The Ghacks user.js Firefox privacy and security list has been updated
We released a privacy and security settings list for the Firefox web browser back in August 2015. That list, created by Ghacks reader Pants, has been updated regularly since then.
The newest version of it, featuring hundreds of advanced preferences for Firefox, has been released today. The latest version of the preferences list contains 298 different preferences for Firefox, and it is growing with every release.
With the release come fundamental changes to the layout of the list, how it is made available, and its format among other things.
You can click on the link at the top to visit the updated article that lists download options and each entry in article format directly on the site, or, and that is a first, use the newly created HTML versions instead which offer better formatting altogether.
Pants has created a light and dark version, and both are included in the archive that you can download so that you can access both HTML documents locally on your system.
You can download the archive containing all files including both HTML templates, the user.js file and the changelog with a click on the following download link: (Download Removed)
You are probably wondering what has changed in version 0.08 of the ghacks user.js file:
BIG change in format
- Â section headers use /*** and subsequent section lines are indented 5 spaces
- numbered preference items use // and subsequent commented lines are indented 3 spaces, including commented out user_pref
- tried to use 95 characters as a column width (basically there's about 8 lines over 95 characters, nothing over 105)
- the two changes above make it far easier to spot each numbered item and commented out or active preference in an IDE (even with color coding), and the shorter lines will benefit the posted version on Ghacks and improve readability (no need to turn on word wrap in your IDE or swivel your head too far)
Quite a bit of rewording on prefs to read better. I also added in or replaced existing links on quite a few prefs as well.
An HTML version is provided. It's color coded, for example all "warning:" 's are red (the word not the actual warning itself), the section headers stand out, and so on. You'll see. Also links are all hyper-linked to open in a new tab.
Revamped the intro section at the top to make more sense and to highlight important information better such as the need to make a backup before you apply changes or go through them to make sure you don't run into any inconveniences or issues.
Actual Change log
* various extra links, info, rewording
+ added 0101 browser.usedOnWindows10.introURL
! fixed 033b typo datareporting.healthreport.about.reportUrlInified (wrong) datareporting.healthreport.about.reportUrlUnified (correct)
> split 0373a (reader view) out of 0373 (pocket)
+ added 0373 browser.pocket.oAuthConsumerKey
+ added 0411 browser.safebrowsing.reportPhishMistakeURL (a heap of other prefs in 0411 went to deprecated)
+ added 0411b added six new safebrowsing prefs from FF43
+ added 0421a disabling SSL error reporting
+ added 0603a something to do with necko (captivedetect.canonicalURL). I killed it weeks ago and no effects
* changed 0807 all 3 history manipulation preferences values changed - these are MY settings, you may not like em
+ added 1006 browser.sessionhistory.max_total_viewers
* changed 1206 security.OCSP.require from false to true (now the default value in FF43) - BUT this is one that causes breakage
* changed 1208 cert pinning - I uncommented it, so it is now active on a strick setting of 2
+ added 1209 settings to enforce the TLS minimum version
+ added 1210 disable 1024-DH Encryption
* changed 1401 downloadable fonts are now blocked (these are my settings)
+ added 1404 default fonts - these have been uncommented and are LIVE. This is my user.js after all and since I block downloadable fonts, I'm tweaking. Two of the three fonts are different so far from
LATIN defaults. The web doesn't really uglify that much without DL'ed fonts. You get used to it.
* changed 1805 disabled plugin scanning is uncommented out, so unless you change it, you'll have no plugins
* changed 1807 disable auto-play of html5 media - was live, is now commented out
+ added 2001 media.peerconnection.turn.disable
+ added 2001a preference that if you have WebRTC enabled, this fixes the IP Leak
+ added 2004 browser.link.open_newwindow.restriction, commented out (its really there for TOR about leaking screen res, which we cant stop in FF anyway)
+ added 2413 2 x dom.vr.oculus prefs
* changed 2418 full-screen API is now uncommented and set to block full-screen
+ added 2419 dom.w3c_touch_events.enabled
+ added 2420 disable support for asm.js
+ added 2430 disable web/push notifications (this is a global default, you can allow changes via site permissions)
+ added 2431 disable push notifications (was previously 2420 with one pref, now has five prefs) just on a side note: I'm not sure if push has security or privacy issues (well, privacy yes due to the fact apps can notify even when the app is not loaded or focused), but for now it seems like bloat. It's also more in line with the keeping FF quiet mantra.
