Jump to content

My Firefox Settings: Difference between revisions

From Copper9 Wiki
No edit summary
No edit summary
Line 1: Line 1:
== THIS ARTICLE IS IMPORTED FROM MY OLD NOTE-TAKING APP AND MAY BE OUTDATED ==
<blockquote>'''Note:''' This article is imported from an old note-taking app and may be outdated.</blockquote>


== Remove Add-ons ==
== Core Modifications & Bloatware Removal ==


Some guides, such as the [https://spyware.neocities.org/guides/firefox Spyware Watchdog Mitigation Guide], recommend deleting default plugins bundled within the Firefox directory that may introduce privacy concerns or act as bloatware.
Navigate to your Firefox features directory and remove unnecessary add-ons:
<syntaxhighlight lang="bash">
<syntaxhighlight lang="bash">
cd /usr/lib/firefox/browser/features
cd /usr/lib/firefox/browser/features
Line 8: Line 11:
</syntaxhighlight>
</syntaxhighlight>


== Firefox Settings for Hardening ==
'''List of bundled plugins commonly removed:'''
=== [https://github.com/awesome-windows11/firefox Awesome Firefox] ===
* <code>firefox@getpocket.com.xpi</code> — Pocket
=== [https://gist.github.com/atcuno/3425484ac5cce5298932#reqpluginsff atcuno's Privacy Guide] ===
* <code>followonsearch@mozilla.com.xpi</code> — Follow-On Search
=== [https://github.com/drduh/macOS-Security-and-Privacy-Guide#browser drduh's Guide] ===
* <code>activity-stream@mozilla.org.xpi</code> — Activity Stream
 
* <code>screenshots@mozilla.org.xpi</code> — Screenshots
=== [https://sunknudsen.com/privacy-guides sunknudsen's Guide] ===
* <code>onboarding@mozilla.org.xpi</code> — Onboarding
 
* <code>formautofill@mozilla.org.xpi</code> — Autofill
=== [https://wrongthink.link/posts/hardened-web-browser/ Wrongthink Guide] ===
* <code>webcompat@mozilla.org.xpi</code> — Web Compatibility Reporter
 
 
 
=== Disable Firefox SessionStore in about:config ===
 
=== Disable browser.urlbar.maxRichResults ===
 
=== about:support -> Places Database -> Verify Integrity ===
 
=== Turn Off Firefox Sidebar ===
Look [https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxPdfViewerSidebarOff here].
 
=== Disable Firefox Translator [https://xnacly.me/posts/2023/disable-firefox-translation/ here] ===


=== Disable Firefox Restricted Domains and Make uBlock more Agressive ===
== Configuration Tweaks (about:config) ==
Look [https://12bytes.org/tech/mozilla-wants-more-control-over-your-add-ons/ here] and [https://12bytes.org/ublock-origin-suggested-settings/ here].


=== Fingerprint.com's Blog [https://fingerprint.com/blog/browser-anti-fingerprinting-techniques/ Post] ===
=== Privacy, Security & Networking ===
; <code>network.trr.mode</code> : Set to <code>3</code> to force DNS over HTTPS (DoH) every time you make a DNS request, even if your DNS server doesn't respond. (Alternatively, change the "DNS protection" preference in Settings).
; <code>security.tls.version.min</code> : Set to <code>3</code> to enforce strict TLS standards.
; <code>network.http.referrer.spoofSource</code> : Set to <code>true</code>.
; <code>browser.display.use_document_fonts</code> : Set to <code>0</code> to mitigate font fingerprinting.
; <code>browser.urlbar.maxRichResults</code> : Set to <code>0</code> (or desired low number) to limit URL bar suggestions.
; <code>accessibility.blockautorefresh</code> : Set to <code>true</code> to disable forced redirections. Combining this with disabled CSS and JS yields raw, unmangled result links. [https://pedantic.software/fxc/blog/why_there_is_no_css_on_my_website.html (via Pedantic Software)]
; <code>browser.sessionstore.interval</code> : Set to a very high value to reduce disk writes and SessionStore tracking.


