Firefox Search Engine Cautions, Recommendations

This tutorial will cover how to sanitize and add search engine plugins for Mozilla Firefox in order to protect your privacy.

See the revision history at the end of this document.

Introduction

This tutorial covers various aspects of search engines for Firefox (or a derivative thereof) including sanitizing the default search engine plugins and how to add new search engines. For a list of alternative search engines, see Alternative Search Engines That Respect Your Privacy.

When 'free' software isn't

I suggest reading The Mozilla Monster as a primer.

Have you ever wondered how Mozilla gets paid by the mega-monopolies like Google? Simple: When you use the default search engine plugins that are packaged with the browser, parameters similar to these are added to your search query:

client=firefox
name="appid" value="ff"
name="hspart" value="mozilla"

These parameters inform the search engine that you're using a Firefox/Mozilla product and that's all it takes for Mozilla to rake in the dough. If you do not wish to participate in these affiliate schemes and/or value your privacy, read on.

Types of search engines

The two basic types of search engines are meta search engines and search indexes and it is important to understand the difference. Google, Yahoo and Bing for example, use software robots called "crawlers" to discover and index web content. In other words these companies actively seek out updated and fresh content to store in their databases so it's ready for you to find. On the other hand, meta search engines do not typically index the web and instead rely primarily upon third parties like the aforementioned to provide their search results and therefore when you use these so-called "alternative" search engines, such as DuckDuckGo, Startpage, Searx, etc., you are still subject to the filter bubbles and censorship that is employed by the corporate giants. That said, the ethical meta search engines still make a great deal of sense from a privacy perspective since one can avoid being tracked by the big companies directly. Understand though that they are not true alternatives as they are often described, but rather proxies that insulate you from the privacy thrashing search engine giants. These alternative search engines are also subject to local laws, such as secret surveillance requests issued by a government.

Indexing the web and storing the massive amount of data that results is an incredibly expensive proposition which requires a massive amount of infrastructure and this is why the much smaller meta search companies like DuckDuckGo, Startpage and others rely heavily upon corporations like Google. There is a better solution than meta search engines, one which both respects your privacy and is censorship resistant. Ever hear of a peer-to-peer distributed search engine? Imagine a free, open-source, decentralized search engine where the web index is created and distributed by ordinary people using personal computers, each storing a piece of the whole. This is what the developers behind YaCy have done with their search engine and i think it's a great way to escape the filter bubbles created by big tech.

Adding search engines to Firefox

Possibly the easiest way to mitigate risks to your anonymity posed by the default Firefox search engines is to simply disable all of them and use alternatives. One of my favorites is the open source and highly customizable Searx meta search engine which you can host on your own server if you like, or you can use any one of a number of Searx instances hosted by others. Like DuckDuckGo, Startpage and others, Searx is not an index and so it does not crawl the web like Google, however the big difference between Searx and most of the other meta search engines is that it is capable of pulling results from many other indexes including Google, Yahoo, Bing, Wikipedia, DuckDuckGo, Startpage, Qwant and many more, as well as decentralized peer-to-peer indexes such as YaCy. The Searx interface also offers a lot of configuration options for fine-tuning your search results, including the ability to select exactly what combinations of search engines you want to use for a particular type of search, of which there are currently 10.

One easy way to add Searx to Firefox is to locate a hosted instance which you like and which is preferably close to you geographically, then from the Firefox search bar menu, simply click the "Add" menu item. While searx.me is the original instance of Searx as provided by the developers, it is best not to use it because it can become overloaded. The Searx developers cannot afford to have too many people using their instance without your help and so they will disable it at times in order to promote other Searx instances. That said, a potential pitfall of using a third party instance is that the server may be logging traffic, such as IP addresses, location, etc., so you'll have to decide whether you can trust them.

Most other search engines can be added to Firefox in the same way as described above, but there are additional methods also. The Mycroft Project hosts tens of thousands of preconfigured search engine plugins for a variety of web browsers, the top 100 of which are listed here. They also have a form for writing your own search plugins. Although it is not possible to review the code from the main listing of search plugins, you can use their submission form to do so by mousing over the plugin name to reveal its numeric ID, then filling in that ID in their submission form page. Because Mozilla changed the way search engine plugins are added to Firefox, you'll need the Add Search Engine from Mycroft Project add-on to install the search plugins from Mycroft.

Another easy way to add a custom search engine to Firefox is with the Add custom search engine add-on by Tom Schuster. This add-on allows more control over the above methods, including the ability to define the website icon path or base64 code (a binary-to-text encoding scheme that encodes the site icon in text form). A great on-line resource for converting an icon to base64 code is the Base64 Encoder utility which can accept the icon URL or an uploaded file.

The Search Engines Helper add-on by 'Soufiane Sakhi' is another easy way to add search plugins to Firefox, as well as import and export your search plugins. Like the Add custom search engine add-on, this one also allows using a URL or base64 code for the icon.

My preferred method of adding and editing search engine plugins is with the mozlz4-edit Firefox add-on by 'serj_kzv'. This slick extension allows you to edit the search.json.mozlz4 search plugin file directly from within Firefox, though a browser restart is necessary before the changes are realized. It is in this file that Firefox stores the code for all of the search engine plugins. The add-on works for both the newer compressed version of the file with the *.mozlz4 extension, as well as the older, uncompressed version (search.json). Regardless of how you add search plugins, the mozlz4-edit add-on is a handy tool to have for editing the search.json.mozlz4 file because you can use it to decompress, edit, sanitize, recompress and then save it, overwriting the old one (make sure to make a backup first). See the Sanitizing the default search engine plugins section below before you do this though.

Sanitizing the default search engine plugins

If you would rather avoid the hassle of manually sanitizing the default Firefox search engine plugins, see the Pre-sanitized search plugins section below.

Sanitizing manually

If you choose to use the default search engine plugins provided by Mozilla, you may want to sanitize them in order to circumvent some risks to your privacy, however you should be aware that doing so will not prevent tracking or other privacy risks when using the default search engine plugins. If you insist on using the default search engines, you should use something like the ClearURLs add-on which at least strips the tracking parameters from the search engine result links. You should also disable JavaScript for the search engine web page if possible.

If you have already added custom search engines to Firefox, then the first thing to do before you start hacking is to create a copy of search.json.mozlz4 and work with the copy, reason being that if you mess up, Firefox will delete all of your search plugins and restore only the default ones. If you don't want to see or use the default ones, disable them in the search preferences of Firefox rather than removing them from the plugin file.

To edit the search.json.mozlz4 file you first need to decompress it. There are at least a few utilities available that will handle this, but i would suggest using the mozlz4-edit Firefox add-on by 'serj_kzv' since it is very easy to use and it provides a basic code editor with syntax highlighting. Simply click the 'mozlz4-edit' toolbar button to load the add-on. Next, click the 'Open file' button and navigate to your Firefox profile folder and select the search.json.mozlz4 file. In the following example we will sanitize the Google search plugin which should give you an idea of what to look for when you decide to sanitize the other default search plugins. As of Firefox version 62, here's what the default code for the Google search plugin looks like, though without the lengthy base64 icon string which i removed for brevity:

{
    "_name": "Google",
    "_shortName": "google-2018",
    "_loadPath": "jar:[app]/omni.ja!/google-2018.xml",
    "description": "Google Search",
    "__searchForm": null,
    "_iconURL": "[base64 icon code removed]",
    "_metaData": {
        "order": 5
    },
    "_urls": [
        {
            "template": "https://www.google.com/complete/search?client=firefox&q={searchTerms}",
            "rels": [],
            "resultDomain": "www.google.com",
            "type": "application/x-suggestions+json",
            "params": []
        },
        {
            "template": "https://www.google.com/search",
            "rels": [
                "searchform"
            ],
            "resultDomain": "www.google.com",
            "params": [
                {
                    "name": "q",
                    "value": "{searchTerms}"
                },
                {
                    "name": "ie",
                    "value": "utf-8"
                },
                {
                    "name": "oe",
                    "value": "utf-8"
                },
                {
                    "name": "client",
                    "value": "firefox-b-1-ab",
                    "purpose": "keyword"
                },
                {
                    "name": "client",
                    "value": "firefox-b-1",
                    "purpose": "searchbar"
                }
            ]
        }
    ],
    "queryCharset": "UTF-8"
},

In the above code you will notice the string firefox is used several times. This is how Google knows you're using Firefox and thus how Mozilla gets paid when you use the Google search plugin, though it may not be the only way Google knows you're using Firefox. To sanitize the code, we simply want to remove any mention of firefox, but we first need to duplicate that block of code, else Firefox will restore the default plugins as previously mentioned. To duplicate the code, highlight the entire Google block of code beginning with the opening bracket ( { ) and ending with the closing bracket and comma ( }, ). Note that you must eliminate the comma if you paste the copy as the last one in the "engines": section. You will also need to add a comma after the closing bracket for the plugin code block above your copy if that code was the last one in the "engines": section. If this is confusing, just know that each block of code for every search plugin must end with a closing bracket followed by a comma ( }, ), except for the last one where there can be no comma.

After removing the parameters which identify Firefox as our browser, here's what our sanitized copy of the Google plugin looks like:

{
    "_name": "[s] Google",
    "_shortName": "google-2018",
    "_loadPath": "jar:[app]/omni.ja!/google-2018.xml",
    "description": "Google Search",
    "__searchForm": null,
    "_iconURL": "[base64 icon code removed]",
    "_metaData": {
        "order": 5
    },
    "_urls": [
        {
            "template": "https://www.google.com/complete/search?q={searchTerms}",
            "rels": [],
            "resultDomain": "www.google.com",
            "type": "application/x-suggestions+json",
            "params": []
        },
        {
            "template": "https://www.google.com/search",
            "rels": [
                "searchform"
            ],
            "resultDomain": "www.google.com",
            "params": [
                {
                    "name": "q",
                    "value": "{searchTerms}"
                },
                {
                    "name": "ie",
                    "value": "utf-8"
                },
                {
                    "name": "oe",
                    "value": "utf-8"
                }
            ]
        }
    ],
    "queryCharset": "UTF-8"
}

You can simply copy the above code and paste it as the last search plugin as described earlier, just be careful to add a comma to the last closing bracket of the search plugin above it as described earlier.

Here are the changes we made:

This...

    "_name": "Google",

became this...

    "_name": "[s] Google",

There are two reasons for the above change: 1) you can't have two search plugins with the same name and 2) prefixing Google with the [s] lets us know that this is the sanitized version of the Google search plugin.

Next, this...

"template": "https://www.google.com/complete/search?client=firefox&q={searchTerms}",

became this...

"template": "https://www.google.com/complete/search?q={searchTerms}",

and this...

                },
                {
                    "name": "client",
                    "value": "firefox-b-1-ab",
                    "purpose": "keyword"
                },
                {
                    "name": "client",
                    "value": "firefox-b-1",
                    "purpose": "searchbar"
                }

was removed entirely to become this...

                }

Notice that we needed to remove the comma after the last closing } of the parameter code block since it is now the last block of code in the "params": section.

Finally, the last closing bracket for the Google plugin code block which looked like this...

},

had the comma removed since we pasted the new Google plugin code block at the end of the "engines": section.

Sanitizing the remaining search plugins is accomplished in a similar way as above; you want to look for and remove any instances of 'firefox', or 'mozilla', or sometimes just 'moz' or 'ff'. Once you've sanitized the default search plugins, just use the 'mozlz4-edit' add-on to save your changes as a 'mozlz4' file, overwriting your existing search.json.mozlz4 file. If you restart Firefox and all your customizations are missing, then there was likely a syntax error in your edits.
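The manual edit described in this section can also be scripted. The following Python sketch is an added example, not part of the original tutorial or of any Mozilla tool; it assumes the file has already been decompressed to JSON (for instance with mozlz4-edit) and that entries use the "engines", "_name", "_urls", "template" and "params" fields seen in the Google entry above. The function names and the token-matching rule are hypothetical, and the sample data is constructed.

```python
"""Build "[s]" sanitized copies of search engine entries from a decompressed
search.json (added example; field names follow the Google entry shown above)."""
import copy
import json
import re

# Strings the tutorial says to look for in parameter values.
MARKERS = {"firefox", "mozilla", "moz", "ff"}


def is_browser_marker(value):
    """True if any token of the value (split on non-alphanumerics) is a marker.

    Token matching is an assumption of this example: it leaves 'utf-8' and
    '{searchTerms}' alone while catching 'firefox' and 'firefox-b-1-ab'.
    """
    tokens = re.split(r"[^a-z0-9]+", str(value).lower())
    return any(token in MARKERS for token in tokens)


def clean_template(template):
    """Drop query-string pairs whose value is a browser marker.

    The query is split by hand so that '{searchTerms}' is not percent-encoded.
    """
    base, sep, query = template.partition("?")
    if not sep:
        return template
    kept = [pair for pair in query.split("&")
            if not is_browser_marker(pair.partition("=")[2])]
    return base + ("?" + "&".join(kept) if kept else "")


def sanitized_copy(engine, prefix="[s] "):
    """Return a renamed deep copy of one engine with marker parameters removed."""
    clone = copy.deepcopy(engine)
    clone["_name"] = prefix + engine["_name"]
    for url in clone.get("_urls", []):
        url["template"] = clean_template(url["template"])
        url["params"] = [p for p in url.get("params", [])
                         if not is_browser_marker(p.get("value", ""))]
    return clone


def add_sanitized_engines(search_json):
    """Append a sanitized copy after the existing engines, keeping the originals.

    Originals stay in place because, as the tutorial notes, Firefox restores
    the default plugins if they are removed or altered.
    """
    out = copy.deepcopy(search_json)
    names = {e["_name"] for e in out["engines"]}
    for engine in search_json["engines"]:
        clone = sanitized_copy(engine)
        changed = clone.get("_urls") != engine.get("_urls")
        if changed and clone["_name"] not in names:
            out["engines"].append(clone)
            names.add(clone["_name"])
    return out


# Constructed sample: an abbreviated form of the Google entry shown above plus
# a made-up engine that carries no browser markers.
SAMPLE = {
    "engines": [
        {
            "_name": "Google",
            "_shortName": "google-2018",
            "_urls": [
                {"template": "https://www.google.com/complete/search"
                             "?client=firefox&q={searchTerms}",
                 "type": "application/x-suggestions+json", "params": []},
                {"template": "https://www.google.com/search",
                 "params": [
                     {"name": "q", "value": "{searchTerms}"},
                     {"name": "ie", "value": "utf-8"},
                     {"name": "oe", "value": "utf-8"},
                     {"name": "client", "value": "firefox-b-1-ab",
                      "purpose": "keyword"},
                     {"name": "client", "value": "firefox-b-1",
                      "purpose": "searchbar"},
                 ]},
            ],
        },
        {"_name": "Example Search",
         "_urls": [{"template": "https://search.example/?q={searchTerms}",
                    "params": []}]},
    ]
}

if __name__ == "__main__":
    # json.dumps places the commas itself, which avoids the syntax errors
    # that make Firefox discard a hand-edited file.
    print(json.dumps(add_sanitized_engines(SAMPLE), indent=4))
```

The printed JSON can be pasted back into mozlz4-edit and saved as a 'mozlz4' file; work on a backup copy as described earlier.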

Download pre-sanitized search plugins

If you do not want to sanitize the default search engine plugins yourself you can download my pre-sanitized copy which contains a search.json.mozlz4 file that should work for Firefox version 57 and up ("up" meaning until the next time the M@M's (Morons@Mozilla) decide to break everything again). The download contains the default engines which come with Firefox version 62, plus the sanitized versions of them, plus all of the engines i personally use. All in all there are over 40 search engine plugins which you can edit or disable as you see fit. Many are already disabled since i only use them occasionally, so be sure to adjust as necessary in your Firefox Search preferences.

Download: search.json.mozlz4.zip

Install: Back up your existing search.json.mozlz4 file, then extract the one from the archive to your Firefox profile directory and restart Firefox.

Sanitizing the prefs.js search engine preferences

Another item you should check is whether prefs.js in your Firefox profile directory contains any browser.search.param preferences. To sanitize these, load about:config in the browser address bar and enter browser.search.param in the search field. If none are found, great, but at the time i originally wrote this article there were two preferences found; browser.search.param.yahoo-fr and browser.search.param.yahoo-fr-ja. The default values may be different in your case, but in mine they were data:text/plain,browser.search.param.yahoo-fr=linuxmint and an empty string, respectively. What you should do is create a custom user.js file to store your modified preferences if you don't already have one, then copy the following code to it:

user_pref("browser.search.param.yahoo-fr", ""); // sanitize Yahoo
user_pref("browser.search.param.yahoo-fr-ja", ""); // sanitize Yahoo

Removing Firefox system add-ons

Mozilla packages some system add-ons with Firefox, installs them without your permission and doesn't provide the user with any convenient means to remove or disable them. These system add-ons have been used for very controversial purposes in the past. To remove them, see the 'System add-ons' section of the Firefox Configuration Guide for Privacy Freaks and Performance Buffs.

We've only scratched the surface...

Sanitizing the default Firefox search engine plugins is a good start, but there is much more to do if you're interested in circumventing the risks to your privacy. For further information see the Tech section of this website.

Resources

Special mention goes to 'Thorin-Oakenpants' (aka 'Pants') as well as the 'ghacks' crew and their GitHub repository where they host an excellent privacy-centric user.js for Firefox and its derivatives, as well as an extensive Wiki full of valuable information.

Revision history

15-Sep-2017

  • first publish

16-Sep-2017

  • added this change log
  • corrected an error in the pre-sanitized Wikipedia search plugin and re-uploaded sanitized_search_plugs.zip
  • added information as suggested by 'Pants' in his comment below, particularly details and resources regarding the followonsearch@mozilla.com.xpi system add-on in a new section titled "Removing the 'Follow On Search' system add-on"
  • added Hulbee and MetaGer to the search engine list
  • added a "Decentralized" column to the search engine table
  • added resource: 5 Best Search Engines That Respect Your Privacy - BestVPN.com
  • misc. cleanup and edits

17-Sep-2017

  • corrected typo in metager URL
  • added "Requires JS / Cookies" column in search engine table
  • changed links for search engines in table to point to company/about page and added links to point to search page
  • added link to the 'lite' version of DDG
  • added a link to the uBO filters to block Startpage/Ixquick tracking images
  • misc. minor edits

18-Sep-2017

  • added "Client Required" column to search engine table
  • corrected some info regarding the search engines in the table
  • minor misc. edits

24-Sep-2017

  • added a link to the Duck Duck Go: Illusion of Privacy article
  • added findx to the search engine list
  • minor edits

27-Sep-2017

  • added Qwant to the search engine table

29-Sep-2017

  • misc. edits and added info, nothing really important

3-Oct-2017

  • very minor edits

23-Oct-2017

  • moved the list of alternative search engines to its own page
  • minor edits

5-Dec-2017

  • minor change to the section 'Sanitizing the default search engine plugins' thanks to commenter 'nohamelin' - more changes coming shortly thanks to this person's comments

23-Dec-2017

  • updated search plugin import/export instructions as per the very helpful comment left by 'nohamelin', the developer of the XML Search Engines Exporter/Importer add-on in which he made available Scratchpad scripts that work with FF v57+
  • corrected an error in the pre-sanitized search engine archive, added Startpage and re-uploaded a new archive
  • misc. minor edits

28-Jan-2018

  • polishing

2-Oct-2018

  • major changes, additions and deletions

3-Oct-2018

  • fixed corrupted download files
  • added info about Add custom search engine add-on
  • added better instructions for installing the search plugin file, search.json.mozlz4
  • minor edits

21-Oct-2018

  • rewrote the section on manually sanitizing search plugins
  • various minor edits

15-Nov-2018

  • updated the search.json.mozlz4 file
  • spelling corrections

27-Nov-2018

  • updated the search.json.mozlz4 file
  • minor edits

11-Dec-2018

  • referred to my Firefox configuration guide for info on removing system add-ons

21-May-2019

  • moved info about Mozilla to its own page
  • minor edits, corrections

30-Nov-2019

  • updated search.json.mozlz4
  • minor edits

Firefox Configuration Guide for Privacy Freaks and Performance Buffs

Want to configure Firefox and other Gecko-based browsers for better performance and security?

See the revision history at the end for a list of changes.

Before embarking on this journey into the bowels of Firefox, you may want to first read, Tor verses a VPN – Which is right for you?. If you choose to use the Tor Browser, you need not digest this guide.

Introduction

This guide is long, boring, dry, tedious and somewhat technical, so if you don't feel comfortable digesting it, try The Firefox Privacy Guide For Dummies! instead, however be aware that it doesn't offer the same degree of protection.

To understand my personal position regarding the ethical nature of the Mozilla Foundation, read The Mozilla Monster.

WARNING: This guide is not for use with the Tor browser. Configuring the Tor browser as outlined in this guide will result in potentially serious risks to your privacy.

Though this guide is centered around the Firefox web browser, users of other browsers, email clients and Mozilla products may find it useful. If you are interested in hardening the Thunderbird email client, see The Thunderbird Privacy Guide for Dummies!.

Many of us are aware of the immense threats to our on-line privacy and security posed by various technology companies, governments and malicious hackers, any of which may go to great lengths to monitor our electronic communications. Governments and their "intelligence" apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of various companies to do so, including Microsoft, Google, Facebook, Verizon, Comcast and Amdocs as well as many, many others. While the data these companies collect may be used for relatively benign purposes such as targeted advertising, the intentions are often far more sinister. Much of what Edward Snowden has brought to light is not new, but it seems the information has been presented in a way that has captured the attention of the public, prompting many to seek ways to mitigate the threats.

While the primary goal of this guide is to help the reader thwart some of the more obvious efforts to track and profile us as we surf the web, as well as increase browser security and performance, understand that i am not an expert in computer security or privacy and there are surely many more variables and vectors for attack than i am aware of. While there are many known methods that can be used to compromise our digital well being, how many more are there of which we know nothing? Or what about techniques that most of us never consider? For example, even if you are a knowledgeable, technically proficient and privacy conscious individual who uses open hardware devices running open source software and a security enhanced operating system, and even if you connect to the internet only through Tor, you may still be at risk of being tracked because, disregarding everything else, your unique writing style can be used to identify you. It is not this level of sophistication that i will attempt to address here however. My goal is to share what i have learned over the years as a casual web surfer and computer user who has a hobbyist-grade interest in computer security and digital privacy. Having said that, i believe -- and please correct me if i'm wrong -- this guide is currently one of the more comprehensive of its kind in that it addresses many aspects of the Firefox browser including configuration, extensions and optimizations. If you want to go further than this guide can carry you, see the resources section at the end which includes the fine article, Improve Your Privacy in the Age of Mass Surveillance. I would also highly recommend using a VPN to help prevent spying by your ISP and other bad actors. That One Privacy Site is a good resource for choosing a VPN, as is TorrentFreak which publishes annual reports regarding many of the popular VPN service providers. Their 2018 report is here.

As with any modern and mainstream web browser, Mozilla Firefox is a highly complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, hidden, or undocumented. Things can go down the toilet real fast if you start messing around with its settings willy-nilly and poorly coded add-ons can compound the problem. Here we will attempt to accomplish our goals in an efficient manner with a minimal number of carefully chosen browser extensions, or add-ons.

A bit of a trade-off must be expected when we tighten security and privacy insomuch as some websites will cease to function properly until the settings for those specific sites are adjusted. Anyone who has used a content filter such as NoScript or Request Policy will understand that certain resources must be allowed for a given website to function in an acceptable way. Similar to NoScript however, the process of allowing required resources usually consists of a mouse click or three followed by a page refresh and once we have made the necessary adjustments for our favorite websites, our workload will be greatly reduced. Nevertheless, be prepared to put a little more effort into your web surfing activities in general and expect the occasional hard-case where more fiddling than usual will be required to get a particular site working properly. The pay-off is a much cleaner and faster web that is less able to track and profile us, as well as a somewhat hardened and speedier Firefox that is more resistant to attack.

Terminology

Add-on/extension: I use these terms interchangeably. A web browser add-on or extension is a piece of software typically developed by a 3rd party that extends the capability of the browser. Web extensions, which leverage the WebExtension API (Application Programming Interface), have replaced the older legacy (XUL/XPCOM) extensions beginning with Firefox version 57. This newer type is essentially the same format as used by Google Chrome and other web browsers. Unfortunately the WebExtension API is severely limited. For example, such extensions cannot modify the GUI (Graphic User Interface) of Firefox in the same way legacy extensions could.

AMO: addons.mozilla.org, the Mozilla Add-ons website.

Browser fingerprinting: Web servers can employ a wide variety of methods to uniquely identify your web browser, hardware and software configuration, collectively known as fingerprinting. Fingerprint data may consist of many bits of information about your environment which, when combined, can be used to uniquely identify a web browser. This information may include such things as the browser viewport dimensions, installed add-ons, its capabilities, your locale, your operating system, querying the browser cache, your display resolution and much more. This information can be gleaned using various techniques, including through HTTP header information, JavaScript, and others, and it is often used for the purpose of tracking and profiling the user and their web activities. For further information, see A Primer on Information Theory and Privacy and Panopticlick. See also the explanation for 'tracking' and 'web storage' below.

Crapware/malware: I consider crapware/malware to be software which contains code which is not relevant to the functionality users expect. As such the term crapware, or malware, refers largely to adware, tracking code and other malicious code with regard to web browser extensions. Crapware is often added to browser extensions by a company or solo developer who wishes to monetize their work and often takes the form of profiling users and selling the data collected by the extension to a marketing company, however much worse is possible.

CDN: A Content Delivery Network is a service that hosts reusable content, such as graphics and reusable scripts which developers can leverage to make building web platforms easier. CDNs often present a threat to our privacy by tracking our web activities. They are perhaps a most formidable threat because a single CDN service may be used by many millions of popular websites and therefore the spying capabilities of the company providing the CDN service can be widespread and cross-domain in nature. The use of CDNs is prolific today and since many websites will not function without the content they deliver, globally blocking CDN content is hardly an option.

CSS: Cascading Style Sheets are used primarily to apply visual styling to HTML elements, thus making web pages look pretty, however the capability of CSS has been expanded well beyond its original specifications to the point where it can now be used for nefarious purposes.

Domain/subdomain/TLD: In the example 'sub.example.com', 'example' is the root domain, 'sub' is a subdomain of the root domain and 'com' is the TLD, or Top Level Domain. You can think of root domains and subdomains as sort of different containers which are used to separate content for a single website. For example, let's say kitties.com is focused primarily on information about kittens, but they also might have a web store where they sell paper bags. In order to keep the store content separate, they may host the store on the subdomain 'shop.kitties.com'.

Fingerprinting: Fingerprinting is the technique of developing a unique signature that can be used to identify and track the browser within a domain, across domains, and even across sessions. There are many ways to fingerprint a browser including by installed fonts and how they are rendered, the dimensions of the browser view port, the Canvas API, web storage and more. Many fingerprinting techniques rely upon JavaScript.

HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are communication protocols used by computers to transmit data over the internet. For HTTP an insecure, unencrypted connection is established which is vulnerable to ISP (Internet Service Provider) snooping and man-in-the-middle attacks, while a secure, encrypted connection is established with HTTPS. Some web servers simply do not support HTTPS and for this reason i will again point out the necessity of using a VPN.

JavaScript (JS): A powerful programming language that runs code within the browser, often to make pages interactive. Although JavaScript is used by many websites for legitimate reasons, it can and often is used maliciously to perform a wide variety of attacks against the browser and our privacy. Many browser fingerprinting/tracking techniques depend on JavaScript being enabled and this is the default in every mainstream web browser.

Tracking: Once a unique identity for the browser is established through fingerprinting, cookies, storage, or other methods, it is then possible to track its activity both within the same domain and across domains. See also the explanation for 'web storage' below.

Web fonts/remote fonts: These are font packages typically hosted by a 3rd party, such as Google, which a web developer may use to specify how text is displayed on a website. Web fonts present a few problems regarding browser tracking and security.

Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites.

Web storage: In addition to HTTP cookies and web caching, most/all popular web browsers also allow a web server to store data locally using several storage methods including local and session storage, indexedDB storage, window.name storage, Etag cache storage, Local Shared Objects storage, Service Workers, offline storage, HTTP Strict Transport Security storage and other methods. Stored data for Firefox may consume up to 50% of your free disk space. If you are concerned about protecting your privacy, you have far more to worry about than the simple text cookies of yesteryear which in theory, but not always in practice, could be read only by the domain that set them and this problem only seems to worsen as the web grows more complex.

Prerequisites

Code editor

You will need a decent code editor with syntax highlighting to edit Firefox's configuration files. Linux users should have something suitable installed by default, however if you're running Windows i might suggest Notepad++ or PSPad, the latter being the simpler of the two.

Unhide file extensions

If Windows is using you, the geniuses at Microsoft have taken it upon themselves to hide file extensions from the user. You will need to un-do that.

Getting Firefox

Though i recommend using the stable release version of Firefox, there are other versions such as the ESR (Extended Support Release), however it is usually an older version. There is also a Developer Edition which includes the very latest features (and bugs). While there are many 3rd party forks of Firefox, including Waterfox, Cyberfox, Pale Moon (or Basilisk from the same developer), etc., i do not recommend using any of them. The small development teams for these 3rd party builds often lag far behind regarding security patches and they can be buggy and incompatible with the latest add-ons (Pale Moon doesn't support the newer Web Extensions at all). While some forks may be more privacy-centric out of the box, we can accomplish essentially the same degree of privacy or better with the official Mozilla release version.

The user.js file

The user.js file is typically where your personal Firefox preferences are best kept, however in our case we will be using a preconfigured one and then storing our personal preferences in a user-overrides.js file which will be appended to user.js using a script.

The user.js file we will use is a result of a formidable effort by 'pants' and the rest of the 'ghacks-user.js' crew and contributors. Their work became rather popular when it was published as A comprehensive list of Firefox privacy and security settings by Martin Brinkmann on ghacks.net. The project has since moved to GitHub, but don't download anything yet.

Firefox post install cleanup

After installing Firefox, and before you make any changes, back-up your current profile. If you don't know where it is, enter about:profiles in the address bar and click the 'Open Directory' button in the 'Root Directory' row. The easiest way to backup your profile is to select your profile folder under the /firefox directory and press Ctrl+C to copy the folder, then Ctrl+V to paste it in the same place but with a different name. I might suggest keeping the original name and just appending -bak to the copy. From this point on, all changes should be made to your original profile, leaving your backup profile untouched in case something explodes. Next, delete everything from your original profile, keeping only your bookmarks and whatever else you need. See the article Profiles - Where Firefox stores your bookmarks, passwords and other user data if you need help with what data is stored in which file/folder.

System add-ons

Packaged with Firefox are a bunch of system add-ons which are installed without your consent and they are essentially hidden (they are not listed in about:addons). Some of these add-ons have been and may currently be used for controversial purposes such as collecting data about how users interact with search engines, the browser, etc. Typically i remove all of them, however you may want to keep some of them after researching what they do and whether they preserve your privacy. On Linux these add-ons may be found at /usr/lib/firefox/browser/features and for Windows in \Program Files (x86)\Firefox\browser\features or \Program Files\Firefox\browser\features. You can delete them in Linux using the terminal:

cd /usr/lib/firefox/browser/features && sudo rm *.xpi

These system add-ons will be reinstalled each time Firefox is upgraded. On Windows you can apparently use CCleaner to disable them. If you're running Linux with the pacman package manager (Arch, Manjaro), you can prevent their re-installation by editing the pacman configuration file, pacman.conf. Note that this will not work using Pamac, the GUI package manager, until this bug is addressed. In my case i find it easier to just bookmark the /features folder in my file manager and run the command above each time i update Firefox.

Search engines

I recommend reading Firefox Search Engine Cautions and Recommendations which offers information about how Mozilla monetizes Firefox with the included search engine plugins and what can be done to opt out of this affiliate scheme should you so choose.

Required add-ons and settings

Following are the add-ons required for this guide and their recommended settings. All of the add-ons listed here are of the WebExtension variety, meaning most should work with Firefox versions 57 to 59 and all should work with versions 60 and up. Download and configure each add-on as you go through the list. Each of these add-ons is important so don't skip any of them with the possible exception of uMatrix.

Note that there is a serious problem with Firefox regarding Content Security Policy (CSP) which has yet to be addressed by Mozilla. The short version is that, when two or more add-ons use CSP injection to modify HTTP headers, and many do, only one will succeed. For example, both uBlock Origin and uMatrix leverage CSP, as well as other suggested add-ons here. In some cases the use of CSP can be disabled in add-on settings and i have noted this in the suggested settings. Also see the Extensions section of the 'ghacks' wiki. Please create an account at Bugzilla and vote for this issue.

CanvasBlocker by kkapsner

Description: Helps to prevent browser fingerprinting through the JavaScript Canvas APIs.

Settings: Following are the most important settings. Others are optional.

General tab:

  • Expert mode: enabled
  • Block mode: fake
  • Faking
    • Random number generator: non-persistent
  • Notifications
    • Show notification icon: enabled

API tab:

  • Canvas API
    • Protected part of the canvas API: readout
    • Protected API features: all options enabled
  • Audio API
    • Protect audio API: enabled
    • Protected API features: all options enabled
  • History API
    • Protected API features: all options enabled
  • Window API
    • Protect window API: enabled
    • Protected API features: all options enabled
  • DOMRect API
    • Protect DOMRect API: enabled
    • Protected API features: all options enabled

Misc tab:

  • Block data URL pages: disabled (CSP issue)
  • Logging level: error

ClearURLs by Kevin R.

Description: Strips many tracking and other (mostly) unnecessary parameters from hyperlinks, such as the utm_* tracking parameters used by Google Analytics. Unlike other similar extensions, ClearURLs uses a remotely updated list from GitLab and requires little or no interaction.

Settings: Following are the most important settings. Others are optional.

  • Allow domain blocking: if you are not using any of the major ad filtering lists in uBlock, then enable this
  • Skip URLs on local hosts
  • Prevent tracking injection over history API
  • Block hyperlink auditing
  • Filters ETag headers from requests

CSS Exfil Protection by Mike Gualtieri

Description: Helps to prevent attackers from exploiting Cascading Style Sheets (CSS) vulnerabilities.

Settings: None.

HTTPZ by claustromaniac

Description: Attempts to force websites to use an encrypted connection (HTTPS) but will fall back to an unencrypted connection (HTTP) if the website does not support HTTPS.

Settings:

  • The default settings are fine. You can disable 'Fallback to HTTP without warning' if you want to be notified when HTTPZ is unable to upgrade an HTTP request.

LocalCDN by nobody42

Description: Helps to prevent tracking and speeds-up page loading by using local copies of common JavaScript libraries rather than fetching them from a CDN.

Settings: Following are the most important settings. Others are optional.

  • Display injection counts on icon
  • Disable link prefetching
  • Strip metadata from allowed requests

Enabling the option to 'Block requests for missing resources' will further decrease threats to privacy, however this will break more websites as well and so the choice is yours.

Privacy-Oriented Origin Policy (POOP) by claustromaniac

Description: Helps to protect privacy by manipulating Cross-Origin Resource Sharing (CORS) requests.

Settings: I would recommend setting the 'Global mode' to 'aggressive' and enabling the 'Exclude root domain matches' option. If you are not using uMatrix, enable the 'Spoof cross-origin Referer' option. You can also add the following to the 'exclude requests using patterns' area:

www.youtube.com *.googlevideo.com
www.youtube-nocookie.com *.googlevideo.com
*.dailymotion.com *.dmcdn.net

Site Bleacher by wooque

Description: Automatically deletes web storage when a domain is revisited. Site Bleacher is the *only* add-on at this time that is capable of clearing IndexedDB storage on a dynamic basis.

Settings: Other than a whitelist there are no settings.

Skip Redirect by Sebastian Blask

Description: Skips link redirections such as used by Google, AMO and many other companies and websites, thus helping to prevent tracking. Redirects are intermediate links, such as 'click-track.com/abc123' or short links, that forward the browser to the final destination.

Settings: The default settings are sufficient. You will likely have to whitelist sites that no longer work properly which Skip Redirect makes easy to do since you can copy the last skipped URL by right-clicking its toolbar icon and then adding that URL or domain to the blacklist.

uBlock Origin (uBO)

Description: uBlock Origin is an excellent ad/content blocker that can use the same filter lists as Adblock Plus as well as many more. Make sure you use the original uBlock Origin by Raymond Hill and no other. If you choose not to use uMatrix, it is important that you enable advanced mode in uBO and learn how to use its dynamic filtering capabilities.

Settings: If you decide to use both uBlock Origin and uMatrix as suggested, the former will be used primarily for its static filtering capability (the filter lists for ads, tracking, malware, etc.) while the latter will be used primarily for its dynamic filtering capability (JS, cookies, frames, etc). To set up uBO, see the uBlock Origin Suggested Settings Guide and use the settings in the 'Advanced guide settings' column.

uMatrix (uM)

Description: By the same developer as uBlock Origin, uMatrix is also a powerful content blocker that provides more granular control over web requests than uBlock does. Using uMatrix is somewhat optional, however if you choose not to use it then it is important that you enable advanced mode in uBlock Origin and learn how to use its dynamic filtering capabilities.

Settings:

Once uMatrix is installed, click the toolbar button and then the title bar of the pop-up to open the Dashboard.

Following are the settings i recommend enabling.

Settings, Convenience:

  • Show the number of blocked resources on the icon
  • Collapse placeholder of blacklisted elements (but not blocked elements, at least not until you become more comfortable with uM)

A note regarding the option 'Spoof <noscript> tags when 1st-party scripts are blocked': Enabling this setting is entirely optional as there are advantages either way. If you enable it, then some websites will present a notification that you have disabled JavaScript (which we will certainly do) and this can be very helpful, especially to those who are new to blocking JS. On the other hand, some content for some websites that would normally be available with JS disabled will not be available if this option is enabled, so it's your choice as to whether to enable it.

Settings, Privacy:

Note that the three options to delete web storage are not strictly required since Site Bleacher handles this storage, however i think it's better to have the redundancy, plus they both work differently.

  • Delete blocked cookies
  • Delete non-blocked session cookies 60 minutes after the last time they have been used
  • Delete local storage content set by blocked hostnames
  • Clear browser cache every 60 minutes
  • Spoof HTTP referrer string of third-party requests
  • Block all hyperlink auditing attempts

Do not enable the Strict HTTPS option if you're going to use the HTTPZ add-on which i highly recommend you do.

Optionally, on the 'My rules' tab, you can add the following to the 'Temporary rules' pane, then save and commit your change:

no-workers: * true

This will disable web workers which will prevent certain JS from running in the background. If a page breaks as a result, you can enable web workers on a per-site basis from the uM pop-up by clicking the vertical 3 dot icon. One resource this setting will break is videos on the dailymotion.com website. For example, videos from Dailymotion will not play until you allow web-workers for dailymotion.com.

Note that web workers depend on JavaScript being enabled. Also note that blocking workers with uM may be problematic in that, if they were blocked by the Firefox prefs instead, the web page may fall back to one that doesn't depend on workers whereas if they are blocked in uM then the page may just break.

On the 'Assets' tab, disable all of the host file filter lists, purge the caches and save your changes. It is better to use uBlock Origin to control static filtering since it offers many more options by default, plus the hosts filters are more likely to break website functionality.

Also on the 'Assets' tab, you can enable the 'Ruleset recipes for English websites' option. On the uM toolbar pop-up you will notice a puzzle piece icon which you can use to quickly import a rule-set for resources used by the page you're visiting if it uses a 3rd party resource and if someone has created a rule-set for that resource. For example, if you visit a page with an embedded YouTube video, you can import the rule-set for YouTube instead of configuring the filters manually. You might want to switch to the global scope before doing this so that embedded YouTube videos will play on all websites.

If you're using the Decentraleyes add-on you need to add some rules to the 'My Rules' tab in the Dashboard. When adding the rules, be sure to remove any conflicting rules for the same domains if you have any (you won't if you're starting fresh).

Additional add-ons

For more possibilities regarding add-ons, see Firefox Extensions: My Picks.

Automatic add-on updates

The tl;dr version is: Do NOT enable automatic add-on updates. The longer version follows...

Regarding automatic add-on updates, which are enabled by default in Firefox, this function is disabled in the 'ghacks' user.js file and i would strongly suggest keeping it disabled. Automatic checking for updates is fine and this is enabled in the 'ghacks' user.js, but we do not want Firefox to update add-ons without our explicit consent. The problem here is that developers may, at any time, and without notice, monetize their add-on or sell their work to an unethical 3rd party and this often results in compromising your privacy. Examples of some currently or formerly popular add-ons which contain(ed) such crapware are Abduction, a screen capture utility; Quick Locale Switcher, a language switcher; FasterFox Lite, a largely useless utility which claims to speed-up Firefox but doesn't; BlockSite, a content blocker; Stylish, a very popular utility for changing the appearance of websites, and many, many others. Not all of these extensions contained crapware when they were first introduced which is why i strongly suggest keeping automatic add-on updates disabled and carefully reviewing the change logs, permissions and privacy policies each time an add-on update is available. For more about Firefox add-ons, see Firefox Extensions – My Picks.

Firefox configuration

This guide depends heavily on the 'ghacks' user.js configuration file which alters hundreds of important Firefox preferences related to privacy and security, thus you need not worry about manually configuring anything from the Preferences menu of Firefox other than a search setting which we'll get to. If you choose to not use the 'ghacks' user.js, then your job is likely to be considerably more difficult assuming your goals are similar. Still, you may find it helpful to refer to the 'ghacks' user.js should you choose to start from scratch.

Search bar on navigation bar

I would suggest adding the search bar to the navigation bar and using it instead of the address bar for searching the web. Not only might you find it more convenient, but there are potential privacy concerns when searching from the address bar. To accomplish this, open the Firefox Preferences page, click the Search item on the left, then enable the option 'Add search bar in toolbar'.

Firefox profile in RAM

With the wide adoption of speedy Solid State Drives (SSDs), the concept of sticking the Firefox profile in RAM for performance reasons may seem obsolete, however there are still benefits in doing so. If you don't want to disable disk caching, web storage and cookies globally, and thus break a lot of websites in the process, there will be substantial read and write activity for your storage media. Placing your Firefox profile in RAM will alleviate much of this, however doing so can be risky should a catastrophic failure occur, such as a power failure which could result in data loss or corruption. Fortunately there are ways to minimize this risk. If you use Windows you're on your own since i don't, suffice to say that there exists Windows compatible software that can manage RAM disks and backup your profile to your storage media. 'Bushdoctor' provides a method in a comment left on this article. Those using most any flavor of Linux have access to a very spiffy utility called Profile-sync-daemon (PSD) which is designed specifically for this task and it works with quite a few browsers. Check your package manager to see if it's available in your repository. To get PSD working, run man psd in a terminal or consult the guide on the Arch wiki. Setting it up was very easy in my case and it has worked flawlessly and transparently ever since.

Cache

Note that Firefox stores its web cache in a location other than the profile directory. On Linux it's kept at /home/[user]/.cache/mozilla/firefox/. Normally you would have to deal with web cache separately if you wanted to store it in RAM also, however since disk caching is completely disabled in the 'ghacks' user.js (cache is stored in memory) and the cache is dumped when you exit Firefox, you need not worry about it. If you're thinking it would be more efficient to keep the browser cache instead of having to re-download objects for the websites you visit frequently, you're right, however doing so can compromise your privacy. We won't exactly be dumping all of the browser cache either since we're using the Decentraleyes add-on.

Configuration files

Keep the following hierarchy in mind as you read this section. When Firefox starts:

  1. prefs.js is read by Firefox
  2. user.js is read by Firefox - all preferences in the user.js file are copied to the prefs.js file and any preferences that are duplicated in both files are overridden by those in user.js - prefs.js is then used to generate what you see in about:config
  3. user-overrides.js is never read by Firefox but these preferences are appended to the 'ghacks' user.js with a script (preferred) or by manual copying - if using the 'ghacks' user.js this is the only file you should edit and it is where all your custom preferences should be placed - this may defy conventional knowledge, so let me be clear:

If you are going to use the 'ghacks' user.js file then you should never edit it (nor the prefs.js file), nor should you change important settings from about:config unless you're only testing something. All of your custom preferences should be placed in your user-overrides.js file and nowhere else, and then appended to the 'ghacks' user.js using their updater script.

One reason for this is that the 'ghacks' user.js is quite a large file that is updated fairly frequently and if you edit it and then update it, all your custom changes will be lost, whereas if you copy the preferences you want to alter from the 'ghacks' user.js to your user-overrides.js and change the values there, then updating the 'ghacks' user.js will be a lot less painful. On the other hand, should you choose to not use the 'ghacks' user.js, then you should add your changes to your own user.js and you can ignore everything stated here about the user-overrides.js. Either way, never edit the prefs.js file directly or by way of about:config unless you're just testing something.

If you do not have a general understanding of the user.js file, you may want to read this on the 'ghacks' wiki. You should also poke around elsewhere in the wiki for detailed information on using and maintaining their user.js file.

Obtaining and maintaining the user preferences files

In your profile folder, delete or rename your existing user.js file if you have one. You can transfer any needed settings later if they are not already covered in the 'ghacks' one. Next, i might suggest downloading my user-overrides.js file. Go to my 12bytes.org/Firefox-user.js-supplement repository at Codeberg.org and download the user-overrides.js file to your Firefox profile directory. The easiest way to get the file without messing up the formatting is to view the raw file, then press Ctrl+S to save it. Next, open the file for editing using your code editor and follow the instructions within.

Next we want the 'ghacks' user.js file from the ghacksuserjs/ghacks-user.js GitHub repository but you need not download it directly. Instead, grab their updater.sh (Linux) or updater.bat (Windows) script by clicking the file name, then clicking the 'Raw' button in the new page and pressing Ctrl+S to save the file to your Firefox profile directory. Use the same method to get a copy of their prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) and place it in your Firefox profile directory. This script is used to reset any unused or old preferences in your prefs.js file. If you're running Linux, don't forget to make the files executable. Next, run the updater script to fetch the 'ghacks' user.js and append the contents of your user-overrides.js to it. In Linux run ./updater.sh in a terminal and follow the prompts. If you have given the file the executable flag and still get an error, try grabbing a new copy being careful to use the method i described earlier.

At this point it is important to go through the entire 'ghacks' user.js file and read all of the comments and review each of the settings to be sure everything is configured the way you want. As stated above, any preferences you want to change in the user.js file should be copied to your user-overrides.js file in the appropriate section where you will then change their values. Note that if you ever add and then comment out or delete a custom preference in your user-overrides.js which is not contained in the 'ghacks' user.js, and you have run Firefox after doing so, that setting will remain in the prefs.js file. The safest way to remove such preferences is to open about:config in Firefox and reset them (right-click the preference, click 'Reset').

Over time it is possible that your user-overrides.js file will contain preferences that are obsolete. The 'ghacks' user.js file contains a list of some of these preferences in the section titled [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED and these preferences should be removed from your user-overrides.js file. One very tedious way to do this is to go through the list line by line and see if they are duplicated in your user-overrides.js. An easier way is to use the -c switch (documentation here) when you run the updater script which will output a 'diff' file containing the differences between the old user.js and the new one.

IMPORTANT: Don't forget to run the updater script with the -c switch every time you update the user.js file or make changes to the user-overrides.js file. You can read more about the updater script here and the cleaner script here.

Verifying the integrity of user.js

It is important to perform an integrity check whenever the 'ghacks' user.js file is updated or you have changed anything in the user-overrides.js file.

From the 'ghacks' crew:

In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug pref no longer necessarily means that all prefs have been applied. Check the console right after startup for any warnings/error messages related to non-applied prefs.

They reference the article, 'A New Preferences Parser for Firefox' if you're interested in knowing more.

To perform this check, you might want to disable your network connection, then start Firefox and open the Browser Console from the Web Developer toolbox (Ctrl+Shift+J might work) and check for any preference errors.

The reason it is suggested to disable your network connection is because, in the event there is a problem with an important preference, a network connection may allow data to flow in or out which you wanted to avoid.

Now we will further check the integrity of the user.js and user-overrides.js files. You may have noticed a bunch of unusual looking _user.js.parrot preferences in both files. These are used for troubleshooting syntax errors by quickly identifying a specific section in which the error lies. When you run Firefox for the first time after updating the user.js or making changes to your user-overrides.js, check the value of the troubleshooting preference by entering about:config in the address bar and searching for the _user.js.parrot preference (it will likely be the first one listed without having to search). The value should match the very last _user.js.parrot preference value in your user-overrides.js or, if you are not using a user-overrides.js, then it should be the last value in the 'ghacks' user.js, "SUCCESS: No no he's not dead, he's, he's restin'!". If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section of the user.js or user-overrides.js the syntax error lies. While it cannot narrow down the problem to a specific preference or line number, at least you will know where to begin looking.
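The file hierarchy from 'Configuration files' and the parrot check described above can be modelled in a few lines. This is an added example, not code from the 'ghacks' project or from this guide: the file contents are constructed, values are assumed to be double-quoted strings, booleans or integers, and the parser is a simple stand-in for the one in Firefox that skips any line it cannot read.

```javascript
// Added example. The file contents are constructed samples, not the real
// 'ghacks' user.js, and the pref values shown are not recommendations.
const PARROT = "_user.js.parrot";

const USER_JS = `
/* 0000: constructed sample laid out like a sectioned user.js ***/
user_pref("_user.js.parrot", "START: constructed sample");
user_pref("_user.js.parrot", "0100 section");
user_pref("browser.cache.disk.enable", false);
// user_pref("network.example.inactive", true);
user_pref("_user.js.parrot", "0200 section");
user_pref("security.cert_pinning.enforcement_level", 2);
user_pref("example.url", "https://example.invalid/path"); // constructed name
user_pref("_user.js.parrot", "SUCCESS: end of user.js");
`;

const OVERRIDES = `
user_pref("_user.js.parrot", "overrides: section 1");
user_pref("security.cert_pinning.enforcement_level", 1);
user_pref("_user.js.parrot", "overrides: section 2");
user_pref("example.custom.pref", "mine");
user_pref("_user.js.parrot", "overrides: SUCCESS");
`;

// The updater script appends the overrides to user.js; model that here.
const combine = (userJs, overrides) => userJs + "\n" + overrides;

// Drop /* ... */ blocks and // comments but leave string contents alone.
// Newlines are kept so that line numbers still match the original file.
function stripComments(text) {
  let out = "", i = 0, quote = null;
  while (i < text.length) {
    const c = text[i], next = text[i + 1];
    if (quote) {
      out += c;
      if (c === "\\") { out += next ?? ""; i += 2; continue; }
      if (c === quote) quote = null;
      i++;
    } else if (c === '"' || c === "'") {
      quote = c; out += c; i++;
    } else if (c === "/" && next === "/") {
      while (i < text.length && text[i] !== "\n") i++;
    } else if (c === "/" && next === "*") {
      const end = text.indexOf("*/", i + 2);
      const stop = end === -1 ? text.length : end + 2;
      out += text.slice(i, stop).replace(/[^\n]/g, "");
      i = stop;
    } else { out += c; i++; }
  }
  return out;
}

// Return [{name, value, line}] for each active user_pref() call, in order.
function parsePrefs(text) {
  const clean = stripComments(text), prefs = [];
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/g;
  for (const m of clean.matchAll(re)) {
    const line = clean.slice(0, m.index).split("\n").length;
    prefs.push({ name: m[1], value: JSON.parse(m[2]), line });
  }
  return prefs;
}

// The last assignment wins, which is why appended overrides take effect.
function effectivePrefs(userJs, overrides) {
  const base = new Map(parsePrefs(userJs).map(p => [p.name, p.value]));
  const effective = new Map(base), changed = [];
  for (const p of parsePrefs(overrides)) {
    if (p.name !== PARROT && base.has(p.name) && base.get(p.name) !== p.value)
      changed.push(p.name);
    effective.set(p.name, p.value);
  }
  return { effective, changed };
}

// Compare the parrot value seen in about:config with the last one in the
// combined file; on a mismatch return the line range of the section to inspect.
function checkParrot(combined, observed) {
  const parrots = parsePrefs(combined).filter(p => p.name === PARROT);
  const expected = parrots.length ? parrots[parrots.length - 1].value : undefined;
  if (observed === expected) return { ok: true, expected, section: null };
  const idx = parrots.findIndex(p => p.value === observed);
  const section = idx === -1 ? null
    : { fromLine: parrots[idx].line, toLine: parrots[idx + 1].line };
  return { ok: false, expected, section };
}

console.log("changed by overrides:", effectivePrefs(USER_JS, OVERRIDES).changed);
console.log(checkParrot(combine(USER_JS, OVERRIDES), "0200 section"));
```

Run it with Node.js. To use it on real files, read user.js and user-overrides.js from the profile directory and pass their contents in place of the two sample strings.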

Updating the user.js and user-overrides.js files

To update the 'ghacks' user.js file just run the updater script with the -c switch as explained earlier. To update my personal user-overrides.js file, just copy the contents of the new version to your user-overrides.js, then run the updater script with the -c switch. Lastly, run the 'ghacks' prefsCleaner script with Firefox closed. To be notified of updates to the 'ghacks' user.js and/or my user-overrides.js files, i strongly suggest subscribing to the following:

HSTS tracking

To understand how HTTP Strict Transport Security (HSTS) works and how it can be used to track browsing history, as well as the implications of disabling it, read How to prevent HSTS tracking in Firefox on the ghacks website. Setting the preference security.cert_pinning.enforcement_level to '0' may disable HSTS and Public Key Pinning, however there is a security risk in doing so. If you set the preference to '0' and experience the error "The server uses key pinning (HPKP) but no trusted certificate chain could be constructed that matches the pinset.", reset the preference. Likewise if you set the preference to '2' and experience the error "MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE", reset the preference.

uMatrix usage

!!! SET THE SCOPE, LOCK THE LOCK !!! Keep that in mind as you read this section.

You will likely be spending far more time with uMatrix (uM) than all the other add-ons combined and, being it is one of the most important ones in the pile, it is vital you understand how to use it, so read the wiki because i'm not going to go into great detail here.

When you first install uMatrix, it will allow all 1st party requests by default and we need to sledgehammer that, so load up 12bytes.org in a new tab and click the uM toolbar icon to display the main pop-up interface:

Because you have read the uMatrix wiki (you did, right?), you already know that YOU MUST REMEMBER TO SET THE SCOPE in which uM operates before making any changes. Failing to do this will threaten your privacy and/or security. You also know that any changes you make are temporary unless you save them. Since we first want to set some basic default filters that affect all websites, we need to change to the global scope:

Once we're operating in the global scope, i suggest setting up uMatrix to allow CSS, images and, if you're using Site Bleacher, 1st party cookies, all globally. Optionally you may want to allow 1st party media and/or frames globally.

The configuration above will result in the following behavior:

  • 1st party cookies will be allowed globally
  • CSS will be allowed globally, including 3rd party CSS
  • Images will be allowed globally, including 3rd party images
  • 1st party frames will be allowed globally

Unless you only want your changes to be temporary, always remember to click the padlock icon to save them.

Note that in the screenshots that follow, the 1st party cookies block will not always be green as in the one above due to an oversight on my part when i created the screenshots.

Now load up this post in a new tab. Does it look like something's missing? Sure enough, if we open the uMatrix pop-up interface again, we see youtube-nocookie.com (or just youtube.com) in the resource list which should tell you that there must be a YouTube video in that post that is being blocked. It also tells you exactly what was blocked, in this case a single frame:

If uMatrix is hiding the subdomains and you don't see www.youtube-nocookie.com, click this little thing in the 'all' row and it will expand the list of domains:

In the screenshots above you can see we are operating in the local scope (12bytes.org). You will notice that i allowed all requests for the 1st party domain, 12bytes.org, because it's my site and i trust it. You need not do the same and, as a rule of thumb, you should not do the same, nor is it required to get the video to play, at least not on 12bytes.org.

So we want to get that YouTube video working, but do we want to allow embedded YouTube videos for 12bytes.org only, or for all websites? This is what you need to be thinking any time you create filter rules. Since you probably want to allow YouTube videos for all websites, we need to switch uMatrix to the global scope and unblock the blocked frame for either the youtube-nocookie.com domain or the www.youtube-nocookie.com domain. Which you choose depends on whether you want to allow the resource for the root domain, including any sub-domain, or only the sub-domain. In this instance i suggest keeping it simple and allowing the frame for the root domain and all subdomains as shown. Make sure you save the change:

Now when we refresh that page, we might expect to see that YouTube video, but we don't. Opening the uM pop-up again and switching to the global scope, we discover that allowing the frame for youtube-nocookie.com caused more stuff to show up, this time a script for www.youtube-nocookie.com as well as another for a new domain, ytimg.com:

Making sure you are working in the global scope, let's unblock scripts for ytimg.com and youtube-nocookie.com. Make sure to save your changes:

Now when you reload the post page, everything should look good. We see the video frame and a nice image. Great. Click the play button and... nothing! Open the uM pop-up once more and we find that we need to allow XHR for the youtube-nocookie.com domain. You know what to do, so go ahead and make the change, making sure you're working in the global scope and remembering to save your change afterwards. Refresh the page again and click the play button on the video. It still doesn't work! Again, open the uM pop-up and you'll see another new domain has appeared, this time googlevideo.com (in case you didn't know, Google owns YouTube). If googlevideo.com is not displayed in the list, hold your Shift button when clicking the reload icon on the uM toolbar in order to force a full page reload and bypass the browser cache. Having to do this is typical when dealing with frames. Again, make sure you're working in the global scope and unblock the XHR requests for googlevideo.com and save your changes:

Now refresh the page one last time and the video should play. If it does not, you probably messed something up and there's a fair chance it's because you made one or more changes in the wrong scope and tried to correct them. If you messed something up, open the uM Dashboard, click the 'My rules' tab and in the 'Temporary rules' pane, delete all of the rules you created related to YouTube videos and 12bytes.org, but be careful not to delete the default rules or the global rules we set up originally. To do this, select the rules and press your delete key, then click the 'Save' and 'Commit' buttons:

Once you've deleted those rules and committed the changes to the 'Permanent rules' list, go back to the first step and try again.

De-borking other websites is generally not as time consuming as it was to get embedded YouTube videos to play and is instead usually accomplished with a couple of mouse clicks and a page refresh versus a page reload. Just remember to turn to uMatrix first when a website isn't working as expected. If uM is blocking something it will let you know by displaying a badge on the toolbar icon. uBlock Origin will do the same, but it won't usually be the cause of the problem since we offloaded its dynamic filtering to uMatrix by not enabling its advanced mode of operation. Again, make sure you read the uMatrix wiki.

Another way to get a website working quickly is to check if there are any user created rule recipes available for the site you're visiting or the resource it wants to load. If there are, that little puzzle-piece icon on the uM pop-up interface will become active and from it you can click a rule-set to import. Make sure you set uM to operate in the scope you want before importing the rule-set and then save the changes if you wish to make them permanent. Also be aware that user created rule-sets may allow more than you want to allow, however you can always adjust as necessary before saving the changes. User rule-sets can be helpful in determining why a site does not function properly. By the way, you could have done this for YouTube videos on 12bytes.org instead of letting me drag you through the mud, but it's important that you understand how uMatrix works and how to work with it.

Lastly i want to stress the importance of both the uBlock Origin logger and the uMatrix logger which are invaluable tools for troubleshooting tougher problems. You can get a better understanding of the uM logger by reading the documentation for the uBO logger since it is far more complete as of this writing, though some information is uBO specific.

THE END (lie)

While there are many more things you could do if you're really concerned about protecting your privacy and browser integrity, i hope this guide has been of some use to the technically adept novice or intermediate web surfer at which it is aimed. I welcome any questions or comments you may have, just please leave them in the comment section so others can benefit (you need not be logged in).

Lastly i want to again thank all of the dedicated and skilled people who created, maintain and contribute to the ghacks-user.js repository, especially Thorin-Oakenpants (aka, 'pants') and earthlng. This guide would never have been as comprehensive as it is without the benefit of that bunch of misfits :) Also i'd like to thank the many people who make privacytoolsIO possible. Their website is an excellent resource for those looking to protect their privacy and security.

IMPORTANT: If you incorporate suggestions made in this guide, please subscribe to the Firefox category on the subscription page. This article is updated fairly often and it's the best way to stay informed.

Resources

Further reading on this website

The 'ghacks' repository on GitHub

Everything else

Revision history

Scroll to the bottom to see the latest changes.

11-APR-2015

  • first publishing

14-APR-2015

  • removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
  • almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
  • various other edits and corrections.

15-APR-2015

  • updated user.js file
  • several other small updates and a few corrections

16-APR-2015

  • updated user.js file
  • switched uBlock versions since a new fork was created
  • updated uBlock images and documentation
  • added a "Current notices" section
  • misc. other corrections/updates/edits

17-APR-2015

  • updated and added more information for uBlock
  • updated one HTTP UserAgent cleaner screen-shot
  • misc. other corrections/updates/edits

18-APR-2015

  • updated HTTP UserAgent cleaner information
  • for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.

22-APR-2015

  • updated information for HTTP UserAgent cleaner
  • updated user.js file
  • minor updates to uBlock information
  • misc. other minor changes

23-APR-2015

  • updated some HTTP UserAgent cleaner information
  • deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
  • misc. other minor changes

25-APR-2015

  • updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
  • updated the user.js file
  • updated some definitions of terms used in this document
  • added some more resources

26-APR-2015

  • updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner

2-MAY-2015

  • updated HTTP UserAgent cleaner information to match changes in version 0.7.4.11a

3-MAY-2015

  • added Pure URL as a suggested add-on
  • updated contents of the user.js file
  • added and edited some information for HTTP UserAgent cleaner
  • added more resources in the References section

5-MAY-2015

  • updated list of recommended filters for uBlock
  • updated user.js file contents

13-MAY-2015

  • updated user.js file contents
  • updated a few settings recommendations for HTTP UserAgent cleaner

14-MAY-2015

  • minor updates to user.js file contents

17-MAY-2015

  • added information for securing DNS traffic
  • misc. minor updates

5-JUN-2015

  • switched to Raymond Hill's version of uBlock
  • updated uBlock filter information
  • added Fetch information for new version of HTTP UserAgent cleaner
  • updated user.js file contents
  • misc. minor updates

25-JUN-2015

  • updated uBlock settings to match the current development version (0.9.9.2)
  • misc. minor updates

8-JUL-2015

  • removed HTTP UserAgent cleaner since it is no longer being developed
  • removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
  • added uMatrix

9-JUL-2015

  • added more info for uMatrix and IP Config test results
  • updated user.js file contents
  • various other edits

13-JUL-2015

  • Minor edits for uMatrix usage text

20-AUG-2015

  • updated user.js file
  • removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it

5-FEB-2016

  • updated user.js file contents

12-FEB-2016

  • updated user.js file contents

29-APR-2016

  • updated guide information
  • updated user.js file and added a revision history to the file

1-MAY-2016

  • updated user.js file

12-MAY-2016

  • updated user.js file
  • minor grammar/spelling corrections

3-JUN-2016

  • corrected an error with pref 'layout.css.devPixelsPerPx' where the value was an integer instead of a string - this caused all prefs following it to be ignored

17-JUN-2016

  • set 'browser.fixup.hide_user_pass' back to its default value
  • added 'network.http.redirection-limit'

23-JUN-2016

  • added some basic information for configuring the Clean Links add-on

1-JUL-2016

  • corrected 'plugin.scan.*' values to be strings
  • added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems

3-JUL-2016

  • changed the name of the troubleshooting/bogus preference to 12bytes.org-user-js-settings and added values to indicate the point at which the file stopped loading - a huge thanks to commenter 'Pants' for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, 'Pants' is the author of the user.js config file used in the 'ghacks' article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i'm very glad to have his input here)

16-SEP-2016

  • removed duplicate preferences in user.js file (see change-log in the file for details)

28-SEP-2016

  • removed Extension Defender from the list of recommended add-ons since its home page is gone and the code hasn't been updated in two years
  • updated user.js file

18-FEB-2017

  • switched to using Pants' config v0.11 and mostly just appending my settings to the end of his - because this is a major update, no history of changes to individual preferences will be published

19-FEB-2017

  • published my user.js on GitHub which was forked from Pants' code
  • removed my user.js code from this page and linked to it on the GitHub page instead
  • changed my versioning scheme to match Pants' where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
  • updated user.js to include v51 of Pants' config - no preference changes so far as i know, just added/removed/changed comments
  • updated text in user.js section to account for the new changes
  • changes to comments and troubleshooting preference names and values, other minor changes

20-FEB-2017

  • updated user.js to version 51r2 - see the GitHub page for the change-log
  • updated info here regarding the user custom preferences section of user.js

12-MAR-2017

  • deleted the GitHub repository which i forked from Pants' 'ghacks' repository and created a new repository which does not include his code
  • some changes to user.js
  • some major editing of this document mostly in regard to the creation and changes of the GitHub repositories

17-SEP-2017

  • rewrote and updated much of the content pertaining to uMatrix
  • added section "Removing system add-ons"
  • added section "Sanitizing the default search engine plugins"

11-DEC-2017

  • added some add-ons to the recommended section
  • misc. minor edits

22-SEP-2017

  • i didn't keep track of all the changes and many were made - you'll have to re-read the guide :)

27-SEP-2017

  • added section "A special note about cryptocurrency miners"

30-SEP-2017

  • added more info about IndexDB storage in the "Terminology" and "uMatrix configuration" sections.

11-DEC-2017

  • added to the list of recommended add-ons
  • updated some content to reflect the current state of Firefox and WebExtensions
  • misc. minor edits

19-DEC-2017

  • added a link to my post about the Firefox add-on, Looking Glass
  • misc. minor edits

2-MAR-2018

  • minor edits

24-OCT-2018

  • removed cryptocurrency miner section
  • removed information about the OpenH264 Video Codec plug-in since it seems Firefox is no longer shipping it, at least not on Linux
  • removed the Load from Cache add-on
  • removed some information about uMatrix since uBlock Origin covers most everything uMatrix does and is better suited for removing advertisements, plus it's a much more active project.
  • updated some information
  • note that many more updates will occur in the next days, so i would suggest waiting until they are published before following this guide

25-OCT-2018

  • rewrote most of this guide, so if you read it before, read it again :)

26-OCT-2018

  • added the section 'Firefox profile in RAM'
  • misc. other minor edits

27-OCT-2018

  • lots of clarifications and polishing, added several resources

30-OCT-2018

  • added uMatrix to the add-on pile again
  • added the uMatrix sections of this document
  • removed info about running uBlock in advanced mode since we're using uMatrix for dynamic filtering instead
  • several minor edits
  • polishing

31-OCT-2018

  • add Cookie AutoDelete as a highly recommended add-on and updated configuration information for uMatrix to allow 1st party cookies by default
  • removed information about the Forget Me Not add-on
  • added information about First Party Isolation
  • added rule to uM to prevent web workers
  • added information about the uBO and uM logging functions
  • corrected some mistakes
  • polishing

2-NOV-2018

  • added info about using the user created rule sets for uMatrix, as well as correcting some mistakes and clarifying other uM info
  • polishing

27-Nov-2018

  • added info about HSTS tracking
  • minor edits

30-Nov-2018

  • added more info to the uMatrix section, particularly about indexedDB storage
  • minor edits

11-Dec-2018

  • clarified much information regarding the user.js files as well as other parts
  • added more info about browser fingerprinting
  • added more detail regarding system add-ons
  • added a user-overrides.js template
  • updated Header Editor rules download
  • added several more 3rd party resources
  • misc. minor edits

21-Dec-2108

  • added POOP as a required add-on and accompanying configuration information
  • configuration information for Neat URL was located in the wrong section
  • minor polishing

22-Dec-2018

  • minor clarifications

26-Dec-2018

  • add notice about newsletter subscribing
  • corrected advice regarding spoofing the referrer which was suggested for both POOP and uM (now it's enabled in uM only)
  • dumped Cookie AutoDelete add-on - not needed when using uM and First Party Isolation, nor are any of these storage cleaning add-ons able to delete IndexedDB storage due to a shortcoming in the WebExt API, which is another reason to enable FPI
  • removed privacy.firstparty.isolate = false in user-overrides.js in order to enable First Party Isolation
  • added Restrict to Domain add-on to toggle privacy.firstparty.isolate (FPI) via toolbar button
  • removed the list of optional add-ons (NoScript and Smart Referrer)
  • minor edits
  • coming up: looks like i may be recommending to disable FPI in the very near future and use the Temporary Containers add-on instead - i'm playing with it now

29-Dec-2018

  • added some more info regarding HSTS tracking and the SiteSecurityServiceState.txt file based on user feedback - it appears some AV's might have a problem if this file is set to read only
  • added a new resources section specific to the 'ghacks-user.js' GitHub repo
  • added Temporary Containers (TC) add-on and associated info - this results in several major changes throughout the guide
  • added Firefox Multi-Account Containers add-on and associated info - this is used in conjunction with the TC add-on
  • added 'Using containers' section
  • removed Canvas Blocker add-on - not needed with TC
  • removed Restrict to Domain add-on - not needed with TC
  • removed Don't touch my tabs! add-on - (probably) not needed with TC
  • removed Header Editor - not needed for what we were using it for since the function is handled by TC
  • re-added privacy.firstparty.isolate = false to user-overrides.js
  • edited some uMatrix info regarding its privacy settings to reflect changes as a result of the TC add-on
  • added more info about importing rule-sets for uMatrix
  • moved Smart HTTPS add-on to the required section
  • moved Skip Redirect add-on to the required section
  • removed the suggested add-ons section
  • corrected mistakes and updated info in the section regarding integrity checking of the user.js/user-overrides.js files
  • reworked and updated the entire user-overrides.js file
  • removed mention of the template user-overrides.js file and associated download link - user should use the one provided in my GitLab repo
  • several minor edits/clarifications

3-Jan-2019

  • minor edit

12-Jan-2019

  • clarify information regarding the downloading of the configuration files thanks to a commenter
  • updated user-overrides.js
  • fix minor typo

17-Jan-2019

  • minor polishing

22-Jan-2019

  • updated info on HSTS tracking
  • updated info regarding downloading my user-overrides.js file

28-Feb-2019

  • added a link to a comment by 'Bushdoctor' who was kind enough to provide information about loading Firefox profiles in RAM for Windows users

29-Mar-2019

  • added instructions for cleaning user-overrides.js of obsolete preferences
  • minor edits

23-Apr-2019

  • removed info about manually cleaning the user-overrides.js file in favor of using the -c switch when running the updater.js/updater.bat script
  • added Site Bleacher to list of required add-ons
  • removed all info regarding containers as well as the Temporary Containers and Firefox Multi-Account Containers add-ons - i prefer to enable privacy.firstparty.isolate (the default in the 'ghacks' user.js) in combination with Site Bleacher (far less headaches)
  • replaced Neat URL with ClearURLs - while the former is a good extension, i think the latter is even better
  • replaced Smart HTTPS with HTTPZ
  • moved all add-on settings info to the required add-ons section
  • uBlock: added info for globally blocking 3rd party fonts while allowing 1st party fonts
  • misc. edits

24-Apr-2019

  • several clarifications and minor edits

1-May-2019

  • minor edits

6-May-2019

  • minor edits

7-May-2019

17-May-2019

  • removed mention of LibreFox (project is currently stalled due to legal nonsense)
  • minor corrections, clarifications and edits

21-May-2019

  • moved my Mozilla rant to a separate page
  • added a cryptominer block filter URL to uBlock

23-May-2019

  • added a note about enabling the search bar on the navigation bar
  • minor edits

27-May-2019

  • added note that this guide is not intended to be used with the Tor browser
  • minor edits

8-Jun-2019

  • very minor edit

13-Jun-2019

  • updated setup instructions for HTTPZ
  • minor edits

18-Oct-2019

  • moved my user-overrides.js from GitLab to Codeberg code repository

6-Nov-2019

  • stuck the uBlock config stuff on its own page

18-Nov-2019

  • added a note to Canvas Blocker marking it as optional
  • added a note regarding the no-workers: * true setting in uMatrix

29-Nov-2019

  • minor edit

13-Jan-2020

  • updated info for CanvasBlocker

23-Jan-2020

  • minor edits

7-Feb-2020

  • added ETag Stoppa
  • added more info regarding browser fingerprinting

18-Feb-2020

  • minor edits to uBlock, uMatrix and HTTPZ settings

10-Mar-2020

  • minor updates/clarifications

21-Mar-2020

  • removed ETag Stoppa since eTag filtering is now handled by ClearURLs
  • added detail regarding ClearURLs settings

5-Apr-2020

  • swapped out Decentraleyes for LocalCDN - thanks to commenter 'theltalpha' for reminding me about this

Firefox Extensions - My Picks

Mozilla Firefox is a popular web browser that is easily extended with add-ons, of which there are literally thousands. These are my favorites...

Mozilla Firefox is a popular, extensible, open source (mostly) web browser that is highly configurable and easy to use. Somewhat bare out of the box however, its functionality is easily extended with add-ons, or 'extensions' if you prefer, of which there are many thousands.

Beware

AMO Malware
A typical day at the Mozilla Firefox Add-ons repository, 2019.

With so many "free" add-ons, the casual user might be tempted to install lots of them, however i would strongly suggest installing only those you really like or need since the potential to break things and compromise browser security and your privacy increases with every add-on you install.

Another problem is unethical developers who may include unwanted and unnecessary functionality which is not relevant to the primary purpose of the add-on. Often this results in data collection, tracking your web activities or worse, all of which i categorize as malware. The problem of malware in Mozilla's add-on repository (AMO) has grown exponentially as a result of an automated review process and the company's move to the WebExtension API which made it easy for unethical developers who have infected the Google Chrome Store to port their garbage to Firefox. Although the WebExtension API is greatly limited in its capabilities as opposed to the older XUL/XPCOM extensions, user tracking and advertising are permitted and, on occasion, far more dangerous add-ons escape detection.

Add-on selection guidelines

  • You've been warned. Many extensions will be accompanied by a warning on their AMO pages which indicates that the extension is not monitored by Mozilla and therefore is more risky to install. While monitored extensions are likely to be more trustworthy in general, there are many others which are perfectly fine to install as long as you trust the developer or review the code yourself.
  • Be very wary of any tool-bar add-ons. Almost all of these contain 3rd party spyware/malware components for monetization purposes.
  • If an add-on has a privacy policy, read it. Some privacy policies are fine but many are clearly worrying. If the privacy policy is a wall of text (long), it's probably crap.
  • Read the add-on permissions. The Mozilla add-on website lists the permissions that add-ons require, though there seem to be major problems at this time in that all permissions used by an add-on may not be listed, or permissions which the add-on does not use may be listed, so don't trust this completely. That said, look for permissions that seem unnecessary given the described functionality of the add-on.
  • Don't install newly released add-ons. Mozilla uses a deeply flawed automated system to evaluate add-ons, so wait a while until others have had a chance to review it or flag it as abusive. If the add-on quickly disappears or gets poor reviews, be thankful you didn't install it.
  • Check the license. Be wary of developers who use a restrictive license, such as 'All Rights Reserved'. Most ethical developers will use a liberal, open source license, such as the General Public License (GPL) or the Mozilla Public License (MPL).
  • Is the source code published? Avoid developers that attempt to hide their source code. Most ethical developers will publish their source code on platforms like GitLab or GitHub where users can submit proper bug reports and feature requests. If the source code is not published, you can still view it by decompressing the add-on or by using the excellent Extension source viewer add-on, though you will need to have an understanding of JavaScript.
  • Does the developer offer support? Be wary of developers that make it difficult or impossible to contact them or submit bug reports.
  • Read the user reviews. Always read the user reviews to see how well an add-on is liked and be wary if it is rated 3 stars or less, or not rated at all, or was rated highly by only a few people. Sometimes the developer of the add-on will be the first to "review" it, giving it 5 stars. Regardless of the rating however, always check the comments of the people that gave it the lowest rating to see if their gripes seem legitimate. Don't depend on ratings alone however as there are many add-ons that have been highly rated by hundreds or thousands of people that contain malware.
  • Check the developer's profile. Always check to see what other add-ons the developer has created and how those are rated. Be wary when the developer is named as a company and not an individual, or when the name used is anonymous, such as "Firefox user" followed by a random string of numbers.
  • Visit the developer's website. See what kind of content is on the developer's website if they link to one and look for marketing hype.
  • Be wary of very popular add-ons. Many developers of hugely popular add-ons have been contacted by malware distributing 3rd parties wanting to buy their add-on or make a deal with them. Adblock Plus by Eyeo GmbH (Wladimir Palant), which currently lists over 8 million users, is a glaring example where a developer created a hugely popular ad blocking extension which allows ads by default. The company charges advertisers 30% of their revenue from ad blocking users. Giorgio Maone, the developer of the very popular NoScript add-on, engaged in similar chicanery a while back.
  • Keep your add-ons updated, but DO NOT allow automatic updates. Before updating an add-on, read the version history to see what was changed and make sure the privacy policy, if there is one, remains strong. The problem with automatic add-on updates is that a developer may decide to monetize their work at any time and without warning, or sell their extension to an unethical party such as the developer of Stylish apparently did. Ingo Wennemaring, the well liked developer of the once popular All-in-One Sidebar add-on, warned about this in a blog post:

It was always very important for me to be honest and fair to the users. I had very good offers to sell the extension, but I didn't want to see that AiOS turn into adware or spyware.

CSP: The non-bug bug crisis

Lastly, another good reason to install as few extensions as possible has to do with Content Security Policy (CSP) and HTTP header modification. Some extensions, such as uBlock Origin, uMatrix, Canvas Blocker, etc., can modify HTTP headers in order to do whatever it is they need to do. The problem here is that there's a rather critical bug in Firefox that remains unaddressed, the result of which is that only one extension can modify any given HTTP header and this can break the functionality of other extensions which attempt to modify the same header. Making matters worse, Mozilla refuses to call this bug a bug and therefore it isn't a high priority item. What this means for users is that, for example, arbitrary JavaScript may run on a website even if you have scripting disabled with something like uBlock Origin or uMatrix.

There are a few things you can do to minimize the problem: 1) don't install more extensions than necessary, 2) disable any unneeded CSP related options in an extension, 3) check if an extension uses CSP prior to installing it with the Extension source viewer add-on (you can do this by searching the code using !content-security-policy), 4) when starting Firefox, go immediately to the add-on page (about:addons), disable any critical extensions that use CSP and then re-enable them. For example, the most important add-ons to me are uBlock Origin and uMatrix, so when i start Firefox, i disable both and then re-enable uBlock first and uMatrix last. The last extension that you enable is the one that will have priority regarding CSP header modification.
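The check in step 3 and the permission review from the selection guidelines can also be done offline against a downloaded .xpi file. The following is an added example, not code from this guide or from any add-on it lists; the function names and the sample package built in memory are constructed for illustration.

```python
import io
import json
import re
import zipfile

# The same string the guide searches for with "!content-security-policy".
CSP_PATTERN = re.compile(rb"content-security-policy", re.IGNORECASE)
HOOK_PATTERN = re.compile(rb"onHeadersReceived")
# Both permissions are needed for a blocking listener that rewrites headers.
HEADER_PERMS = {"webRequest", "webRequestBlocking"}
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
SCANNED_SUFFIXES = (".js", ".mjs", ".html", ".htm")
MAX_FILE_BYTES = 5 * 1024 * 1024  # skip oversized members instead of inflating them


def load_manifest(archive):
    """Parse manifest.json, dropping the //-comment lines Firefox tolerates."""
    raw = archive.read("manifest.json").decode("utf-8-sig")
    lines = [ln for ln in raw.splitlines() if not ln.lstrip().startswith("//")]
    return json.loads("\n".join(lines))


def audit_xpi(xpi):
    """Inspect a WebExtension package (path or file object) without installing it."""
    with zipfile.ZipFile(xpi) as archive:
        manifest = load_manifest(archive)
        declared = []
        for key in ("permissions", "optional_permissions", "host_permissions"):
            declared += [p for p in manifest.get(key, []) if isinstance(p, str)]
        csp_files, hook_files, skipped = [], [], []
        for info in archive.infolist():
            if not info.filename.lower().endswith(SCANNED_SUFFIXES):
                continue
            if info.file_size > MAX_FILE_BYTES:
                skipped.append(info.filename)
                continue
            data = archive.read(info)
            if CSP_PATTERN.search(data):
                csp_files.append(info.filename)
            if HOOK_PATTERN.search(data):
                hook_files.append(info.filename)
    return {
        "permissions": declared,
        "broad_hosts": [p for p in declared if p in BROAD_HOSTS],
        "csp_files": csp_files,
        "hook_files": hook_files,
        "skipped": skipped,
        # Heuristic only: header-rewrite permissions, a response-header hook
        # and the CSP header name all appear in the same package.
        "likely_rewrites_csp": HEADER_PERMS.issubset(declared)
        and bool(csp_files) and bool(hook_files),
    }


# Constructed sample: a background script that appends a CSP response header.
SAMPLE_CSP_JS = """
browser.webRequest.onHeadersReceived.addListener(
  (details) => {
    details.responseHeaders.push(
      { name: "Content-Security-Policy", value: "script-src 'none'" });
    return { responseHeaders: details.responseHeaders };
  },
  { urls: ["<all_urls>"] },
  ["blocking", "responseHeaders"]
);
"""


def build_sample_xpi(background_js, permissions):
    """Build a minimal, constructed .xpi in memory so the audit runs offline."""
    manifest = {
        "manifest_version": 2,
        "name": "constructed-sample",
        "version": "1.0",
        "permissions": permissions,
        "background": {"scripts": ["background.js"]},
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("manifest.json", json.dumps(manifest))
        archive.writestr("background.js", background_js)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    sample = build_sample_xpi(
        SAMPLE_CSP_JS, ["webRequest", "webRequestBlocking", "<all_urls>"])
    print(json.dumps(audit_xpi(sample), indent=2))
```

Pass `audit_xpi` the path of a downloaded .xpi to audit a real package. A positive result marks the add-on as a candidate for the header conflict described above, not as proof of it.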

To learn how you can disable unnecessary CSP related options in some of the add-ons listed here, see the Extensions section of the 'ghacks' user.js wiki.

For more, see the sticky: unofficial: the extension csp header modification game issue on the 'ghacks' user.js repository. Also please vote for the following issues on Bugzilla: 1421725 - finalize how changing headers should work and 1477696 - webExtension: webRequest.onHeadersReceived: accidentally overwriting header from other extensions. You can also gripe to Mozilla about this without having to create an account.

Add-ons

Add-ons are tagged with either [enhancement] or [privacy/security] in order to identify their primary role.

0T Reverse Image Search by ZcnS [enhancement]

0T Reverse Image Search is a privacy friendly add-on used to find different versions of a given image using 3rd party services such as TinEye. Reverse image searching is a great way to find higher resolution versions of an image or to find when an image may have first been published to the web, the latter of which can be beneficial for researchers.

CanvasBlocker by kkapsner [privacy/security]

CanvasBlocker blocks or fakes 'Canvas' which is a JavaScript API used to draw graphics on-the-fly. Canvas poses a substantial threat to privacy in that it can be used to fingerprint the browser.

Caveats: For advanced users. Will likely break some sites until settings are adjusted.

ClearURLs by Kevin R. [privacy/security]

ClearURLs replaces Neat URL as my preferred link cleaner. ClearURLs removes many tracking parameters from links you click, such as the Google utm_* garbage which is used to track where you go on the web. Unlike all of the other link cleaners i've seen and used, ClearURLs doesn't include a static list of parameters, nor does it have any options or whitelist that you need to mess with. This neat little extension pulls a file from the developer's GitLab repository which negates having to update the extension when there's a change to the list of parameters. Though i was sure i was going to miss the ability to whitelist certain domains, i have yet to see anything break because of this extension.

CSS Exfil Protection by Mike Gualtieri [privacy/security]

CSS Exfil Protection prevents a certain CSS exploit that can be used to steal data from webpages.

Caveats: Could potentially break some websites, though it is easy to disable the add-on from its toolbar icon.

Dark Background and Light Text by Mikhail Khvoinitsky [enhancement]

Dark Background and Light Text replaces Dark Reader as my preferred add-on for darkening the entire web. These 'darkify' add-ons, of which there are many, change the colors used by all websites to a darker theme and this one seems to be the best of them.

Caveats: All of these dark web add-ons fail miserably in at least some cases and this one is no exception, however it seems to work better than all of the others i've tested and it offers a few different styles that can be assigned to specific websites when the default style fails.

LocalCDN by nobody42 [privacy/security]

LocalCDN, a fork of Decentraleyes, is a must-have privacy enhancing add-on that has the additional benefit of decreasing the load time for many websites which depend on 3rd party Content Delivery Networks (CDN) for various functionality. It accomplishes this by storing and loading several common JavaScript resources locally instead of having to fetch them from the server. The developer is also beginning to include common fonts with the add-on including Font Awesome which is widely used to display various icons.

Caveats: Could potentially break some websites, though this seems to happen very rarely in my experience, plus it's easy to white-list any affected domains.

Disable Tab Detach by Matt Hensman [enhancement]

Disable Tab Detach simply prevents moving a tab to a new Firefox window if you accidentally drag it downward from the tab bar. I find this behavior incredibly annoying and the lack of a built-in Firefox option to disable it is just stupid. Disable Tab Detach is kind of hacky in the way it works, but it gets the job done.

Extension source viewer by Rob W [enhancement]

Extension source viewer is a handy and well thought out utility to quickly view the source code of a Firefox extension right from the Mozilla add-ons website without having to download and unpack it manually. The extension has the ability to search the contents of the files in the source code by prefixing the search with '!'.

Caveats: For advanced users.

Feed Preview by Guido Berhörster [enhancement]

Feed Preview simply displays a formatted version of news feeds, a capability that was built-in to Firefox before the geniuses at Mozilla decided to remove it.

FireMonkey by erosman [enhancement]

FireMonkey is a lightweight utility used to inject JavaScript and/or CSS styles into pages. Unlike Greasemonkey and other add-ons of this type, FireMonkey respects your privacy.

Caveats: For advanced users. Installing user scripts is a security and/or privacy risk. While this holds true for extensions as well, user scripts are generally not scrutinized to the degree that extensions are when they are downloaded from Mozilla.

First Party Isolation by freddyb [privacy/security]

First Party Isolation simply toggles the privacy.firstparty.isolate preference. First Party Isolation, or FPI, is a Firefox privacy feature which plays a very important role in preventing browser tracking and fingerprinting.

Caveats: Could potentially break some websites, though it can be quickly toggled off by clicking its toolbar button.

Flagfox by Dave G [enhancement]

Flagfox is a neat utility that adds an icon to the address bar which represents the flag of the country in which the web server is located. When the icon is right-clicked, a context menu is revealed with many more tools, such as a WHOIS lookup, URL shortening services and more. You can also add your own services.

Caveats: If you choose to display the menu icons, they are not stored locally and have to be fetched the first time you open the menu which some might see as a privacy issue.

HTTPZ by claustromaniac [privacy/security]

HTTPZ is a very simple install-it-and-forget-it add-on that attempts to redirect all HTTP (insecure) traffic to HTTPS (secure).

Privacy Redirect by Simon Brazell [privacy/security]

Privacy Redirect redirects requests to several privacy-hating platforms to privacy-friendly alternatives. YouTube videos, including embedded, can be redirected to several alternatives, as can Twitter, Bibliogram and Google Maps requests.

Caveats: Sometimes the requested alternative service may be overloaded or down, however you can always switch to another provider very quickly from the toolbar icon.

Link Text and Location Copier by William Groenendijk [enhancement]

Link Text and Location Copier allows you to copy formatted text and a link for a webpage in various ways, plus you can define your own templates. You can also paste content as Rich Text, meaning you can paste the title of a page and its link directly into the visual WordPress editor for example.

Mark-It by Matt [enhancement]

Mark-It is a simple and handy add-on that replaces your new tab page with one that allows you to write notes in markup format.

Maximize All Windows (Minimalist Version) by ericchase [enhancement]

Maximize All Windows (Minimalist Version) does one thing and does it well, and that is to make sure the Firefox window starts in a maximized state. If you typically maximize Firefox and you have privacy.firstparty.isolate enabled, you may be annoyed when it fails to remember its state after a restart. This add-on solves the problem, but be aware that Firefox may be far more vulnerable to fingerprinting as a result (this is due to various window dimensions, not the extension).

mozlz4-edit by Siarhei Kuzeyeu [enhancement]

mozlz4-edit allows one to edit, format and otherwise manipulate several types of compressed files including the search.json.mozlz4 file which is where Firefox stores all of its search engine plugins.

Caveats: For advanced users.

Privacy Oriented Origin Policy by claustromaniac [privacy/security]

Privacy Oriented Origin Policy (POOP) helps protect your privacy by preventing Firefox from sending Origin headers, though how it works is configurable.

Caveats: For advanced users. May break some websites, though it is easily disabled and sites can be whitelisted. There is a lengthy discussion about what led to the development of this add-on on GitHub if you're interested.

Redirector by Einar Egilsson [enhancement]

Redirector automatically redirects selected pages, links and more to another resource of your choosing. For some examples of how you can use Redirector, see the Redirecting this to that section of the Firefox Tweaks and Fixes and Styles and Things page.

Scroll Up Folder by Bruce Bujon [enhancement]

Scroll Up Folder adds an icon in the address bar that, when clicked, opens a list of the segments of the current document address. Clicking the list items makes it really easy to navigate up to a higher level of the address without having to manually edit it.

Site Bleacher by wooque [privacy/security]

Site Bleacher automatically removes cookies, local storage, IndexedDB storage and service workers. It is not perfect, but given the limitations of the Web Extension API and Mozilla's foot-dragging in fixing its problems, it is the only add-on at this time that automatically cleans IndexedDB and Service Workers storage on a tab by tab basis.

Caveats: May break some websites, however the add-on includes a whitelist.

Skip Redirect by Sebastian Blask [privacy/security]

Redirects sometimes happen when you click on a hyperlink expecting to go directly to the destination and, instead, your request is passed through an intermediary. Redirects are often used to track your browsing history or display ads before you are forwarded to the target domain. Skip Redirect simply tries to bypass this annoying behavior. I would suggest keeping the notification enabled when Skip Redirect does its thing as this makes it easy to troubleshoot a problem.

Caveats: May break the functionality of some websites in which case they can be added to a whitelist.

Smart RSS Reader by zakius [enhancement]

Smart RSS Reader is a 3-pane news feed reader and a pretty good one at that. It hasn't been around long and so there are some little niggles with it and it's missing some non-trivial features, but it functions quite well as a basic reader. The developer is very friendly and open to suggestions.

Stylus by Armin Sebastian [enhancement]

Stylus is used to write, store and apply custom CSS styles to websites, or even the entire web if you wish. Though you can use FireMonkey for this, working with Stylus is much nicer. Note: Do not use Stylish, a similar add-on.

Toggle Fonts by Manuel Reimer [enhancement]

Toggle Fonts provides a simple toggle switch that forces all websites to use your preferred font settings as set in Firefox preferences.

Caveats: May occasionally break how a website looks, but the add-on is easily disabled by clicking its toolbar icon. Only dictates what fonts a webpage can use; it does not prevent the downloading of fonts.

uBlock Origin by Raymond Hill [privacy/security]

uBlock Origin is a superior content filter (or firewall, if you like) that can replace several other content/ad blockers including Adblock Plus/Edge, NoScript, etc. It is capable of using the same filter lists as Adblock Plus/Edge as well as many more that they cannot. Two of the most welcome differences with uBlock Origin are that it does not slow page loading to any noticeable degree and it uses less memory than the Adblock derivatives. Another major advantage is that it can block both 1st and 3rd party requests for images, scripts and frames. See my Firefox Configuration Guide for Privacy Freaks and Performance Buffs article for more information regarding uBlock Origin. Lastly, note that there are two versions of uBlock: uBlock and uBlock Origin. You absolutely need to use the latter which is written by the original developer, Raymond Hill.

Caveats: For advanced users. As with any content filtering extension, uBlock Origin has the potential to break website functionality until it is configured correctly.

uMatrix by Raymond Hill [privacy/security]

uMatrix is another powerful content blocker by Raymond Hill and though it is similar to uBlock Origin, it offers more granular control over blocking various resources including cookies, CSS, images, plug-ins, scripts, XHR, frames and more. You can use uMatrix and uBlock Origin together. See my guide, Firefox Configuration Guide for Privacy Freaks and Performance Buffs, for further information.

Caveats: For advanced users. As with any content filtering extension, uMatrix has the potential to break website functionality until it is configured correctly.

Web Archives by Armin Sebastian [enhancement]

Web Archives makes it easy to find archived versions of webpages. It is fairly configurable, though it does not have an option to add your own archive resources, nor does it have an option to send a webpage to an archive, however I find the latter unnecessary since the archive sites I use allow you to easily archive a page if one isn't found.

Troubleshooting add-on related issues

See Firefox Tweaks and Fixes and Styles and Things.

Listing removed add-ons

While I'm sure there's a more geeky way of listing extensions which one has removed, this one works for me: In your Firefox profile folder, navigate to /extensions/staged and there should be folders with the names of the removed extensions. You can delete this folder if you like.

Doing it without an add-on

The fewer add-ons you install, the better, and there's a lot of things you can do to customize Firefox without add-ons.

Enhancing privacy and security

See: Firefox Configuration Guide for Privacy Freaks and Performance Buffs and The Firefox Privacy Guide For Dummies!

More tweaks

See: Firefox Tweaks and Fixes and Styles and Things

Giving back

If you like an add-on, or any other free and open source software, please donate to the developer. Trust me when I tell you that most developers of free software usually receive little or nothing for all their hours of hard work and support they provide. Developers are usually very appreciative of a donation regardless of how small it may be.

Recent changes

This list contains only the most recent changes

  • removed ETag Stoppa since eTag filtering is now handled by ClearURLs