Jump to content

My Firefox Settings: Difference between revisions

From Copper9 Wiki
Created page with "== Remove Addons == <syntaxhighlight lang="bash"> cd /usr/lib/firefox/browser/features doas rm *.xpi </syntaxhighlight> == Firefox Settings for Hardening == === [https://github.com/awesome-windows11/firefox Awesome Firefox] and [https://gist.github.com/atcuno/3425484ac5cce5298932#reqpluginsff atcuno's Privacy Guide] and [https://github.com/drduh/macOS-Security-and-Privacy-Guide#browser drduh's Guide] === === [https://sunknudsen.com/privacy-guides Some Thingies] ===..."
 
 
(12 intermediate revisions by the same user not shown)
Line 1: Line 1:
== Remove Addons ==
<blockquote>'''Note:''' This article is imported from an old note-taking app and may be outdated.</blockquote>


== Core Modifications & Bloatware Removal ==
Some guides, such as the [https://spyware.neocities.org/guides/firefox Spyware Watchdog Mitigation Guide], recommend deleting default plugins bundled within the Firefox directory that may introduce privacy concerns or act as bloatware.
Navigate to your Firefox features directory and remove unnecessary add-ons:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cd /usr/lib/firefox/browser/features
cd /usr/lib/firefox/browser/features
doas rm *.xpi
sudo rm *.xpi
</syntaxhighlight>
</syntaxhighlight>


== Firefox Settings for Hardening ==
'''List of bundled plugins commonly removed:'''
 
* <code>firefox@getpocket.com.xpi</code> — Pocket
 
* <code>followonsearch@mozilla.com.xpi</code> — Follow-On Search
=== [https://github.com/awesome-windows11/firefox Awesome Firefox] and [https://gist.github.com/atcuno/3425484ac5cce5298932#reqpluginsff atcuno's Privacy Guide] and [https://github.com/drduh/macOS-Security-and-Privacy-Guide#browser drduh's Guide] ===
* <code>activity-stream@mozilla.org.xpi</code> — Activity Stream
 
* <code>screenshots@mozilla.org.xpi</code> — Screenshots
=== [https://sunknudsen.com/privacy-guides Some Thingies] ===
* <code>onboarding@mozilla.org.xpi</code> — Onboarding
 
* <code>formautofill@mozilla.org.xpi</code> — Autofill
=== [https://wrongthink.link/posts/hardened-web-browser/ Some One More Guide] ===
* <code>webcompat@mozilla.org.xpi</code> — Web Compatibility Reporter
 
 
 
=== Disable Firefox SessionStore in about:config ===
 
=== Disable browser.urlbar.maxRichResults ===
 
=== about:support -> Places Database -> Verify Integrity ===
 
=== Turn Off Firefox Sidebar ===
Look [https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxPdfViewerSidebarOff here].
 
=== Disable Firefox Translator [https://xnacly.me/posts/2023/disable-firefox-translation/ here] ===
 
=== Disable Firefox Restricted Domains and Make uBlock more Agressive ===
Look [https://12bytes.org/tech/mozilla-wants-more-control-over-your-add-ons/ here] and [https://12bytes.org/ublock-origin-suggested-settings/ here].
 
=== Fingerprint.com's Blog [https://fingerprint.com/blog/browser-anti-fingerprinting-techniques/ Post] ===
 
=== Disable CSS Visited Links ===
Look [https://www.reddit.com/r/privacy/comments/15fddo0/retrieving_your_browsing_history_through_a/juf5br1/ here].


=== Firefox user.js generators ===
== Configuration Tweaks (about:config) (if user.js does not cover them) ==
[https://ffprofile.com ffprofile.com]


=== How to Block Pop-Ups in Firefox ===
=== Privacy, Security & Networking ===
Look [https://support.mozilla.org/bm/questions/1369602 here]
; <code>accessibility.blockautorefresh</code> : Set to <code>true</code> to disable forced redirections. Combining this with disabled CSS and JS yields raw, unmangled result links. [https://pedantic.software/fxc/blog/why_there_is_no_css_on_my_website.html (via Pedantic Software)]
; <code>browser.sessionstore.interval</code> : Set to a very high value to reduce disk writes and SessionStore tracking.


=== Chrome Extensions on Firefox ===
=== Additional Hardening Actions ===
Look [https://news.slashdot.org/story/23/08/24/2233242/firefox-users-may-import-chrome-extensions-now?utm_source=rss1.0mainlinkanon&utm_medium=feed here]
* '''Disable Firefox SessionStore''': Search for <code>browser.sessionstore</code> in <code>about:config</code> and disable relevant telemetry/saving mechanisms.
* '''Disable CSS Visited Links''': Mitigates history-sniffing vulnerabilities. [https://www.reddit.com/r/privacy/comments/15fddo0/retrieving_your_browsing_history_through_a/juf5br1/ Read the Reddit discussion here.]