=== Disable CSS Visited Links ===
=== Media & Autoplay Limitations ===
Look [https://www.reddit.com/r/privacy/comments/15fddo0/retrieving_your_browsing_history_through_a/juf5br1/ here].
To disable autoplay and drastically reduce background video caching, apply the following:
* <code>media.autoplay.enabled</code> = <code>false</code>
* <code>media.cache_readahead_limit</code> = <code>0</code>
* <code>media.cache_resume_threshold</code> = <code>10</code>
* <code>media.autoplay.blocking_policy</code> = <code>1</code>
* <code>media.autoplay.allow-muted</code> = <code>false</code>


=== Firefox user.js generators ===
=== Experimental Social Settings ===
[https://ffprofile.com ffprofile.com]
''Note: These disable legacy social integrations. May not be necessary on modern versions.''
* <code>social.whitelist</code> = (leave empty)
* <code>social.toast-notifications.enabled</code> = <code>false</code>
* <code>social.shareDirectory</code> = (leave empty)
* <code>social.remote-install.enabled</code> = <code>false</code>
* <code>social.directories</code> = (leave empty)
* <code>social.share.activationPanelEnabled</code> = <code>false</code>


=== How to Block Pop-Ups in Firefox ===
=== Additional Hardening Actions ===
Look [https://support.mozilla.org/bm/questions/1369602 here]
* '''Disable Firefox SessionStore''': Search for <code>browser.sessionstore</code> in <code>about:config</code> and disable relevant telemetry/saving mechanisms.
* '''Disable CSS Visited Links''': Mitigates history-sniffing vulnerabilities. [https://www.reddit.com/r/privacy/comments/15fddo0/retrieving_your_browsing_history_through_a/juf5br1/ Read the Reddit discussion here.]


=== Chrome Extensions on Firefox ===
== User.js Templates & Generators ==
Look [https://news.slashdot.org/story/23/08/24/2233242/firefox-users-may-import-chrome-extensions-now?utm_source=rss1.0mainlinkanon&utm_medium=feed here]


=== Outdated but helpful [https://gist.github.com/atcuno/3425484ac5cce5298932 guide] ===
Instead of manually configuring <code>about:config</code>, you can use pre-configured <code>user.js</code> files.


=== Oh, [https://github.com/CISOfy/privacy-guide/blob/master/browser-security.md one more] ===
'''Generators:'''
 
* [https://ffprofile.com ffprofile.com] — Interactive <code>user.js</code> generator.
=== My Notes From ffprofile.com (with my opinions) ===
** ''Note on User-Agent Spoofing:'' While you can spoof your user-agent to a more common one (e.g., Chrome), doing so on Firefox can actually make your browser fingerprint [https://deviceinfo.me more unique] ([https://www.billdietrich.me/ComputerPrivacy.html alternative tools list]). Because Firefox's engine behaves differently than Chromium, mismatched engine/user-agent data is easily detectable. For common agents, see [https://techblog.willshouse.com/2012/01/03/most-common-user-agents/ Willhouse] or [https://www.whatismybrowser.com/guides/the-latest-user-agent/chrome WhatIsMyBrowser].
You can change your user-agent to more common than Firefox's default user-agent.
 
[https://techblog.willshouse.com/2012/01/03/most-common-user-agents/ This] website shows most common user-agents.
 
Or you can use [https://www.useragents.me/ this] or [https://www.whatismybrowser.com/guides/the-latest-user-agent/chrome this] website.
 
But because of Firefox isn't Chromium-based, it can make you [https://deviceinfo.me more unique] ([https://www.billdietrich.me/ComputerPrivacy.html list of alternative tools]) (because of some engine differences) instead less unique.
 