* changed 2619 network redirect limit is uncommented and now live at a value 10
+ added 2620 middlemouse.contentLoadURL
+ added 2621 disable IPv6 (commented out - its been added to warning people not to disable IPv6)
+ added 2622 security.dialog_enable_delay (added to enforce to people they should have a delay)
+ added 3006 disabling enforced addon signing
+ added 3007 open new windows in a new tab
+ added 3008 disable "Do you really want to leave this site?" popups
+ added 3009 turn on APZ (Async Pan/Zoom)
+ deprecated section: read it: tons of stuff got moved into here
3001a: full-screen-api.approval-required
0411: 8 x safebrowsing prefs
1803: pfs.datasource.url
3001a: full-screen-api.approval-required
2615: a http2 pref
0309+0310 two plugin prefs: are supposed to be deprecated in FF43, but they wont delete.
They may be legacy code, but for now they can stay uncommented
Thanks
My thanks go out to Pants who put an incredible amount of work into creating the list and maintaining it. Without him, the list would not exist.
Please provide feedback on the update, the new format, the HTML versions of the list, preferences, and anything else you can think of that help us make the list even better than it is right now.
NOTICE: I will no longer monitor any of the comments on the various ghacks user.js articles. If you have any suggestions or questions, use the official repo at github: https://github.com/ghacksuserjs/ghacks-user.js/issues
Have been using user.js [ghacks]-0.08.js on FF 47.0, Arch linux for a few weeks.
user_pref(“extensions.webservice.discoverURL”, “http://127.0.0.1”);
prevents Add-ons page to load, if dnscrypt-proxy is enabled.
user_pref(“security.tls.version.min”, 2);
prevents https://goes-app.cbp.dhs.gov/main/goes to load.
Thank you.
There is a version 10 you know :) Use the link back to the original article
For your information and mainly for those who have disabled Firefox’s HELLO (loop) :
I was having a look at my about:support page when I noticed the presence of an add-on in the ‘Extensions’ list that I had never installed :
NAME: Firefox Hello Beta 0.1
ID: loop@mozilla.org
I then went to check on my about:addons page and that add-on wasn’t listed!
I finally discovered that the add-on had been added by Firefox itself as :
c:\Program Files\Mozilla Firefox\browser\features\loop@mozilla.org.xpi
(c:\Program Files\Mozilla Firefox\ is my Firefox x64 install folder)
I removed the loop@mozilla.org.xpi extension file from the folder and ‘Firefox Hello Beta 0.1′ has disappeared accordingly from my about:support Extensions’ list.
No idea how, when this sneaky loop@mozilla.org.xpi extension got installed.
I’m on FF44 – I run portable versions (I can either update it from within the program or grab a new PAF from portableapps.com) – I’ll keep an eye out when I upgrade
Hence we can leave it or delete this xpi file in its ‘features’ folder mentioned above, but not simply disable it as it is what they call a ‘system add-on” … unless it be with CCleaner! where this system add-on appears as all other add-ons in CCleaner -> Tools -> Browser plug-ins -> Firefox — This can be an interesting work-around even if, as you mention it, this particular system add-on can’t do harm on a Firefox where loop is disabled, but worth being noted I guess for future ‘system add-ons’ as long as Firefox won’t offer the option to disable them as it does now for regular add-ons.
Confirmed. Came in the FF45 update (both new and updated via the interface). Since it’s part of the software (rather than in the user’s profile) I expect it will be there in every update. “\browser\features\” will need some monitoring (not that there’s anything nefarious about it, the loop xpi probably doesn’t even matter at all if the preferences were set – but prefs are a per user settings, that xpi is for all users)
nothing like that here … beta huh .. probably its an old remnant from much earlier
Sorry for being so personal but I cannot edit my past comments here.
More info about the issue : winaero dot com/blog/how-to-disable-and-uninstall-firefox-hello-add-on/
Anyone refusing Firefox’s Hello should read this.