=== Outdated but helpful [https://gist.github.com/atcuno/3425484ac5cce5298932 guide] ===
== User.js Templates & Generators ==


=== Oh, [https://github.com/CISOfy/privacy-guide/blob/master/browser-security.md one more] ===
Instead of manually configuring <code>about:config</code>, you can use pre-configured <code>user.js</code> files.


=== My Notes From ffprofile.com (with my opinions) ===
To use a <code>user.js</code> file, you need to place it in your Firefox profile directory. This file is read every time Firefox starts, overriding any matching settings in <code>about:config</code> or <code>prefs.js</code>:
You can change your user-agent to more common than Firefox's default user-agent.


[https://techblog.willshouse.com/2012/01/03/most-common-user-agents/ This] website shows most common user-agents.
# Navigate to <code>about:support</code> in your URL bar.
# Find the '''Profile Directory''' row and click the '''Open Directory''' button.
# Create a new text file in this directory and name it exactly <code>user.js</code>.
# Open the file using a text editor.
# Paste your desired configuration settings from the templates below into the file and save it.
# Restart Firefox for the changes to take effect.


Or you can use [https://www.useragents.me/ this] or [https://www.whatismybrowser.com/guides/the-latest-user-agent/chrome this] website.
'''Generators:'''
 
* [https://ffprofile.com ffprofile.com] — Interactive <code>user.js</code> generator.
But because of Firefox isn't Chromium-based, it can make you [https://deviceinfo.me more unique] ([https://www.billdietrich.me/ComputerPrivacy.html list of alternative tools]) (because of some engine differences) instead less unique.
** ''Note on User-Agent Spoofing:'' While you can spoof your user-agent to a more common one (e.g., Chrome), doing so on Firefox can actually make your browser fingerprint [https://deviceinfo.me more unique] ([https://www.billdietrich.me/ComputerPrivacy.html alternative tools list]). Because Firefox's engine behaves differently than Chromium, mismatched engine/user-agent data is easily detectable. For common agents, see [https://techblog.willshouse.com/2012/01/03/most-common-user-agents/ Willhouse] or [https://www.whatismybrowser.com/guides/the-latest-user-agent/chrome WhatIsMyBrowser].
 
=== Templates ===
# [https://github.com/arkenfox/user.js/raw/master/user.js Arkenfox] (well-known)
# [https://raw.githubusercontent.com/pyllyukko/user.js/master/user.js Pyllyukko]
# [https://git.nixnet.services/Narsil/desktop_user.js/raw/branch/master/user.js Narsil's user.js] (privacy focused not security)


'''Popular Pre-configured Templates:'''
# [https://github.com/arkenfox/user.js/raw/master/user.js Arkenfox] (Highly recommended, well-known)
# [https://raw.githubusercontent.com/pyllyukko/user.js/master/user.js Pyllyukko] (Security focused)
# [https://git.nixnet.services/Narsil/desktop_user.js/raw/branch/master/user.js Narsil's user.js] (Privacy focused) (I use this one)
# [https://codeberg.org/polarhive/vulpes Vulpes]
# [https://codeberg.org/polarhive/vulpes Vulpes]
# [https://git.nixnet.services/Narsil/palemoon_user.js Narsil's user.js for Pale Moon] (for Pale Moon) (privacy focused not security)
# [https://git.nixnet.services/Narsil/palemoon_user.js Narsil's user.js for Pale Moon] (Privacy focused)
# [https://git.sr.ht/~krathalan/firefox-complement krathalan config]
# [https://git.sr.ht/~krathalan/firefox-complement krathalan config]
# [https://github.com/simeononsecurity/FireFox-Privacy-Script simeononsec FireFox Script]
# [https://github.com/simeononsecurity/FireFox-Privacy-Script simeononsec FireFox Script]
# [https://vermaden.wordpress.com/2024/03/18/sensible-firefox-setup/ vermaden]
# [https://vermaden.wordpress.com/2024/03/18/sensible-firefox-setup/ vermaden's Sensible Setup]
 
=== Guides for Firefox Hardening ===
[https://github.com/JArmandoG/Firefox-Hardening JArmandoG's Guide]
 
[https://spyware.neocities.org/guides/firefox Spyware Watchdog Mitigation Guide]
 
==== My Notes From JArmandoG's Guide ====
These are some about:config options to consider changing after applied user.js settings.
# security.tls.version.min -> 3
# network.http.referrer.spoofSource -> true
# browser.display.use_document_fonts -> 0
 