=== Templates ===
# [https://github.com/arkenfox/user.js/raw/master/user.js Arkenfox] (well-known)
# [https://raw.githubusercontent.com/pyllyukko/user.js/master/user.js Pyllyukko]
# [https://git.nixnet.services/Narsil/desktop_user.js/raw/branch/master/user.js Narsil's user.js] (privacy focused not security)


'''Popular Pre-configured Templates:'''
# [https://github.com/arkenfox/user.js/raw/master/user.js Arkenfox] (Highly recommended, well-known)
# [https://raw.githubusercontent.com/pyllyukko/user.js/master/user.js Pyllyukko] (Security focused)
# [https://git.nixnet.services/Narsil/desktop_user.js/raw/branch/master/user.js Narsil's user.js] (Privacy focused)
# [https://codeberg.org/polarhive/vulpes Vulpes]
# [https://codeberg.org/polarhive/vulpes Vulpes]
# [https://git.nixnet.services/Narsil/palemoon_user.js Narsil's user.js for Pale Moon] (for Pale Moon) (privacy focused not security)
# [https://git.nixnet.services/Narsil/palemoon_user.js Narsil's user.js for Pale Moon] (Privacy focused)
# [https://git.sr.ht/~krathalan/firefox-complement krathalan config]
# [https://git.sr.ht/~krathalan/firefox-complement krathalan config]
# [https://github.com/simeononsecurity/FireFox-Privacy-Script simeononsec FireFox Script]
# [https://github.com/simeononsecurity/FireFox-Privacy-Script simeononsec FireFox Script]
# [https://vermaden.wordpress.com/2024/03/18/sensible-firefox-setup/ vermaden]
# [https://vermaden.wordpress.com/2024/03/18/sensible-firefox-setup/ vermaden's Sensible Setup]
 
=== Guides for Firefox Hardening ===
[https://github.com/JArmandoG/Firefox-Hardening JArmandoG's Guide]
 
[https://spyware.neocities.org/guides/firefox Spyware Watchdog Mitigation Guide]
 
==== My Notes From JArmandoG's Guide ====
These are some about:config options to consider changing after applied user.js settings.
# security.tls.version.min -> 3
# network.http.referrer.spoofSource -> true
# browser.display.use_document_fonts -> 0
 
==== My Notes From Spyware Watchdog Guide ====
You need to delete several default plugins in Firefox directory at /path/to/Firefox/browser/features
 
(I.e. /usr/lib/Firefox/browser/features/) that can violate privacy:
 
* firefox@getpocket.com.xpi — Pocket
* followonsearch@mozilla.com.xpi — Follow-On Search
* activity-stream@mozilla.org.xpi — Activity Stream
* screenshots@mozilla.org.xpi — Screenshots
* onboarding@mozilla.org.xpi — Onboarding
* formautofill@mozilla.org.xpi — Autofill
* webcompat@mozilla.org.xpi — Web Compatibility Reporter
 
==== My Notes From Mullvad DNS Blog ====
In about:config make this: network.trr.mode -> 3
 
Or change the “DNS protection” preference in Settings.
 
It will force DNS over HTTPS every time you make a DNS request. (even if your DNS server doesn't respond)
 
==== My Notes From Unixsheikh ====
Look [https://unixsheikh.com/articles/choose-your-browser-carefully.html#tweaking-firefox here]
 
==== My Notes From [https://pedantic.software/fxc/blog/why_there_is_no_css_on_my_website.html Pedantic Software Blog] ====
“For Google, I take this even further: if redirections are disabled (in Firefox's about:config, set accessibility.blockautorefresh to true; this used to be available in the normal config dialog, in the good old days), in addition to both CSS and javascript being disabled, then you'll see a simple page with the unmangled results links.”
 
