A comprehensive list of Firefox privacy and security settings

Martin Brinkmann
Aug 18, 2015
Updated • Feb 12, 2017

Mozilla Firefox is without doubt the web browser that gives the most control to users in regards to privacy and security. Firefox users find some of those options listed in the graphical user interface, but full control over the browser is only granted if changes are made to the browser's configuration.

This can be done on the about:config page, or by placing a user.js file in the profile directory of the Firefox user.

The following list is a work in progress. Firefox is updated regularly and preferences may change because of this. There may be new features and new preferences as well, and the idea of this guide is to get a discussion going that improves this list on a continuous basis.

I'd like to thank Ghacks' reader Pants for creating the list and giving me permission to publish it here on the site.

Note: If you prefer to use about:config to manipulate those entries, check out our overview of Firefox privacy and security about:config settings which lists all preferences and values you can set them to.

How to get started

If you have used the list in the past, start with the changelog to find out what is new and changed.

If this is your first time, read the introduction below first, backup your user.js file as instructed below, and go through the listing one by one to modify it according to your needs.

Loading the list

It is highly suggested to go through the list before you place it in the Firefox profile folder as you may disable features that you require in the process.

You may edit the list in any plain text editor, and use comment syntax // at the beginning of each line to block a preference from being set.

Make sure you save it as a user.js file in the end.

  1. Type about:support in the Firefox address bar.
  2. Click the show folder link under application basics to open the profile folder on the computer system.
  3. Backup the prefs.js file.
  4. Copy the user.js file into the root of the profile folder.
  5. Restart Firefox.

Why backup prefs.js prior to this? Because any user.js preference that is legitimate is written to prefs.js when you place the user.js file in the profile folder. This means that the changes remain even if you delete it afterwards.

The privacy and security list

You can download the most recent version of the list with a click on the following link: (Download Removed)

Alternatively, you may load a custom HTML version of the list: User.js Light or User.js Dark, and load the changelog directly as well.

Please Note: Always use the latest download, as the many changes may get out of sync with what's on display in the article. Expect future versions to be less frequent, as the magnificent Pants (who is this guy? is he a wizard?) has decided to take charge of all changes, and will let the comments build up for at least a few days at a time.

Make sure you check the changelog that is included in the download as it lists changes made in recent versions.

* name: ghacks user.js
* date: 11 Feb 2017
* version: 0.11 FINAL : The [White?] House of the Rising Pants
*   "My mother was a tailor, she sewed my new blue pants"
* FF version: 51 (DESKTOP)
* authors:  FLOTUS: Pants
VICE PRESIDENT: earthling (birth certificate on request)
SECRETARY: Martin Brinkmann
SPEAKER: Tom Hawack
CABINET: Just me, Conker, Rockin' Jerry, Ainatar, Parker Lewis
* url: https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
* required reading: http://kb.mozillazine.org/User.js_file


End users of this list/file are expected to know what they are doing. These are the author's settings.

The author does NOT expect (or indeed want) end users to just run with it as is.
Use it as a comprehensive list, or as a template for your own.

Extensive links and comments have been added to help. Before using this user.js, if necessary, you should change, remove or comment out with two forward slashes any preferences you're not happy with or not sure about.

The settings in this file (user.js) OVERWRITE the ones in your prefs (prefs.js - these are accessed via about:config) when FF is started. See the required reading above.


Backup your profile first, or even just the PREFS.JS. Go to your profile directory and copy  prefs.js, rename it (eg to prefs.js.backup). That way, if you have problems, to restore FF   to the state it was in beforehand, close FF, delete the prefs.js, rename your backup copy of  prefs back to prefs.js, RENAME the user.js so it doesn't overwrite everything again, then  start FF. IF you have any problems, you can also ask in the comments at ghacks.


This is not a "comprehensive" list of ALL things privacy/security (otherwise it would be huge)  It is more like a list of settings that generally differ from their defaults, and is aimed at  improving security and privacy, at making a "quieter" FF, and at reducing fingerprinting and  tracking; while allowing functionality. There will be trade-offs and conflicts between these.


Some prefs will break some sites (it's inevitable). If you are having issues search for  "WARNING:" in this document, especially the ones listed just below.

This user.js uses the author's settings, so you need to check these EACH release because
the author prefers anonymity, security, and privacy over functionality [eg being able to
paste in Facebook, downloadable fonts, and other minor inconveniences]. You have been warned.

  • 0202 & 0204 & 0207 & 0208: search, language and locale settings
  • 0903 & 0904: master password (author set his up to last 5 minutes, default is once per session)
  • 1007 & 1008: disabling/reducing session store saves affects recently closed tabs history
  • 1204: security.ssl.require_safe_negotiation
  • 1206: security.OCSP.require
  • 1208: security.cert_pinning.enforcement_level
  • 1209: TLS min and max
  • 1210: disable 1024-DH Encryption
  • 1211: disable SHA-1
  • 1212: disable SSL session tracking
  • 1401 & 1406: browser.display.use_document_fonts [author blocked fonts]
  • 1404: default fonts [author changed default fonts]
  • 1805: plugin.scan.plid.all [author blocked all plugins]
  • 1807: disable auto-play of HTML5 media (may break some sites' playback)
  • 2025: enable/disable media types [author's settings, choose your own]
  • 2201: dom.event.contextmenu.enabled
  • 2300's: workers/service.workers/push notifications etc may affect twitter, street view and other sites
  • 2402: dom.event.clipboardevents.enabled
  • 2404: dom.indexedDB.enabled [author killed indexedDB]
  • 2415b: limit popup events
  • 2421: two JS preferences that cause the odd issue (commented out, not worth the performance loss)
  • 2507: keyboard fingerprinting (android + physical keyboard)
  • 2508: hardware acceleration (performance vs lots of video, also fonts render differently)
    [author killed hardware acceleration]
  • 2509: dom.w3c_touch_events.enabled (you will want to change this if you use touch)
  • 2619: network.http.redirection-limit
  • 2627: various User Agent and navigator objects
  • 2662: browser.download.forbid_open_with
  • 2698: privacy.firstparty.isolate
  • 2705: dom.storage.enabled


Special thanks to Martin Brinkmann and the ghacks community
Lots of websites, lots of people, too many to list but here are some excellent resources

  • https://github.com/pyllyukko/user.js
  • https://www.wilderssecurity.com/threads/firefox-lockdown.368003/
  • http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs
  • https://www.privacy-handbuch.de/handbuch_21.htm (German)


// START: internal custom pref to test for syntax errors (thanks earthling)
// Yes, this next pref setting is redundant, but I like it!
// https://en.wikipedia.org/wiki/Dead_parrot
// https://en.wikipedia.org/wiki/Warrant_canary
user_pref("ghacks_user.js.parrot", "Oh yes, the Norwegian Blue... what's wrong with it?");


user_pref("ghacks_user.js.parrot", "0100 syntax error: the parrot's dead!");

// 0101: disable "slow startup" options
// warnings, disk history, welcomes, intros, EULA, default browser check
user_pref("browser.slowStartup.notificationDisabled", true);
user_pref("browser.slowStartup.maxSamples", 0);
user_pref("browser.slowStartup.samples", 0);
user_pref("browser.rights.3.shown", true);
user_pref("browser.startup.homepage_override.mstone", "ignore");
user_pref("startup.homepage_welcome_url", "");
user_pref("startup.homepage_welcome_url.additional", "");
user_pref("startup.homepage_override_url", "");
user_pref("browser.laterrun.enabled", false);
user_pref("browser.shell.checkDefaultBrowser", false);
user_pref("browser.usedOnWindows10.introURL", "");

// 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
// home = browser.startup.homepage preference
// You can set all of this from Options>General>Startup
// user_pref("browser.startup.page", 0);


user_pref("ghacks_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");

// 0201: disable location-aware browsing
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "");
user_pref("geo.wifi.logging.enabled", false); // (hidden pref)
user_pref("browser.search.geoip.url", "");
user_pref("geo.wifi.xhr.timeout", 1);
user_pref("browser.search.geoip.timeout", 1);

// 0202: disable GeoIP-based search results
// NOTE: may not be hidden if Mozilla have changed your settings due to your locale
// https://trac.torproject.org/projects/tor/ticket/16254
user_pref("browser.search.countryCode", "US"); // (hidden pref)
user_pref("browser.search.region", "US"); // (hidden pref)

// 0203: disable using OS locale, force APP locale
user_pref("intl.locale.matchOS", false);

// 0204: set APP local
user_pref("general.useragent.locale", "en-US");

// 0206: disable geographically specific results/search engines eg: "browser.search.*.US"
// i.e ignore all of Mozilla's multiple deals with multiple engines in multiple locales
user_pref("browser.search.geoSpecificDefaults", false);
user_pref("browser.search.geoSpecificDefaults.url", "");

// 0207: set language to match
// WARNING: reset this to your default if you don't want English
user_pref("intl.accept_languages", "en-US, en");

// 0208: enforce US English locale regardless of the system locale
// https://bugzilla.mozilla.org/show_bug.cgi?id=867501
user_pref("javascript.use_us_english_locale", true); // (hidden pref)

0300: QUIET FOX [PART 1]

No auto-phoning home for anything. You can still do manual updates. It is still important to do updates for security reasons. If you don't auto update, make sure you do manually.

There are many legitimate reasons to turn off AUTO updates, including hijacked monetized    extensions, time constraints, legacy issues, and fear of breakage/bugs

user_pref("ghacks_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");

// 0301: disable browser auto update
// Options>Advanced>Update>Never check for updates

user_pref("app.update.enabled", false);
// Options>Advanced>Update>Use a background service to install updates
user_pref("app.update.service.enabled", false);
// ensure update information is not suppressed
user_pref("app.update.silent", false);
// disable background update staging
user_pref("app.update.staging.enabled", false);

// 0302: disable browser auto installing update when you do a manual check
user_pref("app.update.auto", false);

// 0303: disable search update (Options>Advanced>Update>Automatically update: search engines)
user_pref("browser.search.update", false);

// 0304: disable add-ons auto checking for new versions
user_pref("extensions.update.enabled", false);

// 0305: disable add-ons auto update
user_pref("extensions.update.autoUpdateDefault", false);

// 0306: disable add-on metadata updating
// sends daily pings to Mozilla about extensions and recent startups
user_pref("extensions.getAddons.cache.enabled", false);

// 0307: disable auto updating of personas (themes)
user_pref("lightweightThemes.update.enabled", false);

// 0309: disable sending Flash crash reports
user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);

// 0310: disable sending the URL of the website where a plugin crashed
user_pref("dom.ipc.plugins.reportCrashURL", false);

// 0320: disable extension discovery
// featured extensions for displaying in Get Add-ons panel
user_pref("extensions.webservice.discoverURL", "");

// 0330a: disable telemetry
// https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html
// the pref (.unified) affects the behaviour of the pref (.enabled)
// IF unified=false then .enabled controls the telemetry module
// IF unified=true then .enabled ONLY controls whether to record extended data
// so make sure to have both set as false
user_pref("toolkit.telemetry.unified", false);
user_pref("toolkit.telemetry.enabled", false);

// 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
// is enabled ONLY for people that opted into it, even if unified Telemetry is enabled
user_pref("toolkit.telemetry.unifiedIsOptIn", true); // (hidden pref)

// 0331: remove url of server telemetry pings are sent to
user_pref("toolkit.telemetry.server", "");

// 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false
user_pref("toolkit.telemetry.archive.enabled", false);

// 0333a: disable health report
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("datareporting.healthreport.documentServerURI", ""); // (hidden pref)
user_pref("datareporting.healthreport.service.enabled", false); // (hidden pref)

// 0333b: disable about:healthreport page (which connects to Mozilla for locale/css+js+json)
// If you have disabled health reports, then this about page is useless - disable it
// If you want to see what health data is present, then these must be set at default
user_pref("datareporting.healthreport.about.reportUrl", "data:text/plain,");

// 0334a: disable new data submission, master kill switch (FF41+)
// If disabled, no policy is shown or upload takes place, ever
// https://bugzilla.mozilla.org/show_bug.cgi?id=1195552
user_pref("datareporting.policy.dataSubmissionEnabled", false);

// 0335: remove a telemetry clientID
// if you haven't got one, be proactive and set it now for future proofing
user_pref("toolkit.telemetry.cachedClientID", "");

// 0336: disable "Heartbeat" (Mozilla user rating telemetry)
// https://trac.torproject.org/projects/tor/ticket/18738
user_pref("browser.selfsupport.enabled", false); // (hidden pref)
user_pref("browser.selfsupport.url", "");

// 0340: disable experiments
// https://wiki.mozilla.org/Telemetry/Experiments
user_pref("experiments.enabled", false);
user_pref("experiments.manifest.uri", "");
user_pref("experiments.supported", false);
user_pref("experiments.activeExperiment", false);

// 0341: disable Mozilla permission to silently opt you into tests
user_pref("network.allow-experiments", false);

// 0350: disable crash reports
user_pref("breakpad.reportURL", "");

// 0351: disable sending of crash reports (FF44+)
user_pref("browser.tabs.crashReporting.sendReport", false);

// 0360: disable new tab tile ads & preload & marketing junk
user_pref("browser.newtab.preload", false);
user_pref("browser.newtabpage.directory.ping", "data:text/plain,");
user_pref("browser.newtabpage.directory.source", "data:text/plain,");
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
user_pref("browser.newtabpage.introShown", true);

// 0370: disable "Snippets" (Mozilla content shown on about:home screen)
// https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service
// MUST use HTTPS - arbitrary content injected into this page via http opens up MiTM attacks
user_pref("browser.aboutHomeSnippets.updateUrl", "");

// 0373: disable "Pocket" (third party "save for later" service) & remove urls for good measure
// NOTE: Important: Remove the pocket icon from your toolbar first
// https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/
user_pref("extensions.pocket.enabled", false);
user_pref("extensions.pocket.api", "");
user_pref("extensions.pocket.site", "");
user_pref("extensions.pocket.oAuthConsumerKey", "");

// 0374: disable "social" integration
// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_API
user_pref("social.whitelist", "");
user_pref("social.toast-notifications.enabled", false);
user_pref("social.shareDirectory", "");
user_pref("social.remote-install.enabled", false);
user_pref("social.directories", "");
user_pref("social.share.activationPanelEnabled", false);
user_pref("social.enabled", false); // (hidden pref)

// 0375: disable "Reader View"
user_pref("reader.parse-on-load.enabled", false);

// 0376: disable FlyWeb, a set of APIs for advertising and discovering local-area web servers
// https://wiki.mozilla.org/FlyWeb
// https://www.ghacks.net/2016/07/26/firefox-flyweb/
user_pref("dom.flyweb.enabled", false);

// 0380: disable sync
user_pref("services.sync.enabled", false); // (hidden pref)

0400: QUIET FOX [PART 2]

This section has security & tracking protection implications vs privacy concerns.

These settings are geared up to make FF "quiet" & private. I am NOT advocating no protection.

If you turn these off, then by all means please use something superior, such as uBlock Origin.

IMPORTANT: This entire section is rather contentious. Safebrowsing is designed to protect users from malicious sites. Tracking protection is designed to lessen the impact of third parties on websites to reduce tracking and to speed up your browsing experience. These are both very good features provided by Mozilla. They do rely on third parties: Google for safebrowsing and Disconnect for tracking protection (someone has to provide the information).

Additionally, SSL Error Reporting helps makes the internet more secure for everyone. If you do not understand the ramifications of disabling all of these, then it is advised that you enable them by commenting out the preferences and saving the changes, and then in about:config find each entry and right-click and reset the preference's value.

user_pref("ghacks_user.js.parrot", "0400 syntax error: the parrot's passed on!");

// 0401: DON'T disable extension blocklist, but sanitize blocklist url - SECURITY
// It now includes updates for "revoked certificates" - security trumps privacy here
// https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl
// https://trac.torproject.org/projects/tor/ticket/16931
user_pref("extensions.blocklist.enabled", true);
user_pref("extensions.blocklist.url", "https://blocklist.addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/");

// 0402: disable/enable various Kinto blocklist updates (FF50+)
// What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
// As FF transitions to Kinto, the blocklists have been broken down (more could be added). These contain
// block entries for certs to be revoked, add-ons and plugins to be disabled, and gfx environments that
// cause problems or crashes. Here you can remove the collection name to prevent each specific list updating
user_pref("services.blocklist.update_enabled", true);
user_pref("services.blocklist.signing.enforced", true);
user_pref("services.blocklist.onecrl.collection", "certificates"); // Revoked certificates
user_pref("services.blocklist.addons.collection", "addons");
user_pref("services.blocklist.plugins.collection", ""); // I have no plugins
user_pref("services.blocklist.gfx.collection", ""); // I have gfx hw acceleration disabled

// 0410: disable safe browsing
// I have redesigned this sub-section to differentiate between "real-time"/"user initiated"
// data being sent to Google from all other settings such as using local blocklists/whitelists
// and updating those lists. There SHOULD be NO privacy issues here. Even *IF* an URL was sent
// to Google, they swear it is anonymized and only used to flag malicious sites/activity. Firefox
// also takes measures such as striping out identifying parameters and storing safe browsing
// cookies in a separate jar. (#Turn on browser.safebrowsing.debug to monitor this activity)
// To use safebrowsing but not "leak" binary download info to Google, only use 0410e and 0410f
// #Required reading: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
// https://wiki.mozilla.org/Security/Safe_Browsing

// 0410a: disable "Block dangerous and deceptive content" This setting is under Options>Security
// in FF47 and under this is was titled "Block reported web forgeries"
// this covers deceptive sites such as phishing and social engineering
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false); // (FF50+)

// 0410b: disable "Block dangerous downloads" This setting is under Options>Security
// in FF47 and under this was titled "Block reported attack sites"
// this covers malware and PUPs (potentially unwanted programs)
user_pref("browser.safebrowsing.downloads.enabled", false);
// disable "Warn me about unwanted and uncommon software" Also under Options>Security (FF48+)
user_pref("browser.safebrowsing.downloads.remote.block_potentially_unwanted", false);
user_pref("browser.safebrowsing.downloads.remote.block_uncommon", false);
// yet more prefs added (FF49+)
user_pref("browser.safebrowsing.downloads.remote.block_dangerous", false);
user_pref("browser.safebrowsing.downloads.remote.block_dangerous_host", false);

// 0410c: disable Google safebrowsing downloads, updates
user_pref("browser.safebrowsing.provider.google.updateURL", ""); // update google lists
user_pref("browser.safebrowsing.provider.google.gethashURL", ""); // list hash check
user_pref("browser.safebrowsing.provider.google4.updateURL", ""); // (FF50+)
user_pref("browser.safebrowsing.provider.google4.gethashURL", ""); // (FF50+)

// 0410d: disable mozilla safebrowsing downloads, updates
// NOTE: These two prefs are also used for Tracking Protection (see 0420)
user_pref("browser.safebrowsing.provider.mozilla.gethashURL", ""); // resolves hash conflicts
user_pref("browser.safebrowsing.provider.mozilla.updateURL", ""); // update FF lists

// 0410e: disable binaries NOT in local lists being checked by Google (real-time checking)
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.url", "");

// 0410f: disable reporting URLs
user_pref("browser.safebrowsing.provider.google.reportURL", "");
user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");
user_pref("browser.safebrowsing.reportPhishMistakeURL", "");
user_pref("browser.safebrowsing.reportPhishURL", "");
user_pref("browser.safebrowsing.provider.google4.reportURL", ""); // (FF50+)

// 0410g: show=true or hide=false the 'ignore this warning' on Safe Browsing warnings which
// when clicked bypasses the block for that session. This is a means for admins to enforce SB
// https://bugzilla.mozilla.org/show_bug.cgi?id=1226490
// tests: see APPENDIX A: TEST SITES - Section 06
// user_pref("browser.safebrowsing.allowOverride", true);

// 0420: disable tracking protection
// There SHOULD be NO privacy concerns here, but you are better off using an extension such as
// uBlock Origin which is not decided by a third party (disconnect) and is far more effective
// (when used correctly). NOTE: There are two prefs (see 0410d) shared with Safe Browsing
// https://wiki.mozilla.org/Security/Tracking_protection
// https://support.mozilla.org/en-US/kb/tracking-protection-firefox
user_pref("privacy.trackingprotection.enabled", false); // all windows pref (not just private)
user_pref("privacy.trackingprotection.pbmode.enabled", false); // private browsing pref

// 0421: enable more Tracking Protection choices under Options>Privacy>Use Tracking Protection
user_pref("privacy.trackingprotection.ui.enabled", true);

// 0430: disable SSL Error Reporting - PRIVACY
// https://gecko.readthedocs.org/en/latest/browser/base/sslerrorreport/preferences.html
user_pref("security.ssl.errorReporting.automatic", false);
user_pref("security.ssl.errorReporting.enabled", false);
user_pref("security.ssl.errorReporting.url", "");

// 0440: disable Mozilla's blocklist for known Flash tracking/fingerprinting (48+)
// If you don't have Flash, then you don't need this enabled
// NOTE: if enabled, you will need to check what prefs (safebrowsing URLs etc) this uses to update
// https://www.ghacks.net/2016/07/18/firefox-48-blocklist-against-plugin-fingerprinting/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
user_pref("browser.safebrowsing.blockedURIs.enabled", false);

0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on]

user_pref("ghacks_user.js.parrot", "0600 syntax error: the parrot's no more!");

// 0601: disable link prefetching
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ
user_pref("network.prefetch-next", false);

// 0602: disable dns prefetching
// https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Controlling_DNS_prefetching
user_pref("network.dns.disablePrefetch", true);
user_pref("network.dns.disablePrefetchFromHTTPS", true); // (hidden pref)

// 0603: disable Seer/Necko
// https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Necko
user_pref("network.predictor.enabled", false);

// 0603a: disable more Necko/Captive Portal
// https://en.wikipedia.org/wiki/Captive_portal
// https://wiki.mozilla.org/Necko/CaptivePortal
user_pref("captivedetect.canonicalURL", "");
user_pref("network.captive-portal-service.enabled", false); // (FF52+?)

// 0604: disable search suggestions
user_pref("browser.search.suggest.enabled", false);

// 0605: disable link-mouseover opening connection to linked server
// http://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests
// https://www.ghacks.net/2015/08/16/block-firefox-from-connecting-to-sites-when-you-hover-over-links
user_pref("network.http.speculative-parallel-limit", 0);

// 0606: disable pings (but enforce same host in case)
// http://kb.mozillazine.org/Browser.send_pings
// http://kb.mozillazine.org/Browser.send_pings.require_same_host
user_pref("browser.send_pings", false);
user_pref("browser.send_pings.require_same_host", true);

// 0607: stop links launching Windows Store on Windows 8/8.1/10
// https://www.ghacks.net/2016/03/25/block-firefox-chrome-windows-store/
user_pref("network.protocol-handler.external.ms-windows-store", false);

// 0608: disable predictor / prefetching (FF48+)
user_pref("network.predictor.enable-prefetch", false);


Not ALL of these are strictly needed, some are for the truly paranoid, but included for a more comprehensive list (see comments on each one)

user_pref("ghacks_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");

// 0801: disable location bar using search - PRIVACY
// don't leak typos to a search engine, give an error message instead
user_pref("keyword.enabled", false);

// 0802: disable location bar domain guessing - PRIVACY/SECURITY
// domain guessing intercepts DNS "hostname not found errors" and resends a
// request (eg by adding www or .com). This is inconsistent use (eg FQDNs), does not work
// via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
// as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
// intend to), can leak sensitive data (eg query strings: eg Princeton attack),
// and is a security risk (eg common typos & malicious sites set up to exploit this)
user_pref("browser.fixup.alternate.enabled", false);

// 0803: disable locationbar dropdown - PRIVACY (shoulder surfers,forensics/unattended browser)
user_pref("browser.urlbar.maxRichResults", 0);

// 0804: display all parts of the url
// why rely on just a visual clue - helps SECURITY
user_pref("browser.urlbar.trimURLs", false);

// 0805: disable URLbar autofill -  PRIVACY (shoulder surfers, forensics/unattended browser)
// http://kb.mozillazine.org/Inline_autocomplete
user_pref("browser.urlbar.autoFill", false);
user_pref("browser.urlbar.autoFill.typed", false);

// 0806: disable autocomplete - PRIVACY (shoulder surfers, forensics/unattended browser)
user_pref("browser.urlbar.autocomplete.enabled", false);

// 0808: disable history suggestions - PRIVACY (shoulder surfers, forensics/unattended browser)
user_pref("browser.urlbar.suggest.history", false);

// 0809: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY
// This is a PER TAB session history. You still have a full history stored under all history
// default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages
// use it as a means of referral (eg hotlinking), 4 or 6 may be more practical
user_pref("browser.sessionhistory.max_entries", 4);

// 0810: disable css querying page history - css history leak - PRIVACY
// NOTE: this has NEVER been fully "resolved": in Mozilla/docs it is stated it's only in
// 'certain circumstances', also see latest comments in the bug link
// https://dbaron.org/mozilla/visited-privacy
// https://bugzilla.mozilla.org/show_bug.cgi?id=147777
// https://developer.mozilla.org/en-US/docs/Web/CSS/Privacy_and_the_:visited_selector
user_pref("layout.css.visited_links_enabled", false);

// 0811: disable displaying javascript in history URLs - SECURITY
user_pref("browser.urlbar.filter.javascript", true);

// 0812: disable search and form history
// Under Options>Privacy> if you set Firefox to "use custom settings" there will be a
// setting called "remember search and form history".
// You can clear formdata on exiting Firefox (see 2803)
// user_pref("browser.formfill.enable", false);

// 0813: disable saving form data on secure websites - PRIVACY (shoulder surfers etc)
// For convenience & functionality, this is best left at default true.
// You can clear formdata on exiting Firefox (see 2803)
// user_pref("browser.formfill.saveHttpsForms", false);

// 0815: disable live search suggestions in the urlbar and toggle off the Opt-In prompt (FF41+)
// Setting: Options>Privacy>Location Bar>Related searches from the default search engine
user_pref("browser.urlbar.suggest.searches", false);
user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true);

// 0816: disable browsing and download history
// Under Options>Privacy> if you set Firefox to "use custom settings" there will be a
// setting called "remember my browsing and download history"
// You can clear history and downloads on exiting Firefox (see 2803)
// user_pref("places.history.enabled", false);

// 0817: disable Jumplist (Windows7+)
user_pref("browser.taskbar.lists.enabled", false);
user_pref("browser.taskbar.lists.frequent.enabled", false);
user_pref("browser.taskbar.lists.recent.enabled", false);
user_pref("browser.taskbar.lists.tasks.enabled", false);

// 0818: disable taskbar preview
user_pref("browser.taskbar.previews.enable", false);

// 0819: disable one-off searches from the addressbar (FF51+)
// https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/
user_pref("browser.urlbar.oneOffSearches", false);

// 0820: disable search reset (about:searchreset) (FF51+)
// https://www.ghacks.net/2016/08/19/firefox-51-search-restore-feature/
user_pref("browser.search.reset.enabled", false);
user_pref("browser.search.reset.whitelist", "");


user_pref("ghacks_user.js.parrot", "0900 syntax error: the parrot's expired!");

// 0901: disable saving passwords
// Options>Security>Logins>Remember logins for sites
// NOTE: this does not clear any passwords already saved
// user_pref("signon.rememberSignons", false);

// 0902: use a master password (recommended if you save passwords)
// There are no preferences for this. It is all handled internally.
// https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins

// 0903: set how often Mozilla should ask for the master password
// 0=the first time, 1=every time it's needed, 2=every n minutes (as per the next pref)
// WARNING: the default is 0, author changed his settings
user_pref("security.ask_for_password", 2);

// 0904: how often in minutes Mozilla should ask for the master password (see pref above)
// in minutes, default is 30
user_pref("security.password_lifetime", 5);

// 0905: disable auto-filling username & password form fields - SECURITY
// can leak in cross-site forms AND be spoofed
// http://kb.mozillazine.org/Signon.autofillForms
// password will still be auto-filled after a user name is manually entered
user_pref("signon.autofillForms", false);

// 0906: ignore websites' autocomplete="off" (FF30+)
user_pref("signon.storeWhenAutocompleteOff", true);

// 0907: force warnings for logins on non-secure (non HTTPS) pages
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217156
user_pref("security.insecure_password.ui.enabled", true);

// 0908: When attempting to fix an entered URL, do not fix an entered password along with it
// i.e do not turn ~http://user:password@foo into ~http://user:password@(prefix)foo(suffix)
// but instead ~http://user@(prefix)foo(suffix))
user_pref("browser.fixup.hide_user_pass", true);

// 0909: disabling for now (FF51+)
user_pref("signon.formlessCapture.enabled", false);

1000: CACHE

user_pref("ghacks_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");

// 1001: disable disk cache
user_pref("browser.cache.disk.enable", false);
user_pref("browser.cache.disk.capacity", 0);
user_pref("browser.cache.disk.smart_size.enabled", false);
user_pref("browser.cache.disk.smart_size.first_run", false);

// 1002: disable disk caching of SSL pages
// http://kb.mozillazine.org/Browser.cache.disk_cache_ssl
user_pref("browser.cache.disk_cache_ssl", false);

// 1003: disable memory cache as well IF you're REALLY paranoid
// I haven't tried it, but I'm sure you'll take a performance/traffic hit
// user_pref("browser.cache.memory.enable", false);

// 1004: disable offline cache
user_pref("browser.cache.offline.enable", false);

// 1005: disable storing extra session data 0=all 1=http-only 2=none
// extra session data contains contents of forms, scrollbar positions, cookies and POST data
user_pref("browser.sessionstore.privacy_level", 2);

// 1006: disable pages being stored in memory. This is not the same as memory cache.
// Visited pages are stored in memory in such a way that they don't have to be
// re-parsed. This improves performance when pressing back/forward.
// For the sake of completeness, this option is listed for the truly paranoid.
// 0=none, -1=auto (that's minus 1), or any other positive integer
// http://kb.mozillazine.org/Browser.sessionhistory.max_total_viewers
// user_pref("browser.sessionhistory.max_total_viewers", 0);

// 1007: disable the Session Restore service completely
// WARNING: This also disables the "Recently Closed Tabs" feature
// It does not affect "Recently Closed Windows" or any history.
user_pref("browser.sessionstore.max_tabs_undo", 0);
user_pref("browser.sessionstore.max_windows_undo", 0);

// 1008: IF you use session restore (see 1007 above), increasing the minimal interval between
// two session save operations can help on older machines and some websites.
// Default is 15000 (15 secs). Try 30000 (30sec), 60000 (1min) etc - your choice.
// WARNING: This can also affect entries in the "Recently Closed Tabs" feature:
// i.e the longer the interval the more chance a quick tab open/close won't be captured
// this longer interval *MAY* affect history but I cannot replicate any history not recorded
// user_pref("browser.sessionstore.interval", 30000);

// 1009: DNS cache and expiration time (default 400 and 60 - same as TBB)
// user_pref("network.dnsCacheEntries", 400);
// user_pref("network.dnsCacheExpiration", 60);

// 1010: disable randomized FF HTTP cache decay experiments
// https://trac.torproject.org/projects/tor/ticket/13575
user_pref("browser.cache.frecency_experiment", -1);

// 1011: disable permissions manager from writing to disk (requires restart)
// https://bugzilla.mozilla.org/show_bug.cgi?id=967812
// user_pref("permissions.memory_only", true); // (hidden pref)

// 1012: disable resuming session from crash
user_pref("browser.sessionstore.resume_from_crash", false);


Note that your cipher and other settings can be used server side as a fingerprint attack vector:  see https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/ .

You can either strengthen your encryption/cipher suite and protocols (security) or keep them at default and let Mozilla handle them (dragging their feet for fear of breaking legacy sites)

user_pref("ghacks_user.js.parrot", "1200 syntax error: the parrot's a stiff!");

// 1201: block rc4 fallback (default is now false as of at least FF45)
user_pref("security.tls.unrestricted_rc4_fallback", false);

// 1203: enable OCSP stapling
// https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
user_pref("security.ssl.enable_ocsp_stapling", true);

// 1204: reject communication with servers using old SSL/TLS - vulnerable to a MiTM attack
// https://wiki.mozilla.org/Security:Renegotiation
// WARNING: tested Jan 2017 - still breaks too many sites
// user_pref("security.ssl.require_safe_negotiation", true);

// 1205: display warning (red padlock) for "broken security"
// https://wiki.mozilla.org/Security:Renegotiation
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);

// 1206: require certificate revocation check through OCSP protocol
// This leaks information about the sites you visit to the CA (cert authority)
// It's a trade-off between security (checking) and privacy (leaking info to the CA)
// WARNING: Since FF44 the default is false. If set to true, this may/will cause some
// site breakage. Some users have previously mentioned issues with youtube, microsoft etc
// user_pref("security.OCSP.require", true);

// 1207: query OCSP responder servers to confirm current validity of certificates (default=1)
// 0=disable, 1=validate only certificates that specify an OCSP service URL
// 2=enable and use values in security.OCSP.URL and security.OCSP.signing
user_pref("security.OCSP.enabled", 1);

// 1208: enforce strict pinning
// https://trac.torproject.org/projects/tor/ticket/16206
// PKP (public key pinning) 0-disabled 1=allow user MiTM (such as your antivirus), 2=strict
// WARNING: If you rely on an AV (antivirus) to protect your web browsing
// by inspecting ALL your web traffic, then leave at current default =1
user_pref("security.cert_pinning.enforcement_level", 2);

// 1209: control TLS versions with min and max
// 1=min version of TLS 1.0, 2-min version of TLS 1.1, 3=min version of TLS 1.2 etc
// WARNING: FF/chrome currently allow TLS 1.0 by default, so this is your call.
// http://kb.mozillazine.org/Security.tls.version.*
// https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
// user_pref("security.tls.version.min", 2);
// user_pref("security.tls.version.fallback-limit", 3);
// user_pref("security.tls.version.max", 4); // allow up to and including TLS 1.3

// 1210: disable 1024-DH Encryption
// https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH
// WARNING: may break obscure sites, but not major sites, which should support ECDH over DHE
user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);

// 1211: disable or limit SHA-1
// 0 = all SHA1 certs are allowed
// 1 = all SHA1 certs are blocked (including perfectly valid ones from 2015 and earlier)
// 2 = deprecated option that now maps to 1
// 3 = only allowed for locally-added roots (e.g. anti-virus)
// 4 = only allowed for locally-added roots or for certs in 2015 and earlier
// WARNING: when disabled, some man-in-the-middle devices (eg security scanners and antivirus
// products, are failing to connect to HTTPS sites. SHA-1 will eventually become obsolete.
// https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/
// https://github.com/pyllyukko/user.js/issues/194#issuecomment-256509998
user_pref("security.pki.sha1_enforcement_level", 1);

// 1212: disable SSL session tracking (36+)
// SSL session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
// Since the ID is unique, web servers can (and do) use it for tracking. If set to true,
// this disables sending SSL3 Session IDs and TLS Session Tickets to prevent session tracking
// WARNING: This will slow down TLS connections (personally I don't notice it at all)
// https://tools.ietf.org/html/rfc5077
// https://bugzilla.mozilla.org/show_bug.cgi?id=967977
user_pref("security.ssl.disable_session_identifiers", true); // (hidden pref)

// 1213: disable 3DES (effective key size < 128)
// https://en.wikipedia.org/wiki/3des#Security
// http://en.citizendium.org/wiki/Meet-in-the-middle_attack
// http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
user_pref("security.ssl3.rsa_des_ede3_sha", false);

// 1214: disable 128 bits
user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);

// 1215: disable Microsoft Family Safety cert (Windows 8.1)
// 0: disable detecting Family Safety mode and importing the root
// 1: only attempt to detect Family Safety mode (don't import the root)
// 2: detect Family Safety mode and import the root
user_pref("security.family_safety.mode", 0);

// 1216: disable insecure active content on https pages - mixed content
user_pref("security.mixed_content.block_active_content", true);

// 1217: disable insecure passive content (such as images) on https pages - mixed context
// current default=false, leave it this way as too many sites break visually
// user_pref("security.mixed_content.block_display_content", true);

// 1218: disable HSTS Priming (FF51+)
// RISKS: formerly blocked mixed-content may load, may cause noticeable delays eg requests
//  time out, requests may not be handled well by servers, possible fingerprinting
// https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145
user_pref("security.mixed_content.send_hsts_priming", false);
user_pref("security.mixed_content.use_hsts", false);

// 1219: disable HSTS preload list
// recommended enabled, unless you fully understand the risks and trade-offs
// user_pref("network.stricttransportsecurity.preloadlist", false);

// 1220: disable intermediate certificate caching (fingerprinting attack vector)
// NOTE: This affects login/cert/key dbs. AFAIK the only effect is all active logins start anew
// per session. This may be better handled under FPI (ticket 1323644, part of Tor Uplift)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1334485 // related bug
// https://bugzilla.mozilla.org/show_bug.cgi?id=1216882 // related bug (see comment 9)
// user_pref("security.nocertdb", true); // (hidden pref)

1400: FONTS

user_pref("ghacks_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");

// 1401: disable websites downloading their own fonts (0=block, 1=allow)
// This setting is under Options>Content>Font & Colors>Advanced>Allow pages to choose...
// If you disallow fonts, this drastically limits/reduces font enumeration (by JS) which
// is a high entropy fingerprinting vector.
// WARNING: Disabling fonts can uglify the web a fair bit.
user_pref("browser.display.use_document_fonts", 0);

// 1402: allow icon fonts (glyphs) (FF41+)
user_pref("gfx.downloadable_fonts.enabled", true);

// 1403: disable rendering of SVG OpenType fonts
// https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this
user_pref("gfx.font_rendering.opentype_svg.enabled", false);

// 1404: use more legible default fonts
// WARNING: These are the author's settings, comment out if you do not require them
// Been using this for over a year, it really grows on you
user_pref("font.name.serif.x-unicode", "Georgia");
user_pref("font.name.serif.x-western", "Georgia"); // default Times New Roman
user_pref("font.name.sans-serif.x-unicode", "Arial");
user_pref("font.name.sans-serif.x-western", "Arial");  // default Arial
user_pref("font.name.monospace.x-unicode", "Lucida Console");
user_pref("font.name.monospace.x-western", "Lucida Console"); // default Courier New

// 1405: disable woff2
user_pref("gfx.downloadable_fonts.woff2.enabled", false);

// 1406: disable CSS Font Loading API
// WARNING: Disabling fonts can uglify the web a fair bit.
user_pref("layout.css.font-loading-api.enabled", false);

// 1407: remove special underline handling for a few fonts which you will probably never use.
// Any of these fonts on your system can be enumerated for fingerprinting. Requires restart.
// http://kb.mozillazine.org/Font.blacklist.underline_offset
user_pref("font.blacklist.underline_offset", "");

// 1408: disable graphite which FF49 turned back on by default
// In the past it had security issues - need citation
user_pref("gfx.font_rendering.graphite.enabled", false);


Except for 1601 and 1602, these can all be best handled by an extension to block/spoof all and then whitelist if needed, otherwise too much of the internet breaks.

