- 1 Introduction
- 2 Terminology
- 3 Prerequisites
- 4 Let the hacking begin
- 5 Add-on configuration and usage
- 5.1 CanvasBlocker
- 5.2 Cookie AutoDelete
- 5.3 CSS Exfil Protection
- 5.4 Decentraleyes
- 5.5 Smart HTTPS
- 5.6 uBlock Origin
- 5.7 uMatrix
- 5.8 Configuring the optional add-ons
- 6 THE END (finally)
- 7 Further reading on this website
- 8 Further resources
- 9 Revision history
This article was last updated on November 16, 2018. See the revision history at the end of this document for a list of changes.
Though this guide is centered around Firefox, users of other web browsers may find it helpful as well. It is also useful for the Thunderbird email client.
Many of us are aware of the immense threats to our on-line privacy and security posed by various technology companies, governments and malicious hackers, any of which often go to great lengths to monitor our electronic communications. Governments and their “intelligence” apparatuses not only spy on each other, but on the citizenry as well and they leverage the services of various companies to do so, including Google, Facebook, Verizon, Comcast, Amdocs and many others which most of us have probably never heard of. While the data they compile may be used for relatively benign purposes such as displaying targeted advertising on web pages, the intentions are often far more sinister. Much of what Edward Snowden has brought to the table is not new, but it seems the information has been presented in a way that has captured the attention of the privacy and security conscious public, prompting many to seek ways of mitigating the threats.
For many of us our web browser is our primary window to the digital world and it is therefore necessary for any privacy conscious individual to have a basic understanding of what information flows through our browser and how that information is used to track and profile us, as well as compromise the security of our browser. Contrary to statements made in The Mozilla Manifesto, it is my opinion that respecting the privacy of its users is largely an afterthought for the multi-million dollar Mozilla Foundation and their flagship product, Firefox. This is readily apparent when one considers the array of ethics devoid multinationals which Mozilla has chosen to partner with, including Google, Yahoo, Microsoft, Telefónica, LG Electronics, Sony, Verizon, Cisco and others. Furthermore, even core features of the “open source” browser are proprietary, such as its Pocket service which has a less than ethical “privacy” policy. And let’s not forget the ‘Looking Glass’ fiasco which you can read about in Looking Glass: The next ‘bright idea’ from Mozilla. Google Chrome is certainly no better when it comes to respecting our privacy (also see this) and Internet Explorer isn’t worth the effort required to express an opinion. In short, there is no mature, capable, extensible, open source, privacy-centric web browser that is suitable for mainstream usage at this time so far as i am aware. Given the lack of alternatives, i think Firefox is currently the best of them and, with some effort, it can be beaten into submission. I suspect the folks behind the Tor Project may also feel compelled to use Firefox in their Tor Browser Bundle for similar reasons, though their options, and ours, may grow in the near future.
As with any modern, mainstream browser, Mozilla Firefox is a very complex beast consisting of millions of lines of code and hundreds of configuration options, many of which are interlinked, hidden, or undocumented. Things can go down the toilet plenty quick if you change a setting without knowing what you’re doing and poorly coded add-ons can compound the problem. Here we will attempt to accomplish our goals in an efficient manner with a minimal dependency upon 3rd party add-ons.
A bit of a trade-off should be expected when we tighten up on security and privacy insomuch as some websites will cease to function properly until the settings for those specific sites are adjusted. Anyone who has used a content filter such as NoScript or Request Policy will understand that certain resources must be allowed for a given website to function in an acceptable way. Similar to NoScript however, the process of allowing required resources usually consists of a mouse click or three followed by a page refresh and once we have made the necessary adjustments for all of our favorite websites, our workload will be greatly reduced. Nevertheless, be prepared to put a little more effort into your web surfing experience in general and expect the occasional hard-case where more fiddling than usual is required to get a particular site functioning properly. The pay-off however is a much cleaner and faster web that is less able to track and profile us, as well as a somewhat hardened and speedier Firefox that is more resistant to attack.
Add-on/extension: I use these terms interchangeably. A web browser add-on or extension is a piece of software typically developed by a 3rd party that extends the built-in capability of the browser it is designed for.
AMO: addons.mozilla.org, the Mozilla add-ons website.
Crapware: I consider crapware to be software which contains code that is not relevant to the functionality users expect. In this case the term crapware refers to adware, tracking mechanisms and malicious code, mostly in web browser extensions. Crapware is often added to browser extensions by a marketing company or solo developer for the purpose of monetizing the extension which often takes the form of profiling users and selling the data. Crapware often presents a highly significant threat to user privacy and browser security.
CDN: A Content Delivery Network is a service that hosts reusable content, such as graphics and scripts which website authors can leverage to make building web platforms easier. CDNs often present a threat to our privacy by tracking our web activities. They are perhaps a most formidable threat because a single CDN service may be used by many millions of popular websites and therefore the tracking and profiling capabilities of the company providing the CDN service can be very widespread and cross-domain in nature. The use of CDNs is prolific today and since many websites will not function without the content they deliver, globally blocking CDN content is hardly an option.
CSS: Cascading Style Sheets are used primarily to apply visual styling to HTML elements, thus making web pages look pretty, however the capability of CSS has been expanded well beyond what it was able to do originally and thus it can be used for nefarious purposes.
Domain/subdomain/TLD: In the example ‘sub.example.com’, ‘example’ is the root domain, ‘sub’ is a subdomain of the root domain and ‘com’ is the TLD, or Top Level Domain. You can think of root domains and subdomains as sort of different containers which are used to separate content on a single website. For example, let’s say kitties.com is focused primarily on information about kittens, but they also might have a web store where they sell paper bags. In order to keep their store content separate from their primary content, they may host the store on the subdomain ‘shop.kitties.com’.
HTTP/HTTPS: Hypertext Transfer Protocol and Hypertext Transfer Protocol Secure are communication protocols used by computers to transmit data over the internet. For HTTP an unsecured, unencrypted connection is established which is vulnerable to ISP (Internet Service Provider) snooping and man-in-the-middle attacks, while a secure, encrypted connection is established with HTTPS. While browser extensions like HTTPS Everywhere will always attempt to encrypt your connection whenever possible, some web servers simply do not support HTTPS. For this reason i will again point out the advantage of using a VPN.
Web server: For the purpose of this document, a web server is a computer that is connected to the internet which hosts (serves) one or more websites.
WebExtension/Legacy extension: Mozilla dropped support for legacy (XUL/XPCOM) extensions beginning with Firefox version 57 and moved to the WebExtension API which is the same format used by the Google Chrome and other web browsers. Unfortunately the WebExtension API (Application Programming Interface) is severely limited. For example, such extensions cannot modify the GUI (Graphic User Interface) of Firefox in the same way the old legacy extensions could.
Web fonts/remote fonts: These are font packages typically hosted by a 3rd party, such as Google, which a web developer may use to specify how text is displayed on their website. Web fonts present a few problems regarding tracking and security.
Web storage: In addition to HTTP cookies and web caching, most/all popular web browsers also allow a web server to store data using local and session storage, indexedDB storage, window.name storage, Etag cache storage and other methods. If you are concerned about preserving your privacy, you have far more to worry about than the so-called “cookies” of yesteryear which were just simple text files that, in theory, but not always in practice, could be read only by the domain that placed them there.
Get a decent code editor
You should have a decent code editor with syntax highlighting to edit Firefox’s configuration files. Linux users should have something suitable installed by default, such as Kate, however if you’re running Windows i might suggest Notepad++ or PSPad, the latter being the simpler of the two.
Unhide file extensions
There are several flavors of Firefox including the stable release version, the ESR version (Extended Support Release), which is usually an older version that may not contain the latest features but may be more stable, and also a Developer Edition which includes the latest features (and bugs). While there are advantages in using unofficial 3rd party builds such as Waterfox, Cyberfox, Pale Moon, etc., i currently do not recommend them since they may not keep up with the latest security patches, or are buggy, or are simply outdated and incompatible with the latest add-ons. While some 3rd party builds are more privacy-centric out of the box, we can accomplish essentially the same degree of privacy using the official Mozilla builds with minimal effort.
The user.js file
A user.js file is the best way to store your personal preferences for Firefox. The one we will be using is a result of a lot of effort by ‘Pants’ and ‘earthing’ and the rest of the ‘ghacks’ crew and contributors whose work became rather popular when it was published as A comprehensive list of Firefox privacy and security settings by Martin Brinkmann on ghacks.net. The ‘ghacks’ user.js is now maintained on GitHub.
In addition to the ‘ghacks’ user.js, you may wish to append my personal preferences from my user-overrides.js on my GitLab repository, though this is entirely optional. Note that my preferences are strictly intended to be appended to the ‘ghacks’ user.js and not to be used independently. Some of my preferences are original and some are copies of those in the ‘ghacks’ version where i changed some of their settings to suit my own needs and cause less webpage breakage. It also contains preferences which enable smooth, dynamic scrolling when using a mouse wheel. Note that i only make available a single release for the version of Firefox that i currently use.
How to properly incorporate the user-overrides.js files is described in a later section.
The necessary (and not so necessary) add-ons
All of the add-ons listed here are of the WebExtension variety, meaning most should work with Firefox versions 57 to 59 and all should work with versions 60 and higher.
Following are the add-ons i highly recommend:
- Cookie AutoDelete: Automatically manages cookies and web storage, helping to prevent tracking and improving privacy.
- CSS Exfil Protection: Helps to prevent attackers from stealing data by exploiting Cascading Style Sheets (CSS)
- Neat URL: Removes many tracking and other (mostly) unnecessary parameters from links, such as the utm_* tracking parameters used by Google Analytics.
- uBlock Origin (uBO): An excellent ad/content blocker for Firefox and Chromium, uBlock can use the same filter lists as Adblock Plus as well as many more which it cannot. Make sure you use the original uBlock Origin by Raymond Hill and not one of the many copycat versions.
- uMatrix (uM): By the same developer as uBlock Origin, uMatrix is also a powerful content blocker that will provide more granular control over web content requests than uBlock.
The following add-ons are optional, but recommended:
- Don’t touch my tabs!: Prevents a new tab opened from a hyperlink from hijacking the original tab by adding the rel=noopener attribute to all hyperlinks.
- Header Editor: Allows you to modify HTTP request and response headers. You can use this to prevent ETag tracking among other things.
- Skip Redirect: skips link redirections such as used by Google, AMO and many other companies and websites, thus helping to prevent tracking.
- Smart HTTPS: Attempts to force websites to use an encrypted connection (HTTPS) but will fall back to an unencrypted connection (HTTP) if the website does not support HTTPS.
The following add-ons are optional:
- NoScript Security Suite: since uMatrix will be used to control scripts, this functionality is not required from NoScript, though it may add a bit more protection in terms of cross-site request forgeries, click hijacking and possibly other areas. If you use NoScript you might want to disable script blocking in NoScript and pass that job to uMatrix since it offers easier control of script blocking.
- Smart Referer: Sends the referring domain/page to the web server only when you visit another page within the same domain, thus helping to thwart tracking. This is not needed if using uMatrix.
For more possibilities regarding add-ons, see Firefox Extensions: My Picks.
A word about uBlock Origin and uMatrix
It seems a lot of people have questions and misunderstandings about these two important add-ons. Here’s some of the questions i see a lot and my answers to them:
Q: What’s the difference between uBlock and uMatrix?
A: Although they perform similar functions in that they essentially block content much like a software firewall, they are oriented toward different audiences and they operate somewhat differently. Many people think uBlock is easier to use, while uMatrix offers more granular control.
Q: Can they be used together?
A: Absolutely, but they have overlapping functionality and therefore need to be properly configured to work efficiently together and reduce frustration.
Q: Which one should i use?
A: Both. In this guide we will use uBlock Origin to handle all of the static filtering (the 3rd party filter lists) and uMatrix to handle most of the dynamic filtering. They both used to be wrapped up in a single add-on and, personally, i wish the developer would have left it that way. I find uMatrix to be less difficult to use than uBlock and i do not like to run two extensions with overlapping functionality.
Automatic add-on updates
Regarding automatic add-on updates which are enabled by default in Firefox, they are disabled in the ‘ghacks’ user.js file and i would strongly suggest keeping them disabled. Automatic checking for updates is fine and this is enabled in the ‘ghacks’ user.js, but we do not want Firefox to install add-on updates without our explicit consent. The problem with automatic add-on updating is that developers may, at any time and without notice, monetize their add-on or sell their work to an unethical 3rd party and this usually results in compromising your privacy by turning you into the product. The problem of crapware containing add-ons has exploded in the AMO repository for a couple reasons; 1), because Mozilla moved to the WebExtension API, it is now fairly trivial for every unethical developer that has infected Google Chrome with their garbage to port their extensions to run on Firefox and, 2), Firefox extensions are no longer reviewed by humans, except perhaps in special cases. Examples of some currently or formerly very popular add-ons which contain(ed) such crapware are Abduction, a screen capture utility, Quick Locale Switcher, a language switcher, FasterFox Lite, a largely useless utility which claims to speed-up Firefox but doesn’t, BlockSite, a content blocker, and many, many others. Not all of these extensions contained crapware when they were first developed which is why i strongly suggest keeping automatic add-on updates disabled and reading the change logs, permissions and privacy policies carefully each time an add-on update becomes available.
Let the hacking begin
Firefox post install cleanup
I recommend reading Firefox Search Engine Cautions and Recommendations which offers information about how Mozilla monetizes Firefox with the included search engine plugins and what you can do to opt out of this affiliate scheme. Be sure to read the section Removing the ‘Follow On Search’ system add-on which will inform you how to remove Firefox’s “system add-ons” which are essentially hidden from the user, some of which have been used for quite controversial purposes in the past.
Before you make any changes, back-up your entire Firefox profile (click here to locate it if you don’t already know where it is). The easiest way to do this is simply to select your profile folder inside the /firefox folder, press Ctrl+C to copy it, then Ctrl+V to paste it in the same place, but with a different name. I might suggest keeping the original name and just appending .bak to the copy. From that point on, all changes should be made to your original profile, leaving your backup profile untouched in case something explodes.
Regarding digital privacy and browser security, this guide depends heavily on the ‘ghacks’ user.js configuration file which will automatically adjust crucial Firefox preferences, thus you need not worry about manually configuring privacy and storage settings and such from the Preferences menu of Firefox. If you choose to not use the ‘ghacks’ user.js, then your job will be much harder if you have similar goals as we do here. Nevertheless, you may find it very helpful to refer to the ‘ghacks’ user.js when configuring preferences manually.
Firefox profile in RAM
With the wide adoption of speedy Solid State Drives (SSDs), the concept of sticking the Firefox profile in RAM for performance reasons may seem obsolete, however there are still benefits to be gained, especially if you store your profile on a Hard Disk Drive (HDD). If you don’t want to disable disk browser caching, web storage and cookies globally, and thus break a lot of websites in the process, then there will be lots of disk reads and writes resulting in unnecessary wear and tear on your storage media. Placing your Firefox profile in RAM can be risky however should some sort of catastrophic failure occur which might corrupt it, though there are ways to minimize that risk.
If you use Windows you’re on your own since i don’t, suffice to say that there is Windows compatible software that can manage RAM disks and write your profile back to disk when you exit Firefox. Those using most any flavor of Linux have access to a spiffy utility called Profile-sync-daemon which is designed specifically for this task and it works with quite a few browsers. Check your package manager to see if it’s in your repository. To get it working, run man psd in a terminal or consult the Profile-sync-daemon guide on ArchWiki. Setting it up was very easy in my case.
Note that Firefox stores its web cache in a location other than the profile directory. On Linux it’s kept at /home/[user]/.cache/mozilla/firefox/. Normally you would have to deal with this cache separately if you wanted to store it in RAM also, however since disk caching is disabled in the ‘ghacks’ user.js (browser cache is stored in memory only) and the cache is dumped when you exit Firefox, you need not worry about it.
Editing the user-overrides.js file
Keep this hierarchy in mind as you read this section:
- prefs.js – read by Firefox first
- user.js – read by Firefox second – any duplicate preferences in prefs.js are overridden by those in this file
- user-overrides.js – this is the only file you should edit if using the ‘ghacks’ user.js – Firefox never reads this file, but these preferences are appended to user.js via a script, or manual copying
If you do not have a comprehensive understanding of the user.js file that is used by Firefox to load your personal preferences, you may want to read this. You should also poke around the ‘ghacks’ wiki for detailed information on using and maintaining their
In your profile folder, delete your user.js file if you have one and create a new file named user-overrides.js. You can transfer any needed settings from your backup user.js to the new one later on if they are not already covered in the ‘ghacks’ file. You will very likely be changing many Firefox preferences and storing them in this new file which will later be appended to the ‘ghacks’ user.js file using a script. I know this may defy conventional knowledge, so let me be clear: If you are going to use the ‘ghacks’ user.js file then you should never edit it, (nor the prefs.js file) nor should you change important settings from about:config unless you’re just testing something which you will then either revert or add to your user-overrides.js. All of your custom preferences should be placed in your user-overrides.js file and nowhere else. The reason for this is because the ‘ghacks’ user.js is a fairly large file that is updated frequently. If you make changes to this file directly and then update it, you will lose all your changes, forcing you to go through the entire file again and redo your changes, whereas if you copy the preferences you want to change from the ‘ghacks’ user.js to your user-overrides.js and change the values there, then updating the ‘ghacks’ one will be quite painless. On the other hand, should you choose to not use the ‘ghacks’ user.js, then you should add your changes to your own user.js and you can ignore everything stated here about the user-overrides.js. Either way, never edit the prefs.js file directly or by way of about:config unless you’re just testing something as stated earlier.
The user.js file we want is hosted on the ghacksuserjs/ghacks-user.js GitHub repository. To download the file for older versions of Firefox, click the releases link and find the version that corresponds to the version of Firefox you’re using. For current versions of Firefox i would suggest downloading instead their updater.sh (Linux) or updater.bat (Windows) script from the main page of the repository and using that to fetch their user.js file. You might also want to download prefsCleaner.sh (Linux) or prefsCleaner.bat (Windows) to reset any unused or old preferences in your prefs.js file. After backing up your entire Firefox profile, copy the new files to your active profile folder and run the updater script from a terminal. The script will back up your current user.js file if one exists and, optionally, download the latest version of the ‘ghacks’ user.js and, finally, if one exists, it will append the contents of your user-overrides.js to the ‘ghacks’ user.js. Don’t forget to make the script executable if you use Linux. You can read more about the updater scripts here and the cleaner scripts here.
At this point it is important to go through the entire ‘ghacks’ user.js file and read all of the comments and review each of the settings to be sure everything is configured the way you want. This is where having a decent code editor comes in handy. As stated above, any preferences you want to change should be copied to your user-overrides.js file where you will then change its value. Note that if you ever comment out or delete a preference in your user-overrides.js file after having run Firefox, that setting will remain in the prefs.js files. The easiest and best way to remove such preferences from the prefs.js files is to run the ‘ghacks’ prefsCleaner script and restart Firefox.
If you use my user-overrides.js, there is a section provided especially for your personal preferences. My user-overrides.js contains my personal settings and because i wish to avoid the hassle of editing them for public consumption each time i update it, you will need to review them carefully as it is highly likely you will have to make changes. Remember to run the ‘ghacks’ updater script as previously described any time you make changes.
Verifying the integrity of user.js
It is vital to perform an integrity check each and every time you update the ‘ghacks’ user.js file or edit your
You might notice a bunch of goofy looking _user.js.parrot preferences in both the ‘ghacks’ user.js and my personal user-overrides.js files, should you decide to use the latter. These are used for troubleshooting syntax errors by quickly identifying a specific section of the user.js in which the error lies. When you run Firefox for the first time after making any changes to your user-overrides.js file, you should disable your network connection and then check the value of the troubleshooting preference by entering about:config in the address bar and searching for the _user.js.parrot preference (it will likely be the first one listed without having to search). Here is what the value of that preference should be:
- If you are using only the ‘ghacks’ file and have not appended anything to it, then the value should be “SUCCESS: No no he's not dead, he's, he's restin'!”
- If you have appended my user-overrides.js to the ‘ghacks’ file and have not added anything more, then the value should be “12bytes.org settings loaded”
- If you have added anything else to your user-overrides.js, the value should be whatever you set it to, such as “user settings loaded”. An example troubleshooting preference for your personal use and further instructions are contained in my
If the value for the troubleshooting preference is not what you expect, then you can use it to quickly determine in which section of the user.js file the syntax error lies. While it cannot narrow down the problem to a specific line number, at least you will know in which section to begin looking. Some common mistakes that i’ve made are forgetting to end a line with a semi-colon, or ending it with a full colon, or forgetting a bracket, a quote character or comma, or keying in user_perf instead of user_pref, or forgetting to put string values in quotes, or mistakenly putting quotes around integer or boolean values.
The reason i suggest disabling your network connection when you run this check is because Firefox will not load any further preferences in user.js beyond the point just prior to where the error is and therefore this could potentially present a risk if you have a network connection.
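The file hierarchy and the parrot check described above can be rehearsed offline before Firefox ever reads the file. The following checker is an added example, not part of the ‘ghacks’ project or of Firefox; it assumes the load behaviour this guide describes (statements applied in order, later duplicates win, nothing after the first syntax error is loaded), and the sample file, its parrot values and the names checkUserJs and diagnose are constructed for illustration.

```javascript
'use strict';
// Added example: a simplified user.js checker, not Firefox's own parser.
// It models the behaviour the guide describes: statements are applied in
// order, later duplicates win, and nothing after the first syntax error loads.

const PARROT = '_user.js.parrot';
// Whitespace, // comments and /* */ comments between statements.
const SKIP = /\s+|\/\/[^\n]*|\/\*[\s\S]*?\*\//y;
// user_pref("name", "string" | true | false | integer);
const PREF = /user_pref\s*\(\s*"([^"\\]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/y;

// Map a statement that failed to parse onto the common mistakes listed above.
function diagnose(stmt) {
  if (/^user_perf\b/.test(stmt)) return 'user_perf typed instead of user_pref';
  if (!/^user_pref\s*\(/.test(stmt)) return 'text that is not a user_pref(...) statement';
  if ((stmt.match(/"/g) || []).length % 2) return 'missing quote character';
  if (/\)\s*:/.test(stmt)) return 'line ends with a colon instead of a semi-colon';
  if (/\)\s*$/.test(stmt)) return 'missing semi-colon';
  if (!stmt.includes(',')) return 'missing comma';
  if (/,\s*(?!true\b|false\b)[A-Za-z_]/.test(stmt)) return 'string value without quotes';
  return 'malformed statement (check brackets)';
}

// Returns the prefs that would be applied, the last parrot value reached,
// the first syntax error (or null) and any type warnings.
function checkUserJs(text) {
  const prefs = new Map();
  const warnings = [];
  let error = null;
  let pos = 0;
  while (pos < text.length) {
    SKIP.lastIndex = pos;
    if (SKIP.test(text)) { pos = SKIP.lastIndex; continue; }
    const line = text.slice(0, pos).split('\n').length;
    PREF.lastIndex = pos;
    const m = PREF.exec(text);
    if (!m) {
      const stmt = text.slice(pos).split('\n')[0].trim();
      error = { line, hint: diagnose(stmt) };
      break; // everything after this point is treated as not loaded
    }
    const raw = m[2];
    const value = raw[0] === '"' ? raw.slice(1, -1).replace(/\\(.)/g, '$1')
      : raw === 'true' ? true : raw === 'false' ? false : Number(raw);
    // Quoted booleans/integers parse fine but are stored as strings, so the
    // parrot never reveals them; report them separately.
    if (typeof value === 'string' && /^(true|false|-?\d+)$/.test(value)) {
      warnings.push({ line, name: m[1], hint: 'quoted boolean/integer is stored as a string' });
    }
    prefs.set(m[1], value); // a later duplicate replaces the earlier value
    pos = PREF.lastIndex;
  }
  return { prefs, parrot: prefs.get(PARROT) ?? null, error, warnings };
}

// Constructed sample: a tiny sectioned base file with overrides appended.
const SAMPLE = [
  '/* constructed sample, loosely shaped like a sectioned user.js */',
  'user_pref("_user.js.parrot", "section 0100 reached");',
  'user_pref("browser.cache.disk.enable", false); // disk cache off',
  'user_pref("_user.js.parrot", "section 0200 reached");',
  'user_pref("extensions.update.autoUpdateDefault", false);',
  'user_pref("_user.js.parrot", "SUCCESS: base file loaded");',
  '// --- appended user-overrides.js (constructed) ---',
  'user_pref("_user.js.parrot", "overrides section A reached");',
  'user_pref("browser.cache.disk.enable", true);  // later duplicate wins',
  'user_pref("general.smoothScroll", "true");     // quoted boolean: parses, wrong type',
  'user_perf("browser.startup.page", 0);          // typo: loading stops here',
  'user_pref("_user.js.parrot", "user settings loaded");',
].join('\n');

const report = checkUserJs(SAMPLE);
console.log('parrot  :', report.parrot);
console.log('error   :', report.error);
console.log('warnings:', report.warnings);
```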
Updating the user.js file
Updating the ‘ghacks’ user.js file is as easy as running the updater script. To update my user-overrides.js file, just copy the contents of the new version to your user-overrides.js and then run the updater script. You should also run the ‘ghacks’ prefsCleaner script. If you want to keep up with the latest version of the ‘ghacks’ user.js and/or my user-overrides.js files, subscribe to the following feeds:
- the ‘ghacks’ GitHub feed: https://github.com/ghacksuserjs/ghacks-user.js/commits/master.atom
- my ‘labwrat’ GitLab feed: https://gitlab.com/labwrat/Firefox-user.js.atom
- optionally you can subscribe to my website feed (there is no specific feed for this guide)
Add-on configuration and usage
For the CanvasBlocker settings i would suggest enabling the following:
- Enable expert mode
- Display descriptions
All other settings can be left at their default values.
When CanvasBlocker fudges something for a website, you should see a fingerprint icon in your address bar from where you can see exactly what it did and, if need be, whitelist the site.
These are the settings i would recommend enabling:
- Enable Automatic Cleaning? Delay Before Cleaning: [ 10 ] Second(s)
- Enable Cleanup Log and Counter
- Clean Cookies from Open Tabs on Startup
- Localstorage Cleanup (Firefox 58+)
I don’t see any real advantage in using Container Tabs from a privacy/anti-tracking perspective and therefore i wouldn’t recommend enabling support for them in Cookie AutoDelete. Note that Container Tabs is not the same thing as First Party Isolation, which i also do not recommend enabling at this time unless you’re willing to put up with the potential headaches it can cause.
CSS Exfil Protection
Turn it on. Done.
You can enable all of the options with the possible exception of ‘Block requests for missing resources’ which will break some websites. Don’t forget to add these rules to uMatrix.
The default settings are sufficient, except i personally disable the whitelisting of HTTP protocols. Normally when you visit an HTTP site Smart Redirect will attempt to forward your request to HTTPS and, if that fails, it will fall back to HTTP and then add the domain to the whitelist so that subsequent visits would default to HTTP. While the developer does not recommend disabling this behavior, i do it anyway for two reasons: First of all, the whitelist can grow to be very large and, while some of the whitelisted domains truly don’t support HTTPS, others do, but if they take too long to respond then Smart HTTPS will mistakenly add them to the whitelist. Every so often i would delete all the whitelisted domains to address this problem, but doing so is a pain because you can’t dump them all at once. Secondly, i don’t care if Smart HTTPS hammers an HTTP-only site with HTTPS requests every time i visit it because every site administrator should be using HTTPS, especially since one can get valid SSL certificates for free from Let’s Encrypt. And so i prefer to send them the message via their visitor logs.
uBlock Origin (uBO) will be used in its easy mode in order to block ads and prevent tracking by employing some of the many 3rd party static filter lists which it offers. Read the uBlock wiki sections pertaining to the easy mode to understand how to use it properly.
Once uBlock Origin is installed, click its toolbar icon to reveal the main pop-up interface, then click the little settings icon to reveal the Dashboard:
The first tab in the Dashboard is the Settings tab and here are the ones i recommend enabling:
- Hide placeholders of blocked elements (optional – if you are new to content blocking, you may not want to enable this so that you can get an indication as to what was blocked)
- enable all
- Default behavior:
- Block remote fonts
Blocking remote fonts will uglify quite a few websites. In such cases you can click the little ‘A’ icon on the uBO pop-up interface to allow remote fonts for the specific domain you’re visiting.
Next we want to temporarily enable the advanced user option. Notice that a little gray gears icon appears next to it when it’s enabled and clicking it will display some advanced settings. I would suggest changing the value of
true. Although there is no guarantee, uBO will try to prevent tab loading until it is ready to handle the requests. This is perhaps especially useful when you exit Firefox with open tabs and have it set to restore your previous tabs on restart. After changing that setting, go back to the Dashboard and disable the ‘I am an advanced user’ option since we will be using uMatrix for all our dynamic filtering needs because it allows more granular control. Whether that option is effective when uBlock’s advanced mode is disabled, i don’t know, but it can’t hurt.
Click the settings button again on the uBlock Origin pop-up interface and select the Filter lists tab. Here are the settings and filter lists i recommend enabling:
- Auto-update filter lists
- Parse and enforce cosmetic filters
- Ignore generic cosmetic filters
- network/cosmetic filters
- My filters
- uBlock filters
- uBlock filters – Annoyances
- uBlock filters – Badware risks (enable if you run Windows)
- uBlock filters – Privacy
- uBlock filters – Resource abuse (blocks many cryptocurrency mining scripts)
- uBlock filters – Unbreak (un-breaks some websites that may be broken by other filter lists)
- Adblock Warning Removal List (hide annoying website messages warning about using an ad-blocker)
- Adguard Base Filters
- enable all lists
- Malware domains
- Malvertising filter list by Disconnect
- Malware Domain List (enable if you run Windows)
- Malware domains (enable if you run Windows)
- Adguard’s Annoyance List
- Dan Pollock’s hosts file
- Peter Lowe’s Ad and tracking server list
As of this writing you can find over 12 million filter lists on the FilterLists website, however i strongly advise being very careful about which ones you add, if any. In my experience the default filter lists offered by uBO are sufficient and adding more may only slow things down and consume more resources.
All other settings for the remaining tabs can remain at their defaults.
uMatrix
SET THE SCOPE, CLICK THE LOCK!
Burn that into your noggin and don’t forget it as you read this section :)
You will likely be spending far more time with uMatrix (uM) than all the other add-ons here combined and, being it is one of the most important ones in the pile, it is vital you understand how to use it, so read the wiki because i’m not going to go into great detail here.
Once uMatrix is installed, click the toolbar button and then the pop-up title bar to open the Dashboard:
Following are the settings i recommend enabling:
On the Settings tab:
- Collapse placeholder of blacklisted elements (but not blocked elements, at least not until you become more comfortable with uM)
Cookies and web storage will be handled by Cookie AutoDelete, so there is no need to enable those settings in uM.
My research indicates that spoofing the browser user-agent string is essentially useless as far as thwarting fingerprinting and it can cause problems.
The reason there is an option to clear the browser cache in the Privacy section is because objects in the cache can be used to track you (as if there aren’t already enough ways for evil corporations to invade your privacy, right?). Personally i do not enable this option because i typically clear browser cache manually fairly often, plus it is automatically cleared when Firefox exits. If you run into problems when this option is enabled you might want to do the same.
On the ‘My rules’ tab, add the following to the ‘Temporary rules’ pane, then save and commit your change:
no-workers: * true
This will disable web workers which will prevent certain JS from running in the background, including many/all cryptocurrency mining scripts. If a page breaks as a result, you can enable web workers on a per-site basis from the uM pop-up by clicking the vertical 3 dot button. One resource this setting will break is 1st party or embedded videos from dailymotion.com. For example, if you visit this page and allow everything for all of the Dailymotion domains, the video will still not play until you allow web-workers.
On the ‘Assets’ tab, disable all of the host file filter lists, purge the caches and save your changes. It is better to use uBlock Origin to control the static filter lists since it offers many more of them by default.
If you’re using the Decentraleyes add-on you will need to add some rules to uMatrix which can be found on the Frequently asked questions page of the Decentraleyes repository which also has instructions for adding them. When adding the rules, be sure to remove any conflicting rules for the same domains if you have any (if you’re just starting out, you won’t).
uMatrix basic usage
When you first install uMatrix, it will allow all 1st party requests by default and we need to sledgehammer that, so load up 12bytes.org in a new tab and click the uM toolbar icon to display the main pop-up interface:
Because you have read the uMatrix wiki (you did, right?), you already know that YOU MUST REMEMBER TO SET THE SCOPE in which uM operates before making any changes. Failing to do this can break things unexpectedly. You also know that any changes you make are temporary unless you save them. Since we first want to set some basic default rules that affect all websites, we need to change to the global scope. Start by opening 12bytes.org in a new tab and then switching to the global scope:
Once we’re operating in the global scope, i suggest setting up uMatrix like so:
This configuration will result in the following behavior:
- 1st party cookies will be allowed globally, though only for the site being visited
- CSS will be allowed globally, including 3rd party CSS
- Images will be allowed globally, including 3rd party images
- 1st party frames will be allowed globally, though only for the site being visited
Unless you only want your changes to be temporary, always remember to click the padlock icon to save them.
Note that in the screenshots that follow, the 1st party cookies block in the global scope will not be green as in the one above due to an oversight on my part when i created the screenshots.
Now load up this post in a new tab. Look like something’s missing? Sure enough, if we open the uMatrix pop-up interface again, we see youtube-nocookie.com in the resource list which should tell you that there must be a YouTube video in that post which is being blocked. It also tells you exactly what was blocked, in this case a single frame:
If uMatrix is hiding the subdomains and you don’t see www.youtube-nocookie.com, click this little thing in the ‘all’ row and it will expand the list of domains:
In the screenshots above you can see we are operating in the local scope (12bytes.org). You will notice that i allowed all requests for the 1st party domain, 12bytes.org, because it’s my site and i trust it. You need not do the same and, actually, as a rule of thumb you should not do the same, nor is it required to get the video to play, at least not on 12bytes.org.
Now, we want to get that YouTube video working, but do we want to allow embedded YouTube videos for 12bytes.org only, or for all websites? This is what you need to be thinking any time you allow requests for a 3rd party resource such as YouTube. Since you probably want to allow YouTube videos for all of the websites you visit, again we need to switch to the global scope and unblock the blocked frame for the youtube-nocookie.com domain and save our change:
Now when we refresh the post page, we might expect to see that YouTube video, but we don’t. Opening the uM pop-up again and switching to the global scope, we discover that allowing the frame for youtube-nocookie.com caused more stuff to show up:
Making sure we are working in the global scope, let’s unblock the blocked script and blocked frame for youtube-nocookie.com as well as the blocked scripts for ytimg.com. Make sure to save your changes:
Now when you reload the post page, everything should look good. We see the video frame and a nice intro image. Great. Click the play button again and… nothing! Open the uM pop-up once more and we find that we need to allow XHR for the youtube-nocookie.com domain. You know what to do, so go ahead and make the change, making sure you’re working in the global scope and remembering to save your change afterwards. Refresh the post page again and click the play button on the video. It still doesn’t work! Again, open the uM pop-up and you’ll see another new domain has appeared, this time googlevideo.com (in case you didn’t know, Google owns YouTube). Again, make sure you’re working in the global scope and unblock those XHR requests for googlevideo.com and save your changes:
Now refresh the post page one last time and the video should play. If it does not, you messed something up and there’s a fair chance it’s because you made one or more changes in the wrong scope and tried to correct them. For example, let’s say you mistakenly allow scripting for youtube-nocookie.com in the local scope and saved the change. Suddenly you realize you made a mistake and so you switch to the global scope and allow scripting for youtube-nocookie.com as you should have before, but then you switch back to the local scope and “correct” your earlier mistake by disabling scripting for youtube-nocookie.com. The video will not play because you’ve now created two rules which conflict with our intention of allowing YouTube videos globally, one which allows scripting for youtube-nocookie.com globally and one which denies scripting for youtube-nocookie.com for 12bytes.org. What you could have done instead is just ignore the mistake you made by enabling scripting in the local scope and uMatrix would have corrected the problem for you. If you messed something up, open the uM Dashboard, click the ‘My rules’ tab and in the ‘Temporary rules’ pane, delete all of the rules you created related to YouTube videos and 12bytes.org, but be careful not to delete the default rules or the global rules we set up originally. To do this, select the rules and press your delete key, then the ‘Save’ and ‘Commit’ buttons:
Once you’ve deleted those rules and committed the changes to the ‘Permanent rules’ list, go back to the first step and try again.
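The scope conflict described above can also be found by reading the text of the ‘My rules’ pane. The following is an added example, not part of the original guide and not uMatrix code: it parses rule text and reports site-scoped rules that contradict a global rule for the same destination and request type. The sample rules are constructed from the walkthrough, and the lookup is a simplified model that only considers exact destination/type matches, searched from the narrowest scope to the global one.

```python
"""Flag uMatrix rules where a site-scoped rule contradicts a global rule."""

# Constructed sample: what the 'My rules' text could look like after the
# mistake described above (an assumption, not copied from the guide).
SAMPLE_RULES = """\
no-workers: * true
* * * block
* * css allow
* * image allow
* 1st-party cookie allow
* 1st-party frame allow
* youtube-nocookie.com frame allow
* youtube-nocookie.com script allow
* youtube-nocookie.com xhr allow
* ytimg.com script allow
* googlevideo.com xhr allow
12bytes.org youtube-nocookie.com script block
"""


def parse_rules(text):
    """Return (matrix_rules, switches).

    matrix_rules maps (scope, destination, type) -> 'allow' or 'block'.
    Only four-field allow/block rules and 'name: scope value' switches
    are parsed; any other line raises ValueError.
    """
    matrix, switches = {}, {}
    for raw in text.splitlines():
        fields = raw.split()
        if not fields:
            continue
        if fields[0].endswith(":") and len(fields) == 3:
            switches[(fields[0][:-1], fields[1])] = fields[2] == "true"
        elif len(fields) == 4 and fields[3] in ("allow", "block"):
            matrix[tuple(fields[:3])] = fields[3]
        else:
            raise ValueError(f"unrecognised rule line: {raw!r}")
    return matrix, switches


def scope_chain(hostname):
    """Scopes consulted for a page, narrowest first, ending at global '*'."""
    chain = []
    while hostname:
        chain.append(hostname)
        hostname = hostname.partition(".")[2]
    return chain + ["*"]


def winning_rule(matrix, page_host, destination, req_type):
    """First explicit rule for this exact cell, searching narrow to broad."""
    for scope in scope_chain(page_host):
        action = matrix.get((scope, destination, req_type))
        if action is not None:
            return scope, action
    return None


def scope_conflicts(matrix):
    """Site-scoped rules whose action differs from the global rule for the same cell."""
    found = []
    for (scope, destination, req_type), action in sorted(matrix.items()):
        global_action = matrix.get(("*", destination, req_type))
        if scope != "*" and global_action is not None and action != global_action:
            found.append((scope, destination, req_type, action, global_action))
    return found


if __name__ == "__main__":
    rules, _ = parse_rules(SAMPLE_RULES)
    for scope, dest, req_type, local, glob in scope_conflicts(rules):
        print(f"{scope} {dest} {req_type}: {local} here, {glob} globally")
```

Any rule it reports is a candidate for deletion from the ‘Temporary rules’ pane, as described above.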
De-borking other websites is generally not as time consuming as it was to get this YouTube video to play and is usually accomplished with a couple mouse clicks and a page refresh. Just remember to turn to uMatrix first when a website is busted. If it is blocking something it will let you know by displaying a badge on the toolbar icon. uBlock Origin will do the same, but it won’t usually be the cause of the problem since we offloaded its dynamic filtering to uMatrix. Again, make sure you read the uMatrix wiki.
A very easy way to get a website working is to check if there are any user created rule recipes for the site you’re visiting. If there are any, that little puzzle-piece icon on the uM pop-up interface will become active. Just be aware that the user created rule sets seem to be fairly lax in their restrictions and may allow more than you want to allow, however you can always adjust as necessary. If nothing else they can be very helpful in determining why a site does not function properly.
Lastly i want to stress the importance of both the uBlock Origin logger and the uMatrix logger which are invaluable tools for troubleshooting tougher problems. You can get a better understanding of the uM logger by reading the documentation for the uBO logger since it is far more complete as of this writing, though some information is uBO specific. The uM logger is available in the Firefox sidebar in addition to a browser tab which can be really handy because you can set it to display all of the network events it records and watch in real-time as you surf without it getting in your way.
Configuring the optional add-ons
Don’t touch my tabs!
Install it. Forget it.
There are very few options to set and the defaults are fine. You can import my Header Editor rules if you like.
The default settings are sufficient. You may have to whitelist sites that no longer work properly.
The default settings are sufficient. You will likely have to whitelist sites that no longer work properly which Skip Redirect makes easy to do since you can copy the last skipped URL by right-clicking its toolbar icon and then adding that page or domain to the blacklist.
The default settings are sufficient. You may have to whitelist sites that no longer work properly.
FYI, apparently, long, long ago, some tech geek spelled ‘referrer’ with one ‘R’ and it stuck.
THE END (finally)
While there are many more things you could do if you’re really serious about protecting your on-line privacy and browser security, i hope this guide has been of some use to the novice and intermediate web surfers at which it was aimed. I welcome any questions or comments you may have, just please leave them in the comment section below so others can benefit (you need not be logged on).
Lastly i want to thank and credit all of the very dedicated and skilled people who created, maintain and contribute to the ghacks-user.js repository, especially Thorin-Oakenpants (aka, ‘Pants’) and earthlng. This guide would not be as comprehensive as it is without that bunch of misfits :)
Further reading on this website
- Alternative Search Engines That Respect Your Privacy
- Encrypting DNS Traffic (and why you want to)
- Firefox/Mozilla-Based Browser Tech
Further resources
- 2013 Mozilla Foundation Fed 990 Public Disclosure
- A comprehensive list of Firefox privacy and security settings
- About:config entries (mozillaZine)
- Anonymous Surfing with JonDoFox
- Client-Side: WebRTC
- Cross-site scripting | Wikipedia
- Crypto Mining Scripts – Mycryptopedia
- CSS Is So Overpowered It Can Deanonymize Facebook Users
- DOM Storage guide (Mozilla Developer Network)
- Edward Snowden | The Guardian
- Evercookie (WordPress plug-in)
- Firefox 39: Tracking Protection for private browsing mode
- Firefox Browser Privacy Notice
- Firefox hardening
- Firefox Health Report
- Firefox/Privacy – ArchWiki
- Firefox user agent string reference (MDN)
- How to block automatic connections that Firefox makes
- How to disconnect “search suggest”?
- How to import Tor Browser profile
- How to stop Firefox from making automatic connections
- HTML5 Browser Storage: the Past, Present and Future
- Improve online privacy by controlling referrer information
- Improve Your Privacy in the Age of Mass Surveillance – Internet of Things Darwin Award
- Internet Privacy – ISP Snooping and U.S. Surveillance Laws
- IP Check (JonDonym)
- IP Check: Next generation of website tracking analysis (JonDonym)
- IP/DNS Detect
- List of HTTP header fields (Wikipedia)
- Man-in-the-middle attack
- Means and Methods of Web Tracking: Its effects on privacy and ways to avoid getting tracked
- Mozilla and Telefónica Partner to Simplify Voice and Video Calls on the Web
- Mozilla Corporation (Wikipedia)
- Mozilla Foundation (Wikipedia)
- Mozilla networking preferences
- Mozilla re-negotiates Google multi-million dollar sugar-daddy deal
- Mozilla Revenue Tops $311 Million From Open-Source Technology (2012)
- Mozilla vs Google on user privacy: WebSockets
- Necko Predictive Network Actions
- Network Information API (MDN)
- OpenH264 Now in Firefox
- Privacy Tools – Encryption Against Global Mass Surveillance
- Profile-sync-daemon – ArchWiki
- Quantifying the effects of Firefox’s Tracking Protection
- SPDY (Wikipedia)
- Tails – Privacy for anyone anywhere
- The Mozilla Manifesto
- Things to Know (and Potential Dangers) with Third-Party Scripts
- ToR Browser Bundle
- Tracking Protection on Firefox
- uBlock Wiki
- Warning: Your Browser Extensions Are Spying On You
- Web storage (Wikipedia)
- What is First-Party Isolation in Firefox and what breaks if you enabled it
Revision history
Scroll to the bottom if you want to see the latest changes.
- first publishing
- removed all Shim Storage add-on information since this functionality is duplicated in HTTP UserAgent cleaner.
- almost all of the documentation for HTTP UserAgent cleaner was heavily revised.
- various other edits and corrections.
- updated user.js file
- several other small updates and a few corrections
- updated user.js file
- switched uBlock versions since a new fork was created
- updated uBlock images and documentation
- added a “Current notices” section
- misc. other corrections/updates/edits
- updated and added more information for uBlock
- updated one HTTP UserAgent cleaner screen-shot
- misc. other corrections/updates/edits
- updated HTTP UserAgent cleaner information
- for HTTP UserAgent cleaner settings, the suggested settings were split into Suggested global setting for casual browsing and Suggested global setting for best protection.
- updated information for HTTP UserAgent cleaner
- updated user.js file
- minor updates to uBlock information
- misc. other minor changes
- updated some HTTP UserAgent cleaner information
- deleted information for 2 bugs regarding the X-Forward-For setting for HTTP UserAgent cleaner since they were not bugs
- misc. other minor changes
- updated information for HTTP UserAgent cleaner, including adding descriptions for the newly added features, Canvas and Fonts on the HTTP tab
- updated the user.js file
- updated some definitions of terms used in this document
- added some more resources
- updated the information for the Fonts filter on the HTTP tab of HTTP UserAgent cleaner
- updated HTTP UserAgent cleaner information to match changes in version 0.7.4.11a
- added Pure URL as a suggested add-on
- updated contents of the user.js file
- added and edited some information for HTTP UserAgent cleaner
- added more resources in the References section
- updated list of recommended filters for uBlock
- updated user.js file contents
- updated user.js file contents
- updated a few settings recommendations for HTTP UserAgent cleaner
- minor updates to user.js file contents
- added information for securing DNS traffic
- misc. minor updates
- switched to Raymond Hill’s version of uBlock
- updated uBlock filter information
- added Fetch information for new version of HTTP UserAgent cleaner
- updated user.js file contents
- misc. minor updates
- updated uBlock settings to match the current development version (0.9.9.2)
- misc. minor updates
- removed HTTP UserAgent cleaner since it is no longer being developed
- removed Self Destructing Cookies add-on since its functionality can be handled by uMatrix
- added uMatrix
- added more info for uMatrix and IP Config test results
- updated user.js file contents
- various other edits
- Minor edits for uMatrix usage text
- updated user.js file
- removed pcxFirefox as a suggested 3rd party build since i had display corruption issues with it
- updated user.js file contents
- updated user.js file contents
- updated guide information
- updated user.js file and added a revision history to the file
- updated user.js file
- updated user.js file
- minor grammar/spelling corrections
- corrected an error with pref ‘layout.css.devPixelsPerPx’ where the value was an integer instead of a string – this caused all prefs following it to be ignored
- set ‘browser.fixup.hide_user_pass’ back to its default value
- added ‘network.http.redirection-limit’
- added some basic information for configuring the Clean Links add-on
- corrected ‘plugin.scan.*’ values to be strings
- added bogus preferences in the user.js file at the end of each section for troubleshooting potential loading problems
- changed the name of the troubleshooting/bogus preference to 12bytes.org-user-js-settings and added values to indicate the point at which the file stopped loading – a huge thanks to commenter ‘Pants’ for suggesting the troubleshooting preference and also for suggesting a far better way of implementing it than what i had done (by the way, ‘Pants’ is the author of the user.js config file used in the ‘ghacks’ article, A comprehensive list of Firefox privacy and security settings by Martin Brinkmann, so i’m very glad to have his input here)
- removed duplicate preferences in user.js file (see change-log in the file for details)
- removed Extension Defender from the list of recommended add-ons since its home page is gone and the code hasn’t been updated in two years
- updated user.js file
- switched to using Pants’ config v0.11 and mostly just appending my settings to the end of his – because this is a major update, no history of changes to individual preferences will be published
- published my user.js on GitHub which was forked from Pants’ code
- removed my user.js code from this page and linked to it on the GitHub page instead
- changed my versioning scheme to match Pants’ where the user.js version coincides with the version of Firefox it was developed for, so v51r1 would equate to version 51.x of Firefox and the r1 signifies the revision, in this case the first revision
- updated user.js to include v51 of Pants’ config – no preference changes so far as i know, just added/removed/changed comments
- updated text in user.js section to account for the new changes
- changes to comments and troubleshooting preference names and values, other minor changes
- updated user.js to version 51r2 – see the GitHub page for the change-log
- updated info here regarding the user custom preferences section of user.js
- deleted the GitHub repository which i forked from Pants’ ‘ghacks’ repository and created a new repository which does not include his code
- some changes to user.js
- some major editing of this document mostly in regard to the creation and changes of the GitHub repositories
- rewrote and updated much of the content pertaining to uMatrix
- added section “Removing system add-ons”
- added section “Sanitizing the default search engine plugins”
- added some add-ons to the recommended section
- misc. minor edits
- i didn’t keep track of all the changes and many were made – you’ll have to re-read the guide :)
- added section “A special note about cryptocurrency miners”
- added more info about IndexedDB storage in the “Terminology” and “uMatrix configuration” sections.
- added to the list of recommended add-ons
- updated some content to reflect the current state of Firefox and WebExtensions
- misc. minor edits
- added a link to my post about the Firefox add-on, Looking Glass
- misc. minor edits
- minor edits
- removed cryptocurrency miner section
- removed information about the OpenH264 Video Codec plug-in since it seems Firefox is no longer shipping it, at least not on Linux
- removed the Load from Cache add-on
- removed some information about uMatrix since uBlock Origin covers most everything uMatrix does and is better suited for removing advertisements, plus it’s a much more active project.
- updated some information
- note that many more updates will occur in the next days, so i would suggest waiting until they are published before following this guide
- rewrote most of this guide, so if you read it before, read it again :)
- added the section ‘Firefox profile in RAM’
- misc. other minor edits
- lots of clarifications and polishing, added several resources
- added uMatrix to the add-on pile again
- added the uMatrix sections of this document
- removed info about running uBlock in advanced mode since we’re using uMatrix for dynamic filtering instead
- several minor edits
- added Cookie AutoDelete as a highly recommended add-on and updated configuration information for uMatrix to allow 1st party cookies by default
- removed information about the Forget Me Not add-on
- added information about First Party Isolation
- added rule to uM to prevent web workers
- added information about the uBO and uM logging functions
- corrected some mistakes
- added info about using the user created rule sets for uMatrix, as well as correcting some mistakes and clarifying other uM info
- move along – nothing to see here :)