Just had a look at Firefox 15 install log :
c:\Program Files\Mozilla Firefox\install.log
Installing main files /
Installed File: C:\Program Files\Mozilla Firefox\browser\features\loop@mozilla.org.xpi
It was installed by Firefox 45 itself.
I always install Firefox updates the clean way : uninstall running version then install new one (keeping of course my profile), which means this extension was included in Firefox 45 ‘features’ folder OR was installed afterwards but not by me. This ‘features’ folder is dated 15 mar 2016 when others have the Firefox install date of 8 mar 2016, but 15 mar 2016 23:25 is the time I removed the extension from that folder hence re-dating it obviously when restarting Firefox.
I’d have to do a clean install again to confirm, but what is certain is that I have not installed that add-on and if I had it would appear in my profile, not in a Firefox’s install sub-folder. This is weird. Moreover because you haven’t this issue.
Do you know what could be causing YouTube comments not to display (perpetual loading)? With all extensions disabled they still don’t load. Thank you.
I’m not sure. I have actually relaxed my own version. I am so sick and tired of fighting the web (so I have other solutions which allow a per site control – so many settings in FF now are better handled by extensions on a more granular level). I believe your problem will be dom storage and cookies for youtube.
of all the items under listed under the common issues, I have disabled (and reset in about:config) the following. That is, in the user.js file, comment them out with //, and then in about:config find the entry and right click and reset/
0807 – set all three to true (this is the history manipulation which screws with the navigation and urls) – YOU WILL want to do this if you use youtube a lot
2201 – set to true (this is the context menu) – probably not relevant to your problem
2401 – THIS ONE DUDE – make sure dom storage is set to true
Also allow cookies for youtube – not sure what your default is, but under the site permissions (click on the green padlock in the url bar, from the info that slides down click on the right arrow, then click on more information, then click on permissions and under “set cookies” overide the default by selecting allow or allow for session – you get the idea)
I don’t have a youtube/google account, and I never even look at comments, but as soon as I allowed youtube cookies + dom (using cookie controller), comments loaded. Let me know if it worked.
That’s a great list. Thanks.
I’m using it in Cyberfox 44 instead of FF 44 and it seems to be compatible.
I had to set 0807…
user_pref(“browser.history.allowPopState”, true);
user_pref(“browser.history.allowPushState”, true);
user_pref(“browser.history.allowReplaceState”, true);
…back to “true” because it was breaking the back function in Google Images.
I set 1603 to…
user_pref(“network.http.sendRefererHeader”, 0);
user_pref(“network.http.referer.spoofSource”, false);
…and use the ‘Change Referer Button’ extension instead.
When the referer is “0” or “1” it breaks Instagram. By the way they format their referer ‘RefControl’ doesn’t resolve, so I’ve found it better to leave it set to “0” by default and then use the button to change it to “2” when needed. (Which so far, for me, is only for Instagram)
I use uMatrix so 2401-2-3-4 are all REM’d out. (you know what I mean).
I had to turn back on 2418…
user_pref(“full-screen-api.enabled”, true);
…to allow Youtube to fullscreen.
Last, in 2803-4 I turn Cookies and Session to True and only leave Passwords at False.
If I close my browser I want everything gone except for non-sensitive passwords. Any sensitive passwords should be stored outside of the browser anyway in LastPass, or better yet, in KeePass.
I am surprised though that there were no performance tweaks at all. I know it’s not security or privacy, but I really figured at least connections and pipelining would be set for optimal.
Anyway, Thanks again for all the time, effort, and energy.
The vast majority of all those performance tweaks are a load of crap. There are too many real world variables for there to be a one-suits-all magic solution.
Glad to see you like the list and took the time to modify the entries to suit :)
Some of the items are better handled by extensions. This is one reason I don’t add referrer settings to spoof or block or anything (1603 is commented out). I personally use RefControl with a default block, and whitelist a few to forge or allow. Same with cookies (yes I included block all in the settings under custom), I use Cookie Controller with a default block all and then fine tune some session, some 1st party only. Passwords saved, cleared on close (same with form data, history, search history etc) – I leave that up to the end users really – especially as a lot of it is directly available in the options interface. Although I am slowly adding more prefs in in order to build a more comprehensive list and to easily migrate settings to new setups, clients, forks.