Improve online privacy by controlling referrer information

Required reading: https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/

user_pref("ghacks_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
// 1601: disable referer from an SSL Website
// to be deprecated in FF52+? - https://bugzilla.mozilla.org/show_bug.cgi?id=1308725
user_pref("network.http.sendSecureXSiteReferrer", false);

// 1602: DNT HTTP header - essentially USELESS - default is off. I recommend off.
// NOTE: "Options>Privacy>Tracking>Request that sites not track you"
// if you use NoScript MAKE SURE to set your noscript.doNotTrack.enabled to match
// http://kb.mozillazine.org/Privacy.donottrackheader.value (pref required since FF21+)
// user_pref("privacy.donottrackheader.enabled", true);
// user_pref("privacy.donottrackheader.value", 1); // (hidden pref)

// 1603: referer, WHEN to send
// 0=never, 1=send only when links are clicked, 2=for links and images (default)
// user_pref("network.http.sendRefererHeader", 2);

// 1604: referer, SPOOF or NOT (default=false)
// user_pref("network.http.referer.spoofSource", false);

// 1605: referer, HOW to handle cross origins
// 0=always (default), 1=only if base domains match, 2=only if hosts match
// user_pref("network.http.referer.XOriginPolicy", 0);

// 1606: referer, WHAT to send (limit the information)
// 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port
// user_pref("network.http.referer.trimmingPolicy", 0);


user_pref("ghacks_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies!");

// 1801: set default plugin state (i.e new plugins on discovery) to never activate
// 0=disabled, 1=ask to activate, 2=active - you can override individual plugins

user_pref("plugin.default.state", 0);
user_pref("plugin.defaultXpi.state", 0);

// 1802: enable click to play and set to 0 minutes
user_pref("plugins.click_to_play", true);
user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);

// 1802a: make sure a plugin is in a certain state: 0=deactivated 1=ask 2=enabled (Flash example)
// you can set all these plugin.state's via Add-ons>Plugins or search for plugin.state in about:config
// NOTE: you can still over-ride individual sites eg youtube via site permissions
// https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/
// user_pref("plugin.state.flash", 0);

// 1804: disable plugins using external/untrusted scripts with XPCOM or XPConnect
user_pref("security.xpconnect.plugin.unrestricted", false);

// 1805: disable scanning for plugins
// http://kb.mozillazine.org/Plugin_scanning
// plid.all = whether to scan the directories specified in the Windows registry for PLIDs
// includes: RealPlayer, Next-Generation Java Plug-In, Adobe Flash, Antivirus etc
// WARNING: The author turned off plugins, try it one day. You are not missing much.
user_pref("plugin.scan.plid.all", false);

// 1806: Acrobat, Quicktime, WMP are handled separately from 1805 above.
// The string refers to min version number allowed
user_pref("plugin.scan.Acrobat", "99999");
user_pref("plugin.scan.Quicktime", "99999");
user_pref("plugin.scan.WindowsMediaPlayer", "99999");

// 1807: disable auto-play of HTML5 media
// WARNING: This may break youtube video playback (and probably other sites). If you block
// autoplay but occasionally would like a toggle button, try the following add-on
// https://addons.mozilla.org/en-US/firefox/addon/autoplay-toggle
user_pref("media.autoplay.enabled", false);

// 1808: disable audio auto-play in non-active tabs (FF51+)
// https://www.ghacks.net/2016/11/14/firefox-51-blocks-automatic-audio-playback-in-non-active-tabs/
user_pref("media.block-autoplay-until-in-foreground", true);

// 1820: disable all GMP (Gecko Media Plugins)
// https://wiki.mozilla.org/GeckoMediaPlugins
user_pref("media.gmp-provider.enabled", false);
user_pref("media.gmp.trial-create.enabled", false);

// 1825: disable widevine CDM
user_pref("media.gmp-widevinecdm.visible", false);
user_pref("media.gmp-widevinecdm.enabled", false);
user_pref("media.gmp-widevinecdm.autoupdate", false);

// 1830: disable all DRM content (EME: Encryption Media Extension)
user_pref("media.eme.enabled", false); // Options>Content>Play DRM Content
user_pref("browser.eme.ui.enabled", false); // hides "Play DRM Content" checkbox, restart required
user_pref("media.eme.apiVisible", false); // block websites detecting DRM is disabled

// 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
// This is the bundled codec used for video chat in WebRTC
// Disable pings to the external update/download server
user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)
user_pref("media.gmp-gmpopenh264.autoupdate", false);
user_pref("media.gmp-manager.url", "data:text/plain,");

// 1850: disable the Adobe EME "Primetime CDM" (Content Decryption Module)
// https://trac.torproject.org/projects/tor/ticket/16285
user_pref("media.gmp-eme-adobe.enabled", false);
user_pref("media.gmp-eme-adobe.visible", false);
user_pref("media.gmp-eme-adobe.autoupdate", false);


user_pref("ghacks_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");

// 2001: disable WebRTC
// https://www.privacytools.io/#webrtc
user_pref("media.peerconnection.enabled", false);
user_pref("media.peerconnection.use_document_iceservers", false);
user_pref("media.peerconnection.video.enabled", false);
user_pref("media.peerconnection.identity.enabled", false);
user_pref("media.peerconnection.identity.timeout", 1);
user_pref("media.peerconnection.turn.disable", true);
// disable video capability for WebRTC
user_pref("media.navigator.video.enabled", false);

// 2001a: pref which improves the WebRTC IP Leak issue, as opposed to completely
// disabling WebRTC. You still need to enable WebRTC for this to be applicable (FF42+)
// https://wiki.mozilla.org/Media/WebRTC/Privacy
user_pref("media.peerconnection.ice.default_address_only", true); // (FF41-FF50)
user_pref("media.peerconnection.ice.no_host", true); // (FF51+)

// 2010: disable WebGL, force bare minimum feature set if used & disable WebGL extensions
// http://www.contextis.com/resources/blog/webgl-new-dimension-browser-exploitation/
// https://security.stackexchange.com/questions/13799/is-webgl-a-security-concern
user_pref("webgl.disabled", true);
user_pref("pdfjs.enableWebGL", false);
user_pref("webgl.min_capability_mode", true);
user_pref("webgl.disable-extensions", true);
user_pref("webgl.disable-fail-if-major-performance-caveat", true);

// 2011: don't make WebGL debug info available to websites
// https://bugzilla.mozilla.org/show_bug.cgi?id=1171228
// https://developer.mozilla.org/en-US/docs/Web/API/WEBGL_debug_renderer_info
user_pref("webgl.enable-debug-renderer-info", false);

// 2012: two more webgl preferences (FF51+)
user_pref("webgl.dxgl.enabled", false);
user_pref("webgl.enable-webgl2", false);

// 2021: disable speech recognition
user_pref("media.webspeech.recognition.enable", false);
user_pref("media.webspeech.synth.enabled", false);

// 2022: disable screensharing
user_pref("media.getusermedia.screensharing.enabled", false);
user_pref("media.getusermedia.screensharing.allowed_domains", "");
user_pref("media.getusermedia.screensharing.allow_on_old_platforms", false);
user_pref("media.getusermedia.browser.enabled", false);
user_pref("media.getusermedia.audiocapture.enabled", false);

// 2023: disable camera stuff
user_pref("camera.control.face_detection.enabled", false);

// 2024: enable/disable MSE (Media Source Extensions)
// https://www.ghacks.net/2014/05/10/enable-media-source-extensions-firefox/
user_pref("media.mediasource.enabled", true);
user_pref("media.mediasource.mp4.enabled", true);
user_pref("media.mediasource.webm.audio.enabled", true);
user_pref("media.mediasource.webm.enabled", true);

// 2025: enable/disable various media types - end user personal choice
// WARNING: this is the author's settings, choose your own
user_pref("media.mp4.enabled", true);
user_pref("media.flac.enabled", true); // (FF51+)
user_pref("media.ogg.enabled", false);
user_pref("media.ogg.flac.enabled", false); // (FF51+)
user_pref("media.opus.enabled", false);
user_pref("media.raw.enabled", false);
user_pref("media.wave.enabled", false);
user_pref("media.webm.enabled", true);
user_pref("media.wmf.enabled", true); // https://www.youtube.com/html5 - for the two H.264 entries

// 2026: disable canvas capture stream
// https://developer.mozilla.org/en-US/docs/Web/API/HTMLCanvasElement/captureStream
user_pref("canvas.capturestream.enabled", false);

// 2027: disable camera image capture
// https://trac.torproject.org/projects/tor/ticket/16339
user_pref("dom.imagecapture.enabled", false);

// 2028: disable offscreen canvas
// https://developer.mozilla.org/en-US/docs/Web/API/OffscreenCanvas
user_pref("gfx.offscreencanvas.enabled", false);


 see http://kb.mozillazine.org/Prevent_websites_from_disabling_new_window_features

user_pref("ghacks_user.js.parrot", "2200 syntax error: the parrot's 'istory!");

// 2201: disable website control over right click context menu
// WARNING: This will break some sites eg Dropbox, Google Docs? gmail?
user_pref("dom.event.contextmenu.enabled", false);

// 2202: UI SPOOFING: disable scripts hiding or disabling the following on new windows
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.menubar", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.toolbar", true);

// 2203: POPUP windows - prevent or allow javascript UI meddling
user_pref("dom.disable_window_flip", true); // window z-order
user_pref("dom.disable_window_move_resize", true);
user_pref("dom.disable_window_open_feature.close", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar
user_pref("dom.disable_window_open_feature.titlebar", true);
user_pref("dom.disable_window_status_change", true);
user_pref("dom.allow_scripts_to_close_windows", false);

// 2204: disable links opening in a new window
// https://trac.torproject.org/projects/tor/ticket/9881
// test url: https://people.torproject.org/~gk/misc/entire_desktop.html
// You can still right click a link and select open in a new window
// This is to stop malicious window sizes and screen res leaks etc in conjunction
// with 2203 dom.disable_window_move_resize=true | 2418 full-screen-api.enabled=false
// user_pref("browser.link.open_newwindow.restriction", 0);


user_pref("ghacks_user.js.parrot", "2300 syntax error: the parrot's off the twig!");

// 2301: disable workers API and service workers API
// https://developer.mozilla.org/en-US/docs/Web/API/Worker
// https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
// https://www.ghacks.net/2016/03/02/manage-service-workers-in-firefox-and-chrome/
// WARNING: WILL break sites as this gains traction: eg mega.nz requires workers
user_pref("dom.workers.enabled", false);
user_pref("dom.serviceWorkers.enabled", false);

// 2302: disable service workers cache and cache storage
user_pref("dom.caches.enabled", false);

// 2303: disable push notifications (FF44+) [requires serviceWorkers to be enabled]
// web apps can receive messages pushed to them from a server, whether or
// not the web app is in the foreground, or even currently loaded
// https://developer.mozilla.org/en/docs/Web/API/Push_API
// WARNING: may affect social media sites like Twitter
user_pref("dom.push.enabled", false);
user_pref("dom.push.connection.enabled", false);
user_pref("dom.push.serverURL", "");
user_pref("dom.push.userAgentID", "");

// 2304: disable web/push notifications
// https://developer.mozilla.org/en-US/docs/Web/API/notification
// NOTE: you can still override individual domains under site permissions (FF44+)
// WARNING: may affect social media sites like Twitter
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);


user_pref("ghacks_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");

// 2402: disable website access to clipboard events/content
// https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/
// WARNING: This will break some sites functionality such as pasting into Facebook
// this applies to onCut, onCopy, onPaste events - i.e is you have to interact with
// the website for it to look at the clipboard
user_pref("dom.event.clipboardevents.enabled", false);

// 2403: disable clipboard commands (cut/copy) from "non-priviledged" content
// this disables document.execCommand("cut"/"copy") to protect your clipboard
// https://bugzilla.mozilla.org/show_bug.cgi?id=1170911
user_pref("dom.allow_cut_copy", false); // (hidden pref)

// 2404: disable JS storing data permanently
// If you block indexedDB but would like a toggle button, try the following add-on
// https://addons.mozilla.org/en-US/firefox/addon/disable-indexeddb/
// This setting WAS under about:permissions>All Sites>Maintain Offline Storage
// NOTE: about:permissions is no longer available since FF46 but you can still override
// individual domains: use info icon in urlbar etc or right click on a web page>view page info
// WARNING: If set as false (disabled), this WILL break some [old] add-ons and DOES break
// a lot of sites' functionality. Applies to websites, add-ons and session data.
user_pref("dom.indexedDB.enabled", false);

// 2405: https://wiki.mozilla.org/WebAPI/Security/WebTelephony
user_pref("dom.telephony.enabled", false);

// 2410: disable User Timing API
// https://trac.torproject.org/projects/tor/ticket/16336
user_pref("dom.enable_user_timing", false);

// 2411: disable resource/navigation timing
user_pref("dom.enable_resource_timing", false);

// 2412: disable timing attacks - javascript performance fingerprinting
// https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
user_pref("dom.enable_performance", false);

// 2414: disable shaking the screen
user_pref("dom.vibrator.enabled", false);

// 2415: max popups from a single non-click event - default is 20!
user_pref("dom.popup_maximum", 3);

// 2415b: limit events that can cause a popup
// default is "change click dblclick mouseup notificationclick reset submit touchend"
// WARNING: Author killed all methods but does this with Popup Blocker Ultimate
// in Strict mode with whitelist. Or you can allow all but blacklist. Either way,
// Popup Blocker Ultimate overwrites this pref with a blank (or allows everything!).
// http://kb.mozillazine.org/Dom.popup_allowed_events
user_pref("dom.popup_allowed_events", "click dblclick");

// 2416: disable idle observation
user_pref("dom.idle-observers-api.enabled", false);

// 2418: disable full-screen API
// This setting WAS under about:permissions>All Sites>Fullscreen
// NOTE: about:permissions is no longer available since FF46 but you can still override
// individual domains: use info icon in urlbar etc or right click on a web page>view page info
// set to false=block, set to true=ask
user_pref("full-screen-api.enabled", false);

// 2420: disable support for asm.js ( http://asmjs.org/ )
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-29/
// https://www.mozilla.org/en-US/security/advisories/mfsa2015-50/
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712
user_pref("javascript.options.asmjs", false);

// 2421: in addition to 2420, these settings will help harden JS against exploits such as CVE-2015-0817
// https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
// WARNING: causes the odd site issue and there is also a performance loss
// Update: Jan-2017: commented out for now, as performance gains outweigh extra security
// user_pref("javascript.options.ion", false);
// user_pref("javascript.options.baselinejit", false);

// 2425: disable ArchiveAPI i.e reading content of archives, such as zip files, directly
// in the browser, through DOM file objects. Default is false.
user_pref("dom.archivereader.enabled", false);

// 2450: force FF to tell you if a website asks to store data for offline use
// https://support.mozilla.org/en-US/questions/1098540
// https://bugzilla.mozilla.org/show_bug.cgi?id=959985
user_pref("offline-apps.allow_by_default", false);
// Options>Advanced>Network>Tell me when a website asks to store data for offline use
user_pref("browser.offline-apps.notify", true);
// change size of warning quota for offline cache (default 51200)
// Offline cache is only used in rare cases to store data locally. FF will store small amounts
// (default <50MB) of data in the offline (application) cache without asking for permission.
// user_pref("offline-apps.quota.warn", 51200);


user_pref("ghacks_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");

// 2501: disable gamepad API - USB device ID enumeration
// https://trac.torproject.org/projects/tor/ticket/13023
user_pref("dom.gamepad.enabled", false);

// 2502: disable Battery Status API. Initially a Linux issue (high precision readout) that is now fixed.
// However, it is still another metric for fingerprinting, used to raise entropy.
// eg: do you have a battery or not, current charging status, charge level, times remaining etc
// http://techcrunch.com/2015/08/04/battery-attributes-can-be-used-to-track-web-users/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1124127
// https://www.w3.org/TR/battery-status/
// https://www.theguardian.com/technology/2016/aug/02/battery-status-indicators-tracking-online
// NOTE: From FF52+ Battery Status API is only available in chrome/privileged code.
// https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
user_pref("dom.battery.enabled", false);

// 2503: disable giving away network info
// eg bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
// https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
// https://wicg.github.io/netinfo/
// https://bugzilla.mozilla.org/show_bug.cgi?id=960426
user_pref("dom.netinfo.enabled", false);

// 2504: disable virtual reality devices
// https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API
user_pref("dom.vr.enabled", false);
user_pref("dom.vr.oculus.enabled", false);
user_pref("dom.vr.osvr.enabled", false); // (FF49+)
user_pref("dom.vr.openvr.enabled", false); // (FF51+)

// 2505: disable media device enumeration (FF29+)
// NOTE: media.peerconnection.enabled should also be set to false (see 2001)
// https://wiki.mozilla.org/Media/getUserMedia
// https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/enumerateDevices
user_pref("media.navigator.enabled", false);

// 2506: disable video statistics - JS performance fingerprinting
/ https://trac.torproject.org/projects/tor/ticket/15757
user_pref("media.video_stats.enabled", false);

// 2507: disable keyboard fingerprinting (FF38+) (physical keyboards)
// The Keyboard API allows tracking the "read parameter" of pressed keys in forms on
// web pages. These parameters vary between types of keyboard layouts such as QWERTY,
// AZERTY, Dvorak, and between various languages, eg German vs English.
// WARNING: Don't use if Android + physical keyboard
// UPDATE: This MAY be incorporated better into the Tor Uplift project (see 2699)
// https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/code
// https://www.privacy-handbuch.de/handbuch_21v.htm
user_pref("dom.keyboardevent.code.enabled", false);
user_pref("dom.beforeAfterKeyboardEvent.enabled", false);
user_pref("dom.keyboardevent.dispatch_during_composition", false);

// 2508: disable graphics fingerprinting (the loss of hardware acceleration is negligible)
// These prefs are under Options>Advanced>General>Use hardware acceleration when available
// NOTE: changing this option changes BOTH these preferences
// https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration
// WARNING: This changes text rendering (fonts will look different)
// If you watch a lot of video, this will impact performance
user_pref("gfx.direct2d.disabled", true);
user_pref("layers.acceleration.disabled", true);

// 2509: disable touch events
// https://developer.mozilla.org/en-US/docs/Web/API/Touch_events
// https://trac.torproject.org/projects/tor/ticket/10286
// fingerprinting attack vector - leaks screen res & actual screen coordinates
// WARNING: If you use touch eg Win8/10 Metro/Smartphone reset this to default
user_pref("dom.w3c_touch_events.enabled", 0);

// 2510: disable Web Audio API (FF51+)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
user_pref("dom.webaudio.enabled", false);

// 2511: disable MediaDevices change detection (FF51+) (enabled by default starting FF52+)
// https://developer.mozilla.org/en-US/docs/Web/Events/devicechange
// https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/ondevicechange
user_pref("media.ondevicechange.enabled", false);


user_pref("ghacks_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");

// 2601: disable sending additional analytics to web servers
// https://developer.mozilla.org/en-US/docs/Web/API/navigator.sendBeacon
user_pref("beacon.enabled", false);

// 2602: CIS 2.3.2 disable downloading on desktop
user_pref("browser.download.folderList", 2);

// 2603: always ask the user where to download - enforce user interaction for security
user_pref("browser.download.useDownloadDir", false);

// 2604: https://bugzil.la/238789#c19
user_pref("browser.helperApps.deleteTempFileOnExit", true);

// 2605: don't integrate activity into windows recent documents
user_pref("browser.download.manager.addToRecentDocs", false);

// 2606: disable hiding mime types (Options>Applications) not associated with a plugin
user_pref("browser.download.hide_plugins_without_extensions", false);

// 2607: disable page thumbnail collection
// look in profile/thumbnails directory - you may want to clean that out
user_pref("browser.pagethumbnails.capturing_disabled", true); // (hidden pref)

// 2608: disable JAR from opening Unsafe File Types
user_pref("network.jar.open-unsafe-types", false);

// 2611: disable WebIDE to prevent remote debugging and add-on downloads
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("devtools.webide.autoinstallADBHelper", false);
user_pref("devtools.webide.autoinstallFxdtAdapters", false);
user_pref("devtools.debugger.remote-enabled", false);
user_pref("devtools.webide.enabled", false);

// 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
// https://trac.torproject.org/projects/tor/ticket/16222
user_pref("browser.casting.enabled", false);
user_pref("gfx.layerscope.enabled", false);

// 2613: disable device sensor API - fingerprinting vector
// https://trac.torproject.org/projects/tor/ticket/15758
user_pref("device.sensors.enabled", false);

// 2614: disable SPDY as it can contain identifiers
// https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (no. 10)
user_pref("network.http.spdy.enabled", false);
user_pref("network.http.spdy.enabled.deps", false);

// 2615: disable http2 for now as well
user_pref("network.http.spdy.enabled.http2", false);

// 2617: disable pdf.js as an option to preview PDFs within Firefox
// see mime-types under Options>Applications) - EXPLOIT risk
// Enabling this (set to true) will change your option most likely to "Ask" or "Open with
// some external pdf reader". This does NOT necessarily prevent pdf.js being used via
// other means, it only removes the option. I think this should be left at default (false).
// 1. It won't stop JS bypassing it. 2. Depending on external pdf viewers there is just as
// much risk or more (acrobat). 3. Mozilla are very quick to patch these sorts of exploits,
// they treat them as severe/critical and 4. for convenience
user_pref("pdfjs.disabled", false);

// 2618: when using SOCKS have the proxy server do the DNS lookup - dns leak issue
// http://kb.mozillazine.org/Network.proxy.socks_remote_dns
// https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers
// eg in TOR, this stops your local DNS server from knowing your Tor destination
// as a remote Tor node will handle the DNS request

user_pref("network.proxy.socks_remote_dns", true);

// 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
// WARNING: a low setting of 5 or under will probably break some sites (eg gmail logins)
// To control HTML Meta tag and JS redirects, use an add-on (eg NoRedirect). Default is 20
user_pref("network.http.redirection-limit", 10);

// 2620: disable middle mouse click opening links from clipboard
// https://trac.torproject.org/projects/tor/ticket/10089
// http://kb.mozillazine.org/Middlemouse.contentLoadURL
user_pref("middlemouse.contentLoadURL", false);

// 2621: disable IPv6 (included for knowledge ONLY - not recommended)
// This is all about covert channels such as MAC addresses being included/abused in the
// IPv6 protocol for tracking. If you want to mask your IP address, this is not the way
// to do it. It's 2016, IPv6 is here. Here are some old links
// 2010: https://www.christopher-parsons.com/ipv6-and-the-future-of-privacy/
// 2011: https://iapp.org/news/a/2011-09-09-facing-the-privacy-implications-of-ipv6
// 2012: http://www.zdnet.com/article/security-versus-privacy-with-ipv6-deployment/
// NOTE: It is a myth that disabling IPv6 will speed up your internet connection
// http://www.howtogeek.com/195062/no-disabling-ipv6-probably-wont-speed-up-your-internet-connection
// user_pref("network.dns.disableIPv6", true);
// user_pref("network.http.fast-fallback-to-IPv4", true);

// 2622: ensure you have a security delay when installing add-ons (milliseconds)
// default=1000, This also covers the delay in "Save" on downloading files.
// http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
// http://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/
user_pref("security.dialog_enable_delay", 1000);

// 2623: ensure Strict File Origin Policy on local files
// The default is true. Included for completeness
// http://kb.mozillazine.org/Security.fileuri.strict_origin_policy
user_pref("security.fileuri.strict_origin_policy", true);

// 2624: enforce Subresource Integrity (SRI) (FF43+)
// The default is true. Included for completeness
// https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
// https://wiki.mozilla.org/Security/Subresource_Integrity
user_pref("security.sri.enable", true);

// 2625: Applications [non Tor protocol] SHOULD generate an error
// upon the use of .onion and SHOULD NOT perform a DNS lookup.
// https://bugzilla.mozilla.org/show_bug.cgi?id=1228457
user_pref("network.dns.blockDotOnion", true);

// 2626: strip optional user agent token, default is false, included for completeness
// https://developer.mozilla.org/en-US/docs/Web/HTTP/Gecko_user_agent_string_reference
user_pref("general.useragent.compatMode.firefox", false);

// 2627: Spoof default UA & relevant (navigator) parts (also see 0204 for UA language)
// NOTE: may be better handled by an extension (eg whitelisitng), try not to clash with it
// NOTE: this is NOT a complete solution (feature detection, some navigator objects leak, resource URI etc)
// AIM: match latest TBB settings: Windows, ESR, OS etc
// WARNING: If you do not understand fingerprinting then don't use this section
// test: http://browserspy.dk/browser.php
//       http://browserspy.dk/showprop.php (for buildID)
//       http://browserspy.dk/useragent.php
// ==start==
// A: navigator.userAgent leaks in JS, setting this also seems to break UA extension whitelisting
// user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"); // (hidden pref)
// B: navigator.buildID (see gecko.buildID in about:config) reveals build time
// down to the second which defeats user agent spoofing and can compromise OS etc
// https://bugzilla.mozilla.org/show_bug.cgi?id=583181
user_pref("general.buildID.override", "20100101"); // (hidden pref)

// C: navigator.appName
user_pref("general.appname.override", "Netscape"); // (hidden pref)

// D: navigator.appVersion
user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref)

// E: navigator.platform leaks in JS
user_pref("general.platform.override", "Win32"); // (hidden pref)

// F: navigator.oscpu
user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref)

// 2628: disable UITour backend so there is no chance that a remote page can use it
user_pref("browser.uitour.enabled", false);
user_pref("browser.uitour.url", "");

// 2629: disable remote JAR files being opened, regardless of content type
// https://bugzilla.mozilla.org/show_bug.cgi?id=1215235
user_pref("network.jar.block-remote-files", true);

// 2650: start the browser in e10s mode (48+)
// After restarting the browser, you can check whether it's enabled by visiting
// about:support and checking that "Multiprocess Windows" = 1
// use force-enable and extensions.e10sblocksenabling if you have add-ons
// user_pref("browser.tabs.remote.autostart", true);
// user_pref("browser.tabs.remote.autostart.2", true); // (FF49+)
// user_pref("browser.tabs.remote.force-enable", true); // (hidden pref)
// user_pref("extensions.e10sBlocksEnabling", false);

// 2651: control e10s number of container processes
// https://www.ghacks.net/2016/02/15/change-how-many-processes-multi-process-firefox-uses/
// https://bugzilla.mozilla.org/show_bug.cgi?id=1207306
// user_pref("dom.ipc.processCount", 4);

// 2652: enable console shim warnings for extensions that don't have the flag
// 'multiprocessCompatible' set to true
user_pref("dom.ipc.shims.enabledWarnings", true);

// 2660: enforce separate content process for file://URLs (FF53+?)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1147911
// https://www.ghacks.net/2016/11/27/firefox-53-exclusive-content-process-for-local-files/
user_pref("browser.tabs.remote.separateFileUriProcess", true);

// 2662: disable "open with" in download dialog (FF50+)
// This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
// in such a way that it is forbidden to run external applications.
// WARNING: This may interfere with some users' workflow or methods
// https://bugzilla.mozilla.org/show_bug.cgi?id=1281959
user_pref("browser.download.forbid_open_with", true);

// 2663: disable MathML (FF51+)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1173199
// test: http://browserspy.dk/mathml.php
user_pref("mathml.disabled", true);

// 2664: disable DeviceStorage API
// https://wiki.mozilla.org/WebAPI/DeviceStorageAPI
user_pref("device.storage.enabled", false);

// 2665: sanitize webchannel whitelist
user_pref("webchannel.allowObject.urlWhitelist", "");

// 2666: disable HTTP Alternative Services
// https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3970881
user_pref("network.http.altsvc.enabled", false);
user_pref("network.http.altsvc.oe", false);

// 2667: disable various developer tools in browser context
// Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
// http://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676
user_pref("devtools.chrome.enabled", false);

// 2668: lock down allowed extension directories
// https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
// archived: http://archive.is/DYjAM
user_pref("extensions.enabledScopes", 1); // (hidden pref)
user_pref("extensions.autoDisableScopes", 15);

// 2669: strip paths when sending URLs to PAC scripts (FF51+)
// CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1255474
user_pref("network.proxy.autoconfig_url.include_path", false);

// 2670: close bypassing of CSP via image mime types (FF51+)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1288361
user_pref("security.block_script_with_wrong_mime", true);

// 2671: disable SVG (FF53+)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1216893
user_pref("svg.disabled", true);


// 2698a: enable first party isolation pref and OriginAttribute (FF51+)
// WARNING: breaks lots of cross-domain logins and site funtionality until perfected
// https://bugzilla.mozilla.org/show_bug.cgi?id=1260931
// 2698b: this also isolates OCSP requests by first party domain
// https://bugzilla.mozilla.org/show_bug.cgi?id=1264562
// user_pref("privacy.firstparty.isolate", true);

2699: TOR UPLIFT: privacy.resistFingerprinting

     This preference will be used as a generic switch for a wide range of items.
This section will attempt to list all the ramifications and Mozilla tickets

// 2699a: limit window.screen & CSS media queries providing large amounts of identifiable info.
// POC: http://ip-check.info/?lang=en (screen, usable screen, and browser window will match)
// https://bugzilla.mozilla.org/show_bug.cgi?id=418986
// NOTE: does not cover everything yet - https://bugzilla.mozilla.org/show_bug.cgi?id=1216800
// NOTE: this will probably make your values pretty unique until you resize or snap the
// inner window width + height into standard/common resolutions (mine is at 1366x768)
// To set a size, open a XUL (chrome) page (such as about:config) which is at 100% zoom, hit
// Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. Test
// your window size, do some math, resize to allow for all the non inner window elements
// test: http://browserspy.dk/screen.php
// Common resolutions: http://www.rapidtables.com/web/dev/screen-resolution-statistics.htm

// 2699b: spoof screen orientation
// https://bugzilla.mozilla.org/show_bug.cgi?id=1281949
// 2699c: hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1281963
user_pref("privacy.resistFingerprinting", true); // (hidden pref)


user_pref("ghacks_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");

// 2701: disable cookies on all sites
// you can set exceptions under site permissions or use an extension (eg Cookie Controller)
// 0=allow all 1=allow same host 2=disallow all 3=allow 3rd party if it already set a cookie
user_pref("network.cookie.cookieBehavior", 2);

// 2702: ensure that third-party cookies (if enabled, see above pref) are session-only
// https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
// http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly
user_pref("network.cookie.thirdparty.sessionOnly", true);

// 2703: set cookie lifetime policy
// 0=until they expire (default), 2=until you close Firefox, 3=for n days (see next pref)
// If you use custom settings for History in Options, this is the setting under
// Privacy>Accept cookies from sites>Keep until <they expire/I close Firefox>
// user_pref("network.cookie.lifetimePolicy", 0);

// 2704: set cookie lifetime in days (see above pref) - default is 90 days
// user_pref("network.cookie.lifetime.days", 90);

// 2705: disable dom storage
// WARNING: this will break a LOT of sites' functionality.
// You are better off using an extension for more granular control
// user_pref("dom.storage.enabled", false);

// 2706: disable Storage API (FF51+) which gives sites' code the ability to find out how much space
// they can use, how much they are already using, and even control whether or not they need to
// be alerted before the user agent disposes of site data in order to make room for other things.
// https://developer.mozilla.org/en-US/docs/Web/API/StorageManager
// https://developer.mozilla.org/en-US/docs/Web/API/Storage_API
user_pref("dom.storageManager.enabled", false);

// 2707: clear localStorage and UUID when a WebExtension is uninstalled
// NOTE: both preferences must be the same
// https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/storage/local
// https://bugzilla.mozilla.org/show_bug.cgi?id=1213990
user_pref("extensions.webextensions.keepStorageOnUninstall", false);
user_pref("extensions.webextensions.keepUuidOnUninstall", false);


user_pref("ghacks_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");

// 2802: enable FF to clear stuff on close
// This setting is under Options>Privacy>Clear history when Firefox closes
user_pref("privacy.sanitize.sanitizeOnShutdown", true);

// 2803: what to clear on shutdown
// These settings are under Options>Privacy>Clear history when Firefox closes>Settings
// These are the settings of the author of this user.js, chose your own
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.downloads", true);
user_pref("privacy.clearOnShutdown.formdata", true);
user_pref("privacy.clearOnShutdown.history", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.sessions", false); // active logins
user_pref("privacy.clearOnShutdown.siteSettings", false);

// 2803a: include all open windows/tabs when you shutdown
// user_pref("privacy.clearOnShutdown.openWindows", true);

// 2804: (to match above) - auto selection of items to delete with Ctrl-Shift-Del
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", false);
user_pref("privacy.cpd.downloads", true);
user_pref("privacy.cpd.formdata", true);
user_pref("privacy.cpd.history", true);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.passwords", false);
user_pref("privacy.cpd.sessions", false);
user_pref("privacy.cpd.siteSettings", false);

// 2804a: include all open windows/tabs when you run clear recent history
// user_pref("privacy.cpd.openWindows", true);

// 2805: reset default 'Time range to clear' for 'clear recent history' (see 2804 above)
// Firefox remembers your last choice. This will reset the value when you start FF.
// 0=everything 1=last hour, 2=last 2 hours, 3=last 4 hours, 4=today
user_pref("privacy.sanitize.timeSpan", 0);


Settings that are handy to migrate and/or are not in the Options interface. Users can put their own non-security/privacy/fingerprinting/tracking stuff here

user_pref("ghacks_user.js.parrot", "3000 syntax error: this is an ex-parrot!");

// 3001: disable annoying warnings
user_pref("general.warnOnAboutConfig", false);
user_pref("browser.tabs.warnOnClose", false);
user_pref("browser.tabs.warnOnCloseOtherTabs", false);
user_pref("browser.tabs.warnOnOpen", false);

// 3001a: disable warning when a domain requests full screen
// https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Using_full_screen_mode
// user_pref("full-screen-api.warning.delay", 0);
// user_pref("full-screen-api.warning.timeout", 0);

// 3002: disable closing browser with last tab
user_pref("browser.tabs.closeWindowWithLastTab", false);

// 3004: disable backspace (0 = previous page, 1 = scroll up, 2 = do nothing)
user_pref("browser.backspace_action", 2);

// 3005: disable autocopy default (use extensions autocopy 2 & copy plain text 2)
user_pref("clipboard.autocopy", false);

// 3007: open new windows in a new tab instead
// This setting is under Options>General>Tabs
// 1=current window, 2=new window, 3=most recent window
user_pref("browser.link.open_newwindow", 3);

// 3008: disable "Do you really want to leave this site?" popups
// https://support.mozilla.org/en-US/questions/1043508
user_pref("dom.disable_beforeunload", true);