==== My Notes From Spyware Watchdog Guide ====
You need to delete several default plugins in Firefox directory at /path/to/Firefox/browser/features
 
(I.e. /usr/lib/Firefox/browser/features/) that can violate privacy:
 
* firefox@getpocket.com.xpi — Pocket
* followonsearch@mozilla.com.xpi — Follow-On Search
* activity-stream@mozilla.org.xpi — Activity Stream
* screenshots@mozilla.org.xpi — Screenshots
* onboarding@mozilla.org.xpi — Onboarding
* formautofill@mozilla.org.xpi — Autofill
* webcompat@mozilla.org.xpi — Web Compatibility Reporter
 
==== My Notes From Mullvad DNS Blog ====
In about:config make this: network.trr.mode -> 3
 
Or change the "DNS protection" preference in Settings.


It will force DNS over HTTPS every time you make a DNS request. (even if your DNS server doesn't respond)
== Extensions & Add-ons ==


==== My Notes From Unixsheikh ====
* '''ximatrix''': A Firefox extension similar to uMatrix capable of blocking inline scripts and advanced requests. [https://github.com/xi/xiMatrix Source code available here].
Look [https://unixsheikh.com/articles/choose-your-browser-carefully.html#tweaking-firefox here]
** ''Alternative:'' [https://gitler.moe/Wrongthink/paraMatrix paraMatrix] (a fork of ximatrix).
* '''Chrome Extensions on Firefox''': Firefox has introduced capabilities for importing Chrome extensions. [https://news.slashdot.org/story/23/08/24/2233242/firefox-users-may-import-chrome-extensions-now Read the Slashdot coverage].
* '''Extension Restrictions''': Mozilla occasionally restricts add-ons on specific domains. To disable these restrictions and allow uBlock Origin to operate aggressively everywhere, read [https://12bytes.org/tech/mozilla-wants-more-control-over-your-add-ons/ 12bytes' analysis] and their [https://12bytes.org/ublock-origin-suggested-settings/ uBlock suggested settings].


==== My Notes From [https://pedantic.software/fxc/blog/why_there_is_no_css_on_my_website.html Pedantic Software Blog] ====
== Browser UI & Maintenance Tweaks ==
"For google, I take this even further: if redirections are disabled (in Firefox's about:config, set accessibility.blockautorefresh to true; this used to be available in the normal config dialog, in the good old days), in addition to both CSS and javascript being disabled, then you'll see a simple page with the unmangled results links."


==== Config Page ====
* '''Verify Database Integrity''': Navigate to <code>about:support</code> -> Scroll down to '''Places Database''' -> Click '''Verify Integrity'''.
[chrome://geckoview/content/config.xhtml Open it...]
* '''Turn Off Firefox Sidebar''': [https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxPdfViewerSidebarOff Guide to disabling the PDF viewer sidebar].
[http://kb.mozillazine.org/Category:Firefox Wiki]
* '''Disable Firefox Translator''': [https://xnacly.me/posts/2023/disable-firefox-translation/ Guide to disabling built-in local translation].
* '''Block Pop-Ups''': [https://support.mozilla.org/bm/questions/1369602 Mozilla Support thread on native pop-up blocking].
* '''GeckoView Config''': You can access deeper settings via [chrome://geckoview/content/config.xhtml chrome://geckoview/content/config.xhtml].


==== One More Thing ====
=== Custom GUI Settings ===
In about config, do this:
Navigate to the standard Firefox Settings (<code>about:preferences</code>) to adjust the following:


* media.autoplay.enabled -> false
'''General'''
* media.cache_readahead_limit = 0
* '''Tabs:''' Enable ''Open links in tabs instead of new windows''. Disable ''Show an image preview when you hover on a tab'' and disable ''Enable link previews''.
* media.cache_resume_threshold = 10
* '''Fonts:''' Uncheck ''Allow pages to choose their own fonts, instead of your selections above''.
* media.autoplay.blocking_policy = 1
* '''Language:''' Set to English (US). Enable ''Request English versions of web pages for enhanced privacy''. Disable ''Enable full page translations''.
* media.autoplay.allow-muted -> false
* '''Typing:''' Disable ''Check your spelling as you type''.
* '''Browsing & Media:''' Disable ''Enable picture-in-picture video controls'' and ''Control media via keyboard, headset, or virtual interface''.


This will disable autoplay and reduce video caching.
'''Home'''
* '''New Windows and Tabs:''' Set both ''Homepage and new windows'' and ''New tabs'' to '''Blank Page'''.