Speaking of forks, a setting certainly can’t hurt, even if it is legacy – eg quite a lot of these won’t made an iota of difference to PaleMoon, but a lot will :) I’m sure someone could check/remove anything that doesn’t exist in a vanilla PM and post it somewhere – like in the PM forums.
Which setting would I need to change to stop the console warning “Use of getPreventDefault() is deprecated. Use defaultPrevented instead”?
Nothing to do with user.js and firefox preferences. I suspect it has something to do with an extension or a particular website (or JS library) ?
I’ve discovered a new about:config setting that I’ll mention here even if it concerns memory rather than privacy or security. I’ve added it to a section of my user.js that I named “Cache related”
memory.free_dirty_pages – default is false, suggested is true.
What does it concern?
A quote :
“When freeing memory jemalloc keeps a bunch of empty pages around in order to speed up future allocations. Having been used these pages are dirty and thus will show up as part of the resident set of a process even if in practice they are not being used. Set to true frees up the dirty pages jemalloc keeps around.”
For whom may find this setting interesting.
https://bugzilla.mozilla.org/show_bug.cgi?id=805855#c49
Unless you’re really desperate for memory, I don’t think this saves much. To be honest, it just sounds like making FF do more work – as fast as you close pages, you open them again. It’s like freeing up RAM and then instantly filling it back up. That’s what it’s there for. That’s my take anyway.
PS: memory concerns privacy/security. TBB is always trying to harden against these things, but at the end of the day, some things are really an OS function = GPU memory, page files, swap files, RAM and so on. If someone is poking around in my RAM and page files, I’ll just assume I’m compromised already :)
The only overall cache/memory pref I’ve turned on is having the disk cache off (1. forensics and 2. killing writes on SSDs). Anything else is better left to FF to handle I think, otherwise it will probably impact performance – eg 1003, 1006. The only other thing I do is to clear my memory cache periodically (using an extension).
I’ve set disk cache off as well and increased memory’s cache to 512000, best value on my system after having tested with less and more.
Concerning the memory.free_dirty_pages setting I must admit having noticed no difference. I was interested in this setting less for RAM than by the fact that I had found it on a page concerned with privacy, recovered since the reference : https://github.com/betterwebleon/international-list
But nowadays computing myths and reality are often mixed up … our (your!) user.js list is clean in terms of objectivity and clearness, but I still get to read on the Web totally opposite arguments concerning most of the time a system’s speed, even found old switches for XP, only for XP and moreover condemned by other sites as being myths… and nevertheless proposed for Windows 7 to 8.1 :)
Anyway… I’ll have to dig further on this memory.free_dirty_pages setting, even if I agree with you that unless proven, “better left to FF to handle”.
@ Pants
This is great work, any way to impliment this with configfox?.
First of all, this is my opinion. I have no qualms about ConfigFox or the developer. People can develop what they want, and use what they want (and anything I provide, take what you want, sans credit, I don’t care). This is just my opinion (you don’t have to like it, but I have one).
Not really. I personally have issues with ConfigFox. For starters it will not work with portable Firefox. So until that is fixed I’m not touching it. Secondly, I do not like how ConfigFox, by default, edits the prefs.js directly, and treats commented out prefs in user.js as an instruction to remove them from prefs.js. In any sane world commented out code is ignored. However, Leandro added an option to disable this (editing the prefs.js directly) but calls it “paranoia” mode – which is meaningless. There is also no clear description of the difference and problems between the two modes. Because of the default mode, the list provided is a dumbed down list – as the developer decided the “fix” was to remove all items from the list that are in the Firefox UI, so end users wouldn’t get confused. So it’s not even a comprehensive list anymore – which reduces the functionality of the user.js in being able to enforce settings on a startup and for migration purposes. Its not a fix at all, it just hides the symptoms. I also wanted ConfigFox to be able to display all the information and links better, as I beef that side of things up. I have gone to a lot of work to provide this, so until it is used/displayed better – I am not really interested. The whole thing is quite frankly a mess. I had intended originally to provide a ConfigFox compliant version, but it’s not going to happen. As far as I am concerned, CF is fundamentally broken and flawed.