// 3009: turn on APZ (Async Pan/Zoom) - requires e10s
// https://www.ghacks.net/2015/07/28/scrolling-in-firefox-to-get-a-lot-better-thanks-to-apz/
// user_pref("layers.async-pan-zoom.enabled", true);

// 3010: enable ctrl-tab previews
user_pref("browser.ctrlTab.previews", true);

// 3011: don't open "page/selection source" in a tab. The window used instead is cleaner
// and easier to use and move around (eg developers/multi-screen).
user_pref("view_source.tab", false);

// 3012: spellchecking: 0=none, 1-multi-line controls, 2=multi-line & single-line controls
user_pref("layout.spellcheckDefault", 1);

// 3013: disable automatic "Work Offline" status
// https://bugzilla.mozilla.org/show_bug.cgi?id=620472
// https://developer.mozilla.org/en-US/docs/Online_and_offline_events
user_pref("network.manage-offline-status", false);

// 3015: disable tab animation, speed things up a little
user_pref("browser.tabs.animate", false);

// 3016: disable fullscreeen animation. Test using F11.
// Animation is smother but is annoyingly slow, while no animation can be startling
user_pref("browser.fullscreen.animate", false);

// 3017: submenu in milliseconds. 0=instant while a small number allows
// a mouse pass over menu items without any submenus alarmingly shooting out
user_pref("ui.submenuDelay", 75); // (hidden pref)

// 3018: maximum number of daily bookmark backups to keep (default is 15)
user_pref("browser.bookmarks.max_backups", 2);

// 3020: FYI: urlbar click behaviour (with defaults)
user_pref("browser.urlbar.clickSelectsAll", true);
user_pref("browser.urlbar.doubleClickSelectsAll", false);

// 3021: FYI: tab behaviours (with defaults)
// open links in a new tab immediately to the right of parent tab, not far right
user_pref("browser.tabs.insertRelatedAfterCurrent", true);
// switch to the parent tab (if it has one) on close, rather than to the adjacent right tab if
// it exists or to the adjacent left tab if it doesn't. NOTE: requires browser.link.open_newwindow
// set to 3 (see pref 3007). NOTE: does not apply to middle-click or Ctrl-clicking links.
user_pref("browser.tabs.selectOwnerOnClose", true);

// Options>General>When I open a link in a new tab, switch to it immediately
// default is unchecked = DON'T switch to it = true
user_pref("browser.tabs.loadInBackground", true);

// set behavior of pages normally meant to open in a new window (such as target="_blank"
// or from an external program), but that have instead been loaded in a new tab.
// true: load the new tab in the background, leaving focus on the current tab
// false: load the new tab in the foreground, taking the focus from the current tab.
user_pref("browser.tabs.loadDivertedInBackground", false);

// 3022: hide recently bookmarked items (you still have the original bookmarks) (FF49+)
user_pref("browser.bookmarks.showRecentlyBookmarked", false);

// 3023: disable automigrate, current default is false but may change (FF49+)
// need more info, but lock down for now
user_pref("browser.migrate.automigrate.enabled", false);

// END: internal custom pref to test for syntax errors
user_pref("ghacks_user.js.parrot", "No no he's not dead, he's, he's restin'! Remarkable bird, the Norwegian Blue");

 9996: PALEMOON SPECIFIC ( https://www.palemoon.org/ )

     Full list maintained by Moonchild: https://forum.palemoon.org/viewtopic.php?f=24&t=3357
If you have issues or questions about any of these, please use the palemoon forums
NOTE: This section is no longer maintained [after version 10]

// 9996-1: (v25.6+) disable canvas fingerprinting
// user_pref("canvas.poisondata", true);

// 9996-2: (v25.2+) control HSTS
// If editing this in about:config PM needs to be fully closed and then restarted
// NOTE: This is a trade-off between privacy vs security. HSTS was designed to increase
// security to stop MiTM attacks but can also be misused as a fingerprinting vector, by
// scrapping previously visited sites. Recommended: security over privacy. Your choice.
// user_pref("network.stricttransportsecurity.enabled", true);

// 9996-3: (v25.0+) controls whether to ignore an expired state of stapled OCSP responses
// If set to true, breaks with RFC6066 (like Firefox) and ignores the fact that stapled
// OCSP responses may be expired. If false (the default) aborts the connection.
// user_pref("security.ssl.allow_unsafe_ocsp_response", false);

// 9996-4: (v25.6+) Controls whether to completely ignore "autocomplete=off" on login fields
// user_pref("signon.ignoreAutocomplete", false);

// 9996-5: (v26.0+) read Moonchild's description on the palemoon forum thread linked above
// user_pref("dom.disable_beforeunload", true);


     Personally confirmed by resetting as well as via documentation and DXR searches.
NOTE: numbers may get re-used

// 2607: (23+) disable page thumbnails, it was around v23, not 100% sure when
// this pref was replaced with browser.pagethumbnails.capturing_disabled
// user_pref("pageThumbs.enabled", false);

// 2408: (31+) disable network API - fingerprinting vector
// user_pref("dom.network.enabled", false);

// 2620: (35+) disable WebSockets
// https://developer.mozilla.org/en-US/Firefox/Releases/35
// user_pref("network.websocket.enabled", false);

// 2023: (37+) disable camera autofocus callback (was in 36, not in 37)
// Not part of any specification, the API will be superceded by the WebRTC Capture
// and Stream API ( http://w3c.github.io/mediacapture-main/getusermedia.html )
// https://developer.mozilla.org/en-US/docs/Mozilla/Firefox_OS/API/CameraControl/
// user_pref("camera.control.autofocus_moving_callback.enabled", false);

// 1804: (41+) disable plugin enumeration
// user_pref("plugins.enumerable_names", "");

// 0420: (42+) disable tracking protection
// this particular pref was never in stable
// labelled v42+ because that's when tracking protection landed
// user_pref("browser.polaris.enabled", false);

// 2803: (42+) what to clear on shutdown
// https://bugzilla.mozilla.org/show_bug.cgi?id=1102184#c23
// user_pref("privacy.clearOnShutdown.passwords", false);

// 0411: (43+) disable safebrowsing urls & download
// user_pref("browser.safebrowsing.gethashURL", "");
// user_pref("browser.safebrowsing.malware.reportURL", "");
// user_pref("browser.safebrowsing.provider.google.appRepURL", "");
// user_pref("browser.safebrowsing.reportErrorURL", "");
// user_pref("browser.safebrowsing.reportGenericURL", "");
// user_pref("browser.safebrowsing.reportMalwareErrorURL", "");
// user_pref("browser.safebrowsing.reportMalwareURL", "");
// user_pref("browser.safebrowsing.reportURL", "");
// user_pref("browser.safebrowsing.updateURL", "");

// 0420: (43+) disable tracking protection. FF43+ URLs are now part of safebrowsing
// https://wiki.mozilla.org/Security/Tracking_protection (look under Prefs)
// NOTE: getupdateURL = WRONG / never existed. updateURL = CORRECT and has been added FYI
// user_pref("browser.trackingprotection.gethashURL", "");
// user_pref("browser.trackingprotection.getupdateURL", "");
// user_pref("browser.trackingprotection.updateURL", "");

// 1803: (43+) remove plugin finder service
// http://kb.mozillazine.org/Pfs.datasource.url
// user_pref("pfs.datasource.url", "");

// 2403: (43+) disable scripts changing images - test link below
// http://www.w3schools.com/jsref/tryit.asp?filename=tryjsref_img_src2
// WARNING: will break some sites such as Google Maps and a lot of web apps
// user_pref("dom.disable_image_src_set", true);

// 2615: (43+) disable http2 for now as well
// user_pref("network.http.spdy.enabled.http2draft", false);

// 3001a: (43+) disable warning when a domain requests full screen
// replaced by setting full-screen-api.warning.timeout to zero
// user_pref("full-screen-api.approval-required", false);

// 3003: (43+) disable new search panel UI [Classic Theme Restorer can restore the old search]
// user_pref("browser.search.showOneOffButtons", false);

// 1201: (44+) block rc4 whitelist
// https://developer.mozilla.org/en-US/Firefox/Releases/44#Security
// user_pref("security.tls.insecure_fallback_hosts.use_static_list", false);

// 2417: (44+) disable SharedWorkers, which allow the exchange of data between iFrames that
// are open in different tabs, even if the sites do not belong to the same domain.
// https://www.torproject.org/projects/torbrowser/design/#identifier-linkability (no. 8)
// https://bugs.torproject.org/15562
// is used in FF 45and 46 code once, to set it for a test
// user_pref("dom.workers.sharedWorkers.enabled", false);

// 1005: (45+) disable deferred level of storing extra session data 0=all 1=http-only 2=none
// user_pref("browser.sessionstore.privacy_level_deferred", 2);

// 0334b: (46+) disable FHR (Firefox Health Report) v2 data being sent to Mozilla servers
// user_pref("datareporting.policy.dataSubmissionEnabled.v2", false);

// 0373: (46+) disable "Pocket". FF46 replaced these with extensions.pocket.*
// user_pref("browser.pocket.enabled", false);
// user_pref("browser.pocket.api", "");
// user_pref("browser.pocket.site", "");
// user_pref("browser.pocket.oAuthConsumerKey", "");

// 0410e: (46+) safebrowsing
// user_pref("browser.safebrowsing.appRepURL", ""); // Google application reputation check

// 0333b: (47+) disable about:healthreport page UNIFIED
// user_pref("datareporting.healthreport.about.reportUrlUnified", "data:text/plain,");

// 0807: (47+) disable history manipulation
// https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history
// WARNING: if set to false it breaks some sites (youtube) ability to correctly show the
// url in location bar and for the forward/back tab history to work
// user_pref("browser.history.allowPopState", false);
// user_pref("browser.history.allowPushState", false);
// user_pref("browser.history.allowReplaceState", false);

// 0806: (48+) disable 'unified complete': 'Search with [default search engine]'
// this feature has been added back in Classic Theme Restorer
// http://techdows.com/2016/05/firefox-unified-complete-aboutconfig-preference-removed.html
// user_pref("browser.urlbar.unifiedcomplete", false);

// 3006: (48+) disable enforced add-on signing
// NOTE: the preference is still in FF48+, but it's legacy code and does not work in stable
// user_pref("xpinstall.signatures.required", false);

// 0372: (49+) disable "Hello" (TokBox/Telefonica WebRTC voice & video call PUP) WebRTC (IP leak)
// https://www.mozilla.org/en-US/privacy/firefox-hello/
// https://security.stackexchange.com/questions/94284/how-secure-is-firefox-hello
// https://support.mozilla.org/en-US/kb/hello-status
// user_pref("loop.enabled", false);
// user_pref("loop.server", "");
// user_pref("loop.feedback.formURL", "");
// user_pref("loop.feedback.manualFormURL", "");
// additional facebook loop settings
// user_pref("loop.facebook.appId", "");
// user_pref("loop.facebook.enabled", false);
// user_pref("loop.facebook.fallbackUrl", "");
// user_pref("loop.facebook.shareUrl", "");
// https://groups.google.com/d/topic/mozilla.dev.platform/nyVkCx-_sFw/discussion
// user_pref("loop.logDomains", false);

// 2202: (49+) ONE of the new window UI prefs
// user_pref("dom.disable_window_open_feature.scrollbars", true);

// 2431: (49+) disable ONE of the push notification prefs
// user_pref("dom.push.udp.wakeupEnabled", false);

// 0308: (50+) disable update plugin notifications
// if using Flash/Java/Silverlight, it is best to turn on their own auto-update mechanisms.
// See 1804 below: Mozilla only checks a few plugins and will soon do away with NPAPI
// user_pref("plugins.update.notifyUser", false);

// 0410a: (50+) "Block dangerous and deceptive content" pref name change
// user_pref("browser.safebrowsing.enabled", false); // FF49 and earlier

// 1202: (50+) disable rc4 ciphers
// https://www.fxsitecompat.com/en-CA/docs/2016/rc4-support-has-been-completely-removed/
// https://trac.torproject.org/projects/tor/ticket/17369
// user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", false);
// user_pref("security.ssl3.ecdhe_rsa_rc4_128_sha", false);
// user_pref("security.ssl3.rsa_rc4_128_md5", false);
// user_pref("security.ssl3.rsa_rc4_128_sha", false);

// 1809: (50+) remove Mozilla's plugin update URL
// user_pref("plugins.update.url", "");

// 1851: (51+) delay play of videos until they're visible
// https://bugzilla.mozilla.org/show_bug.cgi?id=1180563
// user_pref("media.block-play-until-visible", true);

// 2504: (51+) disable virtual reality devices
// user_pref("dom.vr.oculus050.enabled", false);

// 2614: (51+) disable SPDY
// user_pref("network.http.spdy.enabled.v3-1", false);



// 1400's: set whitelisted system fonts only (FF52+)
// If whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
// https://bugzilla.mozilla.org/show_bug.cgi?id=1121643
// user_pref("font.system.whitelist", "");

// 2698-append: privacy.firstparty.isolate.restrict_opener_access
// https://bugzilla.mozilla.org/show_bug.cgi?id=1319773

// 1200's: Isolate the HSTS and HPKP cache by first party domain
// https://bugzilla.mozilla.org/show_bug.cgi?id=1323644

// 2400's: reduce precision of time exposed by javascript
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217238
// user_pref("javascript.options.privacy.reduce_time_precision", true);

// 2699-append: resource://URIs leak
// https://trac.torproject.org/projects/tor/ticket/8725
// https://bugzilla.mozilla.org/show_bug.cgi?id=863246
// test: https://www.browserleaks.com/firefox

// 2001: preference to fully disable WebRTC JS API
// https://bugzilla.mozilla.org/show_bug.cgi?id=1314443

// 2699-append: enable fingerprinting resistence to WebGL
// https://bugzilla.mozilla.org/show_bug.cgi?id=1217290

// 2699-append: checkbox in about#preferences#privacy for privacy.resistFingerprinting
// when this lands, add note to 2699
// https://bugzilla.mozilla.org/show_bug.cgi?id=1308340

// 2699-append: use UTC timezone (spoof as UTC 0)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1330890

// 2699-append: new window sizes to round to hundreds
// Note: override values, future may enforce a select set of (inner) window measurements
// If override values are too big, the code falls back and determines it for you
// https://bugzilla.mozilla.org/show_bug.cgi?id=1330882
// user_pref("privacy.window.maxInnerWidth", 1366);
// user_pref("privacy.window.maxInnerHeight", 768);

// 1400's: prevent local font enumeration
// https://bugzilla.mozilla.org/show_bug.cgi?id=732096

// 1800's: disable "This Plugin is Disabled" overlay
// https://bugzilla.mozilla.org/show_bug.cgi?id=967979
// user_pref("privacy.plugin_disabled_barrier.enabled", false);

// 2500's: disable/mitigate canvas fingerprinting
// https://bugzilla.mozilla.org/show_bug.cgi?id=1041818

// 2500's: enable prompt (site permission) before allowing canvas data extraction
// https://bugzilla.mozilla.org/show_bug.cgi?id=967895

// 2600's: window.name
// https://bugzilla.mozilla.org/show_bug.cgi?id=444222

// 2698-append: checkbox in about:preferences#privacy for privacy.firstparty.isolate
// when this lands, add note to 2611
// https://bugzilla.mozilla.org/show_bug.cgi?id=1312655

// 2698-append: FPI and HTTP Alternative Services (see 2666)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1334690

// 2698-append: FPI and SPDY/HTTP2
// https://bugzilla.mozilla.org/show_bug.cgi?id=1334693

// 2699-append: disable keyboard fingerprinting
// Test: https://w3c.github.io/uievents/tools/key-event-viewer.html
// https://bugzilla.mozilla.org/show_bug.cgi?id=1222285

// 2699-append: disable WebSpeech API
// https://bugzilla.mozilla.org/show_bug.cgi?id=1333641
// see also: web speech exposes TTS engines
// https://bugzilla.mozilla.org/show_bug.cgi?id=1233846

// 2699-append: spoof Navigator API
// https://bugzilla.mozilla.org/show_bug.cgi?id=1333651

// 2699-append: set and enforce various prefs with privacy.resistFingerprinting
// https://bugzilla.mozilla.org/show_bug.cgi?id=1333933

// 2699-append: bundle and whitelist fonts with privacy.resistFingerprinting
// https://bugzilla.mozilla.org/show_bug.cgi?id=1336208


// 1600's: restrict the contents of referrers attached to cross-origin requests (FF52+)
// 0- 1- 2-scheme+hostname+port
// user_pref("network.http.referer.XOriginTrimmingPolicy", 2);

// 1600's: default referrer fallback override? (FF52+?)
// 0-no-referer 1-same-origin 2-strict-origin-when-cross-origin
// 3-no-referrer-when-downgrade (default)
// https://bugzilla.mozilla.org/show_bug.cgi?id=1304623
// user_pref("network.http.referer.userControlPolicy", 3);

// 3000's: show system add-ons in about:addons (so you can enable/disable them) - NOT landed yet
// https://bugzilla.mozilla.org/show_bug.cgi?id=1231202
// user_pref("extensions.hideSystemAddons", false); // (hidden pref)
// ^^ keep an eye on extensions.systemAddon* prefs
// dom.presentation.*
// privacy.userContext.* (Containers)
// use a private container for thumbnail loads (FF51+)
// user_pref("privacy.usercontext.about_newtab_segregation.enabled", true);
// browser.newtabpage.remote*
// user_pref("browser.formfill.expire_days", 1);
// user_pref("javascript.options.shared_memory", false);
// user_pref("plugin.disable_full_page_plugin_for_types", "application/pdf");
// network.http.enablePerElementReferrer
// history.length XSHM fix
// https://bugzilla.mozilla.org/show_bug.cgi?id=1315203
// sandbox levels (recommended to leave at what Firefox sets it to)
// https://www.ghacks.net/2017/01/23/how-to-change-firefoxs-sandbox-security-level/
// security.sandbox.content.level


Here is an exhaustive list of various websites in which to test your browser. You should enable JS on these sites for the tests to present a worse-case scenario. In reality, you should control JS and XSS (cross site scripting) on sites with add-ons such as NoScript, uMatrix, uBlock Origin, among others, to reduce the possibility of fingerprinting attacks.

url: https://www.ghacks.net/2015/12/28/the-ultimate-online-privacy-test-resource-list/

01: Fingerprinting

  • Panopticlick      https://panopticlick.eff.org/
  • JoDonym           http://ip-check.info/?lang=en
  • Am I Unique?      https://amiunique.org/
  • Browserprint      https://browserprint.info/test

02: Multiple Tests [single page]

  • Whoer             https://whoer.net/
  • 5who              http://5who.net/?type=extend
  • IP/DNS Leak       https://ipleak.net/
  • IP Duh            http://ipduh.com/anonymity-check/

03: Multiple Tests [multi-page]

  • BrowserSpy.dk     http://browserspy.dk/
  • BrowserLeaks      https://www.browserleaks.com/
  • HTML Security     https://html5sec.org/
  • PC Flank          http://www.pcflank.com/index.htm

04: Encryption / Ciphers / SSL/TLS / Certificates

  • BadSSL            https://badssl.com/
  • DCSec             https://cc.dcsec.uni-hannover.de/
  • Qualys SSL Labs   https://www.ssllabs.com/ssltest/viewMyClient.html
  • Fortify           https://www.fortify.net/sslcheck.html
  • How's My SSL      https://www.howsmyssl.com/
  • RC4               https://rc4.io/
  • Heartbleed        https://filippo.io/Heartbleed/
  • Freak Attack      https://freakattack.com/clienttest.html
  • Logjam            https://weakdh.org/
  • Symantec          https://cryptoreport.websecurity.symantec.com/checker/views/sslCheck.jsp

05: Other

  • AudioContext      https://audiofingerprint.openwpm.com/
  • Battery           https://pstadler.sh/battery.js/
  • DNS Leak          https://www.dnsleaktest.com/
  • DNS Spoofability  https://www.grc.com/dns/dns.htm
  • Evercookie        https://samy.pl/evercookie/
  • Firefox Add-ons   http://thehackerblog.com/addon_scanner/
  • localStorage      http://www.filldisk.com/
  • HSTS Supercookie  http://www.radicalresearch.co.uk/lab/hstssupercookies
  • HSTS [sniffly]    https://zyan.scripts.mit.edu/sniffly/
  • HTML5             https://www.youtube.com/html5
  • Keyboard Events   https://w3c.github.io/uievents/tools/key-event-viewer.html
  • rel=noopener      https://mathiasbynens.github.io/rel-noopener/
  • Popup Killer      http://www.kephyr.com/popupkillertest/index.html
  • Popup Test        http://www.popuptest.com/
  • Redirects         https://jigsaw.w3.org/HTTP/300/Overview.html
  • Referer Headers   https://www.darklaunch.com/tools/test-referer
  • Resouce://URI     https://www.browserleaks.com/firefox
  • WebRTC IP Leak    https://www.privacytools.io/webrtc.html

06: Safe Browsing, Tracking Protection

  • Attack            https://itisatrap.org/firefox/its-an-attack.html
  • Blocked           https://itisatrap.org/firefox/blocked.html
  • Malware           https://itisatrap.org/firefox/unwanted.html
  • Phishing          https://itisatrap.org/firefox/its-a-trap.html
  • Tracking          https://itisatrap.org/firefox/its-a-tracker.html


A massive thank you to all the developers and online communities who provide and maintain these.

Sometimes preferences alone are not enough. Here is a list of some essential addons for security, privacy, and fingerprinting protection. This is not a debate, it's just a list covering JS, XSS,  AdBlocking, cookies, DOM Storage, UTM, redirects, and other items. Some are global, others allow  granular control. While I believe most of these are the very best of the best, this can be subjective  depending on your needs. Some of these may become obsolete with upcoming FF changes (canvas,  resource://URI), some of these are debatable (should we UA spoof?), some I'm still looking for a better solution, and some I do not use but they will suit a lot of users.

  • NoScript                  https://addons.mozilla.org/en-US/firefox/addon/noscript/
  • uBlock Origin             https://addons.mozilla.org/en-US/firefox/addon/ublock-origin/
  • uMatrix                   https://addons.mozilla.org/en-US/firefox/addon/umatrix/
  • *Cookie Controller        https://addons.mozilla.org/en-US/firefox/addon/cookie-controller/
  • *Self-Destructing Cookies https://addons.mozilla.org/en-US/firefox/addon/self-destructing-cookies/
  • HTTPS Everywhere          https://addons.mozilla.org/en-US/firefox/addon/https-everywhere/
  • CanvasBlocker             https://addons.mozilla.org/en-US/firefox/addon/canvasblocker/
  • No Resource URI Leak      https://addons.mozilla.org/en-US/firefox/addon/no-resource-uri-leak/
  • Decentraleyes             https://addons.mozilla.org/en-US/firefox/addon/decentraleyes/
  • NoRedirect                https://addons.mozilla.org/en-US/firefox/addon/noredirect/
  • UAControl                 https://addons.mozilla.org/en-US/firefox/addon/uacontrol/
  • User-Agent JS Fixer       https://addons.mozilla.org/en-US/firefox/addon/user-agent-js-fixer/
  • Popup Blocker Ultimate    https://addons.mozilla.org/en-US/firefox/addon/popup-blocker-ultimate/
  • Pure URL                  https://addons.mozilla.org/en-US/firefox/addon/pure-url/
  • **Google Privacy          https://addons.mozilla.org/en-US/firefox/addon/google-privacy/
  • ***Quick Java             https://addons.mozilla.org/en-US/firefox/addon/quickjava/

* Don't use both cookie add-ons
** Yes, I use google search sometimes (my choice). I have some global add-ons that address       tracking in URLS, but am still looking for a working, comprehensible solution.
*** It's not just Java! Covers JS, Cookies, Java, Flash... and more. Customisable controls and defaults

NOTE: At the time of publication the following are not e10s compatible: Google Privacy, NoRedirect, UAControl, User-Agent JS Fixer, Popup Blocker Ultimate

Now You: Please leave comments below suggesting new entries and changes. Feel free to add other information, such as compatibility, links to resources or suggestions on how to organize the list better.

Article Name
A comprehensive list of Firefox privacy and security settings
A list of Firefox privacy and security preferences in a user.js file to modify the browser and harden it against privacy and security leaks.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Anonymous said on December 21, 2022 at 5:58 am

    Time for an update to this article, plus the other three ‘popular posts’ on the front page. FF 57, 66 and 89?

  2. new user said on November 11, 2021 at 8:46 am

    Hello Martin
    Is it safe to use arkenfox user.js
    Should we configure the tor browser ?

  3. hategrc said on September 15, 2018 at 8:41 am

    Please never, ever advertise a GRC service. That guy is an insane snakeoil salesman.

  4. Calloused Iris said on July 31, 2018 at 10:33 pm


    I am troubleshooting a broken website, https://speedof.me/

    I’ve done a multitude of the settings here. I’ve avoided most of sections 1200 , 1600 , 2201+ (UI Meddling), 2300. speedof.me is my favorite HTML5 speedtest website.

    I’ve applied tons of settings from here before and unfortunately had to reset my Profile (I’ve got a clean FF install going & would hate to revert the many settings, and hours spent tweaking).

    Why might HTML5 speedof.me be broken? Is it a GEO setting? DOM? I can’t figure it out. It’s not my Add-Ons b/c I’ve tried in Safe Mode… it’s a recent setting.

    Thank you!~

    PS – I didn’t see the tweak…
    network.IDN_show_punycode ;true
    (default=false, possible security. Toggle to True). Thanks again.

  5. Andrei Borac said on December 31, 2017 at 12:15 am

    Pants, you’re a genius. You just forgot one thing: specifying the license that these files are released under. This is important for me, as, assuming the license is reasonably permissive, I would like to include it in my FOSS project http://www.deityguard.org that relates to secure GNU/Linux installations on platforms with fully open source firmware. I would humbly suggest the BSD 2-clause or MIT licenses, which include all necessary legal liability disclaimers while imposing very few restrictions on redistribution.

    1. Pants said on January 2, 2018 at 1:25 am

      It’s using MIT – help yourself Andrei :)

  6. anon said on December 28, 2017 at 6:11 pm

    There are problems with Ublock origin update when I add userjs

    1. Pants said on December 30, 2017 at 9:36 am

      the user.js blocks all cookies by default – you need to configure that – either allow and use a cookie extension (which will fail due to first party isolation, so you will want that off as well) or keep blocking all cookies and allow on a site by site basis via site exceptions

      Extensions (such as uBO and uMatrix, Stylus, ViolentMonkey etc) that use IDB also require a cookie even though they do not set one, because cookies control access to localstorage and IDB etc – see https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1.1-Setting-Extension-Permission-Exceptions on how to do this. This will not need to be done once FF59 lands

      I do not monitor this page – use GitHub in future thanks :)

      1. anon said on December 30, 2017 at 4:44 pm

        thank you

  7. KeZa said on December 17, 2017 at 4:55 pm

    Hi Pants, I got it. It was the ‘hidden’ pref ‘permissions.memory_only’ it must be on false or it do not hold on to the exception in FF.

    Kz from Belgium

    1. Pants said on December 30, 2017 at 9:40 am

      Yup, that’s why its inactive – its a pretty hardcore way to go – it’s for making sure nothing is written to disk, eg computer forensics would be able to determine some sites you visit. Hence the pref is hidden (by Mozilla) and inactive in our user.js. It is something I would use in an ultra-hardened profile.

      PS: Say hi to Belgium for me :)

  8. User_404 said on December 17, 2017 at 2:45 pm

    Hi guys,

    I’m trying to solve follow issue :

    I use Mozilla (57.0.2 x64) with several profiles (….firefox.exe” -P -no-remote) and I have a lot of tabs (~25-40). I do not “touch” any of this tabs except the active one (current tab) after start.

    On start of Mozilla I see pretty much the same number of connections (outgoing IP’s) per monitor of firewall. After ~1 minute the number of connections is reduced to one (current tab).

    How I can prevent this “ping” or “pre-load” behavior of Mozilla?

    Kind regards

  9. KeZa said on December 15, 2017 at 5:31 pm

    Hé Thnx Pants. Now I know what to do with it…

    Kind regards,

    Kz from Belgium

  10. KeZa said on December 8, 2017 at 2:00 pm

    What’s up with these ‘Hidden Prefs’ Pants? I have done your ghacks-user.js step for step in a couple of weeks and FF 48 on Xp is now good to go but I do not understand the Hidden Prefs. How can we changes these and what are the most important to change?

    Kind regards,

    Kevin z. from Belgium

    1. Pants said on December 15, 2017 at 4:44 pm

      a “hidden pref” is one that does not show in about:config UNLESS you assign a “user set” or “modified” value.

      Example: The pref “extensions.getAddons.showPane” will not show in about:config on a new profile, because it is “hidden” i,.e the developers decided to “hide” it from everyone for whatever reason – not because they are being sneaky, it is still documented like most prefs, in bugzilla – they just don’t want to make it that easy for people to mess with it. In this example, because the “get more addons” panel is good for AMO (addons mozilla org) and some metrics and pushing featured addons. The reasons behind making each pref hidden differ, but generally, its to make it a little harder for people to mess with.

      Anyway, back to “extensions.getAddons.showPane”. So it doesn’t show in a new profile. In order to set its value, you would need to create it: i.e right click in about config, select “New”>”Boolean” and so on. It does not matter if you set it as true (which the code in Mozilla already exhibits) or false, it will now be in about:config as a “user set” value. (In FF55+ it is denoted as “modified”).

      If you reset a hidden pref, i.e you right click it and select “reset” – the value will be blank. If you close and reopen about:config, the entry will now be gone.

      PS: In future, use github for any Q’s, as I do not bother with this article any more — it is out of date and we moved

      1. KeZa said on December 17, 2017 at 3:26 pm

        Pants, I got it and there are not so many hidden prefs to setup but I have a big problem here. When I set an exception for cookies in Firefox it is every time cleared after shut down and I’m trying to figuring out which setting is the cause of that but I do not find it. Have all the Addons disabled and so on and every pref that I can find with cook, privacy, and so in it in about:config but I would not stick. It’s annoying to every time log in when I’m on a site where I want to read more articles than one and every time for a new article I need to log in. This is new to me because I have set it up like this that I have those sites in exceptions so that Auto Destruct. cookies does nog delete these cookies on … seconds and it uses the white-list of FF exceptions but it clears every time so Auto Destruct. cleans it all every time and so I must every time log in. Now when I shut down the browser the cookies are always cleared but those sites remain under FF Exceptions and so when I go to that site in the future I need to log in once but now every article I must log in. Do you know what the problem is here?

      2. Pants said on December 17, 2017 at 1:51 am

        ^^ “extensions.getAddons.showPanel” << I missed the l, it's panel, not pane

      3. Pants said on January 4, 2018 at 3:38 pm

        ^^ “extensions.getAddons.showPanel” << I missed the l, it's panel, not pane

        Damnit .. it's "pane" not "panel", I had it right the first time – see https://dxr.mozilla.org/mozilla-central/search?q=extensions.getAddons.showPane&redirect=false

  11. Just A Random Guy said on October 28, 2017 at 4:26 pm

    // user_pref(“security.nocertdb”, true); // (hidden pref)

    could break “master password+” add-ons. can’t login even can’t change for password.

    1. Pants said on November 11, 2017 at 9:51 am

      This webpage is old – we moved to github – https://github.com/ghacksuserjs/ghacks-user.js

      /* 1221: disable intermediate certificate caching (fingerprinting attack vector)
      * [NOTE] This may be better handled under FPI (ticket 1323644, part of Tor Uplift)
      * [WARNING] This affects login/cert/key dbs. The effect is all credentials are session-only.
      * Saved logins and passwords are not available. Reset the pref and restart to return them.
      * [TEST] https://fiprinca.0x90.eu/poc/
      * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1334485 – related bug
      * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1216882 – related bug (see comment 9) ***/
      // user_pref(“security.nocertdb”, true); // (hidden pref)

  12. miki said on August 15, 2017 at 7:15 am

    what this ?

  13. Johnny said on June 25, 2017 at 3:09 pm


    Ever since I started using user.js, the interface for Tutanota mail has been horribly slow. Has anyone else experienced this and does anyone have an idea which exact setting(s) could be causing that?


  14. PP said on May 12, 2017 at 8:08 am

    I have also had problems with PayPal recently, you’re not alone.

  15. PP said on May 12, 2017 at 8:07 am

    I have also experienced PayPal problems recently, you`re not alone.

  16. Piecevcake said on May 11, 2017 at 11:17 am

    PS- Oh dear, paypal seems to be blocked by my recent changed privacy settings hahaha- I don’t know how to unblock it… can you provide a bank account on your donation page that we can ebank a donation to?

    (Another good example of why it would be nice to just block OTHERS – not cut off our own services…)

  17. Piecevcake said on May 11, 2017 at 11:05 am

    Um I’d kinda like to KEEP my history and other data, just STOP anyone else accessing it???

    Why should we have to delete useful, sometimes essential stuff because the stupid app/OS LEAKS it?

    Deleting the data isn’t enhancing privacy, it’s dumbing down…

    Any ideas about fixing the LEAKS???

    (Donation provided – your hard work is appreciated)

  18. earthling said on April 25, 2017 at 2:37 pm

    WTF! someone impersonated me?! it wasn’t me, the original earthling, that replied to pszemek! Don’t fucking do that!!

  19. pszemek said on April 25, 2017 at 9:15 am

    if the RC4 is blocked by FF, the setting 1201 (security.tls.unrestricted_rc4_fallback) can be removed from the config.

    1. earthling said on April 25, 2017 at 2:29 pm
  20. Jess said on April 16, 2017 at 11:06 pm

    The setting below has been suggested a few times, but never adopted. There is new evidence of its benefit.

    set network.IDN_show_punycode = TRUE

    The default is being exploited in the wild to fool users so I would consider it a security issue: https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/

  21. Pants said on March 22, 2017 at 12:31 am

    NOTICE: I will no longer monitor any of the comments on the various ghacks user.js articles. If you have any suggestions or questions, use the official repo at github: https://github.com/ghacksuserjs/ghacks-user.js/issues

  22. earthling said on March 10, 2017 at 1:04 pm


    hey how are you – long time no see ;)
    Do you remember when I explained how to get your old addons signed for personal use?
    You said you copied it all into a local file for later reference – do you still have that around by any chance?
    If so, could you please repost it here or pastebin or so, because I can’t find it anymore and would really hate to needing to write it all down again myself.

    1. Pants said on March 10, 2017 at 3:50 pm

      Here ya go: https://www.ghacks.net/2016/07/15/those-unbranded-firefox-version-coming/#comment-3941758

      Took me a while to find it .. you can thank me later

  23. Anonymous said on March 8, 2017 at 10:18 pm

    Are user set preferences for datareporting.sessions., urlclassifier.keyupdatetime.https://sb-ssl.google.com/safebrowsing/newkey and xpinstall.whitelist.add deprecated, needed or unneeded? Leave as is or reset?

    1. Pants said on March 9, 2017 at 7:45 am

      datareporting.sessions is still in the code ( just use this link, bookmark it: https://dxr.mozilla.org/mozilla-central/source/ to check things – just paste in the pref name). Looking at the code I can see it is called once (in TelemetryController.jsm) to set a PREF_SESSIONS_BRANCH const which in turn is used to start a session recording. Note the period or full stop in the code const PREF_SESSIONS_BRANCH = “datareporting.sessions.”; that’s not calling a single pref.

      Looking in my about:config for “datareporting.sessions”, I have a swag of entries (specifically datareporting.sessions.previous* range from 114 to 153 (so looks like it keeps a rolling index of 40 items). We control telemetry with the master switchs in 330a, but more importantly, we kill it dead by removing the URL it reports to. All these datareporting.sessions* entries are generated and controlled by firefox, they are not preferences for flipping.

      urlclassifier.keyupdatetime ( https://dxr.mozilla.org/mozilla-central/search?q=urlclassifier.keyupdatetime&redirect=false ) seems dead to me

      xpinstall.whitelist.add ( https://dxr.mozilla.org/mozilla-central/search?q=xpinstall.whitelist.add&redirect=false ) – ignore the test modules and all I see is one reference to mobile.js where it is set, and that’s it. So it’s not being used AFAIK. I’ve never seen this before, so I have no idea if it’s legacy or upcoming

  24. Anonymous said on March 7, 2017 at 9:34 pm

    It was previously suggested to set general.buildID.override to 20100101. Is this no longer the case?

    1. Pants said on March 8, 2017 at 6:30 am

      Just to be clear. I rather belatedly added the UA spoofing info to v11 and have regretted it ever since. Personally, I have only ever spoofed as the latest ESR, and the v10 info was for information but also to mimic what TBB did. On reflection – I wish I had never brought it up (although now I at least get to tell everyone to not do it by way of correction). Now that the Tor Uplift is proposing to enforce a UA via the privacy.resistFingerprinting subset, this makes even more sense (to not do it yourself). But, they really need to close those holes such as navigator objects, isindex locale, resource://URI etc.