=== I don't know if it is necessary or not ===
'''Search'''
about:config settings but haven't tried it yet (I temporarily switched to Chromium)
* '''Default Search Engine:''' Switch to a privacy-respecting alternative like <code>lite.duckduckgo.com</code>, or your own self-hosted '''SearXNG''' or '''4get''' instance.
* '''Search Suggestions:''' Disable ''Show search suggestions''.


* social.whitelist -> nothing
'''Privacy & Security'''
* social.toast-notifications.enabled -> false
* '''Tracking Protection:''' Set Enhanced Tracking Protection to '''Strict''' (disable ''Fix major site issues'' if opting for absolute strictness without exceptions).
* social.shareDirectory -> nothing
* '''Global Privacy Control:''' Enable ''Tell websites not to sell or share my data''.
* social.remote-install.enabled -> false
** ''Note:'' You can also explicitly enable the Do Not Track header by setting <code>privacy.donottrackheader.enabled</code> to <code>true</code> via the hidden <code>about:config</code> entry.
* social.directories -> nothing
* '''Cookies and Site Data:''' Enable ''Delete cookies and site data when Firefox is closed''.
* social.share.activationPanelEnabled -> false
* '''Logins and Passwords:''' Disable saving passwords, payments, and addresses.
* browser.sessionstore.interval -> set it too high
* '''History:''' Set to ''Use custom settings for history'' and enable ''Clear history when Firefox closes''.
* '''Permissions:''' Disallow all requests (Location, Camera, Microphone, Notifications, etc.). Enable ''Block pop-up windows'' and ''Warn you when websites try to install add-ons''.
* '''Data Collection and Use:''' Disallow/uncheck all telemetry and data collection options.
* '''Security:''' Enable ''HTTPS-Only Mode in all windows''.
* '''DNS over HTTPS:''' Set to '''Max Protection''' and select a privacy-friendly provider.


=== ximatrix extension ===
== Comprehensive Hardening Guides & Reading ==
ximatrix is a Firefox extension similar to uMatrix. ximatrix can block anything that uMatrix can. It's also can block inline things.
You can look the code with [https://github.com/xi/xiMatrix this] link.
Or you can use [https://gitler.moe/Wrongthink/paraMatrix paraMatrix] which is fork of ximatrix.


=== Enable Wayland ===
* [https://github.com/awesome-windows11/firefox Awesome Firefox]
Search about it and enable Wayland support in Firefox.
* [https://github.com/JArmandoG/Firefox-Hardening JArmandoG's Firefox Hardening Guide]
* [https://github.com/drduh/macOS-Security-and-Privacy-Guide#browser drduh's macOS Browser Privacy Guide]
* [https://sunknudsen.com/privacy-guides sunknudsen's Privacy Guides]
* [https://wrongthink.link/posts/hardened-web-browser/ Wrongthink: Hardened Web Browser]
* [https://unixsheikh.com/articles/choose-your-browser-carefully.html#tweaking-firefox Unixsheikh: Tweaking Firefox]
* [https://spyware.neocities.org/guides/firefox Spyware Watchdog: Firefox Mitigation]
* [https://fingerprint.com/blog/browser-anti-fingerprinting-techniques/ Fingerprint.com: Browser Anti-Fingerprinting Techniques]
* [https://gist.github.com/atcuno/3425484ac5cce5298932 atcuno's Privacy Guide] (Outdated but helpful concepts)
* [https://github.com/CISOfy/privacy-guide/blob/master/browser-security.md CISOfy Browser Security Guide]
* [http://kb.mozillazine.org/Category:Firefox MozillaZine Firefox Wiki]


[[Category:Hardening]]
[[Category:Hardening]]

Latest revision as of 11:09, 18 May 2026

Note: This article is imported from an old note-taking app and may be outdated.

Core Modifications & Bloatware Removal

[edit | edit source]

Some guides, such as the Spyware Watchdog Mitigation Guide, recommend deleting default plugins bundled within the Firefox directory that may introduce privacy concerns or act as bloatware.

Navigate to your Firefox features directory and remove unnecessary add-ons:

cd /usr/lib/firefox/browser/features
sudo rm *.xpi

List of bundled plugins commonly removed:

  • firefox@getpocket.com.xpi — Pocket
  • followonsearch@mozilla.com.xpi — Follow-On Search
  • activity-stream@mozilla.org.xpi — Activity Stream
  • screenshots@mozilla.org.xpi — Screenshots
  • onboarding@mozilla.org.xpi — Onboarding
  • formautofill@mozilla.org.xpi — Autofill
  • webcompat@mozilla.org.xpi — Web Compatibility Reporter

Configuration Tweaks (about:config) (if user.js does not cover them)

[edit | edit source]

Privacy, Security & Networking

[edit | edit source]
accessibility.blockautorefresh
Set to true to disable forced redirections. Combining this with disabled CSS and JS yields raw, unmangled result links. (via Pedantic Software)
browser.sessionstore.interval
Set to a very high value to reduce disk writes and SessionStore tracking.

