The Firefox Privacy Guide For Dummies!


See the revision history at the end (if you make it that far).

Before embarking on this journey into the bowels of Firefox, you may want to first read Tor verses a VPN – Which is right for you?. If you choose to use the Tor Browser, you need not digest this guide.

You're aware that companies like Facebook, Instagram, Google, YouTube and even your ISP are spying on you, even if you may not be aware of how they're doing it or what they're doing with your data. You're concerned about this invasion of privacy, but what can you do about it?

Welcome to the 'for dummies' edition of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs!!!

The goal here is to provide a simple guide (to the extent that's possible) which will yield a privacy enhanced configuration of the Firefox web browser whilst breaking as few websites as possible. That said, be prepared to put a little more effort into your surfing activities, at least until the dust settles. The pay-off will be a much faster, cleaner, less annoying web that is less able to track and profile you. Note that i said "less", not "not".

WARNING: This guide is not intended for use with the Tor browser (which is also Firefox). Configuring the Tor browser as outlined here will result in imminent doom.

Catching the Fox

This guide isn't going to work spectacularly for any web browser other than Firefox and it's the standard release version you want (no Pale Moon, no Waterfox, no… whatever), so if you don't have it, get it. If you run a Linux-based operating system, look in your package manager. Since it's privacy we're interested in, we're way too smart to be goofing around with Google Chrome or Microsoft Edge, though if you have an inferior alternative browser installed you could, i suppose, retain it as a backup (just remember to hang yourself before using it).

Profiling the Fox

Start Firefox and enter about:profiles in the address bar — you can call it the "location" bar or the "awesome" bar, i call it the "address bar" — then press your 'Enter' key to load that address. This is where Firefox keeps a list of all your profiles. Profiles are where most of your settings, bookmarks and lots more junk gets stored.


You can have as many profiles as you want, but by default there will be just one named 'default'. We need another one, so click the 'Create a New Profile' button and name the new one 'privacy'. You can change the name later, but leave it be for now. Once you're done, exit Firefox.

Firefox will now annoy you (and let it keep annoying you for the duration of our month together) by asking which profile you want to load every time you start it and you should typically choose your 'privacy' profile.

Pro Tip

There are many 'about:' pages in Firefox, but not all are accessible from the various menus. To see some of those that aren't, enter about:about in the address bar, but be careful what you mess with in there!

Training the Fox


Restart Firefox and this time you should see the Choose User Profile window. Load your privacy profile but don't visit any web pages just yet, other than this one if you want. Firefox may load some default pages when it starts and that's something we'll fix later.

Profile Pro Tip

If you don't want Firefox whining about which profile to load every time it starts, you can select your preferred profile and check the 'Don't ask at startup' option, but don't do that yet! Another way is to create a shortcut to load any profile you want.

For more about profiles, see Use the Profile Manager to create and remove Firefox profiles and Multiple Firefox profiles.

For more about penguins being tickled, go here.

 

If you're running Windows you will need to un-hide file extensions, and i suggest you keep them un-hidden.

With Firefox up and running, load about:preferences in the address bar or click the Hamburger icon on the toolbar, then 'Preferences'. Click the 'Search' menu item on the left and under where it says 'Search Bar', click 'Add search bar in toolbar'.

Next, go to the ghacks-user.js GitHub repository. We need their prefsCleaner.bat (Windows) or prefsCleaner.sh (Linux) file and the updater.bat (Windows) or updater.sh (Linux) file. Now before you mess up, hear me out: One by one, click on the file names, then click the 'Raw' button, then press Ctrl+S to save the files to your desktop. Failing to heed my advice can cause the file formatting to be messed up which, in turn, will provoke Russia to launch its nukes… apparently. If you want to avoid those steps, use these direct links to the raw files: updater.sh (Linux), updater.bat (Windows), prefsCleaner.sh (Linux), prefsCleaner.bat (Windows). Now if you're one of those smart people, you may know we're going to need that user.js file too but we'll grab that later using the updater script.

Next, go to the 12bytes.org/Firefox-user.js-supplement page at Codeberg.org and download my user-overrides.js file to your desktop. Again, click the 'Raw' button, then press Ctrl+S to save it (here's the direct link to the raw file).

Next you'll need a decent code editor (not Notepad!) with syntax highlighting. If you're running Wintendo (that's one of my several derogatory names for "Windows"), PSPad is nice, simple and free. If you're running Linux you've probably got something installed already, so poke around.

What you need to do now is open that user-overrides.js file in your code editor and follow the directions Very Carefully. Every single little thing you could ever possibly need to know is in there (except whatever i forgot to put in there).

Now that you've sifted through that convoluted mess (go you!), open Firefox's about:profiles page again. Note that user profiles and web cache are stored in separate folders, thus why you may see more than one directory path for each profile. In the row labeled 'Root Directory' under your 'privacy' profile, click the 'Open Directory' button and then kill Firefox.

In your file manager you may have noticed that the folder containing your 'privacy' profile actually has a longer name with a bunch of gobbledygook in front of 'profile'. Ignore that like you ignore your goofy neighbor with the tinfoil wallpaper. If you see a prefs.js file in there, you're probably in the right place. Next, grab those files from your desktop you pirated earlier and stick 'em in your 'privacy' profile folder where the prefs.js file is.

DIY furniture Pro Tip

This looks fun…

 

Now we need to run that updater script. How to do that depends on whether…

...you're running Linux

You will need to make those .sh files executable. You could try meditation or sacrificing a goat, but it'd probably be quicker to just right-click on each of them to open the file properties dialog window and click the 'Is executable' checkbox on the 'Permissions' tab (or similar). If your file browser doesn't have such an option, see How do I run .sh files?.

We need to run that updater.sh script from a terminal, so open one and change the directory to your 'privacy' profile directory where the updater.sh file is. In the example below you'll need to change 'gobbledygook' to match the correct name of your profile folder:

cd ~/.mozilla/firefox/gobbledygook.privacy/

Now run the updater.sh script by preceding the file name with a dot and a slash:

./updater.sh

 

...or Windows

To run that updater.bat script, navigate to your Firefox profile directory, hold down the Shift key and right-click in an empty space where the file is, then select "Open Command Window Here". Enter updater.bat and hit Enter. If you have trouble, see How to Run a BAT File on Windows: 13 Steps (with Pictures).

 

The updater script will spit out some introductory stuff and then prompt you to continue. If by chance everything in the universe is aligned just so, and you've followed the directions, the script will download a fresh copy of the 'ghacks' user.js file to your profile directory and append the contents of your user-overrides.js to it just like it says on the tin.

The 'ghacks' user.js is updated fairly frequently and so, with Firefox closed, you should re-run the updater script occasionally in order to check for a new version, maybe bi-monthly or so. Each time you run the updater script, be sure to follow it up by running the prefsCleaner script using the same method as described earlier for your operating system. The prefsCleaner script will reset any deprecated, removed, or inactive preferences and it is important that you do this.

updater script Pro Tip

If you use Linux you can run the script with the -c switch (./updater.sh -c) which will create a 'diff' file that will list all the differences between the old user.js and the newer one.

To see all the options for running the 'ghacks' user.js updater script for both Linux and Windows, see the Updater Scripts article on the 'ghacks' wiki.

Fattening the Fox

Now we're going to go to the Firefox Add-ons website (AMO – addons.mozilla.org) because we need some add-ons. Start (or restart) Firefox and select your 'privacy' profile (yes, it's OK now, i promise), then come back here.

Why does he say 'WE' and 'WE'RE' when 'I' am the one doing all the f'n work?!

Plausible deniability. If i screw something up that causes your computer to explode, it's your fault.

 

One at a time, middle click each of the links below to open their pages in a new tab, then Read What Their Pages Say and install them. If any of the links are dead, let me know and don't install something you think is equivalent.

Once you have all those installed, find the 'Customize' option in one of the Firefox menus or by right-clicking on an empty space on a toolbar somewhere. With the exception of First Party Isolation, Site Bleacher and uBlock Origin, you can drag all of the add-on icons to the overflow menu since you will rarely be interacting with them. Next we'll configure each add-on.

A note regarding add-ons

More add-ons = more bad (generally speaking).

It's pretty important, and especially so if you're new to the game, to NOT install add-ons willy-nilly. The more you install, the more likely it is that things will break and that your privacy will be compromised.

The selection of recommended add-ons in this guide accounts for not only how they interact with each other, but also how well they mesh with a Firefox that has been extensively modified by the 'ghacks' user.js. If you install certain additional add-ons that address privacy (or others), you can very well end up compromising your privacy.

Firefox has built-in mechanisms that help to guard your privacy and protect against browser fingerprinting. Alone they are not enough, which is why we're here, but they do cover several very important bases that were previously covered only by add-ons. The problem is that some add-on developers ignore the recent changes in Firefox and continue to publish add-ons that can actually compromise privacy when combined with certain Firefox preferences.

For more on the subject and what to look for when considering add-ons, see Firefox Extensions – My Picks.

 

Neutering the Wild World Web (and the Fox)

We need to configure some of the add-ons we installed, but first a word to the wise: Unless you know what you're doing (and you probably wouldn't be here if you did), configure these add-ons as suggested, else Russia.

To configure your add-ons, load about:addons in the address bar or find the 'Add-ons' menu item in one of the Firefox menus.

Clear URLs: On the 'Preferences' tab, make sure the 'Filter' and 'Badges' options are enabled. The rest are optional.

Decentraleyes: On the 'Preferences' tab, click the 'Options' (gear icon) button and select the following options where [X] indicates the option is enabled:

[X] Display injection counts on icon
[_] Block requests for missing resources
[X] Disable link prefetching
[X] Strip metadata from allowed requests
Exclude domains from inspection (leave this empty)

Privacy-Oriented Origin Policy: On the 'Preferences' tab, configure it like so:

Set the 'Global mode' to 'relaxed'.

In the 'Exclusions' section, enable 'Exclude root domain matches', then paste the following code in the big text box below that. It'll come in handy if you ever switch POOP to its 'aggressive' mode:

www.youtube.com *.googlevideo.com
www.youtube-nocookie.com *.googlevideo.com
*.dailymotion.com *.dmcdn.net

In the 'Other' section, make sure 'Spoof cross-origin Referer' is enabled.

uBlock Origin: This is a huge biggie! I know, supposed to be the 'for dummies' guide and all, but you really MUST learn how to use uBlock Origin (uBO). The good news: It's got a 'dummy' mode and it's enabled by default!

To set up uBO, read my uBlock Origin Suggested Settings.

Of particular importance, DO NOT select the 'I am an advanced user' option! Don't look at it. Don't think about it. Don't think about looking at it … at least not until you read all that 'required reading' stuff and understand fully what uBO is, does, how to configure it, and how easy it is to break the interwebs if you don't know what you're doing. Did i scare you? Totally intentional.

Now it's really important that you read this and this and, finally, this, but only up to the 'Medium mode' part. Once you complete that you'll be a certified uBlock wizard (or perhaps just certifiable like me).

Training the Foxineer

With that all done and Firefox running, close all tabs and click the Hamburger button again to open the Preferences window and click the Privacy & Security menu item, or load about:preferences#privacy in the address bar. Scroll down to the Cookies and Site Data section and click the Manage Data button. In the Manage Cookies and Site Data window that opens, click Remove All. This will remove all (almost) of the stored data (cache) that Firefox has accumulated so far. We're just doing this to nuke any data that was stored before we installed our privacy add-ons which would have cleaned up some of this stuff.

If you've used Firefox before, there's going to be some changes. One of them is that you'll be searching from the search bar (or a web page that isn't Google hopefully) instead of the address bar. The reason for this is a little creepy, suffice to say it's a privacy/security thing. Live search suggestions are also disabled (also a creepy privacy/security thing), though the search bar will still suggest stuff from your history, bookmarks and previous searches.

Now for the biggie: Remember the part at the beginning when you started reading this last week? You know, where i said we would be "breaking as few websites as possible"? Kek! Since we disabled JavaScript globally in uBO, every other website you visit is going to be busted, but it's for good reason.

There's a few things you need to know about JavaScript: 1) it's awesome (ish), 2) it's a privacy nIGhTMarE, 3) almost every website on planet Earth uses it (even this one).

JavaScript (JS) can be used to do all kinds of cool (and creepy) things like make web pages interactive, make dull things look un-dull, animate stuff, etc. It's used a lot for making navigation menus work, displaying images, as well as for annoying things like displaying ads and pop-ups. JS is also leveraged heavily for tracking and profiling you, your web browser, your computer, your DNA makeup, bathroom habits and worse, and thus it's a privacy (and security) nightmare. Now do you see why we disabled JS globally in uBO? Thing is, it's very easy to enable again for those specific websites where you really need it to be enabled. "Need", i said. Not "like" or "want", but "need".

Start Firefox and load up your privacy profile, then middle-click this link to open it in a new tab and click some of the colors on the color swatch and…… well that was boring, but WAIT! THERE'S MORE! Now click the uBlock Origin button on your toolbar and in the lower right corner there's an icon that looks like </>, except it has a red 'X' through it. That icon is secret code for [CENSORED]. Click it to remove the 'X' and you will have enabled JavaScript for that particular domain after which you'll see a new button appear out of thin air that has circlely arrows on it. Clicking that button (or pressing F5) will refresh the page at www.w3schools.com and this time your browser will allow JS to run for the entire w3schools.com domain. That color swatch page will now look very different and this time when you click the colors, awesome things will appear that will surely keep you busy for hours on end (like that damned triangle puzzle-peg thingy in every Cracker Barrel).

The point of that intensely interesting exercise was to demonstrate the power of JavaScript by showing you how different it can make a website look and work, as well as how necessary it is in some, but not all cases. For example, if you're reading this nail-biting page-turner with your Firefox privacy profile loaded and JS disabled, it wouldn't make much of a difference because the place looks and works pretty much the same whether JS is enabled or not.

Now you're going to take the JavaScript Oath. DON'T LAUGH! This is important sh*t! OK, repeat after me:

EYE SHALL NOT ENABLE JAVASCRIPT FOR ANY WEBSITE UNLESS A) THE WEB DEVELOPER IS AN ETHICAL BLOOD RELATIVE WHOM I TRUST WITH MY LIFE AND B) IT MUST BE ENABLED IN ORDER TO PROVIDE REQUIRED FUNCTIONALITY THAT WOULD OTHERWISE NOT BE AVAILABLE (AND LOOKING AT BOOBS DON'T COUNT!).

Importing stuff from an old profile

If you're not a first-time Firefox user and you have important bookmarks or other stuff you want to import to your new privacy profile, make a backup copy of your profile and then go ahead and read this.

What to do when the Fox bites

It's inevitable that you're going to have trouble with some websites. Keep calm. Breeeeathe! You've already gotten a taste of how a website can be rendered useless with JavaScript disabled and although i let you enable it for the site given in the example earlier, i only did so because it's a trustworthy place, more or less. The next website you visit may not be (you're here aren't you? Kidding!).

To make a broken website function again, you'll need to use uBlock Origin to enable the functionality you need for those websites you trust. If you cannot get a website to cooperate by making site specific changes in uBlock, you can always spin-up a fresh, empty profile, but understand that you will now be at the mercy of a completely default Firefox configuration with all of our extra privacy protections removed. For websites you don't trust, don't disable any protections ever and, secondly, why are you visiting them? Porn? Warez? If you value your privacy and digital security, forget that stuff. Seriously.

The point here is to not disable any protection globally for all websites when using your daily-driver 'privacy' profile. If you have to adjust something for a particular website which you trust, fine, but use other profiles if you need to make extensive compromises.

Another problem that will probably creep up at some point is a website not saving settings that you wanted to save. This is the fault of the Site Bleacher add-on which deletes most of the data that websites store in your Firefox profile, including 'cookies'. If you want to save site settings or preserve the ability to log-on automatically, then click the little bleach bottle icon on your toolbar and whitelist the website. I would not suggest whitelisting any privacy-hating social media site or mainstream search websites like Google or Yahoo. If you want to read about my suggestions for alternative search engines, read Alternative Search Engines That Respect Your Privacy.

The Fox hole

Even with everything we've done, you're still vulnerable to being tracked and profiled, however you're in a better position now than when you started out, except for one little problem: Your Internet Service Provider!

At the very least your ISP can tell what websites you visit and when you're surfing the web and when you're not. They may even inject ads, malware and other junk in your data stream. The solution: Hijack your neighbor's unprotected WiFi and… Kidding! Listen, you and i have gotten to know each other throughout this extended and difficult ordeal. We're kinda like buddies now. Kinda. And i can already tell your ethics are of a higher caliber than that!

One solution to the problem is a Virtual Private Network (VPN). Ever wanted to be in 30 places at once?

A VPN works by encrypting the traffic between you and another computer run by the VPN service provider which we'll call an 'exit node'. That exit node could be anywhere in the world. From the exit node your traffic flows as normal to whatever website you want to visit and the website then sends the kitty video you clicked on back to the exit node thinking IT is YOU, but alas, IT AIN'T! The video then secretly makes its way back to you through this secret tunnel which was secretly established between you and the exit node. So far as the website is concerned, it doesn't know your real physical location. Ever annoyed by that galactically stupid "Sorry, this video is not available in your country" crap? Pfff. And as far as your ISP is concerned, all it sees is gobbledygook that looks like Braille to a blind pet rock.

There are truck loads of different VPN service providers and it seems not a lot take customer privacy all that seriously, however i think both NordVPN and AirVPN are good companies that offer a good service at a good price. I've used both and i like both. Both have servers (think 'exit nodes') all around the globe and neither restrict any protocols (think 'BitTorrent'). Both offer client applications that you can install to make using their service stupid simple. If you'd prefer to pick a VPN provider yourself however, i recommend you visit That One Privacy Site and browse the fantastic spreadsheets the dude puts together. Another good resource is TorrentFreak's annual VPN reviews. Here's the one for 2018.

The downside? Though VPN services are cheap, it's still an additional expense. VPN exit node IP addresses can become blacklisted which could cause problems sending mail and accessing certain services on the web, however in my experience this hasn't often been an issue and, even if it is, it's usually just a couple of mouse clicks to switch exit nodes. Latency (the time between the mother-in-law jumping in front of your car and your realization that you need to slam on the brakes) and bandwidth (how many tweets per second you can send notifying your friends of the "accident") will be affected, but in my experience the difference is usually minimal. In short, i think the pluses outweigh the minuses. That said, you can never trust any VPN service 100%, but any reputable one should be OK for general web surfing and it will prevent your ISP from spying on you.

WHAT THE FOX!

So now you're all smitten thinking you're invincible and ready to hack NASA to see if aliens really built intergalactic brothels on the back of the moon (they did, pretty sure). You're not, but you've taken one, small step for man, and on….. Truth is, there's probably far more vectors for attack than you and i will ever know about, so don't get all uppity. Perfect privacy on the web is a pipe dream and it wasn't the goal here anyway. We've covered a few important bases that will help to prevent websites (and your ISP) from tracking and profiling you, but not all of them. Remember that when you're creating fake profiles on Facebook to stalk your ex.

After you've taken plenty of time to get comfortable with your new Firefox configuration, i suggest reading everything in the uBlock Origin wiki and learning how to use it in its advanced mode. And after that, it's the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

Be safe. Be ethical. And if you need help (after you've tried to help yourself), leave a comment.

IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and it's the best way to stay informed.

Further resources

Revisions


26-Dec-2018

  • first (pre) release

27-Dec-2018

  • added more info about using the user.js updater and prefsCleaner scripts
  • many small changes and polishing

29-Dec-2018

  • polishing, clarifications

6-Jan-2019

  • clarified a lot of stuff that may not have been clarified clearly enough
  • eliminated the 'relaxed_user-overrides.js' file – the user-overrides.js is now used for both the advanced and dummy guides
  • updated the user-overrides.js file
  • lots of minor edits, corrections

12-Jan-2019

  • clarified info regarding the downloading of the configuration files

22-Jan-2019

  • added better description and screen-caps for how to download user-overrides.js
  • minor edit

29-Feb-2019

  • minor edit

29-Apr-2019

  • added HTTPZ
  • added Site Bleacher and associated information
  • removed temporary profile info
  • lots of minor edits

23-May-2019

  • added instructions for enabling the search bar in the navigation bar since setting the preference alone in user.js doesn't work for some reason
  • minor edits

27-May-2019

  • added a warning about using this guide with Tor
  • added a resources section

5-Nov-2019

  • rewrote several bits of the guide in an attempt to clarify things and make it a bit shorter
  • edited some content to bring it up to date with the newest version of Firefox
  • adjusted settings for uBO

6-Nov-2019

  • stuck the uBlock config stuff on its own page

13-Nov-2019

  • misc. edits and clarifications, nothing too drastic

15-Nov-2019

  • added a more extensive warning about installing add-ons in addition to those recommended herein

3-Dec-2019

  • minor edit

23 thoughts on “The Firefox Privacy Guide For Dummies!”

  1. I am enjoying your write ups on achieving privacy and setting reasonable standards and expectations when browsing the web.

    I've applied the ghacks user.js and your overrides successfully but am missing one feature: the search from URL bar. I know you recommend using the dedicated search bar, but my muscle memory always has me attempting to use the url bar first.

    I've tried setting the appropriate flags in your user-overrides and reapplying, but to no avail. What are the proper flags I should be resetting?

    Thanks very much.

    1. i suggest retraining your muscle memory :)

      honestly i'm not entirely sure what the repercussions of using the address bar to search are any longer, but i know this was a major privacy and security risk in the past – i should probably refresh my knowledge on this because i'm not certain it's still an issue, though it probably depends on some Firefox preferences regarding searching – if anything you type gets sent over the net, then it's certainly still an issue

      that said, if you still don't want to use the search bar, then in your user-overrides.js…

      user_pref("browser.urlbar.oneOffSearches", true);
      user_pref("browser.search.widget.inNavBar", false);

      there's a couple other 'search' prefs in user-overrides you might want to look at – in your code editor, Ctrl+F and search for: search

      don't forget to run the updater script when you're done

  2. Does anyone get this error when running the updater.sh?

    ./updater.sh: line 7: syntax error near unexpected token `newline'
    ./updater.sh: line 7: `'

    … and does anyone know what to do about this?

    I have tried running dos2unix on the file, after of course having made it executable, but this doesn't make the error disappear. Thank you for any help!

  3. @Pants; @12Bytes

    Exactly. The problem was with pref "security.cert_pinning.enforcement_level" having a value of '2' (strict). I solved it by changing the value to '1' in "user-overrides.js" by 12bytes.org.

    When I read these comments and thought about it, I decided to follow it up in good faith.

    Uninstalled Adguard ad blocker from the system. I had a lifetime license to use it on two PCs and three smartphones/tabs. Frankly speaking, I uninstalled it reluctantly. It was my money sitting in the system tray and the browser doing its thing. Then I disabled these components in Kaspersky:

    1) Mozilla Firefox and Thunderbird
    Scan secure traffic in Mozilla applications
    If secure traffic scan is enabled, access to websites via the HTTPS protocol may be blocked. (This setting is buried inside somewhere. If you disable only 2-5 below, it doesn't help as far as Firefox is concerned).

    2) Safe Money
    Protects your data on websites of banks and payment systems.

    3) Traffic processing
    Inject script into web traffic to interact with web pages.

    4) Private Browsing
    Protects against collection of information about your activities on websites.

    5) Anti-Banner
    Blocks banners on websites and in some applications.

    Went back to "user-overrides.js" by 12bytes.org and deleted the added line: user_pref("security.cert_pinning.enforcement_level", 1); // 0=disabled 1=allow user MiTM (such as your antivirus), 2=strict. And updated the user.js by using updater.bat and prefsCleaner.bat.

    Firefox is blazing fast without issues (barring Invalid request. Err 2034C). The UI of uMatrix is different now. It doesn't display any Adguard or Kaspersky elements. Using uMatrix and uBlock Origin is pleasant and straight forward. Web sites load faster and cleaner.

    Now, is there a solution for this: Invalid request. Err 2034C. It happens when I try to login to a site using my Google id.

    Thank you guys for your invaluable help.

    1. Went back to "user-overrides.js" by 12bytes.org and deleted the added line: user_pref("security.cert_pinning.enforcement_level", 1);

      that's a mistake, and maybe i need to make it clearer in the 'dummy' guide; you never edit any existing prefs in prefs.js, user.js or user-overrides.js (assuming you're using mine) – any pref you want to change you need to copy to the appropriate section of user-overrides.js (near the bottom) where you can then change its value

      or if you just want to test something, you can change the value using about:config without editing any files but of course it will be changed back upon restart (which is what you experienced earlier because user.js had a different value)

      in this case you're ok because you deleted a pref in user-overrides that exists in user.js and so Firefox reset the value to '2' upon restart as you probably expected it would, but if you make a habit of messing with the default prefs in any of the aforementioned files, you'll make updating them far more difficult

      as for your new error, had you poked around on the web you might have come across a potential clue: CSRF – and if you search the user.js (the ghacks one) for 'csrf' you might find more clues

      are you spoofing the http referrer? perhaps with an add-on? or did you change that pref?

      there's several things you can do to troubleshoot – one is to spin up a new, default FF profile (about:profiles) and connect to the site you have trouble with – if you can then connect, this will tell you there's an issue in your other profile and so the hunt is on – to solve these issues yourself, see this.

      this can be frustrating at first, but once you get the kinks worked out things will go much smoother

      let me know how you made out

      1. Went back to "user-overrides.js" by 12bytes.org and deleted the added line: user_pref("security.cert_pinning.enforcement_level", 1);

        that's a mistake, and maybe i need to make it clearer in the 'dummy' guide; you never edit any existing prefs in prefs.js, user.js or user-overrides.js (assuming you're using mine) – any pref you want to change you need to copy to the appropriate section of user-overrides.js (near the bottom) where you can then change its value

        But it was not a line that existed in your user-.js, no? I added it as a solution to the '2'(strict) problem I had because of the AV. And I deleted it as it deemed fit to my uninformed thinking. Please clarify.

        I'll follow up the other hints and post. Regards.

        1. i think i confused you because i'm not explaining things clearly – let's see if this helps…

          you should NEVER edit/delete/comment out any of the existing prefs in prefs.js OR user.js IF you are using the 'ghacks' user.js

          you should NEVER edit/delete/comment out any of the existing prefs in user-overrides.js IF you are using mine with the following exception: if you need to change anything in the 'ghacks' user.js, or my user-overrides.js, you should COPY the entire line you want to change to the USER CUSTOMIZATION section near the end of my user-overrides.js where you can then change the preference value

          if you are NOT using my user-overrides, but you still have one, then you can edit it all you want

          if you are using the 'ghacks' user.js, then, unless you do not want to change anything in it, you should be using a user-overrides.js (mine or otherwise) along with their updater.sh/updater.bat script

          does that clear things up? :)

          1. perhaps i should also add to that that having multiple instances of the same preference in any of the config files does not present any problem – Firefox reads the config files from the top down (prefs.js, then user.js), so if there's duplicate prefs, the value for the last one will be applied

            user.js (or user-overrides.js):

            user_pref("this", true);
            user_pref("this", true);
            user_pref("this", false);

            Firefox:
            this=false
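The last-one-wins rule described in the comment above, as an added example (not code from the guide, the 'ghacks' project or either commenter): a Python check that parses the files in read order, skips commented-out prefs, and reports which value ends up effective and which earlier values it shadows. The sample file contents and the `example.*` pref names are constructed, and passing user-overrides.js after user.js assumes its lines are read after those of user.js.

```python
import re

# Matches a quoted string, a /* block */ comment or a // line comment.
# Strings are matched first so "//" inside a URL value is not taken as a comment.
_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*', re.S)
_PREF = re.compile(
    r'user_pref\(\s*"((?:\\.|[^"\\])*)"\s*,\s*'
    r'("(?:\\.|[^"\\])*"|true|false|-?\d+)\s*\)\s*;')

def strip_comments(text):
    """Blank out comments (including commented-out prefs), keep strings."""
    return _TOKEN.sub(
        lambda m: m.group(0) if m.group(0).startswith('"') else " ", text)

def parse_prefs(text):
    """Return [(name, value), ...] in file order, duplicates included."""
    prefs = []
    for name, raw in _PREF.findall(strip_comments(text)):
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs.append((name, value))
    return prefs

def effective_prefs(*sources):
    """sources: (label, text) pairs in the order the files are read.
    Returns {name: (value, label, [shadowed (value, label), ...])}."""
    result = {}
    for label, text in sources:
        for name, value in parse_prefs(text):
            shadowed = []
            if name in result:
                old_value, old_label, shadowed = result[name]
                shadowed = shadowed + [(old_value, old_label)]
            result[name] = (value, label, shadowed)
    return result

# Constructed sample contents, not the real 'ghacks' user.js or overrides file.
USER_JS = '''/* constructed block comment */
user_pref("security.cert_pinning.enforcement_level", 2);
// user_pref("example.commented.out", true);
user_pref("example.homepage", "https://example.org/");
'''
OVERRIDES_JS = '''// copied line with the value changed
user_pref("security.cert_pinning.enforcement_level", 1);
'''
PREFS = effective_prefs(("user.js", USER_JS), ("user-overrides.js", OVERRIDES_JS))
```

Any pref whose shadowed list is non-empty was set more than once, which is the quickest way to confirm that a copied line in the overrides file is the one Firefox ends up applying.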

              1. don't know what to say about that – seems it's usually attributed to google, though possibly not always

                i would create a new, empty profile for testing and then copy into it everything from your privacy profile EXCEPT prefs.js and user.js – if you still have the problem, then it may be an add-on – if you don't, then it's likely something in user.js in which case i'd then copy that to the testing profile and do this

          2. "if you are using the 'ghacks' user.js, then, unless you do not want to change anything in it, you should be using a user-overrides.js (mine or otherwise) along with their updater.sh/updater.bat script".

            Very clear. No doubts about it now. Thank you.

  4. I read about using 'user.js' for configuring Firefox browser in a German blog (in English translation) and a book (German, translated into English). Then I read about it in ghacks.net and finally in 12bytes.org. This quest was the continuation of my fascination with rooting my Android smartphone.

    This particular section of 12bytes.org titled "The Firefox Privacy Guide For Dummies!" is intended to help novices (dummies) like me. But, the sad truth is that dummies rarely seek help, because they don't know that they need help. Help for what? For safeguarding themselves on Internet. The greatest impediment is the attitude that "I don't have anything to hide from anybody". In fact, it's the height of ignorance.

    As long as common man views Google, Microsoft, Facebook, Twitter, etc., as knights on a mission to save humanity from ignorance, laziness and loneliness, there's no way to help him see the truth. For example, I stopped using WhatsApp and asked all my contacts who mattered to me to give it up and adopt Telegram instead. (I can see the author of 12bytes.org laughing at me for the folly of my choice). Very little success.

    Fortunately, the author of "The Firefox Privacy Guide For Dummies!" has taken all these facts into account. Otherwise why should he painstakingly do "The Firefox Privacy Guide For Dummies!" section? The section "Firefox Configuration Guide for Privacy Freaks and Performance Buffs" would have been sufficient.

    I read both these sections a couple of times before deciding that I was not a dummy (because I've been using Firefox browser for so long)! So, I took "Firefox Configuration Guide for Privacy Freaks and Performance Buffs" as my guide and proceeded to tame my Fox.

    Everything went fine. The browser (a new installation after uninstalling and deleting all traces of the previous one) configuration amazed me because it was super fast now and had very few add-ons. The web pages looked clean as if I was reading printed content on white paper. No shenanigans. Nothing!

    But suddenly trouble cropped up: No Google domains opened (and some other sites). I cross checked the configuration. Everything was fine. And that was the real problem: Everything worked as they should but I lacked knowledge and skill to tweak things when necessary. My prejudices (I've been using Firefox for so long, after all) had prevented me from beginning from the beginning: The Firefox Privacy Guide For Dummies!

    The author of 12bytes.org was gracious enough to help me identify the problem and solve it. Did he solve it for me? Not really. He showed me how to solve it by leading me back to "The Firefox Privacy Guide For Dummies" section.

    Now you know where to begin. From the very beginning itself.

    Why should people like the author of this blog take the pain to offer their knowledge, skill, time and effort to us unasked? He and I are hemispheres apart.

    Maybe, because they know the true meaning of the trite saying: Sharing is caring. And they have commitment.

    1. The greatest impediment is the attitude that "I don't have anything to hide from anybody". In fact, it's the height of ignorance.

      very well said!!!

      Why should people like the author of this blog take the pain to offer their knowledge, skill, time and effort to us unasked? He and I are hemispheres apart.

      we're all human beings sharing one tiny planet and from that perspective you're just around the corner :)

      thanks much for your kind comments Murali, and i'm glad you persevered

      for the record, the problem in this case was the pref security.cert_pinning.enforcement_level having a value of '2' (strict), which is the current default in the 'ghacks' user.js – i don't understand this pref fully, but apparently that caused a problem with this person's anti-virus

      1. > the problem in this case was the pref security.cert_pinning.enforcement_level having a value of '2'

        No, the problem was the end user allows AV to act as a MitM and slurp up all his browser traffic. Personally, browsers are some of the most secure and protected pieces of software on the planet (by default: e.g among others, Safe Browsing lists curated by Google, which has the resources to do this right – e.g constantly adding protections for xss and other mechanisms, and MOAR), not to mention if you have Tracking Protection and/or uBlock Origin (and/or uMatrix) with blocklists and hosts lists and controlling JS etc – that forget about the tracking – the ATTACK surface is massively reduced

        At the end of the day, most damage is done by the end users (social engineering, visiting suspect websites, falling for BS), and the real solution here is to cut out the middle man – configure that AV to not interfere with web traffic.

        PS: "Don't touch my tabs" vs earthlng's "window opener be gone"
        – xpi is here: https://github.com/earthlng/testpages/
        – see https://github.com/ghacksuserjs/ghacks-user.js/issues/401#issuecomment-385262334

        1. i realize that completely and it wasn't my intention to imply that the problem was with the user.js – perhaps i should have worded it better – what i meant was that this pref caused a problem in this case for this user

          the guy is a good guy and he's trying, but no one is born knowledgeable – i politely scolded him in emails we exchanged about running Windows and 2 AV's and now he's interested in giving Linux a spin

          and thanks much for the window.opener info – i didn't realize earthlng's worked differently

            1. these AV "suites" ARE a virus! the only proper way to uninstall some/many/all of them is to reinstall the OS – i learned long ago in my Windows days that a resident AV scanner is largely unnecessary, at best, provided the user is smart about what they do on-line and they use a decent on-demand scanner

              as i've said in this article, trusting your AV to keep you safe is like trusting guard rails to keep your car on the road

              thanks for the info – it reinforces my decision to keep 'security.cert_pinning.enforcement_level' at '1', at least for now