      Just to be ultra clear .. I am talking about LOWERING entropy, so don’t all you RAS lovers start bitchin and screamin’ at me.

  25. David said on March 7, 2017 at 3:15 am

    Hate to ask, but since Seamonkey is based on a previous FF version (2.46=49) I’ve been looking for js version .10, but all download links in each article seem to lead to v11. Can the v.10 download be made available again?
    Thank you kindly.

  26. earthling said on March 4, 2017 at 4:21 pm

    Thanks @BH45, it’s fixed in the latest github version.


  27. BH45 said on March 4, 2017 at 12:05 pm

    2627 has a spelling mistake. “whitelisitng” should be “whitelisting”.

  28. Just me said on February 22, 2017 at 3:12 pm

    kinto – according to my firewall no further changes are required.
    FF is silent even without services.settings.server
    Thanks, earthling!

  29. Just me said on February 21, 2017 at 11:27 pm

    Why disable DRM content? Is it a security or privacy issue? What about entropy?
    user_pref(“media.eme.enabled”, false); // Options>Content>Play DRM Content
    user_pref(“browser.eme.ui.enabled”, false); // hides “Play DRM Content” checkbox, restart required
    user_pref(“media.eme.apiVisible”, false); // block websites detecting DRM is disabled

    Why are these not included?
    user_pref(“browser.privatebrowsing.autostart”, true);
    user_pref(“browser.sessionstore.max_resumed_crashes”, 0);

    What are these for? Should they be used (in older FF versions)?
    user_pref(“dom.server-events.enabled”, false);
    user_pref(“security.enable_tls_session_tickets”, false);

    Are these the correct prefs to disable Kinto completely?
    user_pref(“services.blocklist.addons.collection”, “”);
    user_pref(“services.blocklist.onecrl.collection”, “”);
    user_pref(“services.blocklist.signing.enforced”, false);
    user_pref(“services.blocklist.update_enabled”, false);

    /*** TYPOS ***/

    – (PFI) should be (FPI)

    – 1825: disable widevine CDM
    Please add “(Content Decryption Module)” for clarity.

    – “DNT HTTP header – essentially USELESS – default is off. I recommend off.”
    yet the pref is enabled – true (even though it’s commented out).

    1. MakePantsGreatAgain said on February 22, 2017 at 1:09 am

      – DRM is both: companies use this to lock users in and control content. that’s all they care about, security is always a slap happy token affair, if at all. Privacy loses all round, they want to know who you are, did you pay for it .. and more. How about the printer with GPS that when they moved it 10 feet for maintenance, it locked them out and required the vendor to come unlock it. True story that.
      – media.eme.apiVisible woudl be more about fingerprinting
      – browser.eme.ui.enabled – cosmetic

      – browser.privatebrowsing.autostart IS included (I’ll tell you at the end of this post)
      – browser.sessionstore.max_resumed_crashes has a default of 1. We already have 1012 which is the pref to disable resuming from a crash .. MAX_resumed_crashed is the umber of crashes before an about:sessionrestore page is displayed, and has no effect if more than 6 hours have passed since the last crash. Thats fromt he kb article, and that kb.mozillazine.org is like a decade old and full of piles of crap. But MAX is a counter, not a master switch. That’s my take on it.

      – dom.server-events.enabled – deprecated, old, not backtracking dozens of versions
      – security.enable_tls_session_tickets – deprecated, old, ditto – pretty sure it was replaced with 1212 = security.ssl.disable_session_identifiers

      – kinto: read 0402 – what’s in there is all of them at the time of publication. Your list is does not match the user.js. If any new kinto types turn up, we’ll pick up on them. WHY would you disable them all. Read the description – onecrl is for revoked certificates, etc

      – PFI -< FPI (already done, will tell you at the end)
      – add Content Decryption Module – done, tell you shortly

      DNT header. OK, been thru all of this with earthling. I shall refer you up six comments to the trump nuclear button preference example. Yes, that section is basically all start with a noun rather than a verb. I will amend it as
      // enable DNT HTTP header so the active pref matches that. The whole 1600 section is being revamped as I type because …

      … because .. there is a new version .. on github, and you are already 25 user.js commits, including new prefs :)

      Go here: https://github.com/ghacksuserjs/ghacks-user.js

      1. Pants said on February 22, 2017 at 1:04 pm

        hmmm .. where did my last comment go, I hope it shows up

      2. earthling said on February 22, 2017 at 11:44 am

        “Isn’t disabling DRM like disabling video” – yes, video that you normally have to pay for fe. netflix.
        Another reason to disable them is that they need a plugin, those are in the folders ‘gmp-eme-adobe’, gmp-gmpopenh264 and gmp-widevinecdm in your profile folder.

        kinto – services.blocklist.update_enabled should theoretically be all you need, but if you want to make sure, clear the url in ‘services.settings.server’, I think you can leave the rest untouched.

      3. PantsPantsPants said on February 22, 2017 at 10:12 am

        As long as you are making INFORMED decisions, then I have no problems with what you do. This js is mean to be a template – so comprehensive, informative and easy descriptions, accurate with references, structured and numbered, etc. That said, I also want by default for security to trump privacy – it;s not about US (or rather ME) anymore, its about decent default settings that match the purpose – I am still fleshing out the readme.

        Users who are a bit more knowledgeable about FF and user.js and add-ons can eassily adapt, but defaults shouldn’t put “newbies” at risk – that said, I am still going to assume a minimum set of knowledge and common sense.

        I highly encourage users to fork it, then customize their own – that way you can easily compare and merge in what you want, and then even change it. It’s so easy. And to join in at the repo.

      4. PantsPantsPants said on February 22, 2017 at 10:04 am

        25 user.js commits, but only 3? are new prefs

      5. Just me said on February 22, 2017 at 9:01 am

        I spent half a day adapting my current prefs to the user.js v0.11 published on February 10, 2017 and now you’re telling me I’m already 25 user.js commits, including new prefs behind? Damn! Will have a look at the github repository. Thank you very much, Pants!

        DRM – maybe I don’t understand the concept. Isn’t disabling DRM like disabling video / images in your browser? Isn’t that rising entropy drastically? Is my browser leaking some information if I accidentally visit a website that provides DRM content? Is it like having WebGL enabled?

        kinto – I prefer a silent Firefox that doesn’t create outbound connections and download stuff. I don’t support OCSP because I prefer privacy over “security”. So I don’t care about revoked certificates, etc.

        Are these the correct prefs to disable Kinto completely?
        user_pref(“services.blocklist.addons.collection”, “”);
        user_pref(“services.blocklist.gfx.collection”, “”);
        user_pref(“services.blocklist.onecrl.collection”, “”);
        user_pref(“services.blocklist.plugins.collection”, “”);
        user_pref(“services.blocklist.signing.enforced”, false);
        user_pref(“services.blocklist.update_enabled”, false);

  30. b said on February 19, 2017 at 8:20 pm

    I don’t understand your warning regarding 2507:
    “/ WARNING: Don’t use if Android + physical keyboard” . what will happen?

    1. MakePantsGreatAgain said on February 20, 2017 at 4:25 am

      If enough people do it, apparently someone will release their tax returns xD

      I would expect possible unintended keyboard behavior eg press ẞ and get ? – in other words, the key mappings may be a little screwed (i am not an expert with chars and isos and collations and languages and keyboard events) . see https://github.com/pyllyukko/user.js/issues/159 – chef-koch links to something about android (which is not just rasp pi and emulators, but smartphones/tablets with bluetooth keyboards etc)

      1. b said on February 20, 2017 at 9:32 am


  31. earthling said on February 19, 2017 at 5:31 pm

    re: browser.privatebrowsing.autostart

    should we add a note that it’s the same as Options->Privacy->>History->>>Always use private browsing mode

    When you enable it in FF Options it asks for a restart, so maybe a note about that wouldn’t be bad either.
    Maybe a recommendation to enable it under Options instead of the user.js?
    pyllyukko also included the ghostery pref, so we might as well include it too, just to make him happy if for nothing else ;)

    could you make up your mind about the f-ing punycode, pls?! xD

  32. MakePantsGreatAgain said on February 19, 2017 at 4:07 pm

    “privacy.clearOnShutdown.openWindows -> 2803a but commented out. I think we could include this in 2803, and 2804a in 2804, but both set to false. Pants?”

    Not as false. The description says “include all..” the pref says “clearOnShutdown”, not “saveOnSutdown” … the corresponding setting to match those is true.

    Yup, cuz it was my user.js and when those two prefs are on, I get double window launches – weird as. Couldn’t be arsed working it out, yet. But now we are githubbed, my local file can be whatever I want. Sub-numbers because they 2803 is explicitly “These settings are under Options>Privacy>Clear history when Firefox closes>Settings”. But for sure, turn those two prefs on as TRUE on the repo man. hehe.. I said repo man. Do your first commit.

    If you want, and we need to do it at some stage, set up an issue for looking at the author’s biased selfish settings (and also remove where he says it’s his settings), and instead choose the best solution for the best balance – read the draft readme and look at the goals. This js is to be as tight as we dare go, with some incovenience, but almost no breakage. I call that middle-to-high. One day I will fork a Pants-Is-a-Bastard-Super-Hardened-Go-to-Hell user.js – just you wait. I’ve said as much in the readme.

    user_pref(“network.IDN_show_punycode”, true) .. f***k .. not that punycode one again. Its notlonger applicable and is becoming one of those bad myths that won’t die. It is listed in these comments 7 times (FIndBar Tweak told me so). I’ll paste the rest into my shit to look at file..

    1. MakePantsGreatAgain said on February 20, 2017 at 10:36 am

      I commented on your patch… I’ll give you an example

      // 666: disable Trump pushing the nuclear button
      // user_pref(“button.nuclear.enable”, false)
      ^^ that is if we enable it, the action taken as described by 666 happens – the button is disabled

      and you want to change it to
      // 666: disable Trump pushing the nuclear button
      user_pref(“button.nuclear.enable”, true)
      ^^ that is the complete opposite behavior expected when you make the pref active


  33. guest23 said on February 18, 2017 at 4:15 pm

    Thanks for v0.11. I changed some settings to true/false and I also additionally have/had these (some may be outdated):

    user_pref(“browser.bookmarks.restore_default_bookmarks”, false);
    user_pref(“browser.cache.compression_level”, 1);
    user_pref(“browser.newtab.url”, “about:blank”);
    user_pref(“browser.startup.homepage”, “about:blank”);
    user_pref(“dom.serviceWorkers.interception.enabled”, false);
    user_pref(“loop.showPartnerLogo”, false);
    user_pref(“media.cache_size”, 0);
    user_pref(“media.hardware-video-decoding.enabled”, false); //hardware acceleration. the graphics hardware can be used for tracking. you are not going to notice it if you set this so false.
    user_pref(“network.cookie.prefsMigrated”, true); //warnung: if “false”, .lifetimePolicy is ignored (?)
    user_pref(“noscript.ABE.migration”, 1);
    user_pref(“noscript.ABE.wanIpAsLocal”, false);
    user_pref(“noscript.doNotTrack.enabled”, false);
    user_pref(“noscript.firstRunRedirection”, false);
    user_pref(“noscript.forbidIFrames”, true);
    user_pref(“noscript.forbidWebGL”, true);
    user_pref(“plugins.notifyMissingFlash”, false);
    //user_pref(“privacy.clearOnShutdown.openWindows”, false);
    user_pref(“privacy.sanitize.migrateClearSavedPwdsOnExit”, true);
    user_pref(“toolkit.telemetry.rejected”, true); //Disable telemetry
    user_pref(“toolkit.telemetry.infoURL”, “”); //Disable telemetry
    user_pref(“xpinstall.whitelist.add”, “”);
    user_pref(“xpinstall.whitelist.add.180”, “”);

    //Disable ‘safe browsing’ aka. Google tracking/logging
    user_pref(“browser.safebrowsing.maleware.enabled”, false);

    /* https://gist.github.com/haasn/69e19fc2fe0e25f3cff5 */

    //Disable Resource Timing APIs
    user_pref(“dom.performance.enable_user_timing_logging”, false);

    user_pref(“browser.toolbarbuttons.introduced.pocket-button”, true);

    user_pref(“network.IDN_show_punycode”, true);

    user_pref(“browser.zoom.siteSpecific”, false); //zoom each page independently

    1. earthling said on February 19, 2017 at 2:49 pm

      Thanks guest23

      browser.newtab.url -> removed months ago, unfortunately

      browser.startup.homepage -> is mentioned in the user.js (0102) but not set because we don’t want to mess with people’s homepage setting. if you want to set startup page to about:blank you can set 0102 to ‘0’.

      dom.serviceWorkers.interception.enabled -> removed in FF47 according to this list:
      -> its not in my about:config and it’s only in mobile.js for android on DXR

      loop.showPartnerLogo -> removed in FF42 (see list above), and 0 results for ‘showPartnerLogo’ on DXR

      plugins.notifyMissingFlash -> removed in FF35, and 0 results for ‘notifyMissingFlash’ on DXR

      xpinstall.whitelist.add(.180) -> removed in FF35, some results, but in mobile.js for android only

      network.cookie.prefsMigrated -> set to true by Firefox itself, probably used and needed if someone updates a very old FF and the cookie storage needed to be migrated. best left untouched

      noscript.* -> we don’t want to include prefs for extensions (at least for now)

      privacy.clearOnShutdown.openWindows -> 2803a but commented out. I think we could include this in 2803, and 2804a in 2804, but both set to false. Pants?
      –> it’s not in the UI (yet?) so I see why you put them into their own sub-number. I don’t mind the extra numbers but I do think we could set them to false and uncomment them, regardless of what you prefer/decide for the numbering.

      privacy.sanitize.migrateClearSavedPwdsOnExit -> 0 results for ‘migrateClearSavedPwdsOnExit’ in mozilla-central DXR

      dom.performance.enable_user_timing_logging -> default is false already atm, we’ll deal with it as soon as that changes

      user_pref(“toolkit.telemetry.infoURL”, “”); // opens https://www.mozilla.org/legal/privacy/firefox.html#telemetry when you click the “Learn more” link under Options->Advanced->Data Choices->Share additional data (i.e., Telemetry). It’s a simple GET request with no suspicious headers or parameters or anything. This is totally safe and IMO we shouldn’t break “Learn more” buttons/links

      browser.safebrowsing.maleware.enabled -> typo in pref name (maleware -> malware). the correct one is in 0410a

      browser.toolbarbuttons.introduced.pocket-button -> also set to true automatically by FF

      user_pref(“browser.zoom.siteSpecific”, false); //zoom each page independently
      -> default is true, and wouldn’t ‘true’ “zoom each page independently”?
      -> sitespecific zoom settings are part of siteSettings and can be cleared with 2802 and setting “privacy.clearOnShutdown.siteSettings” to true.
      —> IMO ‘true’ is preferable isn’t it?

      remaining ones:
      user_pref(“browser.bookmarks.restore_default_bookmarks”, false);
      user_pref(“browser.cache.compression_level”, 1);
      user_pref(“media.cache_size”, 0);
      user_pref(“media.hardware-video-decoding.enabled”, false);
      user_pref(“network.IDN_show_punycode”, true);
      user_pref(“toolkit.telemetry.rejected”, true); //Disable telemetry

  34. earthling said on February 17, 2017 at 5:56 pm

    invited me? do I have to accept it or something first? because I didn’t receive anything and I can’t seem to find a list of admins, and my profile also shows no indication that I’m now part of your project. I guess there is none, idk?
    I tried to create a new branch as per the Hello world tutorial so I could make a change and then send a pull request, but I can’t get it to work. It’s just for a typo, but I think for things like that, creating a branch and a pull request would make your job easier, and I wanted to test it, but yeah, I’m probably too stupid, idk.

    1. Pants said on February 17, 2017 at 6:02 pm

      yup .. stupid .. I had troubles as well .. couldn’t even add the user.js .. because until you add a file, the “add a file” button doesn’t exist – go figure. Git will take a short learning curve.

      The invite is on the organisation, not the repo. There are two types: member and owner. A member can see other members and create repos and teams and shit, and basically has lots of control, which I assume gives you more rights than most people in the org’s repos.

      “Invitations are sent via email and can be accepted at https://github.com/ghacksuserjs” – so basically go to the org page and you should get a prompt or alert. If not, try the people tab.

      1. earthling said on February 18, 2017 at 4:03 pm

        Ohhhh, you’re so cute, thx mate ;)

        Just to clarify, I didn’t merge the pull request. I didn’t have the permissions at that point anyway.
        It says nopantski merged the pull-request. And yes, I also don’t want branches and now found this…

        “Pull request successfully merged and closed
        You’re all set—the earthlng:patch-1 branch can be safely deleted.”

        I can delete it now, but I had to create a temporary branch or I couldn’t have submitted a pull request afaik.
        I’d be fine without write access tbh, in fact I’d prefer it that way so I don’t accidentally fuck something up, but I just saw that you ‘want and need earthling to have full access’, so I’m fine with that too. I’ll be extra careful!

      2. Pants said on February 18, 2017 at 11:01 am

        PS: I followed you.. I didn’t want to feel all lonely – you looked so sad with no followers. Please don’t think I’m being all cyberstalky xD.

        Wonder who else will turn up – we already have the guy from 12bytes (atomGit), and I’ve told him to create a fork and add his stuff to it for his site ( http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs#comment-667 ).

      3. Pants said on February 17, 2017 at 7:31 pm

        I saw that there was a fork .. yours .. so I went to your fork and saw a pull, so I clicked on Pull .. and it ended up in my repo under pull requests, but there was no merge option .. so after 30 minutes of farting around and changing some repo settings, I finally got a merge option and did it .. only to find you had already pushed it .. look at the commits .. prolly screwing up all the terms here too.

        I don’t really want branches TBH.

        I found the section to give you admin rights to the repo – you have been invited .. https://github.com/ghacksuserjs/ghacks-user.js/invitations – this will give you write access to directly make commits I assume

      4. earthling said on February 17, 2017 at 7:01 pm

        Made my first pull request. I couldn’t create a new branch directly in the project page (no write access), so I had to fork it, but since for most things apart from typos I’ll submit an ‘issue’, I think it’s fine this way.

      5. earthling said on February 17, 2017 at 6:28 pm

        ‘go to the org page’ – oh, ok, thanks, that worked

  35. earthling said on February 17, 2017 at 3:58 pm

    Wow, really cool! my github name is ‘earthlng’. So every admin can make changes to the master branch I assume? Do you want us to do that or should we create issues and you commit them to the master? Looking forward to see how this goes!

    1. Pants said on February 17, 2017 at 4:09 pm

      the dude on the bicycle? Well, only two admins so far, and I will probably cap it at 3 once you’re in. Always create issues and then we can work out wording, settings, warning etc and where it goes etc. And probably best for one person to do commits. When I went add member and typed earthling a bunch came up, but only one “earthling” with nothing else .. its just the name after that threw me. Confirm that’s you, and you’re in bro.

      1. Pants said on February 17, 2017 at 5:38 pm

        OMG .. lulz at the avatar

      2. Pants said on February 17, 2017 at 5:35 pm

        Oh noes .. the dude on the bike has taken over .. I’ve lost control :p .. ps: you still look lovely xxx

        Holy crap .. 900 comments .. and yeah, I already invited you u plonker.

      3. earthling said on February 17, 2017 at 5:16 pm

        ‘recently traced a dude’s real ID by reverse image searching his rather unique avatar’

        omg, are you that guy from MTV’s catfish show? xD

      4. earthling said on February 17, 2017 at 5:10 pm

        hmmmm, what? Dude, I’m not the guy on the bike, lol. I’m now a stargazer on your project so you should easily find the real me.

      5. Pants said on February 17, 2017 at 4:42 pm

        Just a f’kin well I checked then .. seems weird for you to supply a name, even if it is obfuscation .. on a side note .. I recently traced a dude’s real ID by reverse image searching his rather unique avatar and burrowing into 10yr+ old archived crap. PS: You look lovely on that bike “)

      6. earthling said on February 17, 2017 at 4:33 pm

        Attention to detail my friend: ‘earthlng’ not ‘earthling’ – my handle was already taken by that guy on the bike ;(

  36. Pants said on February 17, 2017 at 7:26 am

    githubbed: https://github.com/ghacksuserjs/ghacks-user.js . I set up an organization with a repository, as this seems the easiest way to allow multiple authors/admins and members. pyllyukko and the guys have been excellent. I’m don’t have to run the github client, so I’m happy as a pig in sh*t.

    earthling – I want to add you as as admin (pyllyukko is also an admin) – you will need to email Martin, or just let me know via here, of your guthub name. I’m not 100% sure why people need/should be members (its more an organisation setting I think) – the repository is public, and anyone can post issues, comments etc. The repo can also be assigned teams/members. I will have to read up on what exactly all these levels means.

    I didn’t mention the new release at pyllyukko, but someone else did as a new issue and then some users starting asking me why I couldn’t github it so they could use it for comparisons etc (and all the other obvious reasons) – so for better or worse, its now there in an ugly bare bones single file :) Over time we can add a readme, tags, description, etc

  37. John said on February 14, 2017 at 2:46 am

    FF 51.0.1 & version 11. Excellent work!
    But… Roboform not working with defaults. Any clues?

    I’m chopping out sections to narrow down the problem. Will report back if success.

    1. Pants said on February 14, 2017 at 6:52 am

      2404: indexeddb? – maybe robo needs some local storage to work its magic?
      0909 is new in 51, default is true, i have it set as false – probably not the cause

      1. Pants said on February 14, 2017 at 8:50 pm

        Wow … thanks for nailing that one down John – excellent work. I will add it to the troubleshooting section with some info

      2. John said on February 14, 2017 at 7:54 pm

        It is 2668. Roboform (and Internet Download Manager) store their .xpi files in their own directories
        (surprise! :)

        Lots of cutting, saving and opening FF found the right entry to comment out. All is good now.

  38. b said on February 13, 2017 at 10:19 pm

    just checked my settings to disable telemetry experiments. found this one: experiments.manifest.fetchintervalSeconds and a number that counts 86400. any idea what this is about?

    1. earthling said on February 14, 2017 at 4:21 pm

      basically it’s for stuff running in the background from time to time. If you have the feature itself disabled you can also safely set a higher interval. Here are some of mine:

      31536000 = 365 days in seconds

    2. Pants said on February 14, 2017 at 1:38 am

      Its just a timer. Things like updating the app, updating blocklists, kinto, experiments, telemetry etc all need (different) timers – eg 86400 = 24 hrs. They can’t all run at startup and besides, who knows how long someone keeps their FF open (I’ve been know to leave mine for a week) – so some mechanism is needed to make sure these things are done in a timely and regular fashion. It’s harmless.

  39. Conker said on February 13, 2017 at 4:12 am

    Thanks you guys masterful work!

  40. Martin Brinkmann said on February 12, 2017 at 12:23 pm

    User.js Version 11 comments Start.

  41. crssi said on February 10, 2017 at 6:59 pm

    You say you use uMatrix… it has best spoof referal all around, by my opinion ;)
    And spoofing UA is futile, unfortunatelly.

    Can you tell me where the setting index number is got from? like 1602,1603, etc
    Do you have a good source of FF prefs to share it.

    I had done quite a lot user prefs a bit less than year ago and I need a refreshement. ;)
    Maybe I can contribute some, when I am done with my current project in a week/two or so.


  42. earthling said on February 9, 2017 at 9:19 pm

    Re: referer prefs (7 prefs total, incl. one landing in FF52 and one to be deprecated in FF52)

    1. I think uMatrix’s “Spoof HTTP referrer string of third-party requests.” is preferable over network.http.referer.XOriginTrimmingPolicy = 2, because it doesn’t leak the source domain at all ie. it spoofs it.

    2. network.http.referer.spoofSource – IMO is not recommendable because it *always* spoofs, and that can cause a lot of breakage. From your “required reading” link:
    “While spoofing does solve many the breakage problems mentioned above, it also effectively disables the anti-CSRF protections that some sites may rely on and that have tangible user benefits”

    3. network.http.sendRefererHeader – I’ve just now set it to 1 and will see how it goes. I don’t expect much breakage from this.

    4. network.http.referer.trimmingPolicy – again, is used for both same-origin and cross-origin, so IMHO not to be recommended. should best be left on 0 to not interfere with the other prefs.

    5. network.http.referer.XOriginPolicy – if I understand this one correctly, if set to 1 or 2 it never sends the referrer header to 3rd-party domains. Which is perhaps even better than using uMatrix to spoof 3rd-party requests.
    Because contrary to the uMatrix way, it will appear as if the domain/resource was loaded directly and not via a link-click.

    6. network.http.sendSecureXSiteReferrer – I’ve currently set it to false, will be removed in FF52, should be covered by the remaining ones. IMO if (5) is set to 1 or 2, this should be properly covered.

    7. network.http.enablePerElementReferrer – I’m not sure about this one, but I think if the other ones are setup in a good way, it doesn’t matter what we set it to, BUT don’t take my word for it, it’s only my humble opinion ;)

    So, when (5) is set to 1 or 2, we could limit what the same-origin sees even further with XOriginTrimmingPolicy, but I’m not sure that’s a good idea, because it can look strange and stand out, compared to leaving it intact. If a site really wanted to, they could get the unspoofed information from their logfiles anyway.

    IMO the referrer prefs deserved some love and attention, and I hope I did it justice ;)

    1. Pants said on February 9, 2017 at 11:20 pm

      I use uMatrix’s sppof as well. I don’t know what to say .. 1602+1603+1604+1605+1606 are all inactive and the header says use an extension. I don’t want to write a book, and Francois’ article covers it (bit techie though for the average punter)

      point1: I haven’t set those new prefs up yet, the values will probably be defaults and they will probably be inactive.
      point2: network.http.referer.spoofSource is set as false
      point3: feel free to activate and change it, but if you’re already spoofing (uMatrix) ..
      point4: is set a default 0
      point5: IDK .. why is it cross origin if the domain is the same .. yeah yeah i know
      point6: it’ll be gone soon
      point7: its in to investigate

      I would really like a decent granular control over referrers. I used to block all and then whitelist each domain with a preference. It really didn’t affect that many sites. Shame the add-on broke about a year ago. RefControl. Another I looked at some time ago was SmartReferrer but I don’t trust the smarts in these things. now we have e10s and then the dreaded WE. So I’ve stopped looking.

      1. Pants said on February 10, 2017 at 3:00 pm

        Do you want a hug bro? :)

      2. earthling said on February 10, 2017 at 2:16 pm

        Ok, nvm. I just wanted to look into the ref-prefs and give you my take on it, and perhaps start a discussion how to improve it or use them. I haven’t looked at the ref-prefs for a while and was wondering why there are 8 (yeah yeah I forgot one) prefs for something as stupid as referrers. I should’ve written it down in a textfile for personal use instead of posting it here I guess. nvm

  43. earthling said on February 9, 2017 at 7:03 pm

    re: nocertdb
    1. it requires JS, always will, no other way to listen to ‘onerror’
    2. the testsite tells me …
    Testing 334 different intermediate CAs (334 images created). 0 results still pending.
    324 cached intermediate CAs identified.
    … but that’s totally incorrect because uMatrix blocked all 334 images, so the test is flawed.
    uMatrix, the way I run it, protects me from that FP technique (at least good enough) even when I allow JS for a site.
    Not that I still have anything to worry about at this point but just for shits and giggles, let’s continue…
    3. //bugzilla.mozilla.org/show_bug.cgi?id=629558#c6 -> Private browsing doesn’t store the intermediate CA certs
    –> I’m almost exclusively using PB-mode for most of my browsing, mostly to prevent polluting my cache and history, but of course the other benefits are very welcome too.
    4. if you look at the comments from ?id=1216882, the patch although working in a way, is faaaar from perfect.
    Nobody seems to really know how to properly deal with that patch or how to handle it without breaking every db (keys, etc)
    f.e. “entirely skips initialization of the underlying systems when security.nocertdb = true.”

    I’m not saying that pref shouldn’t be included, only why I’m not gonna put it in mine. (4) alone would be enough reason for me not to use it.

    1. earthling said on February 9, 2017 at 7:30 pm

      re: (1) the “always will” part isn’t entirely correct, it could theoretically also be done by getting a ton of intermediate certs and use all of them on their own site, so it wouldn’t require an “onerror” event. But yeah, the threat of that happening are slim to none for most “attackers” IMO, especially given the fact that this FP technique isn’t very accurate in the first place. I mean, why bother when there are far easier methods for FP already anyway.

      re: (3) PB doesn’t store new intermediate CA certs but of course everything already in the certdb could still be fingerprinted.

    2. Pants said on February 9, 2017 at 7:15 pm

      Agreed. I exclusively use non-PB windows, because I like a very short history, and I like my saved logins/passwords and active logins. I control all the stuff PB does natively (default block all cookies (i have about 5 i keep and about 5 i allow for session), constantly emptying of cache-history-forms-search-etc (about every 10 minutes) and of course the key is block all JS by default, block all XSS by default, block all indexeddb etc etc. While we might do this, the above is more about worse case scenarios. But i still see it as overkill, I included it for info/completeness, and its inactive.

  44. earthling said on February 9, 2017 at 1:44 pm

    @Pants, please enclose 9998 and 9999 in two big JS comments, ie move the ***/ to the end of each block, so they nicely collapse like Appendix A and B

    1. Pants said on February 9, 2017 at 3:15 pm

      Damn .. I use that for my html color coding. I’ve changed them to the same as Appendix A&B with a /**- and will just remember to change the color code on those manually
      ^^ Q1: SHOULD I make deprecated and palemoon the same?

      I have also made some slight changes. I moved 2661 FPI into a new section 2698 like I did with privacy.resistFingerprinting as there are numerous changes being applied to it such as OCSP, AltSrv, SPDY, HTTP2, and I think HSTS/HPKP

      Funny how you brought up cipher fingerprinting, because CA fingerprinting is a thing too. I have added this:
      // 1220: disable intermediate certificate caching (fingerprinting attack vector)
      // NOTE: This affects login/cert/key dbs. AFAIK the only effect is all active logins start anew
      // per session. This may be better handled under FPI (ticket 1323644, part of Tor Uplift)
      // https://bugzilla.mozilla.org/show_bug.cgi?id=1334485 // related bug
      // https://bugzilla.mozilla.org/show_bug.cgi?id=1216882 // related bug (see comment 9)
      // user_pref(“security.nocertdb”, true); // (hidden pref)

      I also updated the tor uplift. Rounded windows to 100’s and UTC time zone spoof are now assigned and seem pretty simple patches. Can’t wait for them to land. I know the uplift project has done a lot of work in the last 7 months since v10 was published, but I gotta say it *seems* like very little has come through (all the existing resistFingerprinting was already there – screen, plugins/mime types – nothing has been added to 2699 for seven months). Still waiting for closure on timing attacks, resource://URIs, windows.name, SVG (almost here), MathML (only just landed).

      I was also wondering about adding the two referrer prefs from the to investigate section as active since they land in FF52.
      ^^ Q2: YES or NO?

      ^^ Q3: Should I post a one day pastebin for final perusal (not that hardly anyone else bothered to comment, or maybe they found nothing wrong)

      Gimme the heads up on the three Qs.

      1. Pants said on February 9, 2017 at 7:09 pm

        Now I know what you mean. I (and by I, I mean everybody) don;t need to wrap every single pref in /* */ because you can visually parse every single new pref as it starts with a column1 “// number”. I do get that by doing what you did, that all the prefs have there own little collapsible indicators, which is nice visually. And I guess it’s neat you can collapse all, and what’s left are the prefs. I’m tempted.

      2. earthling said on February 9, 2017 at 6:31 pm

        “like this?” – yes
        “Makes little difference to me. I’m just using Notepad++”
        well, okay, my editor handles it differently. And I like it better that way. Look at 1206, 1207 for example.
        I guess NP++ shows your 1206 line and then the 1207 pref, right?
        Or 0812, I assume you see 0812 and then the 0815 prefs, with 0813 completely hidden?
        Now I think that’s confusing.
        My editor shows me everything (it handles JS comments correctly if you will), but if you’re happy with NP++ behavior there’s no need for you to change it to /* … */

      3. Pants said on February 9, 2017 at 5:28 pm

        “I hope referrers from secure->insecure is still blocked.” – grrr, not what I meant.
        “I hope referrers from secure to any other site is still blocked” – that’s what I meant, which is what 1601 was about..

      4. Pants said on February 9, 2017 at 5:24 pm

        network.http.enablePerElementReferrer (default is true). From what I can tell, it allows image and anchor elements to set a referrer. Its been around since 42: https://developer.mozilla.org/en-US/Firefox/Releases/42 . And something about 50 being when it became compatible: https://developer.mozilla.org/en-US/docs/Web/API/HTMLAnchorElement/referrerPolicy – have added it to the to investigate list

      5. Pants said on February 9, 2017 at 5:13 pm

        I’ve left it inactive. Its a lot of work for someone to unmask you via CA’s from what I can glean (and its not so much about a unique ID than about reducing you to a small subset) – read those tickets. Might be something a state actor could use. And no, if I read it correctly, if you cache nothing then you will be less fingerprintable (think of why someone would attack you this way – to see if you had a specific CA).

        I have read up on those 2 FF52 referrer prefs but I might just leave em where there are. 1601 deprecates in 52, and the 2 new ones kick in. I’m still a little confused. I hope referrers from secure->insecure is still blocked.

        I will send Martin all the files in the next 24hrs (I hope) – might even do so it can maybe be posted for the weekend

        PS: Not ever gonna github. TBH, I don’t want to install github client. But if anyone else ever wanted to “fork” this on there, I’d jump on board, as long as they retain the ghacks name.

      6. Pants said on February 9, 2017 at 4:40 pm

        like this?
        /* 0101: disable “slow startup” options
        // warnings, disk history, welcomes, intros, EULA, default browser check */
        Makes little difference to me. I’m just using Notepad++

      7. earthling said on February 9, 2017 at 4:36 pm

        I’ve now converted all multi-line comments in my user.js into single blocks ( /* 2012: … */ ), and it’s such a great change, makes it much easier to read, easier to organize, less scrolling, I love it.

      8. earthling said on February 9, 2017 at 4:28 pm

        A1: No, it could be confusing if someone wants to re-enable some of them.
        Once github-ed I would be in favor of moving the Palemoon stuff into a separate file.
        A2: idk, haven’t researched them. A lot of new things are coming with FF52.
        – there’s also still ‘network.http.enablePerElementReferrer’ from FF50, which I’m still not sure about.
        If you think they are ready, you’ve looked into it and you know what the best value for them is, by all means – include them.
        A3: No, I can wait for final

        Q1: Isn’t it less fingerprintable when a cache is used for certs? Fewer requests to CA’s, or not?
        I’ll look at the bugzilla’s you mentioned, but just from my current understanding, caching is better.

  45. earthling said on February 8, 2017 at 4:01 pm

    0371 could be 0336b; or merge them both together under 0336

    1. Pants said on February 8, 2017 at 7:27 pm

      ^merged under 0336

  46. unregistered said on February 8, 2017 at 1:51 am

    I see some mentions that this will move to github before too long. Would someone explain how that site works in basic terms of just being able to read and follow your conversations? It seems more techincal minded then a setup like this or a typical forum setup.

    I wanted to ask now just in case because the other day ghacks loaded a new site design and I couldn’t get any comments to show for articles. ghacks is back to its familar design right now so I don’t know how much longer the comments might appear.

    1. Martin Brinkmann said on February 8, 2017 at 5:10 am

      Comments won’t go away, don’t worry. They often add more to the topic than the article itself.

  47. earthling said on February 7, 2017 at 9:25 pm

    So what about your iTunes problem? Was ‘security.ssl.require_safe_negotiation’ really what caused it, or those 2 prefs?

    “This pref controls the behaviour during the initial negotiation between client and server.
    If set to true, a Mozilla client will reject all connection attempts to servers that are still using the old SSL/TLS protocol and which might be vulnerable to the attack.
    Setting this preference to “true” is the only way to guarantee full protection against the attack. Unfortunately, as of time of (initial) writing, this would break nearly all secure sites on the web. (Update: As of December 2010, this still applies for a majority of web sites.) ”

    If something as major as iTunes still hasn’t adopted to this, 6 years (!) later, they honestly deserve to lose some users!
    I really think we should set 1204 to true and see how it goes. I don’t expect too many sites still use “the old SSL/TLS protocol”.

    1. Pants said on February 7, 2017 at 9:54 pm

      1. Clear your cache
      2. about:config set security.ssl.require_safe_negotiation to true
      3. visit https://itunes.apple.com/us/album/donald-trump-single/id438785802 (it should be missing all styling)
      4. about:config set security.ssl.require_safe_negotiation to false
      5. reload itunes page, all styling now loaded

      GET (Error) null https://s.mzstatic.com/htmlResources/16d8/web-storefront-base.css
      GET (Error) null https://s.mzstatic.com/htmlResources/16d8/frameworks/images/p.png

      s.mzstatic is the issue

  48. Pants said on February 7, 2017 at 8:54 pm

    Working for HTTP now for me as well. Can you check and let me know?