Additional Hardening Actions

[edit | edit source]
  • Disable Firefox SessionStore: Search for browser.sessionstore in about:config and disable relevant telemetry/saving mechanisms.
  • Disable CSS Visited Links: Mitigates history-sniffing vulnerabilities. Read the Reddit discussion here.

User.js Templates & Generators

[edit | edit source]

Instead of manually configuring about:config, you can use pre-configured user.js files.

To use a user.js file, you need to place it in your Firefox profile directory. This file is read every time Firefox starts, overriding any matching settings in about:config or prefs.js:

  1. Navigate to about:support in your URL bar.
  2. Find the Profile Directory row and click the Open Directory button.
  3. Create a new text file in this directory and name it exactly user.js.
  4. Open the file using a text editor.
  5. Paste your desired configuration settings from the templates below into the file and save it.
  6. Restart Firefox for the changes to take effect.

Generators:

  • ffprofile.com — Interactive user.js generator.
    • Note on User-Agent Spoofing: While you can spoof your user-agent to a more common one (e.g., Chrome), doing so on Firefox can actually make your browser fingerprint more unique (alternative tools list). Because Firefox's engine behaves differently than Chromium, mismatched engine/user-agent data is easily detectable. For common agents, see Willhouse or WhatIsMyBrowser.

Popular Pre-configured Templates:

  1. Arkenfox (Highly recommended, well-known)
  2. Pyllyukko (Security focused)
  3. Narsil's user.js (Privacy focused) (I use this one)
  4. Vulpes
  5. Narsil's user.js for Pale Moon (Privacy focused)
  6. krathalan config
  7. simeononsec FireFox Script
  8. vermaden's Sensible Setup

Extensions & Add-ons

[edit | edit source]
  • ximatrix: A Firefox extension similar to uMatrix capable of blocking inline scripts and advanced requests. Source code available here.
  • Chrome Extensions on Firefox: Firefox has introduced capabilities for importing Chrome extensions. Read the Slashdot coverage.
  • Extension Restrictions: Mozilla occasionally restricts add-ons on specific domains. To disable these restrictions and allow uBlock Origin to operate aggressively everywhere, read 12bytes' analysis and their uBlock suggested settings.

Browser UI & Maintenance Tweaks

[edit | edit source]

Custom GUI Settings

[edit | edit source]

Navigate to the standard Firefox Settings (about:preferences) to adjust the following:

General

  • Tabs: Enable Open links in tabs instead of new windows. Disable Show an image preview when you hover on a tab and disable Enable link previews.
  • Fonts: Uncheck Allow pages to choose their own fonts, instead of your selections above.
  • Language: Set to English (US). Enable Request English versions of web pages for enhanced privacy. Disable Enable full page translations.
  • Typing: Disable Check your spelling as you type.
  • Browsing & Media: Disable Enable picture-in-picture video controls and Control media via keyboard, headset, or virtual interface.

Home

  • New Windows and Tabs: Set both Homepage and new windows and New tabs to Blank Page.

Search

  • Default Search Engine: Switch to a privacy-respecting alternative like lite.duckduckgo.com, or your own self-hosted SearXNG or 4get instance.
  • Search Suggestions: Disable Show search suggestions.

Privacy & Security

  • Tracking Protection: Set Enhanced Tracking Protection to Strict (disable Fix major site issues if opting for absolute strictness without exceptions).
  • Global Privacy Control: Enable Tell websites not to sell or share my data.
    • Note: You can also explicitly enable the Do Not Track header by setting privacy.donottrackheader.enabled to true via the hidden about:config entry.
  • Cookies and Site Data: Enable Delete cookies and site data when Firefox is closed.
  • Logins and Passwords: Disable saving passwords, payments, and addresses.
  • History: Set to Use custom settings for history and enable Clear history when Firefox closes.
  • Permissions: Disallow all requests (Location, Camera, Microphone, Notifications, etc.). Enable Block pop-up windows and Warn you when websites try to install add-ons.
  • Data Collection and Use: Disallow/uncheck all telemetry and data collection options.
  • Security: Enable HTTPS-Only Mode in all windows.
  • DNS over HTTPS: Set to Max Protection and select a privacy-friendly provider.

Comprehensive Hardening Guides & Reading

[edit | edit source]