==== Config Page ====
[chrome://geckoview/content/config.xhtml Open it…]
[http://kb.mozillazine.org/Category:Firefox Wiki]


==== One More Thing ====
== Extensions & Add-ons ==
In about config, do this:


* media.autoplay.enabled -> false
* '''ximatrix''': A Firefox extension similar to uMatrix capable of blocking inline scripts and advanced requests. [https://github.com/xi/xiMatrix Source code available here].  
* media.cache_readahead_limit = 0
** ''Alternative:'' [https://gitler.moe/Wrongthink/paraMatrix paraMatrix] (a fork of ximatrix).
* media.cache_resume_threshold = 10
* '''Chrome Extensions on Firefox''': Firefox has introduced capabilities for importing Chrome extensions. [https://news.slashdot.org/story/23/08/24/2233242/firefox-users-may-import-chrome-extensions-now Read the Slashdot coverage].
* media.autoplay.blocking_policy = 1
* '''Extension Restrictions''': Mozilla occasionally restricts add-ons on specific domains. To disable these restrictions and allow uBlock Origin to operate aggressively everywhere, read [https://12bytes.org/tech/mozilla-wants-more-control-over-your-add-ons/ 12bytes' analysis] and their [https://12bytes.org/ublock-origin-suggested-settings/ uBlock suggested settings].
* media.autoplay.allow-muted -> false


This will disable autoplay and reduce video caching.
== Browser UI & Maintenance Tweaks ==


=== I don't know if it is necessary or not ===
* '''Verify Database Integrity''': Navigate to <code>about:support</code> -> Scroll down to '''Places Database''' -> Click '''Verify Integrity'''.
about:config settings but haven't tried it yet (I temporarily switched to Chromium)
* '''Turn Off Firefox Sidebar''': [https://utcc.utoronto.ca/~cks/space/blog/web/FirefoxPdfViewerSidebarOff Guide to disabling the PDF viewer sidebar].
* '''Disable Firefox Translator''': [https://xnacly.me/posts/2023/disable-firefox-translation/ Guide to disabling built-in local translation].
* '''Block Pop-Ups''': [https://support.mozilla.org/bm/questions/1369602 Mozilla Support thread on native pop-up blocking].
* '''GeckoView Config''': You can access deeper settings via [chrome://geckoview/content/config.xhtml chrome://geckoview/content/config.xhtml].


* social.whitelist -> nothing
== Comprehensive Hardening Guides & Reading ==
* social.toast-notifications.enabled -> false
* social.shareDirectory -> nothing
* social.remote-install.enabled -> false
* social.directories -> nothing
* social.share.activationPanelEnabled -> false
* browser.sessionstore.interval -> set it too high


=== ximatrix extension ===
* [https://github.com/awesome-windows11/firefox Awesome Firefox]
ximatrix is a Firefox extension similar to uMatrix. ximatrix can block anything that uMatrix can. It's also can block inline things.
* [https://github.com/JArmandoG/Firefox-Hardening JArmandoG's Firefox Hardening Guide]
You can look the code with [https://github.com/xi/xiMatrix this] link.
* [https://github.com/drduh/macOS-Security-and-Privacy-Guide#browser drduh's macOS Browser Privacy Guide]
Or you can use [https://gitler.moe/Wrongthink/paraMatrix paraMatrix] which is fork of ximatrix.
* [https://sunknudsen.com/privacy-guides sunknudsen's Privacy Guides]
* [https://wrongthink.link/posts/hardened-web-browser/ Wrongthink: Hardened Web Browser]
* [https://unixsheikh.com/articles/choose-your-browser-carefully.html#tweaking-firefox Unixsheikh: Tweaking Firefox]
* [https://spyware.neocities.org/guides/firefox Spyware Watchdog: Firefox Mitigation]
* [https://fingerprint.com/blog/browser-anti-fingerprinting-techniques/ Fingerprint.com: Browser Anti-Fingerprinting Techniques]
* [https://gist.github.com/atcuno/3425484ac5cce5298932 atcuno's Privacy Guide] (Outdated but helpful concepts)
* [https://github.com/CISOfy/privacy-guide/blob/master/browser-security.md CISOfy Browser Security Guide]
* [http://kb.mozillazine.org/Category:Firefox MozillaZine Firefox Wiki]


[[Category:Hardening]]
[[Category:Hardening]]

Revision as of 20:48, 17 May 2026

Note: This article is imported from an old note-taking app and may be outdated.