    On HTTPS, clicking Reply on comment 4123847 (the one you said “test”), doesn’t do anything now (before it would display the reply fields within the thread, like when I relied with “test reply to test”)

    1. Martin Brinkmann said on February 7, 2017 at 9:29 pm

      Strange, both working for me know. Can you force clear cache of the page and try again, or better, try here: https://www.ghacks.net/2017/02/07/opera-43-better-performance-classic-link-selection/

  49. Pants said on February 7, 2017 at 8:37 pm

    Worked it out. I copied the prefs.js, clicked the “Restore Default (network) Settings” on the error page (I had backed up my entire FF just in case, but it only resets security.ssl3.* ). The page loaded fine with no issues. A quick compare showed 7 security.ssl3.* changes – 5 of which are in the user.js (1210, 1213 and 1214). I changed these back to false. Tested, still worked. I restarted FF (settings as per user.js, as false), tested, still worked.

    It was the other two settings, which are not in the user.js. For some reason I had these set as false
    user_pref(“security.ssl3.rsa_aes_128_sha”, false);
    user_pref(“security.ssl3.rsa_aes_256_sha”, false);
    Maybe it was an extension I tested, maybe it was me, no idea. But they have never been part of the user.js.

  50. Pants said on February 7, 2017 at 8:11 pm

    Whats with the no threading of replies? https://support.mozilla.org/en-US/questions/1148536 .. that’s from Nov 28 last year. That particular support answer (about outdated RC4) relates to that site listed in the problem Overall, it all comes down to SSL/TLS versions and fallback. I did test this, but I got the same error. Maybe nilla needs a restart for tit to take effect. Will test. If if is that, then I will deactivate the setting. I blame Tom.

    1. Tom Hawack said on February 8, 2017 at 10:44 am

      Pants blames Tom, ” I blame Tom”
      “You talkin’ to me” à la De Niro, even if I ain’t no taxi driver.

      Now what’ that blame for? i’m always extra cautious with settings and even more when sharing mine …

      By the way, Ghacks.net running fine again after these 2 days of aggression, be it in http or https, even if https is still longer, at this time.

    2. Martin Brinkmann said on February 7, 2017 at 8:27 pm


      1. Pants said on February 7, 2017 at 8:38 pm

        test reply to “test”

      2. Martin Brinkmann said on February 7, 2017 at 8:41 pm

        Use https, comment nesting works fine there. I have to investigate ;)

      3. Martin Brinkmann said on February 7, 2017 at 8:46 pm

        Working for HTTP now for me as well. Can you check and let me know?

  51. earthling said on February 7, 2017 at 6:43 pm

    SSL_ERROR_NO_CYPHER_OVERLAP – perhaps because of TLS1.3? I can’t think of anything else where my prefs differ to yours apart from that max-version pref. Mozilla plans to enable it by default soon anyway, and Tom said something somewhere that he also had to adjust the fallback-version pref I think to unbreak sites due to TLS1.3 incompatibilities.
    Maybe you could also retry iTunes with 1204 enabled and TLS1.3 disabled. TLS1.3 last I heard is still in draft-phase.

  52. earthling said on February 7, 2017 at 6:36 pm

    ‘SSL_ERROR_NO_CYPHER_OVERLAP’ – lol, that site works fine for me, weird.

    1204 – ok, np, sorry to break your iTunes ;) I don’t remember when I toggled it on, must have been a while, but it never caused me any problems.

  53. Pants said on February 7, 2017 at 6:09 pm

    earthling: I’m not going to set 1204 as active sorry – after using it myself for half an hour, it just breaks a lot of sites – css fails to load for eg itunes. I think it’s way too early to foist this on users. I reckon it’ll be years :-(

  54. Pants said on February 7, 2017 at 5:57 pm

    – 0209 moved to 0820, yeah that makes more sense, WTF was i thinking..
    – svg.disabled added as active
    – info added to 1200 header section

    Note that your cipher and other settings can be used server side as a fingerprint attack vector: see https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/ . You can either strengthen your encryption/cipher suite and protocols (security) or keep them at default and let Mozilla handle them (dragging their feet for fear of breaking legacy sites) ***/

    Ironically.. I have to use one of my other browsers to view that link :) In FF I get a SSL_ERROR_NO_CYPHER_OVERLAP error

  55. earthling said on February 7, 2017 at 4:22 pm

    0209: I disagree. Everything in 0200 deals with Geolocation. IMO it would fit perfectly under 0800, because that also deals with SEARCH and mentions that “Not ALL of these are strictly needed”

    ciphers: Agreed. Idk how easy or hard it would be for a site to include that kind of information (from packets) into their FP toolkit, but I suspect or hope that it’s non-trivial. A note would still be nice though IMO.

    svg.disabled lands in FF53 and I’d include it already

  56. Pants said on February 7, 2017 at 3:55 pm

    0209: I think it fits in this section with any other search/language/locale items. I get what you say that it only changes the engines (as per zilla agreements per zone/deal), at least I think that’s all it does.

    1204: good to know, I’ll turn it on

    1210-13-14: I’d rather enforce better security than worry about server side fingerprinting. There are already a ton of non-JS FP holes still unresolved – some will never be closed, they’re a trade off.

  57. earthling said on February 7, 2017 at 3:27 pm

    0209 has nothing to do with Geolocation afaik

    1204 – used it for a while now without any problems so far

    1210, 1213, 1214 – disabled ciphers can be used for fingerprinting. Idk what’s worse, allowing “broken” and/or weak ciphers or letting every server know that we have disabled them. see: //www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
    IMO we should leave those items as are, but maybe add a note that it can be used for fingerprinting.
    I’m generally not very worried about fingerprinting when it requires JS, because all the dom.* prefs etc already put is an a very small group, but this one works without JS

  58. Latetotheparty said on February 5, 2017 at 12:57 pm

    Thanks Pants for the complete reply – i will certainly attempt to differentiate between the two myself first…

    if it gets to the point where I hit the vodka and valium, I may ask for further help.


  59. Latetotheparty said on February 5, 2017 at 9:36 am

    Is it possible to create a new user.js file consisting of all my self set preferences collected over the years from the existing prefs.js file ?

    I`m late to the party with regard to using a user.js but have a lot of manually altered prefs in about:config

    The thought of starting again from scratch is a little overwhelming.

    1. Pants said on February 5, 2017 at 11:43 am

      “Is it possible to create a new user.js file consisting of all my self set preferences collected over the years from the existing prefs.js file?” – of course it’s possible, but you’d have to be careful, knowledge helps (and it would only be a list, with no relevant order or information).

      Your prefs.js is full of other stuff. You need to differentiate between what is “mozilla” set (eg some graphics card and related settings are determined by the software I think, along with other specific OS/HW stuff). And there will be a lot of specific prefs which do not have a default, such as version numbers (gmps etc), last update etc, stuff that is local, eg languages, search engines etc). Aaaaand you need to weed out the specific extension prefs (eg “extensions.https_everywhere.*”), and be careful, not all “extension.*” are actually in use by a specific extension). And then there are other bits and bobs you would want to leave alone

      There are ways you could compare. Find the differences in your prefs.is vs the ghacks user.js – i.e take a ghacks user.js copy and sort the entire file by column 1 – this will put all lines starting with user_pref together in alphabetical order, remove all other lines. Now take these 416 or so lines of ACTIVE ghacks prefs and compare it to your prefs.js (which is also in alphabetical order). This will at least show you:
      1. what I have set that you haven’t. Note: items set via user.js are in prefs.js and thus deemed as “user set” is about:config – even if the value is the default value. Quite a number or prefs will meet this criteria (they were added for enforcement, future proofing, completeness). So not all items missing in yours but in mine, means that they are different. You could actually ignore this side of the equation.
      2. what you have set that I haven’t: again, you need to know what is important and what isn’t.
      3. we both have the pref, but different values?

      As I said, you really just want steps 2 and 3. When you work out what you set that I haven’t, as well as what has a different value, then you can manually add/edit them to the ghacks user.js.

      [If you are REALLY really really stuck, do a pastebin dump of your prefs.js for me, I’ll give you a pastebin list back of what you have that is truly “user set” that I don’t already have covered, as well as anything that has a different value. I will only look at active prefs from the ghacks js]

      1. earthling said on February 5, 2017 at 7:09 pm

        I’m pretty sure the user.js gets loaded last out of all the different pref.js files, and I assume that when something changes it gets written to prefs.js. But it’s not always true that when user.js values === default it doesn’t get written to prefs.js. Some do, others don’t. No idea why. But every pref from user.js will show up as “user set” unless you make the same mistake I did and use ‘pref’ instead of ‘user_pref’ ;)

        “Are you talking about like 20 or 30 little js files” – yes, more or less. fe. noscript.js, ublock.js, etc.
        Maybe I’ll just do it for each addon, idk yet. It would make it easy to just copy that file into another profile fe.

        “How do you load em all” – Damn son, 800+ comments and it took me waaaay too long to find this one again: //www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-4028557

        “to lock prefs” – afaik that would be applied to every profile though, right?

        “more than one file for end users” – once you move this to github, I don’t think that should be a problem anymore. If we do end up with more than one file, we could reconsider multiple js files. fe. moving the deprecated stuff into a separate file and still leaving all those prefs active would maybe be nice, idk.

      2. Pants said on February 5, 2017 at 4:53 pm

        My understanding (assumption damnit) was that user.js (yes I did say that there WAS a user.js) is parsed into prefs.js, which in turn is used to override the default values in about:config. Because it shows as “user set”, I assumed it was in prefs.js. Clearly, the other way, changing a default in about:config, goes to pref.js as well.. So, security.block_script_with_wrong_mime is in my user.js .. as true, which is the default .. and shows as “user set” in about:config – aaand, its not in prefs.js .. Wooo!. So I guess user.js values === default are kept out of prefs.js but still tagged as “user set”.

        Can’t please everyone. We could slice and dice in a dozen ways. The DOM/JS is becoming too unwieldy – without looking at 12bytes again, at least I think most of my stuff is in the same area (2400, 2500, 2600 etc).

        Not sure on the idea of splitting stuff (personally I don’t need a user.js for extension prefs, I backup my entire FF portable every day or so – copypasta, done in 20 seconds, as ell as offline backup every so often – IF my FF ever got corrupted, most of my extensions I can export/import or just copy over directories or files, after I reinstall them in a new nilla). Not sure what you mean by “cache” .. that would be small ass. For me, I am happy for now with a single file, as a means to keep this going as a single file/single search etc for end users. Are you talking about like 20 or 30 little js files. How do you load em all .. in .cfg?

        The one thing I would like to do is move a lot of stuff to lock prefs. But then that is the same issue – more than one file for end users. Plus it makes it a pain to test some stuff.

      3. earthling said on February 5, 2017 at 2:45 pm

        “Note: items set via user.js are in prefs.js and thus deemed as “user set” is about:config – even if the value is the default value” – that’s not always the case though. And if he didn’t have a user.js so far, it’s not even possible to “user set” a value to the default value in about:config.
        security.block_script_with_wrong_mime;true is only one example. It’s enforcing the default value but it’s not written to prefs.js. If you need more than one to believe me, here have another one: xpinstall.signatures.required;true and there are plenty more.
        Because my script compares my user.js, prefs.js plus one more 3rd-party user.js, I can easily see which ones aren’t written to prefs.js.

        @Pants, I recently thought about splitting my user.js up into several files for different categories/sections, fe. one with all my extensions prefs, one with only Cache stuff, one for all the safebrowsing/trackingprotection stuff, etc. It has pros and cons. I’d love to hear your thoughts about it.
        Also, one thing I really like and still use is the DOM/JS section from 12bytes user.js. Your user.js has them all spread around to different, maybe more fitting sections like HW-fingerprinting and stuff, but IMO adding them all together is quite nice.

  60. Montegua said on February 4, 2017 at 7:11 pm

    TLWR; Starting and ending versions: only if it is easy and you have the info readily available.

    I agree it’d be a lot of work to attempt to go back and add in any missing starting versions. (There maybe someone who is willing to do this to add to the project, but I digress.) Ideally, if an item has been deprecated, it’d be nice to have both the starting version and final version (if known).

    Knowing the starting version just means a user can skip the item if they’re on an older FF version.

    Knowing the ending version (if an item has been moved to deprecated list) means a user may still want to use the item if they’re on an older FF version.

    For example, I’m currently using FF38 for regression testing on a very unusual project. If I would like to add your user.js to FF38, I could potentially use any configuration setting starting before FF39 (using the starting version number), and I could check the deprecated section for any settings that would still be effective (and not yet deprecated by FF38 using the ending version).

    Sorry if this is too complicated or too much work. I’m probably the exception, or part of a very limited and small audience, and I can work this out for myself. :)

    Carry on! As you were!

    But, if you still have a small bit of interest, somewhere I’ve recently seen someone’s work where they evaluated a large number of past FF versions and created a list of removed profile settings (Linux FF26-FF50). Found it … post by TheWindBringeth:


    I don’t want to make any more work for you; you already have a lot to do. I think what you’ve created is badly needed, and will become wildly popular with privacy and security minded users. :)

    Personally, I started staying on the ESR releases because the churn with FF was becoming too much to try to keep up with (and I’m a bit lazy). Your project helps greatly by making it easy to keep up with the latest settings churn. :)

    Thanks again! Absolutely brilliant!

    1. Pants said on February 4, 2017 at 7:55 pm

      Here’s the thing though .. if the preference is yet to be introduced, or it is deprecated .. makes little difference to the version. If it isn’t supported, it will have no impact. All it will do is add a useless preference. So in reality, you could just activate every single pref. Also, as earthling said “there’s no rule as to when something makes it to ESR”. From a purist standpoint I where you’re coming from.

  61. Pants said on February 4, 2017 at 2:47 pm

    For a couple of sites I have had to implement JS that I didn’t really want to (otherwise you end up in an infinite loop of having to prove you’re not a robot). Some sites are just really being a-holes now (they know who they are). They do this so they can enforce their shitty experience of popups and ads and stuff on people. Anyway, f**k i hate popups (I’ve hardly seen any for a few years). The content in the popup is not the problem (its always blocked thanks to lists)… but the popup takes focus, and requires closing .. its just so annoying. I thought about using middle click, or right click and open in new tab (that stops the popup but if its a download, it leaves a new blank tab to close). I want a solution, not a band-aid.

    So I played around with 2415b (user_pref(“dom.popup_allowed_events). Not sure where the info about having to use a single space came from. I tested with a single space and with a null and both work – I guess that was a legacy issue at some time. If you can’t already guess .. I disabled all methods. This then leads to a lot of legit sites having issues. Not really a solution.

    So I installed Popup Blocker Ultimate (why did I not know about this before?). I’m using it in Strict mode. You can either block all and whitelist, or allow all and blacklist. I’m doing the former for now, but it may be easier to maintain the other way. This add-on (not sure if it’s e10s, not listed on arewee10syet despite 37K users) will play with the 2415b setting. If you block all and whitelist it sets the value to a null (and obviously flips it based on domains). If you allow all but blacklist, it sets the default value as the full default string (hence why I think I’ll stick with block all but whitelist). Regardless of what you have in the user.js, this add-on will overwrite it.

    I’ve left the pref setting in the user.js as “click dbclick”. I have sent the add-on developer an email asking him to build in a default string option.

  62. Montegua said on February 3, 2017 at 4:47 pm

    @pants, @earthling – Thanks! Very impressive work! A small suggestion for the deprecated section: please include both the starting version along with the ending version (i.e. please don’t delete the starting version when moving the item to the deprecated list). I may be the exception, but I usually stay on the ESR version and have been known to run old versions of FF (on various platforms for regression testing). So far, I’ve been testing modified versions your smashing user.js on FF51, TB45, FF45ESR and PM27.

    1. earthling said on February 3, 2017 at 6:34 pm

      Thanks! I recently made a similar suggestion (to move items to the deprecated section but keep them active ie. not commented out) but we both agreed that people who don’t use the latest stable can do that themselves, if they feel inclined to do so.
      As for including the starting version also, that would require a lot of additional work to get that info for every pref.
      But I agree with you that for items where we already had a starting version info, we could/should keep that available when moved to the deprecated section.

      1. earthling said on February 4, 2017 at 12:39 pm

        I’m also not gonna do a backlog of every pref we have without starting version. Frankly I don’t see the usefulness anyway. I do have an ESR next to my main stable FF that I use for single-purpose and was recently kinda surprised to see some of the latest prefs from FF51 already in ESR too. BUT and this is a big BUTT, there’s no rule as to when something makes it to ESR as well. If a pref gets added in FF51 lets say, it doesn’t automatically mean that pref will also be in ESR45.7. It’s feature-dependent and feature-dependent only.
        Nothing afaik can be deducted from a starting version in terms of applicability for other releases/channels/PalemoonVersion and whatnot. So, while I think having them in the user.js is valuable I don’t think it justifies the amount of work required to get them for all the older prefs. But I don’t think that’s what Montegua wanted us to do, so we should be gucci by just continuing doing what you already do i.e. add the starting version for new prefs and don’t remove that info once it gets moved to the deprecated section.

      2. Pants said on February 3, 2017 at 7:03 pm

        “please don’t delete the starting version when moving the item to the deprecated list” – I don’t.

        A number of prefs already have the starting version, but its only something I have done in the last IDK, 4 or so FF releases when I was certain that was when they were new – the diff-dumpies from earthling help immensely:
        // 0351: disable sending of crash reports (FF44+)
        // 0402: disable/enable various Kinto blocklist updates (FF50+)
        // 0608: disable predictor / prefetching (FF48+)
        There are 15 for FF51+ alone.

        When something deprecates, I add the version dropped at the front. This then gives us a version timeline for history’s sake and legacy versions.

        Two issues with that
        – I am not going to even attempt to work out the backlog, and that includes some of them being introduced in minor updates. It could be done, get all FF portable releases, diff-dump for all changes between releases but only output new – combine into a single file. Now it’s searchable. I’m personally NOT doing this.
        – Some prefs may not be introduced to the user.js until a later version (so I won’t automagically append eg those 15 examples of FF51+ mentioned above, which came from the last diff-dumpie – see the above point, if we kept a rolling diff-dumpie-NEW it could be feasible to add to the working rules for when adding a new pref)

  63. earthling said on February 3, 2017 at 2:00 pm

    user_pref(“browser.enable_automatic_image_resizing”, false); // personal choice; annoyed the shit out of me
    user_pref(“browser.newtabpage.remote”, false); // default false atm but sounds terrible! probably irrelevant with 0360
    // lovely features, why hide it mozilla? …
    user_pref(“devtools.dom.enabled”, true);
    user_pref(“devtools.command-button-screenshot.enabled”, true);
    user_pref(“devtools.storage.enabled”, true);

    user_pref(“findbar.highlightAll”, true);
    user_pref(“media.gmp-eme-adobe.autoupdate”, false);
    user_pref(“media.gmp-gmpopenh264.autoupdate”, false);
    user_pref(“media.gmp-widevinecdm.autoupdate”, false);
    user_pref(“narrate.enabled”, false); // for Reader, maybe irrelevant with ReaderView disabled

    1. Pants said on February 3, 2017 at 7:49 pm

      user_pref(“media.gmp-eme-adobe.autoupdate”, false); – added under 1850
      user_pref(“media.gmp-gmpopenh264.autoupdate”, false); – added under 1840
      user_pref(“media.gmp-widevinecdm.autoupdate”, false); – added under 1825

      browser.newtabpage.remote* – added to investigate, and yup, sounds like sh*t. Like I mentioned earlier, all that WebFunnel shit is coming – it may never activate for some of use, but we’ll need to lock it down to cover all users.

      browser.enable_automatic_image_resizing – yeah, mine is set the same (for those reading, this is stand-alone images). I think its being controlled by my “Zoom Page” config. I’m not adding it, its personal choice. Whatever I have going on, if an image is too small, it does not resize, if its too big, it shrinks to fit. Perfect – I don’t want to see tiny images blown up, and huge images I can see the DL progress as it fills in and see it all in one glance when finished, and then you can toggle full/fit views with a click.

      findbar.highlightAll – mine is the same as yours. I think mine must have been set in FindBar Tweak. Toggling them on and off in the actual findbar (whole word, highlight all) is having weird stickiness – probably due to findbar tweak. And I have no idea where match case is kept. Not going to add this.

      devtools personal options .. not adding, but thanks for the info

      1. earthling said on February 4, 2017 at 5:00 pm

        “no idea where match case is kept” – it’s ‘accessibility.typeaheadfind.casesensitive’ but it never updates the pref and only keeps it in memory.
        //dxr.mozilla.org/mozilla-central/source/toolkit/content/widgets/findbar.xml#607 // _setCaseSensitivity
        //dxr.mozilla.org/mozilla-central/source/toolkit/content/widgets/findbar.xml#575 // _updateCaseSensitivity
        You can however set it yourself if you want to make if permanent or change the default:
        0 – case insensitive
        1 – case sensitive
        2 – auto = case sensitive if match string contains upper case letters

        This might be useful to someone, so here’s how you can find something like that for any given button…
        The button is labeled “Match Case” and to support localization those labels are kept in .dtd files…
        1. search DXR for ‘file:*.dtd Match Case’ without the quotes -> only one result found, neat.
        –> without needing to click on it, we can see that the label we’re interested in is ‘caseSensitive.label’
        2. search for ‘caseSensitive.label’ -> results found in 3 files, one is the same as in (1), and one is for linux, so click the remaining one (make sure to click on the line with the searched text in it, not the file itself)
        3. we’re now at //dxr.mozilla.org/mozilla-central/source/toolkit/content/widgets/findbar.xml#191 and we’re interested in the oncommand parameter -> it calls a function called ‘_setCaseSensitivity’
        4. search DXR for ‘_setCaseSensitivity’ -> 6 results in 2 files, one is again for linux, so we’re left with 3 lines of code …
        line 194 – is the oncommand line that lead us to this point
        line 342 – has something to do with ‘accessibility.typeaheadfind.casesensitive’
        line 607 – shows all the supported values for that pref

  64. earthling said on February 3, 2017 at 1:39 pm

    Is likely irrelevant anyway with 0360 in place

  65. earthling said on February 3, 2017 at 1:34 pm

    ‘privacy.usercontext.about_newtab_segregation.enabled’ I’m not sure this works without (“privacy.userContext.enabled”, true)

    1. earthling said on February 3, 2017 at 1:37 pm

      Also the branch should be with uppercase C to match the others (mozilla’s mistake atm)
      This is likely to get replaced with a properly named new pref with the same name, I assume.

  66. earthling said on February 3, 2017 at 12:37 pm

    I still need to check out a few things and I also still want to run your latest beta thru my script to compare with my own user.js but here are a few things I noticed so far:

    1808 – says “disable auto-play” but is set to false – mistake or by choice? You had 1851 set to true.
    2669 – I added an additional note in mine:
    // added in FF51 to fix CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)
    3024 – extensions extensions -> double pasta. And would maybe fit better under e10s stuff, perhaps create a new category for all things e10s? idk

    I also noticed that you discarded a bunch of prefs from the latest diff-dump, admittedly some are probably not necessary because they are already disabled by other prefs (WebGL2), and a lot of others are still disabled by default for now (firstRunURL); most notably:

    I’m not sure about how I feel adding even more (unnecessary?) lines to an already quite massive and overwhelming file (more debug prefs and Appendix B)

    1. Pants said on February 3, 2017 at 6:47 pm

      1808 – yeah, I meant true (I blame copypasta’ing then from your diff dumpie)
      2669 – done
      3024 – fixed double pasta. moved to 2652, and 2652->2660 to leave more room for e10s stuff in the 50s. We have e10s now as 2650+2651+2652 (doesn’t warrant a section yet)

      Lines .. debug options (make up ya mind), I think I’ll leave them in as at least an experiment and get user feedback, end users can always chop them out. Yeah, I don’t want this to become an encyclopedia, but I like a small Appendix B (its just a list) and may spark some discussion. The final parrot line since the last full pastebin, I moved it up from line 1485 and put immediately after the end of all the live stuff around line 1330 on pastebin. Now people can just remove all the “dead” sections if they want their file to be smaller. People are encouraged to edit and I consider this to be a template.

      That list of items, at default, are already what we want them at. We can add them as we get each diff-dumpie. The only one I am confused about is why it seems you feel signon.formlessCapture.enabled should be false.
      – browser.crashReports.unsubmittedCheck.* = default false
      – datareporting.policy.firstRunURL = default blank
      – dom.permissions.revoke.enable = default false
      – dom.presentation.* = default false (but added to investigate section)
      – security.block_script_with_wrong_mime = default true
      – signon.formlessCapture.enabled = default true (I set mine to false, give me reasons to add it as false)
      – webgl.dxgl.enabled + webgl.enable-webgl2 = default true (isn’t this what we wanted?)
      ^^ added tot he stuff to check list so I never forget about them. We may not pick up on these if mozilla flip them in minor updates. I’m all for future-proofing but some seem stable eg security.block_script_with_wrong_mime is unlikely to flip, crash reports will never be sent if we have killed the url and control the master switch etc.
      ^^ a case can be made for signon.formlessCapture.enabled : can you give the reason/link and text to use to add it as false
      ^^ am also confused about webgl2, since we block webgl

      2662: I have to admit I never use “open with”. Is now activated, but I added a warning (and to troubleshooting) because I can see a lot of users complaining (broken workflow etc)

      2025: yeah look, I get anty pantsy about this section. Way back I included some bits of it so I could get webm (default was false at the time I think), and also some way of helping control that html5 youtube test page so it was all sweet. It all really doesn’t belong there. In the end this is what I came up with. I have now made ogg.flac false (it was true because flac was true, can’t please everyone). I will edit the description to make it clear this is a FYI with the author’s settings and also stick it on the troubleshooting

      2607a: I added “// likely requires privacy.userContext.enabled (containers) enabled” and added privacy.userContext.* to investigate list – we’re not ready for containers yet. Re comment about 0360: yeah, I don’t even ever see a new tab let alone allow tiles or have any history at startup. It’s about locking down everything we can to cater for most people. Information is power. We also have all that WebFunnel stuff coming I think in 56.

      1. Pants said on February 4, 2017 at 4:41 pm

        – signon.formlessCapture.enabled – added false (with zero info or links!)
        – webgl.dxgl.enabled + webgl.enable-webgl2 – added false
        – security.block_script_with_wrong_mime – added true
        – privacy.usercontext.about_newtab_segregation.enabled – removed, stuck it down with the container stuff in to investigate section. It felt wrong in that spot anyway. I think in future we could have a PB (private browsing), e10s, and containers section. 2600 is becoming a mess.

        “I personally would rather add too many (potentially unnecessary) prefs than too few.” – I hear ya. I’m the same. Not just future-proofing, but also in the past there has been an example of a bug that without this fallback let something through – this is why I not only eg turn off a switch, I remove the URL as well. Also your example of situations where it makes sense for background tasks to still do it.

      2. earthling said on February 4, 2017 at 3:58 pm

        Oh boy, where do I even start here…??!

        ‘That list of items, at default, are already what we want them at.’ – yeah, I assumed that was the reason you discarded them.

        ‘We can add them as we get each diff-dumpie.’ – agree.

        ‘signon.formlessCapture.enabled’ – I don’t use the built-in password manager, and therefore don’t need FF to parse every site with a login form for potential ‘formlessCapture’.
        Ideally FF wouldn’t do that anyway when the whole ‘signon.*’ thing is disabled but I don’t know for sure.
        I don’t think it’s possible to exploit that feature in any way, but you never know.
        In technical terms, it adds a new code-path with potential vulnerabilities, idk if that code-path is reachable when the PM is disabled, but I don’t need it anyway so why risk it.
        If we don’t want to bloat the user.js too much, this is likely a candidate to dismiss.

        ‘webgl stuff – default true (isn’t this what we wanted?)’ – I think if set at all we would want those to be false.
        Since it’s still a ‘webgl.*’ pref I’d assume it builds on webgl which is already disabled, and hence those 2 can be safely dismissed IMO.

        See, there are things that I would expect not to happen because IMO the context is already disabled, but the code is not always perfect and without looking at the code in detail, we don’t know for sure.
        One example is ‘browser.newtabpage.directory.source’ – ideally this would never run when the newtabpage and the shitty ‘enhanced’ part are disabled, but it still does. I understand why it is coded this way (so it’s ready when someone flips it back to ‘enhanced’), but I would still prefer it to not do that.
        Because of all that I personally would rather add too many (potentially unnecessary) prefs than too few.

        ‘security.block_script_with_wrong_mime is unlikely to flip’ – true; many prefs only exist so moz://a can test the feature, and this is most likely one of them. I still included it in mine, so I don’t totally forget about it, and because it’s a ‘security.*’ pref. I might play with it too, to see if there are ways around it or whatnot, and then I don’t have to worry about it in case I forget to toggle it back to true.

        2607a – if we don’t want to bloat the file unnecessarily, IMO we can ignore the ‘privacy.userContext.*’ stuff and just wait until mozilla sets them all to true by default as soon as it’s ready to use.
        2607 makes 2607a obsolete anyway. But just in case someone comments-out 2607, they might still want 2607a, so yeah, tricky situation. You decide.

        If I didn’t comment on something you’d like me to, let me know.

    2. earthling said on February 3, 2017 at 1:43 pm

      2662 should be activated IMO

    3. earthling said on February 3, 2017 at 1:29 pm

      enabling ‘media.ogg.flac’ when ‘media.ogg’ is disabled doesn’t make sense

  67. Pants said on February 3, 2017 at 5:04 am

    I have fleshed out a nice small reasonably comprehensive list for Appendix B. Pastebin self-destructs in 7 days (PS, after posting it, I have fixed the three grammar mistakes) – http://pastebin.com/qkq0WxGt

  68. Pants said on February 2, 2017 at 3:39 pm

    @everyone .. without typing it all out again : http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs#comment-650 .. Proposal to expand the ghacks parrot for every section. Vote … NOW

    1. earthling said on February 2, 2017 at 4:16 pm

      Sure, why not. I’m fine with whatever you decide but then again I’m using my own user.js and I only have two such entries in mine, so either way your decision won’t impact me.

      Grunt suggested to 12bytes to github his user.js, and you plan to do the same. It would be great if more people would work on the same user.js instead of having different versions. And in reply to your comment he mentioned that he might just start using your user.js, so maybe he’s on board with abandoning his list and start helping out with yours.

      1. earthling said on February 3, 2017 at 1:18 pm

        DAMN, I think I should rename myself to “Justin”, just because I put a “just” in so many of my sentences xD
        And then there’s “Just Me” — Is “Just Me” === earthling === Pants? Who knows! Tom? ;)

      2. earthling said on February 3, 2017 at 12:46 pm

        “is it easy to assign rights/permissions to others. I assume there’s levels right?”
        idk. Only worked once on a github’d project but it wasn’t my own, so I was just submitting commits.
        I think you should stay fully in control and we others just keep making issue-reports and comments that you can decide to implement or not. I’m not gonna install git and everything just to submit commits for a single file.

      3. Pants said on February 2, 2017 at 4:33 pm

        Right .. lets github it after this version. We’ll invite 12bytes as well. He’s already talking about using our version (its a lot to keep shit up to date for one person). I’ve never used github .. is it easy to assign rights/permissions to others. I assume there’s levels right?

        here’s what i’ve inserted so far .. I assume you know the skit
        “START: Oh yes, the Norwegian Blue… what’s wrong with it?”);
        “section 0100 syntax error: the parrot’s dead!”);
        “section 0200 syntax error: the parrot’s definitely deceased”);
        “section 0300 syntax error: the parrot’s passed on!”);
        “section 0400 syntax error: the parrot’s no more!”);
        “section 0600 syntax error: the parrot’s ceased to be!”);
        “section 0800 syntax error: the parrot’s expired!”);
        “section 0900 syntax error: the parrot’s gone to meet ‘is maker!”);
        “section 1000 syntax error: the parrot’s a stiff!”);
        “section 1200 syntax error: the parrot’s bereft of life!”);
        “section 1400 syntax error: the parrot rests in peace!”);
        “section 1600 syntax error: the parrot’s pushing up daisies!”);
        “section 1800 syntax error: the parrot’s ‘istory!”);
        “section 2000 syntax error: the parrot’s off the twig!”);
        “section 2200 syntax error: the parrot’s kicked the bucket!”);
        “section 2300 syntax error: the parrot’s shuffled off ‘is mortal coil!”);
        “section 2400 syntax error: the parrot’s run down the curtain!”);
        “section 2500 syntax error: the parrot’s joined the bleedin’ choir invisible!”);
        “section 2600/2699 syntax error: this is an ex-parrot!”);
        “section 2700 syntax error: the parrot’s snuffed it!”);
        “section 2800 syntax error: the parrot’s snuffed it!”);
        “END: No no he’s not dead, he’s, he’s restin’! Remarkable bird, the Norwegian Blue”);

        struggling for the last two .. I could use not pinin’ for the fjords
        The whole things seems excessive and a little silly now.

  69. grauenwölfe said on February 2, 2017 at 8:33 am

    // 2707: clear localStorage when a WebExtension is uninstalled
    user_pref(“extensions.webextensions.keepStorageOnUninstall”, true);

    This should be set to false if you don’t want to keep uninstalled WebExtensions’ storage, right?

    From MDN:
    “…Also in Firefox, you can prevent the browser from clearing local storage on uninstall by visiting “about:config” and setting the following two browser preferences to true: “keepUuidOnUninstall” and “keepStorageOnUninstall”.”

    1. Pants said on February 2, 2017 at 11:10 am

      Cheers .. silly me, I meant false, which is the default. Ticket says “clear”, pref says “keep” – sheesh. Was kinda in a rush. I did see that other preference and then promptly forgot it. Many thanks

      // 2707: clear localStorage and UUID when a WebExtension is uninstalled
      // NOTE: both preferences must be the same
      // https://developer.mozilla.org/en-US/Add-ons/WebExtensions/API/storage/local
      // https://bugzilla.mozilla.org/show_bug.cgi?id=1213990
      user_pref(“extensions.webextensions.keepStorageOnUninstall”, false);
      user_pref(“extensions.webextensions.keepUuidOnUninstall”, false);

  70. joshie said on February 1, 2017 at 9:28 pm

    Regarding HSTS, I don’t want to disable it for security reasons, but is clearing Site Preferences on shutdown the only way to clear it completely? I think someone said you can clear SiteSecurityServiceState.txt file when Firefox is closed, but it doesn’t completely clear the ID?

    1. Pants said on February 1, 2017 at 9:46 pm

      CCleaner cleans it – it treats those entries under cookies.

      From my experience, and i did some tests way up there in the comments, the “id” sticks with you for the entire FF session. EVEN when I have disabled access to the SiteSecurityServiceState.txt file, the information is still there, and I could not find it in any sql (eg site prefs etc), so it must be in memory. I am not an expert.

      However, if you open FF in a normal mode, and you then open a private browsing window, you then get a different “id”. This “id” sticks until you close all private browsing windows – i.e it is not a per PB window setting but a per PB session.

      There is also this (and I have yet to test anything) … an “HSTS Preload” setting which is in the new beta linked above in my last comment. It is:
      // 1219: disable HSTS preload list
      user_pref(“network.stricttransportsecurity.preloadlist”, false);

      Additionally, there also this active ticket as part of the tor uplift, and Jonathan Hao has powered through related bugs to get to this one and its looks like it will wrap soon. This may also have an effect. We’ll have to wait and see.
      // 1200’s: Isolate the HSTS and HPKP cache by first party domain
      // https://bugzilla.mozilla.org/show_bug.cgi?id=1323644

      1. earthling said on February 3, 2017 at 12:51 pm

        ‘the “id” doesn’t persist between firefox instances’ – Doesn’t it act like a super-cookie? Maybe the testsite doesn’t do it that way but I think it’s definitely possible.

      2. earthling said on February 2, 2017 at 5:01 pm

        ‘I think I’ll try to get the latest preload list and then make it read-only.’
        sooo, more fake news from me today! Damn, it never stops!

        It looks like the preload list is hardcoded into FF (and chrome) and the SiteSecurityServiceState.txt has nothing to do with it.
        I think this is it: //dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsSTSPreloadList.inc

        At least I can stand behind my opinion that we should discard 1219. I think there are only Pros and no Cons in terms of the ‘network.stricttransportsecurity.preloadlist’

      3. Pants said on February 2, 2017 at 4:55 pm

        “if users either have the txt-file write-protected or cleared on shutdown.” – the “id” doesn’t persist between firefox instances, closing firefox does the same job as clearing the txt file and clearing site preferences.