However, its not hard to make it Configfox compliant – just do a little editing and follow the rules for how ConfigFox parses the file.
Thanks ever so much for your reply, help and contribution Pants. Have learned much from it.
I don’t get it. What is a .js file (and don’t send me to the MozillaZine b/c I still don’t get it).
If I click on user.js-ghacks-0.08.zip are the changes made? Or do you have to do something else?
Jim, changes are only made if you place the js file in the Firefox profile directory. You should not do that however as it is recommended to a) backup everything before you even start and b) go through the listing and only use those preferences you feel comfortable with.
You can easily comment out preferences or entire sections. Another option is to make the changes on about:config instead which is a good option as you can reset them there when the need arises.
I normally work from https://github.com/pyllyukko/user.js to build my own user.js. When time permits I’ll diff this one and see what’s different.
Pants, is this list maintained in the open (github or the like) or are you exclusivly releasing through ghacks?
Just here. That way I have no responsibilities. You’ll find pyllyukko has 200 prefs, 45? of which are ciphers, half? of those are deprecated. And they include a few settings that are at default (eg tls.version.max). That’s all good, as they want backward compatibility and are covering all the bases.
The ghacks user.js on the other hand, if we exclude anything not relevant (deprecated, personal section 3000, and to be investigated), comes in at 285. Yup. 285. I wish we didn’t have that many, and some of it is overkill (eg removing urls – which I call future-proofing). And a lot of things I left out (eg cookies, I only set one pref and then recommended an extension for a per domain control: eg referers, I set two prefs and then recommended an extension for a per domain control: eg I included nothing about passwords because that is all available from the UI) and so on. I could easily add more. I think you’ll find the two are vastly different.
You’re making the net a comfy place brother
This listing is quite comprehensive and can be a bit overwhelming the first time someone looks at it, but I’ve found that using a diff-tool such as Beyond Compare, Meld, or WinMerge helps tremendously in getting updated versions of the listing in place, and working.
Thank you for the update, Pants, and thanks to you for hosting it, Martin!
That’s what I do to create the changelog. When I’m ready to give Martin a new version, I simply compare the previous version hosted on ghacks to the new one (I use Araxis Merge, but any compare tool will do).
I’ve been looking at the “Overview of Firefox’s about:config security and privacy preferences” that Martin published here…
https://www.ghacks.net/overview-firefox-aboutconfig-security-privacy-preferences/
Firefox offers end-users a remarkable degree of local control.
1. How often does Mozilla expand/reduce/modify these options?
2. How many other web browsers offer this level of local user control?
1. Everytime an update is done.
2. Palemoon, K-meleon, Seamonkey and other mozilla-chrome related browsers.
Note that chrome here is the engine from mozilla and NOT the google stolen browser’s name
can soneone please tell my where to place the user.js file and how to tell if its in fact running?
hello Martin, where are you?
First of all, locate your profile directory (it’s explained in the link at the top of the article)
Type about:support into the urlbar and hit enter. On the resulting page will be an item listed called “Profile Folder” with a “Show Folder” button next to it. Click the “Show Now” button and it will open your profile folder in Windows Explorer.
One: In your profile folder, COPY your prefs.js file, and rename it as prefs.js.backup or just leave it as “prefs – Copy.js” <- this is important, because if you want to get back to how you were before the user.js, this must be done.
Two: before you move the user.js file, I suggest you open it in an editor (a text editor, notepad if you want), and comment out any preferences that you don;t want. Preferences are the lines that have user_pref("… in them
A commented out pref has two forward slashes in front of it. An active pref that will change your FF settings doesnt. The pref is under the number and description
eg an active pref
// 0301: disable browser auto update
user_pref("app.update.enabled", false);
eg an active pref that UNLESS you comment it out will leave you with NO PLUGINS
// 1805: disable scanning for plugins
// http://kb.mozillazine.org/Plugin_scanning
// plid.all = whether to scan the directories specified in the Windows registry for PLIDs
// includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash, Antivirus etc
// WARNING: The author turned off plugins, try it one day. You are not missing much.
user_pref("plugin.scan.plid.all", false);
so you would change the preference line it to
// user_pref("plugin.scan.plid.all", false);
The preferences that would affect you the most are the ones listed at the top of the file under "COMMON ISSUES". I suggest you locate those prefs in the file and comment them out or you will drive yourself mad. The file as is, has plugins blocked, fonts blocked, clipboard disabled and so on. So make changes first in the user.js file.
