have been as comprehensive as it is without the benefit of that bunch of misfits :)

IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and it’s the best way to stay informed.

Further reading on this website

Further resources

From the ‘ghacks-userjs’ GitHub repository:

Everything else:

Revision history

Scroll to the bottom if you want to see the latest changes.

11-APR-2015

  • first publishing

14-APR-2015

  • removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
  • almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
  • various other edits and corrections.

15-APR-2015

  • updated user.js file
  • several other small updates and a few corrections

16-APR-2015

  • updated user.js file
  • switched uBlock versions since a new fork was created
  • updated uBlock images and documentation
  • added a “Current notices” section
  • misc. other corrections/updates/edits

17-APR-2015

  • updated and added more information for uBlock
  • updated one HTTP UserAgent cleaner screen-shot
  • misc. other corrections/updates/edits

18-APR-2015

  • updated HTTP UserAgent cleaner information
  • for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.

22-APR-2015

  • updated information for HTTP UserAgent cleaner
  • updated user.js file
  • minor updates to uBlock information
  • misc. other minor changes

23-APR-2015

  • updated some HTTP UserAgent cleaner information
  • deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
  • misc. other minor changes

25-APR-2015

  • updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
  • updated the user.js file
  • updated some definitions of terms used in this document
  • added some more resources

26-APR-2015

  • updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner

2-MAY-2015

  • updated HTTP UserAgent cleaner information to match changes in version 0.7.4.11a

3-MAY-2015

  • added Pure URL as a suggested add-on
  • updated contents of the user.js file
  • added and edited some information for HTTP UserAgent cleaner
  • added more resources in the References section

5-MAY-2015

  • updated list of recommended filters for uBlock
  • updated user.js file contents

13-MAY-2015

  • updated user.js file contents
  • updated a few settings recommendations for HTTP UserAgent cleaner

14-MAY-2015

  • minor updates to user.js file contents

17-MAY-2015

  • added information for securing DNS traffic
  • misc. minor updates

5-JUN-2015

  • switched to Raymond Hill’s version of uBlock
  • updated uBlock filter information
  • added Fetch information for new version of HTTP UserAgent cleaner
  • updated user.js file contents
  • misc. minor updates

25-JUN-2015

  • updated uBlock settings to match the current development version (0.9.9.2)
  • misc. minor updates

8-JUL-2015

  • removed HTTP UserAgent cleaner since it is no longer being developed
  • removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
  • added uMatrix

9-JUL-2015

  • added more info for uMatrix and IP Config test results
  • updated user.js file contents
  • various other edits

13-JUL-2015

  • Minor edits for uMatrix usage text

20-AUG-2015

  • updated user.js file
  • removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it

5-FEB-2016

  • updated user.js file contents

12-FEB-2016

  • updated user.js file contents

29-APR-2016

  • updated guide information
  • updated user.js file and added a revision history to the file

1-MAY-2016

  • updated user.js file

12-MAY-2016

  • updated user.js file
  • minor grammar/spelling corrections

3-JUN-2016

  • corrected an error with pref ‘layout.css.devPixelsPerPx’ where the value was an integer instead of a string – this caused all prefs following it to be ignored

17-JUN-2016

  • set ‘browser.fixup.hide_user_pass’ back to its default value
  • added ‘network.http.redirection-limit’

23-JUN-2016

  • added some basic information for configuring the Clean Links add-on

1-JUL-2016

  • corrected ‘plugin.scan.*’ values to be strings
  • added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems

3-JUL-2016

  • changed the name of the troubleshooting/bogus preference to 12bytes.org-user-js-settings and added values to indicate the point at which the file stopped loading – a huge thanks to commenter ‘Pants’ for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, ‘Pants’ is the author of the user.js config file used in the ‘ghacks’ article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i’m very glad to have his input here)

16-SEP-2016

  • removed duplicate preferences in user.js file (see change-log in the file for details)

28-SEP-2016

  • removed Extension Defender from the list of recommended add-ons since its home page is gone and the code hasn’t been updated in two years
  • updated user.js file

18-FEB-2017

  • switched to using Pants’ config v0.11 and mostly just appending my settings to the end of his – because this is a major update, no history of changes to individual preferences will be published

19-FEB-2017

  • published my user.js on GitHub which was forked from Pants’ code
  • removed my user.js code from this page and linked to it on the GitHub page instead
  • changed my versioning scheme to match Pants’ where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
  • updated user.js to include v51 of Pants’ config – no preference changes so far as i know, just added/removed/changed comments
  • updated text in user.js section to account for the new changes
  • changes to comments and troubleshooting preference names and values, other minor changes

20-FEB-2017

  • updated user.js to version 51r2 – see the GitHub page for the change-log
  • updated info here regarding the user custom preferences section of user.js

12-MAR-2017

  • deleted the GitHub repository which i forked from Pants’ ‘ghacks’ repository and created a new repository which does not include his code
  • some changes to user.js
  • some major editing of this document mostly in regard to the creation and changes of the GitHub repositories

17-SEP-2017

  • rewrote and updated much of the content pertaining to uMatrix
  • added section “Removing system add-ons”
  • added section “Sanitizing the default search engine plugins”

11-DEC-2017

  • added some add-ons to the recommended section
  • misc. minor edits

22-SEP-2017

  • i didn’t keep track of all the changes and many were made – you’ll have to re-read the guide :)

27-SEP-2017

  • added section “A special note about cryptocurrency miners”

30-SEP-2017

  • added more info about IndexDB storage in the “Terminology” and “uMatrix configuration” sections.

11-DEC-2017

  • added to the list of recommended add-ons
  • updated some content to reflect the current state of Firefox and WebExtensions
  • misc. minor edits

19-DEC-2017

  • added a link to my post about the Firefox add-on, Looking Glass
  • misc. minor edits

2-MAR-2018

  • minor edits

24-OCT-2018

  • removed cryptocurrency miner section
  • removed information about the OpenH264 Video Codec plug-in since it seems Firefox is no longer shipping it, at least not on Linux
  • removed the Load from Cache add-on
  • removed some information about uMatrix since uBlock Origin covers most everything uMatrix does and is better suited for removing advertisements, plus it’s a much more active project.
  • updated some information
  • note that many more updates will occur in the next days, so i would suggest waiting until they are published before following this guide

25-OCT-2018

  • rewrote most of this guide, so if you read it before, read it again :)

26-OCT-2018

  • added the section ‘Firefox profile in RAM’
  • misc. other minor edits

27-OCT-2018

  • lots of clarifications and polishing, added several resources

30-OCT-2018

  • added uMatrix to the add-on pile again
  • added the uMatrix sections of this document
  • removed info about running uBlock in advanced mode since we’re using uMatrix for dynamic filtering instead
  • several minor edits
  • polishing

31-OCT-2018

  • add Cookie AutoDelete as a highly recommended add-on and updated configuration information for uMatrix to allow 1st party cookies by default
  • removed information about the Forget Me Not add-on
  • added information about First Party Isolation
  • added rule to uM to prevent web workers
  • added information about the uBO and uM logging functions
  • corrected some mistakes
  • polishing

2-NOV-2018

  • added info about using the user created rule sets for uMatrix, as well as correcting some mistakes and clarifying other uM info
  • polishing

27-Nov-2018

  • added info about HSTS tracking
  • minor edits

30-Nov-2018

  • added more info to the uMatrix section, particularly about indexedDB storage
  • minor edits

11-Dec-2018

  • clarified much information regarding the user.js files as well as other parts
  • added more info about browser fingerprinting
  • added more detail regarding system add-ons
  • added a user-overrides.js template
  • updated Header Editor rules download
  • added several more 3rd party resources
  • misc. minor edits

21-Dec-2018

  • added POOP as a required add-on and accompanying configuration information
  • configuration information for Neat URL was located in the wrong section
  • minor polishing

22-Dec-2018

  • minor clarifications

26-Dec-2018

  • add notice about newsletter subscribing
  • corrected advice regarding spoofing the referrer which was suggested for both POOP and uM (now it’s enabled in uM only)
  • dumped Cookie AutoDelete add-on – not needed when using uM and First Party Isolation, nor are any of these storage cleaning add-ons able to delete IndexedDB storage due to a shortcoming in the WebExt API, which is another reason to enable FPI
  • removed privacy.firstparty.isolate = false in user-overrides.js in order to enable First Party Isolation
  • added Restrict to Domain add-on to toggle privacy.firstparty.isolate (FPI) via toolbar button
  • removed the list of optional add-ons (NoScript and Smart Referrer)
  • minor edits
  • coming up: looks like i may be recommending to disable FPI in the very near future and use the Temporary Containers add-on instead – i’m playing with it now

29-Dec-2018

  • added some more info regarding HSTS tracking and the SiteSecurityServiceState.txt file based on user feedback – it appears some AV’s might have a problem if this file is set to read only
  • added a new resources section specific to the ‘ghacks-user.js’ GitHub repo
  • added Temporary Containers (TC) add-on and associated info – this results in several major changes throughout the guide
  • added Firefox Multi-Account Containers add-on and associated info – this is used in conjunction with the TC add-on
  • added ‘Using containers’ section
  • removed Canvas Blocker add-on – not needed with TC
  • removed Restrict to Domain add-on – not needed with TC
  • removed Don’t touch my tabs! add-on – (probably) not needed with TC
  • removed Header Editor – not needed for what we were using it for since the function is handled by TC
  • re-added privacy.firstparty.isolate = false to user-overrides.js
  • edited some uMatrix info regarding its privacy settings to reflect changes as a result of the TC add-on
  • added more info about importing rule-sets for uMatrix
  • moved Smart HTTPS add-on to the required section
  • moved Skip Redirect add-on to the required section
  • removed the suggested add-ons section
  • corrected mistakes and updated info in the section regarding integrity checking of the user.js/user-overrides.js files
  • reworked and updated the entire user-overrides.js file
  • removed mention of the template user-overrides.js file and associated download link – user should use the one provided in my GitLab repo
  • several minor edits/clarifications

3-Jan-2019

  • minor edit

12-Jan-2019

  • clarify information regarding the downloading of the configuration files thanks to a commenter
  • updated user-overrides.js
  • fix minor typo

17-Jan-2019

  • minor polishing

22-Jan-2019

  • updated info on HSTS tracking
  • updated info regarding downloading my user-overrides.js file

206 thoughts on “Firefox Configuration Guide for Privacy Freaks and Performance Buffs”


    1. PB mode can severely limit your ability to control some mechanisms – such as cookies. Cookies (and thus local storage) are protected by PB origin attributes – the only way to clear it is by ending the PB session. The P in PB is “private” but it is a misnomer – it only refers to persistent local data and has nothing to do with protecting your identity on the internet. It also has implications for Web Extensions that use IDB just to make things harder – hopefully this will change with Storage v2 – PB excludes IDB because there is no internal mechanism for clearing it (except the whole lot eg on close), and certainly not by host or time range. Storage v2 is heating up though.

      Starting in PB mode does almost nothing that you can’t achieve in normal windows with much better options and control. One-ff PB mode windows opened from normal mode can be awesome though :)

      1. “One-ff” … meant to type “One-off”

        “PB mode does almost nothing that…” – There are a couple of things, but I’m really struggling here to remember what they are, that PB mode provides that you can’t achieve in normal windows.

        1. “are they the same thing?”

          Not really. PB mode applies an OA (origin attribute). Containers also apply an OA, a ^ContextID=xx (I think, where xx is the container id). FPI attributes an OA of ^firstparty*something. You can have multiple OAs, eg turn on FPI and open a site in a container and you get a unique pairing. Same with PB+FPI.

          Containers, AFAIK, do not constrain persistent data, but seek to “contain” said data in buckets (kind of like isolation). So you could in essence have two google/youtube/gmail accounts in two different containers, and the data will persists (auto logins etc), but not be able to talk to each other. In PB mode, all that data is wiped when you close the PB session.

          That’s my take on it. I’ve never been interested in PB mode (see reasons above), and once FPI landed around the same time as containers got going, containers became obsolete in my eyes since FPI is superior.

          That’s not to say they are useful in one off situations

          1. Just wanted to add that, Containers and PB are the same in regards how they isolate data – that is, with the Origin Attribute as you correctly stated. So purely from the data storage perspective, they are essentially the same. What PB does differently is that it by default tries to avoid caching anything to disk (something e.g. the TorBrowser also does and something you can achieve by tweaking your about:config as well) and of course, all that data is wiped when closing the last PB window.

            However, if caching to disk isn’t your biggest concern (and if it is, one should consider one-use VMs anyway, something like Qubes), then containers can essentially give you multiple PB windows in tabs, all with OA separated storage. And if you delete the containers after usage (or let an Add-on do it for you), you effectively have PB, for every website you visit.

            Regarding FPI and containers – FPI doesn’t make containers obsolete at all. FPI doesn’t isolate your first-party data. So if you visit a website in one tab in the default container and later on in another tab in the same default container, the first party can see the same data. However, if you visit them in different containers, they can’t see the same first-party data. Of course FPI and containers can also be used in combination.

            So, personally I think, whether you use FPI, different profiles or even multiple VMs – containers can still give you some easy to handle data isolation on top.

            1. And since I need some coffee as well, here are some corrections:

              > you effectively have PB, for every website you visit

              Of course, PB has some different about:config tweaks that containers don’t have and PB also clears your history (though, a disposable containers Add-on could’ve a limited version, where every visited URL gets wiped from history, since containers don’t support a separate history yet, though it’s planned. e.g. I’ve implemented that into Temporary Containers). So it’s just really similar from the data storage perspective.

              > FPI doesn’t isolate your first-party data.

              That sounds funny. Probably should’ve added “in the sense that”

              Also, you’re right that one has to be aware that some Add-ons might not yet be container-aware or their features don’t work completely yet together with containers – and for some you have to switch on container-support in the settings (like Cookie AutoDelete).
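The isolation behaviour discussed in the comments above, as an added sketch that is not part of the original page or of any commenter's post: a simplified JavaScript model in which each storage jar is keyed by origin plus an origin-attribute suffix. The attribute names `userContextId`, `privateBrowsingId` and `firstPartyDomain` follow Gecko's OriginAttributes; the `StorageModel` class, the `oaSuffix` helper, the field ordering and the `*.example` sites are assumptions constructed for illustration.

```javascript
// Simplified model, not Gecko code: each storage jar is keyed by origin plus
// an origin-attribute (OA) suffix. Field order here is an assumption.
const FIELD_ORDER = ["userContextId", "privateBrowsingId", "firstPartyDomain"];

// Build the OA suffix for one page load; attributes at their default are omitted.
function oaSuffix({ containerId = 0, privateWindow = false, fpi = false, topLevelSite = "" }) {
  const attrs = {};
  if (containerId !== 0) attrs.userContextId = String(containerId);
  if (privateWindow) attrs.privateBrowsingId = "1";
  if (fpi && topLevelSite) attrs.firstPartyDomain = topLevelSite;
  const parts = FIELD_ORDER.filter((k) => k in attrs).map((k) => `${k}=${attrs[k]}`);
  return parts.length ? "^" + parts.join("&") : "";
}

class StorageModel {
  constructor() { this.jars = new Map(); }
  jarKey(origin, ctx) { return origin + oaSuffix(ctx); }
  set(origin, ctx, name, value) {
    const key = this.jarKey(origin, ctx);
    if (!this.jars.has(key)) this.jars.set(key, new Map());
    this.jars.get(key).set(name, value);
  }
  get(origin, ctx, name) {
    const jar = this.jars.get(this.jarKey(origin, ctx));
    return jar && jar.has(name) ? jar.get(name) : null;
  }
  // Ending a PB session or deleting a container drops every jar with that attribute.
  clearWhere(attr) {
    let removed = 0;
    for (const key of [...this.jars.keys()]) {
      const suffix = key.split("^")[1] || "";
      if (suffix.split("&").includes(attr)) { this.jars.delete(key); removed++; }
    }
    return removed;
  }
}

// Constructed scenario using made-up *.example sites.
function demo() {
  const s = new StorageModel(), tracker = "https://tracker.example", shop = "https://shop.example";
  const fpiShop = { fpi: true, topLevelSite: "shop.example" };
  // FPI: a third party embedded under two different first parties gets two jars.
  s.set(tracker, { fpi: true, topLevelSite: "news.example" }, "uid", "A1");
  const crossSite = s.get(tracker, fpiShop, "uid");
  // FPI alone: the first party sees its own data again in the same container...
  s.set(shop, fpiShop, "session", "S1");
  const sameContainer = s.get(shop, fpiShop, "session");
  // ...but not from another container (FPI and a container pair up in one suffix).
  const inContainer7 = { ...fpiShop, containerId: 7 };
  const otherContainer = s.get(shop, inContainer7, "session");
  s.set(shop, inContainer7, "session", "S2");
  const removed = s.clearWhere("userContextId=7"); // delete the temporary container
  const pbKey = s.jarKey(shop, { ...fpiShop, privateWindow: true });
  return { crossSite, sameContainer, otherContainer, removed, pbKey };
}
```

Calling `demo()` returns the lookups for each case, so the effect of adding or removing one attribute on which jar is reached can be inspected directly.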

  1. Came here for the “Firefox Configuration Guide,” stayed for the many great articles on other things I know to be true that most don’t, regarding vaccines, Alex Jones, NPR, Adolph Hitler, etc. Thanks for a great website!

  2. These “cryptocurrency” mining scripts have been around as long as Bitcoin. They’ve only just now come to light because more people are paying attention to the garbage being loaded by their browsers.

  3. This was excellent, thanks, but broke too many websites straight away for me. Still, I’ve implemented some of it!

    Would it be possible to have a guide with a gradual approach to privacy: going from vanilla FF to full on paranoid mode, from the settings that are the easiest to manage, provide most privacy, and break the least websites all the way to the final touches?

    1. that would be difficult to do and, frankly, not something i’d want to do or maintain, nor am i technically knowledgeable enough in fact – what i will probably add in the future is a method to eliminate uMatrix altogether in favor of running uBlock Origin in advanced mode – i’m doing this now and it helps to simplify things a bit, but you really should have an extension to control cookies/storage if you do this and this is problematic because, at this time, it can’t be done with a WebExtension which means you have to run a flavor of Firefox that supports legacy extensions – i use Waterfox and to control storage i use Cookies Exterminator

      maybe one of the most important things though, from both a security and privacy perspective, is controlling which websites are allowed to run JavaScript – this is really something that needs to be blocked globally, then allowed for domains you trust – at first it’s a headache because you have to whitelist all the sites you commonly visit, but it becomes much less annoying after that

      also i would ask if you are using my custom user.js which relaxes the pants/ghacks settings a bit – there’s a link to mine in the article

      but yeah, if you’re interested in security/privacy, there are always trade-offs and things can break

      1. Thanks for this, it’s my #1 reference for browser privacy settings. Have you shared your custom rules in uBlock Origin? Like you, I suspect custom rules in uBO greatly avoid the maintenance required with uM. The granularity in uMatrix is great to have to experiment and find what doesn’t break but it’s too cumbersome for everyday use. I use “Self-Destructing Cookies” as my cookie manager. It’s a blunt instrument but it works for me. Any comments on it?
        As for those less willing to dedicate the time to really understand all this, just install “noscript” and “uBlock Origin” with Firefox properly configured for privacy, then get used to allowing scripts temporarily. This will take you >80% of the way to relative privacy.

        1. i plan on updating the guide with info for using uBO without uM in the future, so i’ll certainly provide details for setting up uBO when i do

          i used to use Self-Destructing Cookies and, as i recall, it did fine – i believe it can handle HTML/local storage as well – for whatever reason, i switched to Cookies Exterminator (legacy) and i like it also

          1. I have abandoned my legacy browser (FF_v38ESR) on all my stuff save Linux on 32bit platforms so I probably won’t be reprogramming my user.js with your script. There are a few reasons for this but most importantly are the locked configurations in FF Quantum like toolkit.telemetry.enabled and the maintenance headache. What do these modding scripts do when they encounter locked parameters such as these?
            Also, have you tried the Brave browser on Windows? I’ve been playing with it as a portable app and it is becoming a favorite for daily use. It’s particularly adept at handling CDN right out of the box but it does nothing to mitigate metadata collection. In fact, all modern browsers facilitate it and I suspect that’s the real reason they seem faster. The huge detailed data collections have become unwieldy for Google, et al so they streamlined the browser engine to expose and identify the trends in the “hive mind”.

    2. Skip user.js modding. Basic security is uMatrix with cookies and JS off by default, uBlock Origin, DecentralEyes. Getting any website to “work” should be as simple as ticking the 1st-party line to green in uMatrix.

      1. in my opinion that is bad advice for anyone interested in privacy/security, especially if they are using Mozilla Firefox instead of a more privacy-centric derivative, like Waterfox, Pale Moon, etc.

        what trade-offs between privacy and ease of web surfing one wants to make is up to the user, but there are many settings that can be changed which will increase privacy without ever breaking a thing

        1. I absolutely agree! However, getting there is black magic. The ghacks user.js (and yours) break most multimedia that isn’t youtube. A popular example, Twitch: To get that back to work you need to figure what to re-enable (a bunch of media extensions, web workers, some other user.js settings).
          That was the entire point of his question – how does he get *some* privacy that doesn’t require advanced knowledge of web implementation to “unbreak” sites he may want to use. If he doesn’t want Mozilla snooping, your suggestion of a different browser would be the next step.

          1. > However, getting there is black magic.

            agreed – and i think that is a big problem with computer security/privacy in general – while the knowledge and tools are accessible to the uneducated user, they often don’t even realize the need for them, much less how to use them – so it’s the people that need them most that go without, or are tricked to install ‘security suites’ which give them a false sense of security

            getting the hell away from Windows and IE is a big step in the right direction, but that doesn’t solve the problem of proprietary hardware and firmware (BIOS for one, or the baseband firmware on mobiles) – so yeah, it really is black magic and even if you’re a wizard you’re probably screwed since there’s between nothing and almost nothing out there that’s fully open source and open architecture that’s actually worth using

            getting back to the browser though, i don’t know that there’s a better solution out there than the pants/ghacks user.js, but one has to be willing to read through the entire thing and do some searching else, yes, a lot of stuff is going to break

            i believe they mentioned about creating a relaxed user.js at one point, which would be great for a lot of people, but i don’t know if that’s still on their minds

  4. Great Guide! Since you seem to still update this guide regularly, it might be worth covering the Container Feature that Add-ons can enable since Firefox57 without further configuration. Two Add-on candidates could be “Multi-Account Containers” from Mozilla and maybe also interesting the “Temporary Containers” Add-on (that I made, sorry for the shameless plug).

    1. the container thing is on my list – thanks for suggesting it – i run behind FF however since i run Waterfox, so it takes me a little longer to cover stuff sometimes (Waterfox is at v56 at the moment)

      1. Glad to hear it’s already on your list. Just in case you didn’t know, though I doubt you don’t, containers are in Firefox since some versions, just have to enable them by switching on privacy.userContext.enabled and privacy.userContext.ui.enabled to true. I had also reports of people successfully running both mentioned Add-ons with up-to-date versions on Waterfox, just had to set extensions.checkCompatibility.56.0 to false