      4. Pants said on February 2, 2017 at 4:46 pm

        Its all a bit over my head, but I’m inclined to agree to remove the 1219 pref (hsts preload). security should trump here, and the preload whatever is in it would surely be well known domains (i.e common targets like gmail, f*book, amazon etc). Where do you get the list from? I also doubt not loading it would change that “id”, and besides, there are HSTS tickets which may fix all this, some are already marked fixed, but not landed. I blame all this on Tom – he brought it up.

      5. earthling said on February 2, 2017 at 4:38 pm

        From looking at the HSTS Preload site (//hstspreload.org/), IMO that’s a 100% bulletproof protection because the requirements to be included effectively prevent the shenanigans that the radicalresearch testsite does.
        Namely ‘The includeSubDomains directive must be specified.’ and ‘you must support HTTPS for the www subdomain if a DNS record for that subdomain exists.’
        So IMHO 1219 should be discarded. It’s useless anyway if users either have the txt-file write-protected or cleared on shutdown.
        I think I’ll try to get the latest preload list and then make it read-only.
        That’s perhaps the best approach atm.

      6. earthling said on February 2, 2017 at 4:02 pm

        At least Firefox did something to slightly mitigate the problem (maybe the others did too in the meantime):
        “Unlike Google Chrome, Firefox has chosen to prefer privacy over security and no longer carries HSTS over to private windows.”

      7. earthling said on February 2, 2017 at 3:59 pm

        I found what you referred to:
        OK, you were right, I’m the Fake News now ;) But I had to allow JS for dozens of subdomains for the trick to work, and the trick only works when used on a http site because otherwise the mixed-content blocking would prevent it. I didn’t consider that it could/would be done from a http site.
        Sorry guys, I admit it, I spread fake news :(
        We’ll have to wait and see if isolating the cache will mitigate this problem.
        Until then we would need to periodically check the SiteSecurityServiceState.txt for a bunch of entries of subdomains without an entry for the main domain.
        Since MITM shouldn’t be such a big problem for most of us anyway and fingerprinting definitely is, I think I will reconsider my decision to start using HSTS (ie. not clear siteSettings on shutdown) until those problems are addressed.

      8. Pants said on February 2, 2017 at 3:20 pm

        That’s why I put “id” in quotes .. when I said it out loud I used air quotes, true story.

        That’s what this is all about, so objections can be raised, more info added, values changed, items removed/added, items commented out

        Also, line 83 also needs fixing :)

      9. earthling said on February 2, 2017 at 2:51 pm

        Oh wow, now that’s what I call a promotion!
        Ladies and Gentlemen, please welcome the Vice President of the United Sexists of Ghacks *applause*
        Thank you, thank you, thank you – now shut up and sit down! YOU – FAKE NEWS!!

        Dude, what are you talking about? Which “id”? Yes, the parsed header information is kept in memory and written to SiteSecurityServiceState.txt when FF closes. There’s no id in HSTS.

        The first “problem” they list only works when mixed-content isn’t blocked. The second problem (cookies) may be a problem with HSTS (yes it’s probably not perfect yet) but would also be a problem without HSTS.
        So I don’t see how that could be used as an argument against HSTS.

        Re: “HSTS Preload” – Its a list maintained by Chrome, and it’s also mentioned on the page linked above, and here under limitations:
        That list makes sense IMHO for users who want to use HSTS. It prevents MITM for the very first access to a site in that list, which would otherwise not be protected.

        ps. it will take me a while to go over your final pastebin, but don’t worry, I grabbed a copy and will get back to you when I’m done with it ;)

  71. Pants said on February 1, 2017 at 9:28 pm

    * version: 0.11 FINAL BETA REVIEW : The [White?] House of the Rising Pants
    * “My mother was a tailor, she sewed my new blue pants”

    – pastebin expires in 7 days.
    – I have included a v11 changelog at the end just for this pastebin to help you all
    – No excuses for not noticing new prefs. I want testing and feedback. Typos, spelling mistakes, missing warnings, stuff that needs to be explained better, whatever.

    AltSrv already done: https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-4094004

    I already commented out FPI. Did that about 2 days into using 51. See my comment here https://www.ghacks.net/2017/01/24/firefox-51-find-out-what-is-new/#comment-4106551 . FPI is a mess.

    network.captive-portal-service.enabled – you won’t see it in the final beta review I just dumped on pastebin, but I have now added this as live under 0603a:
    user_pref(“network.captive-portal-service.enabled”, false); // (FF52+?)

    oneOffSearches – what do u want me to do. As far as I am concerned, we already kill auto suggestions for history/search etc and items displayed and the dropdown can’t even display. The setting in the user.js is false. Its dead Jim. Problem solved (for this user.js).

    1. earthling said on February 2, 2017 at 2:55 pm

      network.http.altsvc – I checked your last beta (date: 08 Jan 2017) and it wasn’t in there thus my comment

      oneOffSearches – Was just a general FYI for everyone. I enabled it to see if I like it but it didn’t work at all and I had to know why. I don’t have the dropdown disabled and forgot that you do, so yeah.. this doesn’t affect you at all then.

      ps. I created a bugzilla account – can you find me? xD
      I think I already found yours, (Mod: name protection kicking in) . (?)

  72. earthling said on February 1, 2017 at 5:50 pm

    @Pants, while casually looking through mozilla-central’s firefox.js I noticed this…
    // Enable captive portal detection.
    pref(“network.captive-portal-service.enabled”, true);
    Looks like this is coming soon (either 52 or 53: //bugzilla.mozilla.org/show_bug.cgi?id=1313706), and since we already clear ‘captivedetect.canonicalURL’ we may as well already set that other pref to false for your next release version IMO.

    1. Pants said on February 1, 2017 at 9:50 pm

      ” while casually looking through mozilla-central’s firefox.js ” … I think u need help buddy xD

  73. earthling said on February 1, 2017 at 5:28 pm

    @Pants, if you haven’t already done so, I’d urge you to include and disable HTTP Alternative-Services ie. ‘network.http.altsvc.*’ for your next version.

    Also, unfortunately, there are still too many open bugs in ‘firstparty.isolate’ for my taste, so I’ll have to abstain for now from using it just yet.
    //bugzilla.mozilla.org/show_bug.cgi?id=1299996 ( [META] Support Tor first-party isolation )

  74. earthling said on February 1, 2017 at 5:15 pm

    FYI ‘privacy.firstparty.isolate’;true crashes your tab if you enter any ‘illegal’ url characters in the urlbar and press enter (things like * ” etc)

  75. earthling said on February 1, 2017 at 4:51 pm

    FYI the ‘oneOffSearches’ feature doesn’t work atm when ‘keyword.enabled’ is set to false :(

  76. Tom Hawack said on January 31, 2017 at 7:23 pm

    user_pref(“network.stricttransportsecurity.preloadlist”, false); // Default = false

    Well, integration does include mistakes :)

    Moreover I didn’t conceive this setting for what it was. Corrected.

    Merci beaucoup, Pants.

    1. Pants said on January 31, 2017 at 8:10 pm

      Sheesh Tom, are you on acid or something? network.stricttransportsecurity.preloadlist is DEFAULT true

      Scroll up a few comments, where I corrected the OTHER one for you as well:
      security.mixed_content.use_hsts is DEFAULT false

      I think you mistook the first pref in that comment with the second one – they are different prefs

      PS: Keep smoking that pipe brother.

      1. Tom Hawack said on January 31, 2017 at 8:35 pm

        I simply copy/pasted the wrong setting when answering your January 31, 2017 at 6:37 pm # comment, all is ok in my user.js file :

        user_pref(“security.mixed_content.use_hsts”, false); // Default = false
        user_pref(“network.stricttransportsecurity.preloadlist”, false); // default = true

        I’ve been sharing this thread with several other occupations, obviously too much in a hurry.
        Thanks for correcting, especially for other users who could get it wrong. All is fine here.

  77. earthling said on January 31, 2017 at 5:45 pm

    Pants: “Maybe someone else can work it out.”
    Pants: “Waiting on earthling to get his shit together with that HSTS Priming”

    Okay, okay, I see things clearly now! xD
    “someone” is done for today

    1. Tom Hawack said on January 31, 2017 at 6:05 pm

      Stand up and fight (you’re in the army now) LOL

  78. earthling said on January 31, 2017 at 5:29 pm

    Oh boy! So I took a look at the new mixed-content prefs and TL;DR: I will enforce both prefs to false in my user.js, and I already block *all* mixed-content.

    Some explanations of what HSTS Priming does (from the patch’s author):

    IMO the new prefs are considered “a new security feature” by the patch author, but I don’t see any “security” improvements at all. It’s a convenience thing at best and potentially a new fingerprinting vector at worst.
    It helps to unblock some resources that would otherwise be blocked by mixed-content blocking. (see links above)
    I tried so see if I can get the HEAD request (which in itself seems to cause some problems) on a page that has a HSTS entry in my cache file but it never sent one.
    I tried it on this page: h t t p s ://people.mozilla.com/~mkelly/mixed_test.html
    It may be the case that it only sends the HEAD request if the resource is not a document but an image or css or whatnot. I couldn’t find another test-page to get to see one of those HEAD requests.

    The “caching for 24h part” could IMHO be a problem for TBB, so I checked the latest TBB but they don’t have those 2 new prefs yet AND curious enough they don’t even block mixed-content at all! Not even with the security level set to High?!

    Some interesting statements from the patch author:
    “Mixed-content blocking may prevent some sites from moving from HTTP to HTTPS. In order to help sites opportunistically move to HTTPS, we introduce the concept of HSTS Priming.”

    “More exploratory testing would be helpful as not many sites are expected to be able to take advantage of HSTS priming today.”

    “The server we create can’t handle the priming HEAD requests” (from one of the mozilla tests) – lol


    HSTS Priming can also cause a shitload of additional requests, when all I really want is block mixed-content!

    Ps: the “super-cookie” HSTS fingerprinting doesn’t work when you block all mixed-content, and you still get the benefits of HSTS.

    DAMN, and here I was, thinking I could get a bunch of prefs off my back today! 2 whole prefs done!
    Thanks Pants and anonymous! :)

    1. Tom Hawack said on January 31, 2017 at 6:03 pm

      I’ve set,
      // diasble HSTS Priming
      user_pref(“security.mixed_content.send_hsts_priming”, false); // Default = true
      user_pref(“security.mixed_content.use_hsts”, false); // Default = true

      because I’ve blocked SiteSecurityServiceState.txt (0bytes, read-only) and that I use HTTPSEverywhere.
      Hence, as well,

      // disable HSTS preload list
      user_pref(“network.stricttransportsecurity.preloadlist”, false);

      Anyway I have,
      // user_pref(“security.mixed_content.block_display_content”, true); // Toggle Mixed Display Content -> KEEP USERS CHOICE

      That is, I block Mixed Content Display and toggle it if required with FF ‘Toggle Mixed Display Content’ add-on’s toolbar button.

      1. Pants said on January 31, 2017 at 6:37 pm

        FYI: security.mixed_content.use_hsts is default false (in FF51)

        // 1219: disable HSTS preload list
        user_pref(“network.stricttransportsecurity.preloadlist”, false);

        I searched for mUsePreloadList – read the bits in green underneath that link. There is no HSTS master switch AFAIK, and to be honest, this preload list might be sites I never visit, IDK. I have stuck it in and will await the security experts screaming at me :)

    2. Pants said on January 31, 2017 at 6:01 pm

      Thanks earthling (so glad you investigated it and not me!! hehe) .. I agree .. turn this feature off – too many connects for some possible extra content (which if I read it right is still https) – i.e some previously mixed content may now load. Personally I allow mixed passive (images etc) but block active (js etc)

      “Mixed-content blocking may prevent some sites from moving from HTTP to HTTPS. In order to help sites opportunistically move to HTTPS, we introduce the concept of HSTS Priming”
      ^^ while I can see mozilla’s side of trying to help the web migrate and be user convenient (I too think the pref will do SFA for end users), I think I would rather both FF and Chrome just start sticking up red warnings and alarms for non HTTPS sites and mixed content (except ghacks of course!, we know Martin is trying to overcome that hurdle – someone needs to MAKE all the advertising networks go https).

      // moved & renumbered 2609+2610 as 1216+1217 (these are the mixed active and passive prefs)
      // 1218: disable HSTS Priming (FF51+)
      // RISKS: formerly blocked mixed-content may load, may cause noticeable delays eg requests
      // time out, requests may not be handled well by servers, possible fingerprinting
      // https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145
      user_pref(“security.mixed_content.send_hsts_priming”, false);
      user_pref(“security.mixed_content.use_hsts”, false);

      Meanwhile, while you did 2 prefs .. I covered almost 80 tonight – cleaned up a lot of Ainatar’s suggestions. Most were deprecated, but picked up a couple. Also finished off the diff-dumpie. So almost ready for a final vet.

      1. Pants said on January 31, 2017 at 7:36 pm

        “That bugzilla was a mess!” — hehehe .. that’s WHY I delegated it to you in my oh so subtle manner. Excellent management skillz :)

      2. earthling said on January 31, 2017 at 6:41 pm

        “which if I read it right is still https” – I think they try to send a HTTPS HEAD request for every HTTP resource (if some conditions are met), and that will stand out in most servers logfiles like a black guy at a KKK meeting

        “Meanwhile, while you did 2 prefs .. I covered almost 80 tonight” – I was just joking of course, but I just didn’t expect that it would take me that long to check 2 prefs. That bugzilla was a mess!
        Appreciate the work you did in the meantime and I look forward to seeing your new version.

        “Also finished off the diff-dumpie” – That’s awesome, will take a lot of things off my list.

  79. Pants said on January 31, 2017 at 2:51 pm

    Quote: Tom Hawack January 31, 2017 at 12:10 pm #

    “Don’t you guys think it would be a good thing to ask Martin to open a ‘Comprehensive list of Firefox and Security Settings – 2″ because this page with over 700 comments is getting heavy.”

    Up to Martin. I think the comments and links in comments etc is making this a very high-profile page in search results. Why kill it off? But yeah .. getting rather big in terms of comments. Just imagine in a years time when we’re into FF 57 and even all the ESR versions of that. With version 11, I can see us cracking a 1000.

    Am almost done. Waiting on earthling to get his shit together with that HSTS Priming and I’ll dump a paste for final vetting

    1. Tom Hawack said on January 31, 2017 at 5:56 pm

      A second page with a link to the first, this one…
      Anyway there is definitely an advantage in having the whole story in one chapter.
      Remains the Guiness Book of Records.

  80. unregistered said on January 30, 2017 at 11:34 pm

    I know that Firefox can sometimes reset user preferences when upgrading, https://www.ghacks.net/2016/12/05/beware-firefox-updates-may-reset-preferences/, but can Firefox, or web sites, do so unrelated to upgrading?

    I had backed up my preferences file before version 51 and again after the upgrade and there was no changes checking the preferences at that time. The following day I noticed that two preferences were reset back to default.

    The two preferences were dom.push.enabled and dom.serviceworkers.enabled from false to true.

    1. earthling said on January 31, 2017 at 2:24 pm

      I don’t think websites can change preferences in your config unless there’s a severe unknown vulnerability in FF.
      I’m not aware that Firefox just randomly changes preferences outside of upgrades.
      If those 2 prefs you listed changed suddenly then I’d suspect that one or more of your addons have caused it.
      Or you have an error in your user.js and the values you intended for those prefs never actually got applied.

      1. earthling said on January 31, 2017 at 9:35 pm

        “copying is not stealing” – indeed ;) And you didn’t even steal it anyway, I had offered it to you.

        OMG, Pants, we gotta stop or everyone who will ever read this shit will think we are truly one and the same batshit-fucking-crazy person! xD
        AND now you put in a reference to the white house, ROFL! OMG! hahaha! WTF!
        If only we were american, that house could be ours now!! xD

      2. Tom Hawack said on January 31, 2017 at 8:45 pm

        If you say so, Pants! I had in mind that a debate between two users (that was before your answer) regarding the ownership of what is basically a simple good-sense little trick was in a way inconsistent because, being so basic, anyone could have found it.

        So you and Earthling are one? Who cares? But I admire even more the work it must represent. Good for your brains (cannot say both this time!).

        No evidence IMO, but I would have been asked, before your coming-out, I would have answered “maybe”.
        I’ll keep that answer because yours hasn’t truly convinced me °_°

      3. earthling said on January 31, 2017 at 8:27 pm

        Yeah, that’s a weird theory. From the link you posted earlier:

        That ghacks page causes people no end of headaches. Or maybe they’re
        all the same person, “protecting privacy” by posting with a different
        name each time. (I keep a list of the names, in case the NSA ever
        needs it. ;)

        LOL, what a waste of time that would be …

      4. earthling said on January 31, 2017 at 8:23 pm

        Wow, how incredibly fitting that you bring up Einstein, arguably one of the most famous alleged plagiarist in recent human history. xD

      5. Pants said on January 31, 2017 at 8:15 pm

        Wait … I have the answer … apparently we’re the same person. This theory has been postulated a number of times now. So earthling === Pants. So we, I mean I, came up with the idea, and by me, I mean you .. or us.

        [now that’ll really mess with Tom’s head]

      6. Tom Hawack said on January 31, 2017 at 7:57 pm

        It’s handy but at the same time it’s not E-mc^2 … I mean handy and so good sense at the root that presumably many have had, have and will always have this comparison trick in mind. Not to underestimate your skills, gentlemen.

      7. Pants said on January 31, 2017 at 7:35 pm

        Awww … Do you want a hug bro? :) OK, I remember that ever so vaguely maybe, but what I do remember really strongly was the use of canaries – see https://groups.google.com/d/topic/mozilla.support.firefox/0j4J_JoolQQ – way down the comments, admittedly dated AFTER yours, this one on 14th April:
        “Make the first line of your user.js
        user_pref(“00-user.js-canary”, “canary dead due to syntax error in user.js”);
        and make the last line
        user_pref(“00-user.js-canary”, “canary lives — user.js was read to the end”);”

        And in fact, these are the exact comments suggested to 12bytes (copypasta’d) by me. So it is entirely plausible (and highly likely) that the same workaround was achieved from different sources/inspiration/perspiration.

        Also, copying is not stealing. If I did take it from you, I left you the original. :D

      8. earthling said on January 31, 2017 at 7:29 pm

        True story:
        That’s actually one of my alter-ego’s which I posted when I switched from Opera 12 to Firefox back then, and because he didn’t reply and the comment section only had 5 comments at that point, I decided to post my stuff here in your awesome article because you had a lot more comments and you yourself replied to users comments fairly often. And you’re stuck with me ever since xD

      9. earthling said on January 31, 2017 at 7:12 pm

        Correction: it wasn’t a year prior, that was actually the date of this article, but still – it was in March 2016, so yeah still months before you stole my idea and claimed internet karma for it yourself xD
        You better hand me the white house soon, or I’ll be pissed!

      10. earthling said on January 31, 2017 at 6:55 pm

        JUL-2016 huh?
        “I actually read about this somewhere else, maybe a troubleshooting reddit sub-thread of some sort” – nah bro, was likely right here, and one year prior too maybe? …


        I read all the available user.js sites back then and nobody had it until I suggested it to you right here on ghacks. Don’t mean to sound cocky, but brah!, this was totally my idea brah! ;)

        quote me: “History is always written by the winners” :finger: xD

      11. Tom Hawack said on January 31, 2017 at 6:53 pm

        You’re a poet, Pants. As for me, I guess my ego is too small to bear itself at every user.js syntax check.

        One thing we didn’t mention is of course not to mistake in the syntax when writing,

        user_pref(“pants.testing”, 100);

        user_pref(“pants.testing”, 999);

        Imagine searching the whole list when the only mistake would be, i.e. user.pref(“pants.testing”, 100);

        Those things happen. Even with a copy/paste if the original was incorrect. Be careful.

      12. Pants said on January 31, 2017 at 6:22 pm

        – quote earthling: “”as recommended to 12bytes” – excuse me??!! I’m pretty sure that whole shabang was my idea originally?! xD” . See http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs#revision-history and scroll down to JUL-2016
        – quote me: “History is always written by the winners” :finger: xD

        in reality: I actually read about this somewhere else, maybe a troubleshooting reddit sub-thread of some sort, and did it myself because I actually had a syntax issue of my own (read 12bytes comments way back). It’s not even unique, I remember using this sort of stuff for debugging my own code back before Tom was a twinkle.

        Besides, I have a higher honor for you .. you’ll see, and when you do, you’ll go .. screw that recognition for the parrot, this is better :) .. who needs FAKE NEWS when you can have the white house (reference applicable to upcoming version)

        Yes Tom, you could use anything – text or integer. – https://en.wikipedia.org/wiki/Tom,_Tom,_the_Piper's_Son
        user_pref(“ghacks_user.js.tomtom”, “Tom saw a cross fellow was beating an ass, heavy laden with pots, pans, dishes, and glass”);

        user_pref(“ghacks_user.js.tomtom”, “He took out his pipe and he played them a tune, and the poor donkey’s load was lightened full soon”

        What more could you want? Your own rhyme, an ass, and a pipe.

      13. Tom Hawack said on January 31, 2017 at 5:53 pm

        You mean, Pants, that pants.testing is a variable? Why change? I could fit in a pseudo I was thinkin’ about, Yearling, so young, far from the Earth’s old age …

        user_pref(“yearling.life”, “bla”);

        user_pref(“yearling.life.”, “blabla”);

        But it would be a variable as well. Algebra is life, heavens are geometry. I prefer geometry!

      14. earthling said on January 31, 2017 at 5:35 pm

        “Helps to repair, i.e. a forgotten ‘user_'” – no, no Tom, I wish it did! ;)

      15. earthling said on January 31, 2017 at 5:34 pm

        “as recommended to 12bytes” – excuse me??!! I’m pretty sure that whole shabang was my idea originally?! xD

      16. Tom Hawack said on January 31, 2017 at 4:33 pm

        I meant editing the user.js file had to be done once Firefox closed. I should rather have written that Firefox needs to be restarted because the user.js file can be edited whenever and; indeed, once restarted the settings will be applied … on startup. I did mention to start Firefox afterwards.

        Reminds me school °_°

        Anyway, handy. Helps to repair, i.e. a forgotten ‘user_’
        Smile, you’re on candid camera 8D

      17. earthling said on January 31, 2017 at 4:23 pm

        “once Firefox closed of course” – you should see 9999 right after FF started; the prefs are applied on startup.

      18. Pants said on January 31, 2017 at 2:59 pm

        Tom, Tom, Tom .. dear Tom … my silly boy .. it’s been the Monty Python parrot for the last 6 months (canaries? who wants f**kin canaries when you can have a parrot?!!)

        // START: internal custom pref to test for syntax errors
        user_pref(“ghacks_user.js.parrot”, “This parrot is no more! He has ceased to be! This is an ex-parrot!”);

        // END: internal custom pref to test for syntax errors
        user_pref(“ghacks_user.js.parrot”, “No no he’s not dead, he’s, he’s restin’! Remarkable bird, the Norwegian Blue”);

        However, as recommended to 12bytes, you can modify this value throughout your user.js (eg at the start or end of each section) to help automagically pinpoint a syntax error. eg

        user_pref(“ghacks_user.js.syntaxcheck”, “Starting 0100”);
        user_pref(“ghacks_user.js.syntaxcheck”, “Starting 0200”);

        user_pref(“ghacks_user.js.syntaxcheck”, “Success. 100% Complete”);

      19. Tom Hawack said on January 31, 2017 at 2:50 pm

        For those of us who ignore this “trick” (part of Pants’ user.js files), in order to be sure you haven’t faulted with a syntax error, and once Firefox closed of course,

        Before the first setting, add:
        user_pref(“pants.testing”, 100);

        After the last setting, add:
        user_pref(“pants.testing”, 9999);

        Start Firefox, go to about:config, type pants.testing and if the displayed value is 100 then you’ve got a syntax mistake in your settings. If you have neither 100 nor 9999 then you’ve got an alien among your relatives °_°

    2. Tom Hawack said on January 31, 2017 at 11:27 am

      I guess you’re aware that the very purpose of this article/thread is to emphasize on the user.js file which will always keep your settings when prefs.js (bot to be edited in principle) may be modified by a Firefox update.

      Regarding the settings you mention, all is already in pants’ user.js file which is the purpose of this article. On this very topic regarding Firefox Service Workers, I’ve concatenated settings into one group and modified maybe one or two values from my experience. Include that in a user.js file (created by you) in your Firefox profile and whatever the new Firefox version these settings will remain intact (Firefox integrates them at every start) :

      // disable workers API and service workers API – WARNING: WILL break sites as this gains traction -> ENABLE?
      user_pref(“dom.workers.enabled”, true); // REQUIRED BY GOOGLE STREET VIEW
      user_pref(“dom.serviceWorkers.enabled”, false);
      // disable SharedWorkers (SharedWorker violates first party isolation)
      user_pref(“dom.workers.sharedWorkers.enabled”, false);
      // disable service workers cache and cache storage
      user_pref(“dom.caches.enabled”, false);
      // disable push notifications – push requires serviceWorkers to be enabled
      user_pref(“dom.push.enabled”, false);
      user_pref(“dom.push.connection.enabled”, false);
      user_pref(“dom.push.serverURL”, “”);
      user_pref(“dom.push.udp.wakeupEnabled”, false);
      user_pref(“dom.push.userAgentID”, “”);
      // disable web/push notifications
      user_pref(“dom.webnotifications.enabled”, false);
      user_pref(“dom.webnotifications.serviceworker.enabled”, false);

      1. Tom Hawack said on January 31, 2017 at 1:21 pm

        // user_pref(“dom.push.udp.wakeupEnabled”, false); // deprecated in FF49
        OK, thanks, Pants!

        About user.js-version-0.11 beta, the last one I integrated to mine was bohemian_pants. I do say “integrated” because I always have to do things my way! I don’t copy/paste the entire content nor rename a given this.user.js to the user.js file in my profile, I rather read the introduction of your great user.js whatever codename, Pants, read what is new, removed (that’s also quite a nicely achieved part of your work) and start working on, understanding those settings, eventually integrating them in my personal organization of the sections. Not that I do better but because when several tags can apply to a setting the very tag (section) is correlated to our way of moving around our data … just to find my way more easily.

        Codenames? “Play With Me” (Extremes) -> Play_With_Pants ? °_°
        I just love that song.

      2. Pants said on January 31, 2017 at 11:46 am

        // user_pref(“dom.push.udp.wakeupEnabled”, false);
        deprecated in FF49

        Also, if you see comment https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-4086673 .. you will notice the pastebin version (don’t use it, it has a syntax typo I think from memory) from Jan 7 (codename Pants Konami) has a “Now with Tom’s special section 2300” .. which is Service Workers, and I have to admit, begrudgingly, that mine is sexier.

        We are well past “Pants Konami” and into “The House of the Rising Pants”. Previously retired versions include “Pants Oddity/Space Pants”, “Born to be Pants”, and “Pants Rhapsody” .. if you have a special rock anthem, let me know :)

  81. earthling said on January 30, 2017 at 3:55 pm

    The two new ‘security.mixed_content.*’ prefs are in my list to investigate but I didn’t have time yet to do so, and I don’t have any spare time today either, but I’ll probably do some research tomorrow and will let you know what I found.

  82. Anonymous said on January 29, 2017 at 9:48 pm

    Should the new security.mixed_content.send_hsts_priming be left as the default true or changed to false?

    I noticed that a site that requires Flash added an entry to the ‘SiteSecurityServiceState’ file from Adobe after the Firefox 51 upgrade when it never did so before. Is that a beneficial HSTS entry or no user benefit so change that setting to false?

    1. Tom Hawack said on January 31, 2017 at 12:17 am

      An interesting article on HSTS Priming, including an explanation of security.mixed_content.send_hsts_priming
      and security.mixed_content.use_hsts : https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0088.html

      If the user has blocked his SiteSecurityServiceState.txt (0byte, Read-only) I don’t see the need to have these two settings set to true… first impression.

    2. Pants said on January 30, 2017 at 5:30 am

      I don’t know the answer right now. I need to check out what it does. Maybe someone else can work it out.
      // 2600’s: HSTS Priming
      // https://lists.w3.org/Archives/Public/public-webappsec/2016Sep/0088.html
      // security.mixed_content.send_hsts_priming
      // security.mixed_content.use_hsts

  83. earthling said on January 27, 2017 at 5:16 pm

    I just noticed that ‘webgl.dxgl.enabled’ and ‘webgl.enable-webgl2’ still default to false in my now updated main FF (v51.0.1)
    Perhaps because we already have WebGL disabled in every possible way, idk?!
    I don’t see a change in https://hg.mozilla.org/mozilla-central/filelog/1e0e193b0812f68a12fbd69198552af62347af1e/modules/libpref/init/all.js that would explain why those are not set to true as they clearly should be.
    Hell, I don’t have a fucking clue what’s happening anymore!
    I guess that’s how the human-genome guys must feel all the time xD

    1. Ainatar said on January 27, 2017 at 7:12 pm

      I’m on 51.0.1 and I have ‘webgl.dxgl.enabled’ and ‘webgl.enable-webgl2’ set to true as default, and I didn’t touched anything. I have ‘webgl.disabled’ set to true on my user.js D:

      1. earthling said on January 28, 2017 at 6:19 pm

        fo shizzle my nizzle

      2. Pants said on January 28, 2017 at 1:53 pm

        sticky is always good .. I mean, who doesn’t like sticky?

      3. earthling said on January 28, 2017 at 1:36 pm

        Thanks guys, I figured out what the problem was.
        I had copied those 2 prefs from my diff into my user.js and forgot to prepend ‘user_’!
        My assumption was that shouldn’t work but it does. I blame mozillazine xD

        “A valid preference entry always begins with user_pref and always ends with a semi-colon;”

        “All preferences files may call pref(), user_pref() and sticky_pref(), while the config file in addition may call lockPref().”

        sticky_pref is interesting for people who use different channels with the same profile.

      4. Pants said on January 28, 2017 at 7:02 am

        I’m the same as Ainatar. Haven’t touched them, they are both set as true as default. And webgl.disabled = true via user.js for years.

  84. earthling said on January 27, 2017 at 3:07 pm

    “that last one, filed today by Arthur, is starting to scare me a little” – I think I would much prefer to have one or more prefs for every single feature bundled behind privacy.resistFingerprinting, and privacy.resistFingerprinting just toggling all of them on/off. That way we could just look at the observer code for privacy.resistFingerprinting to keep track of new features. And it would perhaps make it possible to opt-out of certain things. Like atm anyone who doesn’t know how to properly deal with enabling privacy.resistFingerprinting will just make himself more unique (because of the window sizes). Might as well rename that pref to privacy.enableFingerprinting! It’s an all-or-nothing approach atm and I’m not sure that’s the best way to go. But it would obviously need to be implemented in a way that just having resistFingerprinting;true in user.js wouldn’t re-enable every feature on every FF start. Maybe privacy.resistFingerprinting would need to be turned into an integer-pref with 3 possible values: 0=force-disable, 1=force-enable, 2=do-nothing (ie keep all the features prefs as is)

  85. earthling said on January 27, 2017 at 2:43 pm

    The country faces numerous challenges. Important sociopolitical issues includes widespread poverty, pervasive corruption, lack of political freedoms, low human development, and a high rate of hunger.
    Cambodia also faces environmental destruction as an imminent problem.

  86. earthling said on January 27, 2017 at 2:39 pm

    Thanks for the update on privacy.resistFingerprinting. But dude, all those tickets are currently assigned to ‘Nobody; OK to take it and work on it’ – I don’t expect much progress from those 2 guys!
    Those two also have a shitload of tickets assigned to them, and the second guy, possibly a Cambodian, probably has more serious problems at home to solve, than to care much about some bugzilla tickets!

  87. Pants said on January 26, 2017 at 5:05 pm

    This privacy.resistFingerprinting is beefing up .. but that last one, filed today by Arthur, is starting to scare me a little (wonder how that’s going to work exactly with user.js expectations). It’s also funny that a few days after I mention an old bug leaking TTS engines, Arthur sticks up disabling WebSpeech API. And @earthling: yeah, so remember our discussion on spoofing window resolutions … you may find 1330882 interesting

    // 2699-append: use UTC timezone (spoof as UTC 0)
    // https://bugzilla.mozilla.org/show_bug.cgi?id=1330890
    // 2699-append: new window sizes to round to hundreds
    // Note: override values, future may enforce a select set of (inner) window measurements
    // If override values are too big, the code falls back and determines it for you
    // https://bugzilla.mozilla.org/show_bug.cgi?id=1330882
    // user_pref(“privacy.window.maxInnerWidth”, 1366);
    // user_pref(“privacy.window.maxInnerHeight” 768);
    // 2699-append: disable WebSpeech API
    // https://bugzilla.mozilla.org/show_bug.cgi?id=1333641
    // 2699-append: spoof Navigator API
    // https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
    // 2699-append: set and enforce various prefs with privacy.resistFingerprinting
    // https://bugzilla.mozilla.org/show_bug.cgi?id=1333933

  88. earthling said on January 26, 2017 at 3:51 pm

    We should probably enforce pref(“network.proxy.autoconfig_url.include_path”, false); because that’s the fix for …

    CVE-2017-5384: Information disclosure via Proxy Auto-Config (PAC)

    // Strip off paths when sending URLs to PAC scripts
    see here: https://bugzilla.mozilla.org/show_bug.cgi?id=1255474
    and here: https://hg.mozilla.org/releases/mozilla-aurora/rev/5139b0dd7acc

  89. earthling said on January 26, 2017 at 3:30 pm

    Aaaand here we go again….

    CVE-2017-5380: A potential use-after-free found through fuzzing during DOM manipulation of SVG content.

    Also the second time in a row now that there’s a critical bug in Skia, whatever that is!

    CVE-2017-5389: WebExtensions can install additional add-ons via modified host requests
    At least WebExtensions can still do SOMETHING?!?! And …
    CVE-2017-5386: WebExtension scripts can use the data: protocol to affect pages loaded by other web extensions using this protocol, leading to potential data disclosure or privilege escalation in affected extensions.

    Good stuff! lol


    CVE-2017-5383: Location bar spoofing with unicode characters — I guess this explains the change to network.IDN.blacklist_chars, but I can’t be sure because all I get is “Access Denied”!

  90. earthling said on January 25, 2017 at 4:46 pm

    Lol, nvm, all my code is 100% correct and it’s just my editor that can’t display some of those very exotic blacklisted characters. xD
    I’ll just add that pref to my ignore-list as well, because I don’t think we should ever touch that pref anyway.

  91. earthling said on January 25, 2017 at 4:26 pm

    Turns out my script handles Unicode correctly and it’s my addon that doesn’t properly write the output file although I already had some convert-to-utf stuff in there, but I must have done it wrong or it gets lost somewhere.
    Classic case of 80-20. You can do 80% of the work in 20% of the time but to get the remaining 20% of work done requires 80% additional time.

    I recently tried to convert my addon to WebExtension but unfortunately WebExtension addons don’t get access to global prefs anymore, at least at the moment. I don’t know if that’s ever gonna change though, so I’ll might have to find another way to create the diffs, maybe extracting the omni.ja’s and parse all the settings.js files, but that will result in less accurate diffs because some prefs get written by other JS code and are not in any of the settings.js files.

    Beginning to lose faith in mozilla and starting to hate WebExtensions more and more. It’s only the second time I tried to do something with WebExtensions and both times it didn’t support what I needed! Really hate the direction this is going!

  92. earthling said on January 25, 2017 at 3:10 pm

    Ok, next time I’ll have to adjust the URL so we don’t have to wait for Martin to check and publish my comment.
    It should already be up, but here is the link again in a hopefully non-intrusive way that will get my comment published immediately:


  93. earthling said on January 25, 2017 at 2:54 pm

    I added ‘media.getusermedia.screensharing.allowed_domains’ to my script’s ignore-list, because that seems to change with every version, is a shit long value and we have already covered it in the user.js by setting it to empty string.
    My script will still let me know if and when that pref ever gets removed, so we should be Gucci.
    ‘network.IDN.blacklist_chars’ also changed in FF51 but I removed it from the diff because it has a lot of unicode characters that frankly I didn’t account for in my diff-script, and we shouldn’t tamper with that pref anyway IMO. I’ll have to see that I make my script Unicode-compatible.
    But for the sake of getting this diff out there asap so you can start working on the new article, I simply removed it instead of trying to fix it for now.
    FYI I also left part of the header in there this time to give you an idea about the total number of prefs in FF.

    1. Pants said on January 26, 2017 at 4:43 pm

      user_pref(” occurs 435 times currently in “House of the Rising Pants” .. that’s everything from section 0100 to 3000 inclusive. So no deprecated, no custom parrot, no palemoon, no to investigate. Just straight up live preferences. Firefox seems to ship with around 3000 prefs, and we have 435 of them right here .. man, sometimes this feels like mapping the human genome

      Thanks for the diff dumpie.