Three: rename the file to just user.js (don;t leave it as user.js [ghacks]-0.08.js) – it needs to be named "user.js". Copy that to your profile folder, the same one you have the pref.js and the prefs.js copy you made.
Close FF. Restart FF. When FF starts, it reads all active preferences in the user.js, and loads them into prefs.js. And it is in prefs.js that FF stores all your custom settings.
IF you need to go back to how you were, because it's all just too hard, or you don't like it, then FIRST of all, and this is important – RENAME the user.js to user.js.old or something so FF doesn't use it again. Then close FF. FF must be closed. Then delete the prefs.js and rename your copy back to prefs.js, and then restart FF.
It's not that complicated to backup prefs.js, to comment out preferences in user.js, to put the user.js in your profile and use it. Its not hard to revert back if you hate it or whatever.
The only thing that is hard. is understanding all those 285 preferences and what they do and how they affect your browsing. Which is why it is not recommended to just jump in and use it. However, you learn by doing, and its easier to revert back if you save a copy of your prefs.js
Thanks for your work and for sharing this valuable resource.
Thanks Pants for your effort.Its appreciated very much.
Do I have a groupie? Dedicated followers and apostles are encouraged to use official channels…
/*** 0400: QUIET FOX [PART 2]
This section has security & tracking protection implications vs privacy concerns. These settings are geared up to make FF “quiet” & private. If you want safebrowsing & tracking protection then don’t use this section (or parts of it)
What is the difference between “security & tracking protection” and privacy. I assume “S&T” protects against what is coming in and “Privacy” is about what goes out. Is it not possible to have both?
This is too hard and messy to explain. Between security + privacy there will be overlap. Eg implementing HTTPS increases privacy by using end to end encryption, this cutting out the middle man snooping. But it’s primary objective is securing your connection so you can’t be spoofed – that it when you go to https google, you know its google. Tracking can be allowed (eg cookies for gmail) but may start to invade your privacy (allowing XSS google cookies on other sites) – but remember that gmail is an opt-in service.
Downloading up to date safebrowsing files and allowing safebrowsing will increase your security (from malicious sites, downloads etc). Every time you visit a website or download a file, FF will consult the safebrowsing lists stored locally on your PC – if the item is not listed, then a third party (google in this case) is contacted to make sure you will be safe. This allows a third party, google, to amass data about you. Imagine how much stuff isn’t listed in those local files. You might as well just use google’s DNS servers. They already know your IP from your gmail activity (in this example we’ll assume you have some sort of google/gmail/g+/youtube etc account). This is an example of increasing security but decreasing privacy.
Do you get the difference now?
Yup, I see the difference. It’s basically a balancing act.
For something that is “too hard and messy to explain’ you did a pretty good job.
Great work, Pants. Moreover updating this list (as old settings are deprecated and new ones, mainly tied to updated FF versions, arise) makes it even more valuable, reliable. A lot of work contributing to what most of us aim for, a browser tailored to our own preferences, in terms of privacy and of security. A user.js file has never been so extensively taken care of, to my knowledge. Much appreciated.
Of course, many thanks as well to Martin for hosting the project.
Thanks Pants. You are a WORKAHOLIC (like Martin) :-D
NB just because I used capitals does not mean that I am a troll ;)
I love using CAPITALS to emphasize a word when there are no options to style it, just as long as it’s consistent :)
One of the biggest points of the changes is that is the paragraph in red under common issues. These are my settings and they’re rather tight and will cause site breakage (I’m not really interested in maintaining two versions) – but to compensate every contentious setting has a red warning, and is also indexed under common issues. End users should know how to comment out or change setting and how to reset to default in about:config.
Enjoy. I also keep an eye on the original url, so keep suggestions coming in.