Core Modifications & Bloatware Removal

Some guides, such as the Spyware Watchdog Mitigation Guide, recommend deleting default plugins bundled within the Firefox directory that may introduce privacy concerns or act as bloatware.

Navigate to your Firefox features directory and remove unnecessary add-ons:

cd /usr/lib/firefox/browser/features
doas rm *.xpi

List of bundled plugins commonly removed:

  • firefox@getpocket.com.xpi — Pocket
  • followonsearch@mozilla.com.xpi — Follow-On Search
  • activity-stream@mozilla.org.xpi — Activity Stream
  • screenshots@mozilla.org.xpi — Screenshots
  • onboarding@mozilla.org.xpi — Onboarding
  • formautofill@mozilla.org.xpi — Autofill
  • webcompat@mozilla.org.xpi — Web Compatibility Reporter

Configuration Tweaks (about:config)

Privacy, Security & Networking

network.trr.mode
Set to 3 to force DNS over HTTPS (DoH) every time you make a DNS request, even if your DNS server doesn't respond. (Alternatively, change the "DNS protection" preference in Settings).
security.tls.version.min
Set to 3 to enforce strict TLS standards.
network.http.referrer.spoofSource
Set to true.
browser.display.use_document_fonts
Set to 0 to mitigate font fingerprinting.
browser.urlbar.maxRichResults
Set to 0 (or desired low number) to limit URL bar suggestions.
accessibility.blockautorefresh
Set to true to disable forced redirections. Combining this with disabled CSS and JS yields raw, unmangled result links. (via Pedantic Software)
browser.sessionstore.interval
Set to a very high value to reduce disk writes and SessionStore tracking.

Media & Autoplay Limitations

To disable autoplay and drastically reduce background video caching, apply the following:

  • media.autoplay.enabled = false
  • media.cache_readahead_limit = 0
  • media.cache_resume_threshold = 10
  • media.autoplay.blocking_policy = 1
  • media.autoplay.allow-muted = false

Experimental Social Settings

Note: These disable legacy social integrations. May not be necessary on modern versions.

  • social.whitelist = (leave empty)
  • social.toast-notifications.enabled = false
  • social.shareDirectory = (leave empty)
  • social.remote-install.enabled = false
  • social.directories = (leave empty)
  • social.share.activationPanelEnabled = false

Additional Hardening Actions

  • Disable Firefox SessionStore: Search for browser.sessionstore in about:config and disable relevant telemetry/saving mechanisms.
  • Disable CSS Visited Links: Mitigates history-sniffing vulnerabilities. Read the Reddit discussion here.

User.js Templates & Generators

Instead of manually configuring about:config, you can use pre-configured user.js files.

Generators:

  • ffprofile.com — Interactive user.js generator.
    • Note on User-Agent Spoofing: While you can spoof your user-agent to a more common one (e.g., Chrome), doing so on Firefox can actually make your browser fingerprint more unique (alternative tools list). Because Firefox's engine behaves differently than Chromium, mismatched engine/user-agent data is easily detectable. For common agents, see Willhouse or WhatIsMyBrowser.

Popular Pre-configured Templates:

  1. Arkenfox (Highly recommended, well-known)
  2. Pyllyukko (Security focused)
  3. Narsil's user.js (Privacy focused)
  4. Vulpes
  5. Narsil's user.js for Pale Moon (Privacy focused)
  6. krathalan config
  7. simeononsec FireFox Script
  8. vermaden's Sensible Setup

Extensions & Add-ons

  • ximatrix: A Firefox extension similar to uMatrix capable of blocking inline scripts and advanced requests. Source code available here.
  • Chrome Extensions on Firefox: Firefox has introduced capabilities for importing Chrome extensions. Read the Slashdot coverage.
  • Extension Restrictions: Mozilla occasionally restricts add-ons on specific domains. To disable these restrictions and allow uBlock Origin to operate aggressively everywhere, read 12bytes' analysis and their uBlock suggested settings.

Browser UI & Maintenance Tweaks

Comprehensive Hardening Guides & Reading