      Also, always remember to wrap your exploits in an SVG, because that way you get two holes for the price of one, and who doesn’t like that!

      1. earthling said on January 27, 2017 at 2:52 pm

        I exclusively “exploit” the two-hole types – everything else is just nasty xD

  94. earthling said on January 25, 2017 at 2:49 pm

    diffs between FF prefs 50.0 and 51.0: http://pasted.co/6c14b044

  95. Pants said on January 25, 2017 at 8:28 am

    OK .. got my portable updated to 51. Lost all my active logins (all five of them, boo!), had to login again. But all else so far seems fine. One extensions broke (that I know of) – password tags. Its was “unknown” for e10s compliance and I guess I could ditch it. We’ll see what happens. I’m not e10s yet. I have 53 extensions, 29 are compatible, a few should be either shimmed or they are non content items that shouldn’t break. About 5 I could live without.

    Moved three items to deprecated, added a few things. Awaiting earthlings diff-dump. And then when a pastebin final has been reviewed we’ll do another article and update – but only if Tom doesn’t describe it as “just fine”.

    Get ready for “version: 0.11 : The House of the Rising Pants”
    (no Martin .. no dropping pants here buddy, the pants stay on :) )

    1. Tom Hawack said on January 31, 2017 at 12:10 pm

      ‘The House of the Rising Pants’ will be just great, Pants °_°

      Don’t you guys think it would be a good thing to ask Martin to open a ‘Comprehensive list of Firefox and Security Settings – 2″ because this page with over 700 comments is getting heavy.

      Heavy, but alive.

  96. earthling said on January 19, 2017 at 4:14 pm

    *expect* instead of *except* – damn, wish I could blame auto-correct for that one ;)

  97. Pants said on January 18, 2017 at 7:35 am

    hmmm .. a 2 year old tor ticket (fingerprinting) with recent activity .. access denied to bugzilla details … something to do with printers maybe .. the mind boggles: https://trac.torproject.org/projects/tor/ticket/14390
    ^^ Earthling .. sort it out quick stat buddy

    1. earthling said on January 19, 2017 at 3:36 pm

      Yeeeah, I don’t know what you except me to do. Hack into the bugzilla and while I’m at it why not make a couple millions by creating and selling some 0days?
      I don’t have a printer connected to my machine so I couldn’t care less about printer fingerprinting anyway.
      I’m much more concerned with issues like this: https://insert-script.blogspot.ch/2016/12/firefox-svg-cross-domain-cookie.html
      Man, fuck those SVG’s. I stopped counting the bugs and exploits that were possible thanks to that retarded SVG format. Looks like FF53 will finally give us an option to disable that shitty format (at least in-content?). We’ll see how good a solution that turns out to be. I’m sure the next SVG exploit is just around the corner even with that new pref.
      Why the fuck would an image format support setting a damn cookie is beyond me!

      1. Pants said on January 19, 2017 at 4:59 pm

        Ditto on the printer, don’t have one “installed” or attached or wifi’d or blue-toothed etc to, but it may not be related to that exactly – it might mean “printers” listed in yur devices – but probably not since it’s under wraps. I was just intrigued, since its under wraps but is fairly old. And yes .. share those zero days buddy.

        Yup .. can’t wait to block SVGs. If you want to reduce the attack surface, analyze the CVE’s and get rid of the biggest offenders.

        PS: cookies/dom etc .. I would like to see each domain use it’s own cookie jar (and dom jar?), so you can have 30 google cookies given to you if you visit 30 different domains (eg 30 google analytics cookies as 3rd party), and none of them can talk to each other. I haven’t exactly read up on this, but I assume FPI does some of this. Personally I don’t really care about cookies or dom since all but about 9 domains and their dom now are blocked (and I don’t allow any of those 9 to talk to each other because those 9 sites never XSS).

        PPS: If you follow some of the meta bugs, you can scope out a lot of related tickets. How about this one: https://bugzilla.mozilla.org/show_bug.cgi?id=1315203 (history.length cross domain leaks) or even old ones like this: https://bugzilla.mozilla.org/show_bug.cgi?id=1233846 (webspeech API leaks TTS engines). There are others I haven’t listed anywhere, but makes for exciting reading when bored – just find a tor or fingerprint or security meta bug and browse away.

  98. Pants said on January 17, 2017 at 10:14 am

    @Ainatar re: drop down menus ( https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-4051073 )

    See: https://bugzilla.mozilla.org/show_bug.cgi?id=1320801
    This is now resolved fixed. Looks like it will be in FF53, maybe FF52

    1. Ainatar said on January 17, 2017 at 4:51 pm

      Good news finally! :D Thanks for the info Pants!

  99. earthling said on January 16, 2017 at 3:51 pm


    regarding deprecated prefs, I like that you move them to a special section but some of them might still be used in the latest ESR release. Maybe it would be better to not comment them out, or only after they are confirmed deprecated in ESR too. Too much work? Whaddaya think?

    1. Pants said on January 16, 2017 at 5:42 pm

      Nah .. anyone using ESR can easily just read the when deprecated numbers in the deprecated section and un-comment anything they still want. Besides, I’m gonna need more numbers available :) .. so the faster I get stuff out, the sooner I can reuse their spot if needed – 2600’s is getting pretty full … still have 999 prefs left to check

  100. Pants said on January 14, 2017 at 5:57 pm

    Man … my list of things to do is so long

    Got round to adding this (apologies Parker Lewis)
    // 2666: disable HTTP Alternative Services
    // https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3970881
    user_pref(“network.http.altsvc.enabled”, false);
    user_pref(“network.http.altsvc.oe”, false);

    @Earthling .. do you want to check the pref values and number it for me for these scope settings, maybe word it better
    // lock down allowed extension directories
    // https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
    user_pref(“extensions.enabledScopes”, 1); // (hidden pref)
    user_pref(“extensions.autoDisableScopes”, 15)

    @Earthling .. should we add this. If so, please number and pretty it up for me, cheers
    // http://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676
    user_pref(“devtools.chrome.enabled”, false);

    1. earthling said on January 16, 2017 at 3:18 pm

      IMO they both fit best under 2600, maybe the Scope ones under 3000.
      Those are all “expert” prefs so I don’t think they need a lot of info. Everyone who has ever used the devtools pref will likely know what it does (more or less) and for everyone else it just re-enforces the default value anyway.
      For the scopes prefs I would simply create an archived version of the article and add both links as comments.
      // https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
      // (archived: http://archive.is/DYjAM)

      Btw. I noticed that 2421 slows down FF (startup) considerably. In my case my startup time went down from ~14secs to 4secs after enabling both prefs. And I don’t even have that many addons installed. The prefs disable 2 of the JS compilers when set to false and I think you won’t get the benefits of all the pre-compiled JS files (in omni.ja’s + startupCache for example) without them.
      Since I think it’s pretty hard to find a vulnerability in one of those JS compilers AND find a way to exploit them, and because I block JS for websites by default anyway, I prefer the faster speed over security in this case.
      Most of the JS that get a lot of speed improvements are all the files that are part of FF and in some cases addons.
      F.e. before, when I changed a rule in uBlock FF would freeze for a while, but with both compilers enabled the changes are applied immediately.
      Also, the link under 2421 points to https://bugzilla.mozilla.org/show_bug.cgi?id=1145255 and that was a problem in asm.js (ie. 2420) and not for 2421.


      1. Pants said on January 19, 2017 at 3:44 pm

        if anyone copies and pastes that from above, I left the ; off the end of the pref line for “extensions.autoDisableScopes”

        I only picked it up when I checked my config parrot, so sorry about that

      2. Pants said on January 16, 2017 at 7:48 pm

        roger roger, over

        // 2667: disable various developer tools in browser context
        // Devtools>Advanced Settings>Enable browser chrome and add-on debugging toolboxes
        // http://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676
        ^^ reworded

        2421: reworded it, you can check it out at a later date


      3. earthling said on January 16, 2017 at 6:23 pm

        ‘did I word that OK?’ – I certainly don’t understand that sentence.
        The checkbox in the devtools Advanced settings reads “Enable browser chrome and add-on debugging toolboxes”. I think the added command line in the console is just one part of that pref.
        So why not reuse the same sentence, f.e. “Force disable ‘browser chrome and add-on debugging toolboxes'”
        Perhaps add a sentence that it can be found under “Devtools > Toolbox Options > Advanced Settings”

        ‘will block the system addons’ – unfortunately they changed that because they rely on the default theme being available which is also in that folder. I mentioned it in some of my earlier posts:
        So I think 1 is a good value, effectively the same as 5 anyway. (ATM!)

        *possible* – It *definitely* adds extra security to disable the JS compilers, so I would remove that word or write it differently. “Performance gains outweigh extra security” or something like that perhaps.

      4. Pants said on January 16, 2017 at 5:33 pm

        2421 .. yup, looks like I copypasta’d the same link from 2420, so I took it out. I have also commented the two prefs out and reset mine, and also noticed a bit of a startup boost. I’m pretty heavy on the visual elements (flagfox, some foxclocks, status bar, scrapbook X with loads of crap, quite a few icons on status bar, a quick launch toolbar for uber common sites and a dirty big-ass speed dial etc) … so my startup wasn’t improved as much. I’ve gone to near instantly showing up, but it takes 6 or 8 seconds to fill everything in. Still, a marked improvement from 12-14 seconds.

        // 2667: tighten console (devtools) chrome prvileged JS to browser context
        // http://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676
        user_pref(“devtools.chrome.enabled”, false);
        ^^ did I word that OK?

        // 2668: lock down allowed extension directories
        // https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
        // (archived: http://archive.is/DYjAM)
        user_pref(“extensions.enabledScopes”, 1); // (hidden pref)
        user_pref(“extensions.autoDisableScopes”, 15)
        ^^ interesting .. I wonder if enabledScopes at 1 (locking to current profile only) will block the system addons (which would be an application scope).. maybe 5 might be better (that is 1 profile + 4 application).

        // 2421: in addition to 2420, these settings will help harden JS against exploits such as CVE-2015-0817
        // https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0817
        // WARNING: update Jan-2017 *possible* extra security does not warrant performance loss
        // user_pref(“javascript.options.ion”, false);
        // user_pref(“javascript.options.baselinejit”, false);
        ^^ removed lines and that link, shortened text, changed warning etc

        Thanks earthling .. excellent stuff. Only 999 more prefs to go…

  101. grauenwölfe said on January 12, 2017 at 6:10 am

    Thanks Earthling, I’ll look for privacy.firstparty.isolate in a few weeks then.

  102. grauenwölfe said on January 11, 2017 at 4:19 am

    Pants & Co.,

    Thanks for the updated version, always anticipated and appreciated.

    Quick question, there were two entries that didn’t appear in about:config and they weren’t marked as hidden or for future releases.

    0301: app.update.service.enabled
    2661: privacy.firstparty.isolate

    Are these hidden, and just need to be created or are they for upcoming releases? I don’t know why that aren’t existing unless they are Windows OS specific. Using FF 50.1.0 on macOS 10.12.2.

    1. earthling said on January 11, 2017 at 4:45 pm

      ‘app.update.service.enabled’ is only created if the maintenance update service is installed…
      I’m not 100% sure but I think that service is only installed optionally in Windows.

      ‘privacy.firstparty.isolate’ according to the bugzilla (https://bugzilla.mozilla.org/show_bug.cgi?id=1260931) and one of the final commits (https://hg.mozilla.org/integration/mozilla-inbound/rev/d173cefba1e1) will be added in FF51.
      Pants has been using it for a while now but I’m not sure that’s to be recommended because that feature wasn’t fully implemented and likely not quite ready yet in versions before FF51. But Pants is generally very bleeding edge :)
      She already enabled TLS1.3 support even though that protocol specification is still in development.

      I love the new groupings under 9998. Much more readable and easier to keep track. Great job as usual. Thanks!

  103. Just me said on January 7, 2017 at 5:24 pm

    Happy New Year everyone! Thanks for the new beta, Pants :) 25 new prefs for me.

    1. user_pref(“privacy.trackingprotection.ui.enabled”, true); – please remove the blank space at the end.
    2. user_pref(“security.tls.version.max”, 4); – is this pref actively protecting us or it’s for completeness only?

    1. Pants said on January 8, 2017 at 2:37 am

      Happy New Year Just me …
      I added the max version pref in 1209 which with the min version sets your entire TLS scope.
      eg min=2 and max=3 means you would only ever accept TLS 1.1 & 1.2

      I added max because its default is 3 (in FF50) and by setting it to 4 it allows you to accept TLS 1.3. No idea exactly how widespread 1.3 is being used, and at the end of the day, we can reply on Mozilla to control the upper bounds, the real pref for security is the minimum value. That said, it’s added more for completeness than anything else.

  104. Longtime Lurker said on January 7, 2017 at 10:58 am

    A very BIG Thanks to all involved and certainly Pants specifically – not a task I would like to try (or be able) to upkeep !

    My head spins from just *looking* at the list, nevermind trying to maintain it.

    Happy New Year

    1. Pants said on January 7, 2017 at 3:07 pm

      Looking at the new few FF release notes and the state of the Tor Uplift, I don’t think much more will come out in the next 2 versions. And since the above list is now over 6 months old, I might as well paste a latest version (set to never expire)

      * version: 0.11 BETA : Pants Konami
      * “Up, Up, Pants, Pants, Left, Right, Left, Right, B, A, Start..”

      ^^ Now with Tom’s special section 2300

  105. earthling said on December 30, 2016 at 5:08 pm

    Happy New Year guys! A big thank you to you as well Pants!
    Glad I could contribute with a few inputs here and there.

  106. Pants said on December 30, 2016 at 7:29 am

    Happy New Year guys (and ladies!!). Rest assured, I have not been sleeping .. keeping tabs on all the TOR uplift tickets and making a few changes … the thing is nothing has happened .. even pyllyukko hasn’t had a commit for since Nov 8th

    Just rest assured, I am on the case … and always check this article for new comments on a daily basis

    Earthling and ALL others … thanks for all your help and comments, much appreciated .. two heads are better than one for sure… I appreciate it more than you will know, and 2017 will be a monumental upheaval in terms of FF .. we can do it. I can only see it getting more secure and more options for privacy/tracking. Truck on brothers and sisters …

  107. Pants said on December 16, 2016 at 4:51 am


    Interesting info from a fingerprinting perspective (let’s just say that you cannot hide your browser model from the truly determined – eg feature detection) .. the top 2 resolutions for FF are 1366x768px (~33%) and 1920x1080px (~17%).

    While FF may collect such telemetry data, I wonder exactly how many more of these metrics can be determined. GPU model? Number of cores? CPU (Intel, AMD)? CPU speeds? Memory?

  108. Anonymous said on December 7, 2016 at 4:51 am

    “network.http.sendSecureXSiteReferrer” when set to false breaks the ability to play videos on Google Drive.

    1. Ainatar said on December 7, 2016 at 3:58 pm

      It also broke some other pages for me. I have it set to true since months.

  109. Drop down menus said on November 28, 2016 at 3:54 am

    I am not sure but I think it is a combination of multi-process being enabled and the privacy.resistFingerprinting True setting. I thought I checked that setting before the previous post but now when I set that to False, the drop down menus seem to work again.

    1. Ainatar said on December 7, 2016 at 3:56 pm

      I have found that deactivating all the preferences related to multi-process makes drop down menus to work fine again (having privacy.resistFingerprinting set to true). The reason? Who knows, maybe another preference that interferes with the multiprocess is the real cause.

  110. Drop down menus said on November 26, 2016 at 11:31 pm


    Re: https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3934501

    Did you ever find the culprit for your issue that you started to describe with that post and the conversation that follows up until July 9th (drop down menus not working correctly on sites but fine in the Firefox UI)?

    I started to experience the same issue after Firefox 50 but only after Noscript updated to The issue was not present with Firefox 50 and Noscript Since Noscript wasn’t around in July when you noticed the issue, my guess is that it has something to do with e10s and/or the mult-process thing Firefox started in 50 as Noscript enabled that for me but didn’t. It started immediately after Noscript updated to (and loading sites seems buggier/delayed in general also). It does appear to me that the font is either different or fuzzier in the drop down menus also (but only the drop down menus as everything else is fine).

    Though I can’t figure it out, I am guessing it is either some preference in general or in combination with Noscript or maybe adblock plus. I don’t use Pants’ user.js as is but manually set some preferences based on it. Any chance one can help me troubleshoot potential settings to check? My comfort level on these things is limited but I can test about:config preferences with no issues. Any way to sort Pants’ user.js by preference name so that I could easily compare that list versus the ones listed as user set in my about:config? Would that help in case I have any that differ that may be causing the issue or is it some setting I have the interacts with Noscript/Adblock Plus that others don’t have?

    Here are some I thought might be possible causes. I have already tried indexedDB, dom.storage and resistfingerprinting individually (not all at once, one at a time) to no avail.

    browser.cache.memory.enable false (Pants is true)
    dom.caches.enabled false
    dom.workers.enabled true (Pants is false)
    dom.serviceWorkers.enabled false
    webgl.disabled true

    1. Tom Hawack said on December 3, 2016 at 12:20 pm

      dom.workers.enabled (default=true) when set to false blocks Google Maps -> Google Street View BUT Google Maps seems unaffected, In Google Street View setting dom.workers.enabled set to false blocks image rotation.

    2. Ainatar said on November 28, 2016 at 12:19 am

      I still have the same issue. I don’t use NoScript, I use Ublock Origin and others, but even after disabling all of them to see if it have something to do with e10s, drop down menus still don’t work. Maybe, altough having them disabled, one or more preferences are still applied on about:config, I don’t know. I will keep searching for a solution.

  111. earthling said on November 21, 2016 at 4:15 pm

    Jacob Applebaum: To Protect And Infect, Part 2 [30c3]

  112. Anonymous said on November 21, 2016 at 1:50 am

    “RE: Flash and resistFingerprinting — https://www.fxsitecompat.com/en-CA/docs/2016/navigator-plugins-and-navigator-mimetypes-no-longer-list-flash-when-it-s-click-to-activate/

    I am not very bright so please forgive what is likely an obtuse question. With privacy.resistFingerprinting set to True and Flash set to always activate (under Add-ons -> Plugins -> Flash -> Always Activate) I still get the unrecognized Flash Player installed notice on Flash content. Setting privacy.resistFingerprinting to False allows it to work as mentioned again.

    Is that supposed to be the case the same as the way that link states “Starting with Firefox 50, Adobe Flash Player will be hidden from the navigator.plugins and navigator.mimeTypes properties when the plug-in has been set to click-to-activate.” when Flash Player is set to always activate?

    I got confused because it read to me as specifically mentioning when Flash is set to click to activate rather than no matter what it is set to which is how it seems to function for me.

    1. earthling said on November 21, 2016 at 1:52 pm

      “it read to me as specifically mentioning when Flash is set to click to activate” – That was my take on it too, but as I said above I’m not sure if that link actually helped with the resistFingerprinting pref set to true.
      I don’t have Flash and therefore couldn’t test it myself, but I thought maybe it helps to set Flash to always activate.
      Thank you for clarifying that it clearly doesn’t help.

  113. Pants said on November 20, 2016 at 11:55 pm

    * date: 21 Nov 2016
    * version: 0.11 BETA : Born to Be Pants
    * “Get your pants runnin’. Head out on the highway. Lookin’ for adventure. And whatever comes our way.”

    ~Diffs from A Horse with No Pants
    =moved to deprecated
    0308 – plugin notification
    1202 – rc4 ciphers
    1809 – plugin update url

    0402 – kinto blocklists
    0410b – added 2 FF49 prefs ( *safebrowsing.downloads.remote.block* )
    1215 – MS family safety cert
    2665 – webchannel

    1820 + 1825 – GMP and widevine, cleaned it up and got round to uncommenting them
    2025 – turned on media.wmf.enabled so now the youtube HTML5 test is all blue ticks
    ^^ eartling, I included sections 2024+2025 because webm used to be disabled by default and it annoyed me, and I dunno, people dump so many prefs at me .. seemed like a good idea at the time, fits in under MEDIA nicely, dunno, just shoot me now.

    I also had two section 9998’s so fixed that as well.

    1. earthling said on November 21, 2016 at 3:07 pm

      I would maybe clarify that wmf.enabled is only necessary for Windows, for everyone who maybe doesn’t know what WMF stands for. You never replied to some of my earlier posts, so I’m glad to see that those helped fix your HTML5 test page problems. ;)
      Personally, I couldn’t convince myself to enable 2661 just yet. It still seems unfinished to me.
      2663 will land in FF51, not FF50.

      2024+2025 – It could be a potential security risk enforcing all the codecs to enabled, but since you disabled the more “exotic” formats it’s probably fine. I’ll just let YOU help everyone who posts about having media playback problems xD — no need to shoot you for that^^
      I only gave you my 2 cents and you seemed kinda salty about it – but hey, we’re all just human.

      Other than that I’d say ‘version: 0.11 BETA : Born to Be Pants’ gets an ‘Approved by earthling’ :)

      Have a nice day, everyone!

  114. Pants said on November 20, 2016 at 11:31 pm

    earthling: services.blocklist.update_enabled << https://wiki.mozilla.org/Firefox/Kinto

    "Currently the blocklist system relies on a big XML file that is downloaded every day. It contains block entries for certificates to be revoked, addons and plugins to be disabled, and gfx environments that cause problems or crashes."

    revoked certs (when transition is completed), are we sure we want to disable updates for this?

    The collection for OneCRL entries is certificates
    The collection for Add-ons entries is addons
    The collection for Plugins entries is plugins
    The collection for Gfx entries is gfx

    I'm inclined to not include the gfx, plugins blanking prefs and the certs pref (*onecrl.collection) should never be changed, and I guess leaving add-ons pref alone is not a bad idea because, eg malicous code changes eg WoT.

    But where is the master switch for this – I guess it's still going to be 0401: extensions.blocklist.enabled – the only change is the delivery mechanism

    Imma gonna post another pastebin, because I have just added heaps. All those deprecated items u listed, added kinto, added 2 prefs from 49 ( *downloads.remote.block_dangerous* ), added the kinto stuff, added security.family_safety.mode, added webchannels etc. Might as well all get on the same page. .. Pastebin to follow

    1. earthling said on November 21, 2016 at 2:20 pm

      “are we sure we want to disable updates for this?” – sorry, maybe my post wasn’t very clear….
      In my own user.js I added the following two, enforcing both to be always ‘true’
      user_pref(“services.blocklist.signing.enforced”, true);
      user_pref(“services.blocklist.update_enabled”, true);
      … as well as adding ‘services.blocklist.plugins.collection’ and ‘services.blocklist.gfx.collection’ to empty string.
      I think you did a really great job with 0402! If anything, maybe also enforce the 2 prefs above to ‘true’, just because we wanna make sure the non-cleared lists will get updated.

      “But where is the master switch for this” – that’s a really good question that didn’t even occur to me.
      I just assumed that ‘services.blocklist.update_enabled’ will replace ‘extensions.blocklist.enabled’.
      I can take a diff with FF51beta and see if the ‘extensions.blocklist.*’ prefs get removed and also do a bit of DXR-ing to see if I can find something.

    1. Tom Hawack said on November 20, 2016 at 6:58 pm

      Nice find. Wow, you’re the champion tonight!

      1. earthling said on November 21, 2016 at 3:30 pm

        Hey Tom,

        Thank you very much for that last paragraph! I appreciate it a lot mate!

      2. Tom Hawack said on November 20, 2016 at 7:49 pm

        It does help, earthling, it helps because it gives a context to the
        // user_pref(“privacy.resistFingerprinting”, true); // (hidden pref)
        setting which prevents sites from recognizing installed Flash when set to ‘true’

        I had not one plug-in until I re-installed the Flash plug-in (plug-in only, not the activeX) because a handful only of sites I cherish still don’t run HTML5, and I really hesitated. Now I have to deal with it, hence your link is useful.

        I always joke but when I say I appreciate I don’t joke no more. Really, if you knew how much I’ve got to understand, and modify consequently, some of the so numerous FF settings thanks to your comments together with those of Pants’, you’d be surprised. And I’m far from being the only one, escpeaciialy in consideration of the number of users who never comment. Frankly, this is great.

      3. earthling said on November 20, 2016 at 7:26 pm

        I don’t know if it helps because I don’t go anywhere near Flash, but I thought I’d share it anyway.

  115. earthling said on November 20, 2016 at 5:42 pm

    a few more…
    new in v50.0:
    // The supported values of this pref are:
    // 0: disable detecting Family Safety mode and importing the root
    // 1: only attempt to detect Family Safety mode (don’t import the root)
    // 2: detect Family Safety mode and import the root (default in FF50)
    // (This is only relevant to Windows 8.1)
    pref(“security.family_safety.mode”, 2); // set to 0 in user.js

    ‘webchannel.allowObject.urlWhitelist’ — I set this to empty string

    removed in v50.0:
    pref(“browser.safebrowsing.forbiddenURIs.enabled”, false);
    pref(“security.ssl3.ecdhe_ecdsa_rc4_128_sha”, true);
    pref(“security.ssl3.ecdhe_rsa_rc4_128_sha”, true);
    pref(“security.ssl3.rsa_rc4_128_md5”, true);
    pref(“security.ssl3.rsa_rc4_128_sha”, true);
    pref(“plugins.update.notifyUser”, false);

    They also now started using kinto for the blocklists…
    pref(“services.blocklist.signing.enforced”, true); // prev: false
    pref(“services.blocklist.update_enabled”, true); // prev: false

    I’ve set ‘services.blocklist.plugins.collection’ and ‘services.blocklist.gfx.collection’ to empty string to disable those 2 blocklists, because I don’t have any plugins and HW-accel disabled.

    1. Tom Hawack said on November 20, 2016 at 6:17 pm

      Thanks, earthling.

      I’m just puzzled with the four RC4 CIPHERS which indeed have been removed (resetting those four that I had set to ‘false’ returned an empty value) : have they been removed or hidden only? Because if they’re hidden I’d have no reason to remove them from my user.js file …

      ‘services.blocklist.plugins.collection’ and ‘services.blocklist.gfx.collection’ : good to have the settings’ names corresponding to the brand new blocklists.

      FF 50.0 is quite a new version …

      1. Tom Hawack said on November 20, 2016 at 6:56 pm

        “a few secs of ixquicking Tom, just sayin’ … ;)”

        I don’t ixquick, I Searx.me :)
        OK, OK … I relied on you, I’ve been lazy. No one is perfect, not even me!

        The beat goes on!

      2. earthling said on November 20, 2016 at 6:35 pm

        You’re welcome, Tom.

        Re: RC4 — https://www.fxsitecompat.com/en-CA/docs/2016/rc4-support-has-been-completely-removed/

        a few secs of ixquicking Tom, just sayin’ … ;)

  116. Pants said on November 20, 2016 at 5:48 am

    * date: 20 Nov 2016
    * version: 0.11 BETA : A Horse with No Pants
    * “I’ve been through the desert on a horse with no pants. It felt good to be out of the rain.”

    http://pastebin.com/Gzm7gQ1Q (expires in 2 weeks)

    1. Tom Hawack said on November 20, 2016 at 10:12 am

      From space_pants_oddity to a_horse_with_no_pants, a pants’ odyssey :)

      Two other settings which I believe are new with Firefox 50.0 :

      together with the three you already mentioned above :

      By the way, I’m wondering if modifying safebrowsing provider related settings has much sense if browser.safebrowsing.enabled has been set to false …

  117. Pants said on November 20, 2016 at 5:08 am

    Those 3 new google4 URL prefs. I sammiched them into the 0410’s .. the previous prefs still exist, so not sure exactly what the difference is in terms of how mozilla uses them

    – added to 0410c
    user_pref(“browser.safebrowsing.provider.google4.updateURL”, “”); // FF50+
    user_pref(“browser.safebrowsing.provider.google4.gethashURL”, “”); // FF50+

    -added to 0410f
    user_pref(“browser.safebrowsing.provider.google4.reportURL”, “”); // FF50+

  118. Pants said on November 20, 2016 at 4:28 am
  119. Pants said on November 20, 2016 at 4:17 am

    If you allow Safe Browsing, then when you get a Safe Browser warning, there is, in little text, in the bottom right corner, a link for “Ignore this warning”, which then let’s you bypass (for the session) that site being blocked. As a way for admins to enforce safe browsing blocks (eg thru a lock pref), the following pref was added, which I’ve wedgied into the 0410’s section

    // 0410g: show=true or hide=false the ‘ignore this warning’ on Safe Browsing warnings which
    // when clicked bypasses the block for that session. This is a means for admins to enforce SB
    // https://bugzilla.mozilla.org/show_bug.cgi?id=1226490
    // test: http://www.itisatrap.org/firefox/unwanted.html
    // user_pref(“browser.safebrowsing.allowOverride”, true);

    Thus meaning naughty students couldn’t self-inflict dirty porn on themselves, unless the school IT admin hadn’t been properly bribed

  120. Pants said on November 20, 2016 at 3:02 am

    If you check version 11 beta code at http://pastebin.com/sW3H1xKU (expires in 21 more days)
    – see // 0410a
    user_pref(“browser.safebrowsing.enabled”, false); // FF49 and earlier
    user_pref(“browser.safebrowsing.phishing.enabled”, false); // FF50 and later
    – see 0336: browser.selfsupport.enabled has been around for a while
    – see 2022: media.getusermedia.browser.enabled pretty sure it too has been around for a while
    – see 0101: startup.homepage_welcome_url.additional also set as blank in the user.js

    I will scope out the *provider.google4* prefs and the Override (default is true) and post back

  121. Guest said on November 19, 2016 at 9:38 pm

    privacy.resistFingerprinting set to True now blocks Flash Player from being recognized and must be set to False in order to watch any Flash content. Huge thanks to Tom for figuring it out at https://www.ghacks.net/2016/11/15/firefox-50/#comment-4032625

    As earthling post above lists (very helpful seeing th changes between releases, thanks for sharing). 3 new preferences for safebrowsing..


    A couple changes in 50.

    browser.safebrowsing.enabled has disappeared. Is that deprecated or is now a hidden preference?
    startup.homepage_welcome_url.additional is now listed as blank as default.

    Newly created in 50.


    browser.safebrowsing.allowOverride. Is this one to set as true or false?

  122. earthling said on November 18, 2016 at 7:27 pm

    more specifically https://w3c.github.io/webappsec/specs/referrer-policy/#referrer-policy-delivery-referrer-attribute

    “Referer logging is used to allow websites and web servers to identify where people are visiting them from, for promotional or statistical purposes”
    If I was in charge I would get rid of the referrer header completely instead of extending it’s use.

    From the first link: “A policy delivered via a referrer attribute on an element takes precedence over the policy defined for the whole document via CSP or a meta element.”
    I suspect this means that f.e. uMatrix’s referrer spoofing would get overridden and result in less leak-protection.

    In general the whole development behind this pref probably serves a good purpose (see section 1 of the first link) ie giving website authors better control over it, but from a user perspective I think it’s probably best to keep the control in your own hands, disable the new pref and use something like uMatrix or any other addon of your choice to control the referrer header.

    I could be totally wrong about this though and all of the above is just based on a quick research and without any testing. Maybe it would be best to ask the author of uMatrix on his opinion in this matter.

  123. Guest said on November 17, 2016 at 10:09 pm

    Thanks earthling.

    network.http.enablePerElementReferrer;true – Is that better off being changed to false?

    Martin. If you are reading this to approve. A reply I posted as Guest on November 16th never appeared. Was it lost or still pending? Thanks.

  124. earthling said on November 17, 2016 at 2:11 pm

    Fuck pastebin’s captcha protection!

    FF50 pref changes: http://pasted.co/735c5b67

  125. Jay Wooble said on November 16, 2016 at 9:18 am

    Hi guys, thanks for all the work on this. Can anyone tell me how I can enable comments to load ? For example, the comments on youtube never load. I use to noscript, but even when I fully allow, comments still do not load, so it looks like its something in the user.js. Thanks in advance to anyone who can answer this.

    1. Pants said on November 16, 2016 at 4:37 pm

      If I remember rightly (and this was 9 months or so ago so something may have changed), first of all you need to allow dom storage and cookies (neither of which are set in the user.js – instead I recommended using add-ons for more granular control).

      see comment: https://www.ghacks.net/2016/01/04/the-firefox-privacy-and-security-list-has-been-updated/#comment-3821438

      I’ll have a play later to see if I can load comments and what it takes

    2. earthling said on November 16, 2016 at 2:29 pm

      Hi Jay, for youtube comments to load you need to allow cookies for http://www.youtube.com on http://www.youtube.com.
      So if you don’t block anything else I would start looking there, mainly 2701 but also check the whole 2700 section.

      1. earthling said on November 16, 2016 at 6:07 pm

        You can also only allow cookies for youtube.com by changing the site preferences for that domain only, but that would require some other pref changes to make it permanent. ie. ‘privacy.clearOnShutdown.siteSettings’, ‘privacy.cpd.siteSettings’ (but both are set to ‘false’ already by Pants, just in case you changed those)

      2. earthling said on November 16, 2016 at 5:59 pm

        ghacks automatically added the ‘http’ part to the domains I listed.
        In uMatrix I have the line ‘w w w.youtube.com w w w.youtube.com cookie allow’ without the spaces.
        (hopefully ghacks publishing won’t mess with this format)
        Obviously I’m using https when accessing youtube.
        If you don’t control cookies any more than what’s set in the user.js, the domain and whether it’s http or https won’t matter at all. Just allow cookies with 2701 (0 or 1 for the value, I’d recommend 1) and if you want, remove them automatically when FF closes with prefs under 2803 + 2804.
        Let us know if that fixes your problem.

  126. Lazerbeef said on November 16, 2016 at 3:00 am

    Been using the ‘Reset’ method for a while. It’s tedious, just thought there may be a global way to check and clear them out but that link helps takes care of it. Super useful, thanks!

    “(hidden pref)” can be mildly confusing on OS X since some entries just don’t exist for Mac. Examples being; “plugin.scan.plid.all” and “gfx.direct2d.disabled” to name a few. Have to figure out if it’s meant to be nonexistent for OS X or actually a “(hidden pref)”. Whatevs, not a big of a deal.

  127. Lazerbeef said on November 12, 2016 at 11:21 pm

    Pants: “Here is a NEW pastebin: code name: Pants Rhapsody : http://pastebin.com/sW3H1xKU


    Is there way to check globally for any removed pref. entries? I know they’re ignored but there’s an obsessive, and maybe even a little compulsive side to me, like some weird of disorder or something, and it makes me focus on things like obsolete entries hanging around. Only way I know to check is resetting the pref. and seeing if the “Value” column is blank or not.

    !Muchas gracias Señora Pantalones y mi Amigos¡

    1. Pants said on November 13, 2016 at 12:03 pm

      If you reset a preference and the value is null (and it’s no longer in bold), and you restart FF and the preference has vanished from about:config – that does not mean that it is deprecated. Some preferences are “hidden”.

      Use this link ( https://dxr.mozilla.org/mozilla-central/source/ ) and search for example, for geo.wifi.logging.enabled . In a brand spanking new vanilla Firefox, this value will not show in about:config. But as you can see, it does indeed exist and is used in code.

      All preferences that are hidden have been marked with a commented out “(hidden pref)” at the end of the line. There are 22 of them so far.

  128. earthling said on November 12, 2016 at 5:48 pm

    This is the bug where they removed the prefs for History API push/pop/replaceState:
    “These prefs don’t even work properly, and they can break Web content in
    pretty bad ways for the users who have them set.”
    No real way to verify that claim but I guess we’ll have to trust them.

    And this is the one I saw that mentioned “media.mediasource.webm.enabled” but it only seems to be a problem on FF for Android…

  129. P1ssy Pants said on November 12, 2016 at 4:04 pm

    Is there a file i can download for this

  130. earthling said on November 12, 2016 at 3:47 pm

    I know that nobody except for me cares about console errors, but for those it may concern, a better, shorter and more correct way for “data:text/plain,” is “data:,” which prevents some console errors because it defaults to text/plain but with a charset US-ASCII set, while the former doesn’t specify a charset at all. If you want to enforce text/plain and not rely on the default not being changed ‘data:text/plain;charset=US-ASCII,’ is the most explicit way.

  131. earthling said on November 12, 2016 at 3:22 pm

    Why did you comment out 1820 btw?

    1. Pants said on November 12, 2016 at 7:02 pm

      Feel free to do it for me and post the results. I have a post-it note on my desk to deal with it. I moved everything into it from “to investigate” but ran out of time to add links and work out exactly what each one does etc.

      The HTML5 test link (thanks for the typo fix) – I want to actually explain what prefs turn on/off what results there. I used to be all blue ticks, but now H.264 and MSIE & H.264 are red. Kinda annoys (and confuses me) with all this GMP, EME, CDM, widevine, DRM.
      ^^Martin: THIS would be a great article. Link to https://www.youtube.com/html5 and overview/explain what prefs turn this on off for various browsers and the implications.

      PS: I allowed webm from personal choice. I almost never use it except for one site, which to be honest I haven’t been to for at least 3 months now.

      1. earthling said on November 12, 2016 at 9:14 pm

        Pants, you once responded that you wanted to keep your user.js to QuietFox/Security/Privacy etc prefs only or mostly, so I don’t understand why you want to even include 2024 + 2025.
        I would either move them to a personal section or keep them under MEDIA but set them all to disabled/false, and maybe also comment them out, for people who want to disable MEDIA stuff completely.
        HW-accel has an impact too and it’s different for every OS as far as I understand.
        On linux you need different settings and plugins (I think ffmpeg gets used), and afaik there are still some problems with HW-accel on linux, while on Windows you need windows-media-foundation stuff for H.264, etc.
        IMHO it only creates a lot of problems messing with the default values that mozilla sets for each version and OS, and I don’t see a real benefit security/privacy-wise apart from completely disabling everything.
        Just my 2cents

      2. earthling said on November 12, 2016 at 8:36 pm

        As for all the GMP, EME, CDM, widevine, DRM shit, I have everything disabled or removed.
        My gmp profile-folder is empty apart from an empty subfolder.
        gmp-gmpopenh264 is only for WebRTC stuff afaik.
        EME and/or widevine might be required for DRM protected stuff, like netflix maybe.

        Youtube works purely on HTML5 here but I think I mostly or exclusively get webm encoded videos (video/webm; codecs=”vp9″) no matter the resolution, probably because I don’t have hw-accel enabled.
        But I can play mp4 videos directly, fe. https://fat.gfycat.com/WideeyedAccurateFeline.mp4
        And I have all 5 .webm. prefs in FF49.0.2 set to default.

      3. earthling said on November 12, 2016 at 8:16 pm

        You need ‘media.wmf.enabled’ true on Windows for H.264 I think.
        All blue for me.

        ‘media.webm.enabled’ false – disables both WebM ticks
        remaining ‘.webm.’ prefs – no effect at all on ticks

        ‘media.mediasource.mp4.enabled’ false – red tick for MSE & H.264
        ‘media.mp4.enabled’ false – red ticks for both H.264

        ‘media.mediasource.enabled’ – red ticks for the bottom 3 MSE

  132. Conker said on November 12, 2016 at 3:16 pm

    I m lost there a rough estimate to a release date for a new user.js? Ive been out of the loop for a while now. Schooling/women and work and new video games have taken over my life now.

    1. Pants said on November 12, 2016 at 6:46 pm

      Schooling wimmins? .. I see … There is never a new date and never a guaranteed next release. But I might whip one out in the New Year. Meanwhile, the paste-bin dumps should keep all your regulars happy :)

  133. earthling said on November 12, 2016 at 3:08 pm

    Missing posts, well that sucks. Looks like a sign to me to speed up your github project creation ;)
    Nice work as usual – thx for that.
    – I read something about being cautious with enabling ‘media.mediasource.webm.enabled’. Will need to try to find it again.
    Personally I will keep all the prefs under 2024 + 2025 on their default values, and rely on Mozilla enabling/disabling them when they consider them ready or not.
    – Am really curious as to why they removed history manipulation as I said earlier. Will try to find the bugzilla where they changed that.
    – ‘extensions.hideSystemAddons’ is a nice find I wasn’t aware of, but I delete the ones I don’t want anyway, so not too useful for me.
    – ‘browser.safebrowsing.forbiddenURIs’ doesn’t exist anymore in FF50beta, most likely in FF50 release too – we’ll see on Tuesday.
    – Small typo in //* 05: Other –> MTML5 (or just a new IT abbreviation I’ve never heard about?!)
    – ‘it leaves current windows/tabs open, but launches a new window’ – that’s not happening for me, maybe one of your 200 addons is interfering or something? xD

    I’ve created a preliminary diff between 49.0.2 and 50beta to start working on the new prefs, but I think will wait till sometime next week when 50 will be released before posting my results. It looks like there will be around 120 pref-changes.

    Any news on your github page status or plans to release the next non-beta user.js?

    Have a nice weekend

  134. Pants said on November 12, 2016 at 1:23 am

    I have some posts missing for some reason .. earthling, yes I confirmed 1840 is not legacy .. had a nice post asking why it returned zero results from moz central, did the tests like you, showed the plugin activate status changing etc.

    Here is a NEW pastebin: code name: Pants Rhapsody : http://pastebin.com/sW3H1xKU

  135. Pants-in-Waiting said on November 11, 2016 at 9:56 am

    Oy! I have some posts missing from approx 24 hrs ago – including a pastebin that for some strange reason already has 56 views despite no one being told about it

    1. Tom Hawack said on November 20, 2016 at 7:07 pm

      pastebin is scanned, always has been …

  136. Pants said on November 10, 2016 at 4:06 pm

    might as well paste a new current version .. Version 11 BETA: Bohemian Pants .. expires in a month


    1. Tom Hawack said on November 20, 2016 at 7:06 pm

      Roger- Read, downloaded- Cumulative thanks. You and earthling are really doing great work. My role is to congratulate both of you, that’s my job, to congratulate and to motivate, go, men, go (or” go, ladies & gentlemen, go”) :) But stay in peace!

  137. PantsHunt42 said on November 9, 2016 at 6:04 pm

    @Just me : in reply to your post 4th Oct re deprecated/hidden settings ( https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3991851 )

    I mainly MXR when last list came out, DXR was still new, and for some reason I used DXR mozilla-release (? I guess contains all releases (esr/android etc) ? who knows?). But clearly some of this stuff is legacy, that I never picked up on before. As you can see, some of these were deprecated back in version 46 and 47. I now use DXR’s mozilla-central, which seems much more relevant. I have confirmed the following (they are either in DXR code and confirmed hidden in a vanilla FF, or confirmed not in DXR code and also successfully removed from my own FF’s about:config as well as checking in a vanilla FF. I actually downloaded FF44 thru to 49 portable nillas to determine when they became legacy.

    Sorry for the delay, but I wanted Lazerbeef to sweat a little xD

    //** added 2 hidden pref tags AND a note – these were not hidden for me, but this must be because on first start, FF changed the settings from default to match my non-US country (sheesh, now everyone knows I didn’t vote for Trump) **//

    // 0202: disable GeoIP-based search results
    // NOTE: will not be hidden if Mozilla has changed your setting due to your locale
    // https://trac.torproject.org/projects/tor/ticket/16254
    user_pref(“browser.search.countryCode”, “US”); // (hidden pref)
    user_pref(“browser.search.region”, “US”); // (hidden pref)

    //** added two hidden pref tags **//

    // 0333a: disable health report
    user_pref(“datareporting.healthreport.uploadEnabled”, false);
    user_pref(“datareporting.healthreport.documentServerURI”, “”); // (hidden pref)
    user_pref(“datareporting.healthreport.service.enabled”, false); // (hidden pref)

    //** moved to DEPRECATED and slotted into the right places as per order of when deprecated then by number **//
    //** ^^ BE CAREFUL, it’s not always the entire contents of the number **//

    // 0334b: (46+) disable FHR (Firefox Health Report) v2 data being sent to mozilla servers
    // user_pref(“datareporting.policy.dataSubmissionEnabled.v2”, false);
    // 0410e: (46+) safebrowsing
    // user_pref(“browser.safebrowsing.appRepURL”, “”); // google application reputation check
    // 0807: (47+) disable history manipulation
    // https://developer.mozilla.org/en-US/docs/Web/Guide/API/DOM/Manipulating_the_browser_history
    // WARNING: if set to false it breaks some sites (youtube) ability to correctly show the
    // url in location bar and for the forward/back tab history to work
    // user_pref(“browser.history.allowPopState”, false);
    // user_pref(“browser.history.allowPushState”, false);
    // user_pref(“browser.history.allowReplaceState”, false);
    // 0333b: (47+) disable about:healthreport page UNIFIED
    // user_pref(“datareporting.healthreport.about.reportUrlUnified”, “data:text/plain,”);
    // 1840: (49+) disable the OpenH264 Video Codec
    // user_pref(“media.gmp-gmpopenh264.enabled”, false);
    // 2431: (49+) disable ONE of the push notification prefs
    // user_pref(“dom.push.udp.wakeupEnabled”, false);

    –will now work on sorting out this mess–
    // 1820: disable all GMP (Gecko Media Plugins)
    // https://wiki.mozilla.org/GeckoMediaPlugins
    // user_pref(“media.gmp-provider.enabled”, false);
    // user_pref(“media.gmp.trial-create.enabled”, false);
    // user_pref(“media.gmp-widevinecdm.visible”, false);
    // user_pref(“media.gmp-widevinecdm.enabled”, false);
    // user_pref(“media.gmp-manager.buildID”, “20000101000000”);

    1. Ainatar said on November 10, 2016 at 4:34 pm

      Have fun…

      user_pref(“browser.cache.use_new_backend”, 1);
      user_pref(“browser.download.animateNotifications”, false);
      user_pref(“browser.download.manager.retention”, 0);
      user_pref(“browser.formfill.expire_days”, 0);
      user_pref(“browser.history_expire_days”, 0);
      user_pref(“browser.history_expire_days_min”, 0);
      user_pref(“browser.history_expire_sites”, 0);
      user_pref(“browser.history_expire_visits”, 0);
      user_pref(“browser.preferences.animateFadeIn”, false);
      user_pref(“browser.privatebrowsing.autostart”, true);
      user_pref(“browser.search.redirectWindowsSearch”, false);
      user_pref(“browser.sessionstore.enabled”, false);
      user_pref(“browser.sessionstore.postdata”, 0);
      user_pref(“config.trim_on_minimize”, true);
      user_pref(“content.interrupt.parsing”, true);
      user_pref(“devtools.chrome.enabled”, false);
      user_pref(“devtools.gcli.imgurClientID”, “”);
      user_pref(“devtools.gcli.imgurUploadURL”, false);
      user_pref(“firefox-safebrowsing-blocklist”, true);
      user_pref(“full-screen-api.allow-trusted-requests-only”, true);
      user_pref(“full-screen-api.pointer-lock.enabled”, true);
      user_pref(“layers.async-video.enabled”, true);
      user_pref(“layout.css.prefixes.webkit”, true);
      user_pref(“layout.frame_rate.precise”, true);
      user_pref(“media.http.spdy.enabled”, false);
      user_pref(“media.mediasource.whitelist”, false);
      user_pref(“plugin.disable_full_page_plugin_for_types”, “application/futuresplash,application/x-shockwave-flash”);
      user_pref(“plugin.expose_full_path”, false);
      user_pref(“plugin.state.java”, 0);
      user_pref(“plugin.state.npdeployjava1”, 0);
      user_pref(“plugins.hide_infobar_for_outdated_plugin”, false);
      user_pref(“plugins.rewrite_youtube_embeds”, true);
      user_pref(“network.negotiate-auth.allow-insecure-ntlm-v1”, false);
      user_pref(“network.stricttransportsecurity.preloadlist”, true);
      user_pref(“security.csp.enable”, true);
      user_pref(“security.csp.experimentalEnabled”, true);
      user_pref(“security.enable_ssl3”, false);
      user_pref(“security.enable_tls_session_tickets”, false);
      user_pref(“security.ssl.warn_missing_rfc5746”, 1);
      user_pref(“security.warn_entering_weak”, true);
      user_pref(“toolkit.crashreporter.enabled”, false);

    2. earthling said on November 10, 2016 at 2:25 pm

      “sheesh, now everyone knows I didn’t vote for Trump”

      I’m sure you’d have voted for the fellow vagina Killary, since you’re a girl and all, because I guess this is a thing nowadays. :)

      Fucking incredible that Trump got elected, but he can’t possibly be worse than crooked Killary – the turd sandwich xD

    3. earthling said on November 10, 2016 at 2:14 pm

      Just kidding, of course I read it and it looks good except for
      // 1840: (49+) disable the OpenH264 Video Codec
      // user_pref(“media.gmp-gmpopenh264.enabled”, false);
      I’m pretty sure this is still a thing, see:

      I’m quite surprised that // 0807: (47+) disable history manipulation got removed too.
      I certainly can’t find it anymore and also nothing with a similar name in case they renamed it or something.

      1. earthling said on November 11, 2016 at 3:55 pm

        Just tested with a FF49.0.2 and a FF50beta and both still set ‘media.gmp-gmpopenh264.enabled’ to false if you set that plugin to “never activate”.

      2. Pants said on November 10, 2016 at 3:51 pm

        I give up. What am I doing wrong?

        ^^ shows “0 results from the mozilla-central tree”

        BUT, yes you are right. with the pref at default and hidden in about:config, in plugins the OpenH264 Cisco WebRTC is “Always Activate” .. with the preference added, it is “Never Activate”

        So clearly not deprecated. Moved back into the alive and kicking section. PS: #GoTrumpy

    4. earthling said on November 10, 2016 at 1:47 pm

      TL;DR ;)

    5. Ainatar said on November 9, 2016 at 9:49 pm

      Hi Pants, I have a bunch of prefs to check if you want more headaches. Some of them are probably outdated or useless, but… :-)

      1. Pants said on November 10, 2016 at 9:43 am

        Go for it :) I can add em to my list to check in those moments I have some spare time

  138. PantsHunt42 said on November 8, 2016 at 3:50 pm

    Bit of a discussion going on here: https://www.schneier.com/blog/archives/2016/11/firefox_removin.html .. am now advising people to stop spoofing their UA .. while it may work for some sites, the determined will easily find you out and your entropy will be sky high

    1. earthling said on November 10, 2016 at 2:33 pm

      Thx, but to be honest not much of interest in the comment section.
      “Instead of user.js, you can put a ‘preferences’ directory in your profile and firefox will import preferences/*.js at startup. Useful if you want to have different groups of settings applied to different profiles (use symlinks to a common location managed by git).”
      — This is pretty much the only bit of new info (for me) I found useful in all of the comments.

      “Anyone who thinks spoofing their UA is doing ANY good is deluded.”
      Pretty rude for a gal who until very recently used to do exactly that, don’t you think ;)

      1. Pants said on November 10, 2016 at 3:34 pm

        I have never spoofed my browser make .. only the version number to current ESR. Read my comments here on ghacks and on github spanning back a year or more. I have always said spoofing UA is pretty much a waste of time. And gals are allowed to be rude, even “pretty” rude. :)

  139. EuroScept1C said on November 6, 2016 at 12:46 pm

    When I need to sanitize a URL, do I actually put “” or simply leave it blank?

    1. Pants said on November 6, 2016 at 3:19 pm

      You have to pass a string, even it is a blank string, so you need to wrap it in quotes eg:
      user_pref(“track.earthling.url”, “”);

      1. earthling said on November 10, 2016 at 2:34 pm

        track earthling huh?!? what’s that about? you wanna get past my OPsec? Are you NSA now? xD

  140. Anonymous said on November 5, 2016 at 11:21 pm

    Is there an opt out setting for https://bugzilla.mozilla.org/show_bug.cgi?id=1304113?

    1. Pants said on November 6, 2016 at 3:46 pm

      Interesting. I don’t think there’s any new preference, they have just shifted the telemetry type around within their own categories while they decide whether to keep it permanently or expire it in 56. Pretty sure if all the prefs to disable telemetry, health reports, and experiments are set, then nothing is done, certainly nothing is sent.

  141. earthling said on October 26, 2016 at 1:52 pm

    The script isn’t 100% reliable though now that I think about it some more.
    If f.e. a site adds another iframe after you click something it’s likely not going to ‘protect’ that new iframe.
    Only way I see to protect against this leak fully, is mozilla changing the code to always return the same (spoofed) UA that gets returned on window.navigator for frames.contentWindow too.
    Funny thing is that even blocking frames and iframes with NoScript won’t prevent against this leak, because I guess, it only prevents the rendering of the tags not the access to the actual DOM!
    Only real way to protect against this for now is not spoofing the UA and somewhat hide in the crowd that way, unless you’re using Win95 with FF3.6 or something like that xD

    1. PantsHunt42 said on October 26, 2016 at 5:55 pm

      Yeah, besides the hard-coded value, this is a Mozilla fix – which is why I hinted at someone logging a ticket (i have no mozilla account, or I would)

  142. earthling said on October 26, 2016 at 1:03 pm

    Easy! http://pastebin.com/UUKTnTvc

    Since gorhill hasn’t responded yet, this is my temporary solution.
    To be honest it wasn’t that easy, took me a while to make it work. The problem was or is that you can’t use ‘@run-at document-start’ because at that point the iframe(s) don’t exist yet if they get created with javascript.
    So, I’m not 100% sure that this userscript fully works and there aren’t ways to extract the real UA in the small timeframe between ‘document-start’ and ‘document-end’. (https://wiki.greasespot.net/Metadata_Block#.40run-at)
    My userscript is based on uMatrix’s code, but you need to hardcode the UA you want to spoof as.
    I don’t think it’s possible to access the same variable that uMatrix sets.

  143. PantsHunt42 said on October 25, 2016 at 1:49 am

    hah .. https://github.com/pyllyukko/user.js/issues/193
    ^^ Earthling .. get onto that stat

  144. Lazerbeef said on October 20, 2016 at 1:58 am

    No, didn’t want to ask anything other than what’s above. The poop question was more rhetorical / trivial. There hadn’t been any comments in 12 days, thought you guys moved comments to Git or somewhere.

    PS: I only made it through first 5 minutes of ‘Women Aren’t Funny’. I wanted to believe, was ready to believe but it just wasn’t meant to be. Unfair, I know…they are much prettier though, so that’s something.

    1. PantsHunt42 said on October 20, 2016 at 7:29 am

      Ah OK.Did you know that a flamingo can only eat when its head is upside down?

  145. Lazerbeef said on October 19, 2016 at 5:49 am

    Did this conversation get moved to somewhere else? When’s a new js going to be published?

    Also, did you guys know that dogs tend to align themselves with magnetic fields when they poop?

    1. PantsHunt42 said on October 19, 2016 at 10:04 am

      I check this page almost every day .. I remember the comment count for the next visit .. when it changes I I have a look. I also post stuff when it’s exciting. Did you want to ask something .. like how to detect when comments are made and deduce that for a article 14 months old, a slight quiet period in the comments of 11 days is a blip in the universe’s timeline :)

      Also, did you know, if you ask me, I will pastebin my user.js for you. (Long term I intend to github this – but I just have too much stuff going on right now).

      PS: women are funny, get over it :)

  146. Ainatar said on October 7, 2016 at 1:29 am

    I was reading this -> https://nakedsecurity.sophos.com/2016/10/05/unmasking-tor-users-with-dns/ , and i was wondering the following:

    Let’s say i’m a normal Firefox user, that means i don’t use Tor, proxies, vpns or encrypted dns. Would it help if i increase the Firefox value of Network.dnsCacheExpiration? The default value are 60 seconds. If i surf this website for 10 minutes, that are at least 10 calls to resolve the dns of the main domain. Websites ip’s doesn’t change almost never, at least not every 60 seconds, so one call per hour (for example) should be ok i think? Maybe there are some websites that change their ips dynamically and fast each day, I don’t know.

    Any thoughts?

    1. PantsHunt42 said on October 7, 2016 at 8:57 am

      “about a third of all the observed DNS requests coming from the Tor network went to a single entity; Google’s popular resolver – a situation the researchers describe as “alarming”

      ^^ holy f**k! lulz :) I say that, but this really is more of a state actor attack against a small specific set: monitoring 7000 exit nodes, intercepting DNS lookups etc – “This new attack shouldn’t send anyone running for the hills”. This is more of a dig at TOR, and the attack is targeted at a small number of IPs.

      Ignoring tor and VPNs – if your IP is not hidden then I hardly think DNS correlation tracking is an issue. Just enforce DNSCrypt or something (OS level, router level). Do not forget about your system DNS cache. DNS caching occurs at multiple levels: Application asks local system, which asks locally configured resolving DNS server, which asks authoritative DNS servers. Caching by local system is usually an hour. DNS requests also have a TTL (which can run for several days). I don’t see the cache expiration pref being any use. FF might initiate a dns request, but if you system already knows it, it won’t send anything out. FF is 60 secs, I think chrome is 30 secs.

      There are two prefs: network.dnsCacheExpiration and network.dnsCacheExpirationGracePeriod : I wouldn’t play with them. There’s a balance to be had between caching and timing-out.

      1. Ainatar said on October 7, 2016 at 1:53 pm

        Much appreciated Pants. I have been already using DNSCrypt for the last two years, and i’m happy with it, but I always like to search new methods to enforce privacy.

  147. Just me said on October 4, 2016 at 7:15 pm

    prefs not marked as hidden in user.js-ghacks-0.11 beta (01 Oct 2016) that don’t appear in Firefox Portable 49.0.1

    user_pref(“browser.search.countryCode”, “US”);
    user_pref(“browser.search.region”, “US”);
    user_pref(“datareporting.healthreport.documentServerURI”, “”);
    user_pref(“datareporting.healthreport.service.enabled”, false);
    user_pref(“datareporting.healthreport.about.reportUrlUnified”, “data:text/plain,”);
    user_pref(“datareporting.policy.dataSubmissionEnabled.v2”, false);
    user_pref(“browser.safebrowsing.appRepURL”, “”);
    user_pref(“browser.history.allowPopState”, false);
    user_pref(“browser.history.allowPushState”, false);
    user_pref(“browser.history.allowReplaceState”, false);
    user_pref(“media.gmp-gmpopenh264.enabled”, false);
    user_pref(“dom.push.udp.wakeupEnabled”, false);

    And a small typo:
    “default is unchecked = DON’T switch to ti = true”
    should be replaced with:
    “default is unchecked = DON’T switch to it = true”

    Quick question:
    user_pref(“gfx.downloadable_fonts.enabled”, true);
    Is this pref a privacy problem IF 3rd party content is blocked with RequestPolicy / uBlock Origin?

    Pants, did you receive my second email?

    1. Pants said on October 4, 2016 at 8:00 pm

      “Pants, did you receive my second email?” – nope. I replied to your first one. That’s all I’ve seen. Martin, please give Just me my actual email address.

      gfx.downloadable_fonts.enabled: well, if you disable it then you won’t see lots of glyphs including (i think) the icons in uMatrix, uBlockO. I do the same as you, same with dom storage – i.e turning off the feature is not a feasible solution, so we use extensions to block all but then whitelist. So yeah, it’s a possible privacy concern only if you let it thru (and only if the 3rd party can connect the dots).

      Will confirm those prefs as hidden or deprecated later

  148. earthling said on October 4, 2016 at 6:06 pm

    “What exactly does media.navigator.video.enabled do” – I guess disabling video capabilities for WebRTC, but …
    From here: https://wiki.mozilla.org/Media/getUserMedia
    “Can be turned off by setting ‘media.navigator.enabled’ and ‘media.peerconnection.enabled’ to false.”
    With those 2 prefs set to false we don’t have to care about ‘media.navigator.video.enabled’ and we also have the whole ‘media.getusermedia.’ thing covered.
    Test page if you wanna do some testing: http://mozilla.github.io/webrtc-landing/
    -> the ‘Try Canvas Demo’ also mentions ‘canvas.capturestream.enabled’, so while I was at it I also set that pref to false, just in case.
    And with all that, 2 new prefs from FF49 on my “to-investigate” list won’t need any more investigations IMO…
    pref(“media.navigator.video.use_remb”, true);
    pref(“media.navigator.video.use_tmmbr”, false);

  149. PantsHunt42 said on October 3, 2016 at 6:24 pm

    earthling: from your comment: https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3974439

    user_pref(“dom.ipc.plugins.enabled”, false); // (hidden pref)
    doesn’t seem to do much: https://dxr.mozilla.org/mozilla-central/search?q=dom.ipc.plugins.enabled&redirect=false

    this is OOPP (out-of-process plugins crash protection) – see http://kb.mozillazine.org/Plugin-container_and_out-of-process_plugins – if you use flash/silverlight etc then you should leave it on. If you have no plugins, then it makes no difference

    1. earthling said on October 3, 2016 at 6:55 pm

      PantsOnFire today :)

      My bad for suggesting that pref, guess we’re even now after your ‘media.webaudio.enabled’ blunder xD
      I got that pref from 12Bytes.org user.js. Didn’t bother to check every pref from there in depth and it looked good to me at the time.

      1. Tom Hawack said on October 3, 2016 at 8:33 pm

        @Martin, a quite interesting supposition, moreover when no one really knows if Pants is a boy or a girl : we’d have a split personality sex included. I’ll have to pass on this case to my colleagues :)

      2. Tom Hawack said on October 3, 2016 at 8:16 pm

        Tonight, live from Madison Square Gardens … earthling VS PantsX :)
        Meanwhile you guys are doing nice work! I don’t comment much but I don’t miss an ounce of your mosy valuable exchanges (code included)!

      3. earthling said on October 3, 2016 at 7:58 pm

        ROFL, fuuuuuck, sorry mate! In my defense, at the time it still was the valid pref name.
        Am not saying you took waaaay to long to catch up to speed with my dumps… ;-)

        Okay we’re not even then – go on – have me investigate an already long deprecated pref and I promise I’ll investigate the shit out of it :)

      4. Martin Brinkmann said on October 3, 2016 at 8:14 pm

        Sometimes, I have the feeling that Pants is Earthling and communicating with herself all along ;)

      5. PantsHunt42 said on October 3, 2016 at 7:30 pm
      6. PantsHunt42 said on October 3, 2016 at 7:28 pm

        Yes… you have a habit of dumping large lists on me :) a lot of which I had already gotten, eg all of 12btyes .. some stuff I’ve probably researched 2 or 3 times now, after you factor in all the lists and items from other people, like rockin’ jerry, conker, just me, and a couple of others, and I had remember back just prior to v10 being released that my sh*t to check list was well over some 300 hundred items. It’s now down to about 30 groups of items, or individual items.

        // 0209: disable search reset (about:searchreset) FF51+
        // https://www.ghacks.net/2016/08/19/firefox-51-search-restore-feature/
        user_pref(“browser.search.reset.enabled”, false);
        user_pref(“browser.search.reset.whitelist”, “”);

        I assume once 51 lands, that the “reset” button becomes disabled?

  150. earthling said on October 3, 2016 at 6:22 pm

    window.name – is window.name the way that sites use to access history entries? Not sure those 2 things have anything to do with each other.

    Do you have any other good userscripts to share? I tried to look for some but it seems nearly impossible to find anything good within the masses of shitty ones.

    1. PantsHunt42 said on October 3, 2016 at 6:30 pm

      Sorry, I confused myself with history/window.name. Here’s one I wrote based on that other one to hide my history – like I said, security by obscurity

      // ==UserScript==
      // @name Conceal history.length
      // @description Intercepts read access to “history.length property.
      // @namespace localhost
      // @include *
      // @run-at document-start
      // @version 1.0.1
      // @grant none
      // ==/UserScript==

      var _window={name:window.name};
      return ‘2’;

      Test it at JoDonym – regardless of your 0809 pref setting which is tab history items (browser.sessionhistory.max_entries, default is 50), JoDonym detects only 2. The history is there.

      1. Tom Hawack said on October 3, 2016 at 8:05 pm

        Mea culpa, PantsHunt42, I had missed the ” regardless of your 0809 pref setting[…]” which was right under your script… being naturally speedy is a bad habit which never got corrected with time :)

        I get the correlation now, thanks for being a calm teacher!

      2. PantsHunt42 said on October 3, 2016 at 7:46 pm

        @Tom .. and I quote from myself
        “Test it at JoDonym – regardless of your 0809 pref setting which is tab history items (browser.sessionhistory.max_entries, default is 50), JoDonym detects only 2. The history is there.”

        user_pref(“browser.sessionhistory.max_entries”, 4);
        ^^ this entry .. number 0809

        Reset your value in about:config to 50, disable the script and retest, change the value again, retest .. turn the script on, retest .. I think you get the correlation now :)

      3. Tom Hawack said on October 3, 2016 at 7:34 pm

        OK, PantsHunt42. But to what “prefs” are you referring? I don’t understand that … What relationship between an about:config setting and your script?

      4. PantsHunt42 said on October 3, 2016 at 7:19 pm

        @Tom. It shows as protected because it is 2. 2 is the JonDonym recommended value. My actual value (from prefs) is 4, and in that case, without the script, it would be orange medium. In reality you are not really protected (i.e limited to 2), its just any site enumerating them will think it’s 2 and probably not look any further.

      5. earthling said on October 3, 2016 at 7:08 pm

        Oh, I see. Nice. Now the whole “they will likely only find/try to array two items max” part makes sense.
        I was very confused what you meant there.
        Thanks for sharing!

      6. Tom Hawack said on October 3, 2016 at 7:01 pm

        Just tested your script at JonDonym, PantsHunt42, and I get an even better result, though odd : ‘Tab history | Protected.’, not even 2 but ‘protected’. I’ve tested before installing your script and the result corresponded to true tab’s history (4-5 I think). Nice to read ‘Protected’

  151. Pants said on October 1, 2016 at 5:39 pm

    from my “Sh*t to Check” file:

    // disable telemetry for the next few hundred versions
    user_pref(“toolkit.telemetry.notifiedOptOut”, 999);
    user_pref(“toolkit.telemetry.prompted”, 999);
    user_pref(“toolkit.telemetry.rejected”, true);
    ^^ these all look deprecated to me earthling

    user_pref(“privacy.clearOnShutdown.openWindows”, false);
    user_pref(“privacy.cpd.openWindows”, false);
    ^^ these two are in DXR as pref default values but not used at all in any code. Not sure who recommended these but they’re dead, Jim.

    — added—
    // 0421: enable more Tracking Protection choices under Options>Privacy>Use Tracking Protection
    user_pref(“privacy.trackingprotection.ui.enabled”, true);

    // 0336: more health report/telemetry stuff
    // https://trac.torproject.org/projects/tor/ticket/18738
    user_pref(“browser.selfsupport.enabled”, false); // (hidden pref)

    // 0380: disable sync
    user_pref(“services.sync.enabled”, false); // (hidden pref)

    —what’s left—
    I’m still tidying my way thru it, but will dump a pastebin of remaining items so we can decide what to do with them, where to put them etc.

    1. Pants said on October 1, 2016 at 8:43 pm

      â–º updated (added 3 prefs):
      // 2022: disable screensharing
      user_pref(“media.getusermedia.screensharing.enabled”, false);
      user_pref(“media.getusermedia.screensharing.allowed_domains”, “”);
      user_pref(“media.getusermedia.screensharing.allow_on_old_platforms”, false);
      user_pref(“media.getusermedia.browser.enabled”, false);
      user_pref(“media.getusermedia.audiocapture.enabled”, false);

      â–ºadded (note: moved the media.mediasource.webm.enabled from 3014)
      // 2024: enable/disable MSE (Media Source Extensions)
      // https://www.ghacks.net/2014/05/10/enable-media-source-extensions-firefox/
      user_pref(“media.mediasource.enabled”, true);
      user_pref(“media.mediasource.mp4.enabled”, true);
      user_pref(“media.mediasource.webm.audio.enabled”, true);
      user_pref(“media.mediasource.webm.enabled”, true);
      // 2025: enable/disable various media types – end user personal choice
      user_pref(“media.mp4.enabled”, true);
      user_pref(“media.ogg.enabled”, false);
      user_pref(“media.opus.enabled”, false);
      user_pref(“media.raw.enabled”, false);
      user_pref(“media.wave.enabled”, false);
      user_pref(“media.webm.enabled”, true);
      user_pref(“media.wmf.enabled”, false);

      â–º what to do with these – I know where to put the gmp (1800’s) but the other two prefs? What exactly does media.navigator.video.enabled do. I’m sure it’s WebRTC only. And what does webaudio pref affect? Is this speech or playback?
      // is this WebRTC eg 2022 or more like 2505
      user_pref(“media.navigator.video.enabled”, false);
      // more “media” stuff
      user_pref(“media.webaudio.enabled”, false);
      // GMP
      user_pref(“media.gmp.trial-create.enabled”, false);
      user_pref(“media.gmp-widevinecdm.visible”, false);
      user_pref(“media.gmp-widevinecdm.enabled”, false);
      user_pref(“media.gmp-manager.buildID”, “20000101000000”); //?is this readable by 3rd parties/non-update URLs?)

      1. earthling said on October 3, 2016 at 6:36 pm

        Good catch! I was just reading that page today but somehow overlooked that part completely.
        Great – one less pref to investigate. It doesn’t even exist as a pref in about:config anymore, lol.

      2. PantsHunt42 said on October 3, 2016 at 5:48 pm

        media.webaudio.enabled looks dead – its only in a test on DXR and this comment says its old ( https://bugzilla.mozilla.org/show_bug.cgi?id=1288359#c12 ). I ditched my 20 or so old FF vanilla test versions, or I’d check when it vanished

      3. PantsHunt42 said on October 3, 2016 at 5:29 pm

        a lot of the tor uplift was a heap of resolved due to duplication and looks like they have finally worked out all the OriginAttribute, 1st party, regression, tests etc which was holding things up. So yeah … hope they get a wriggle on.

        font.system.whitelist … not sure, we need to let it land and do some tests – i was thinking don’t keep at default (pretty sure it will land as blank), and I quote “If whitelist is empty, then whitelisting is considered disabled and all fonts are allowed”. It may be a case of using a string like *useMono, useSans, useSerif”. I already use 1401, so not sure what else this can do for me (most likely more robust), and could even allow me to disable 1401. There is also the other ticket “1400’s [Backlog]: prevent local font enumeration” – hopefully one day soon we can lock all enumeration but allow all fonts.

        window.name – yeah, I’ve been using that script for ages as well, probably close to the 14 months since it was posted. I mentioned it here on some article, and I also had an email conversation with the guy at JonDonym. I see it as security by obscurity – if sites try to enumerate, they will likely only find/try to array two items max – even though the data is still there. 0809 sets tab history entries anyway (mine is at 4), so it’s pretty tight. If they get window.name sorted across domains, then I could have more history for forward/back – although I learned to live with 4 after all this time.

        ‘security.mixed_content.block_display_content’ – definitely breaks too much stuff, mainly images. Too many companies use CDNs and can’t be arsed HTTPS’ing them for just media: eg: itunes images are all http://*.mzstatic.com. Amazon seems to have moved images to https. Maybe I’ll give it a go in a year.

        browser.download.forbid_open_with – FF50 it is then, cheers.
        resource://URI duplicate – cheers

        // 2510: disable Web Audio API (FF51?+)
        // NOTE: this is DOM.webaudio.enabled not MEDIA.webaudio.enabled!
        // https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
        user_pref(“dom.webaudio.enabled”, false);

        -updated- (new pref for FF51+)
        // 2001a: FF42+ pref which improves the WebRTC IP Leak issue, as opposed to completely
        // disabling WebRTC. You still need to enable WebRTC for this to be applicable.
        // https://wiki.mozilla.org/Media/WebRTC/Privacy
        user_pref(“media.peerconnection.ice.default_address_only”, true); // FF41-FF50
        user_pref(“media.peerconnection.ice.no_host”, true); // FF51+

        -to work in somewhere in the 300s (i’ll have to work out the implications)–
        // FF51+
        // https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/
        // user_pref(“browser.urlbar.oneOffSearches”, false);

        Man .. I think the sooner I GitHub this, the easier to follow discussions and not miss things. Am thinking of setting up a new account .. PantsHunt42

      4. earthling said on October 3, 2016 at 4:27 pm

        I’m using ‘mozilla-central’ since I noticed that that’s the tree you get redirected to when you browse to https://dxr.mozilla.org/.
        Don’t know exactly what the diff is but many bugzilla comments mention re-basing stuff to mozilla-central, so I think it’s probably best to use that, except if you want to check specific trees, fe. esr45 etc.

      5. earthling said on October 3, 2016 at 4:21 pm

        Wow, they sure made a lot of progress in the TOR Uplift project since I last checked not too long ago!!
        Some results from my latest research…

        ‘security.mixed_content.block_display_content’, true
        — prevents HSTS tracking, see: https://browserprint.info/blog/hstsSupercookie
        –> might break a lot of pages! I’ve set it to true for now and see how it goes.

        ‘window.name’ security/privacy issues:
        Is already in your 9998, but could take a while to be fixed in FF directly.
        Only a problem on pages where JS is allowed.
        Random Agent Spoofer can already block it, but I don’t want to use such a feature-rich extension for this one feature.
        There’s a nice userscript to deal with it here: https://bugzilla.mozilla.org/show_bug.cgi?id=444222#c82

        2662 (browser.download.forbid_open_with) is coming in FF50.

        dom.webaudio.enabled -> disable Web Audio API used for fingerprinting -> added in FF51
        –> https://bugzilla.mozilla.org/show_bug.cgi?id=1288359
        –> NOTE: this is DOM.webaudio.enabled not MEDIA.webaudio.enabled!
        still need to look into ‘media.webaudio.enabled’

        font.system.whitelist -> coming in FF52
        No idea how this is gonna look like and what best to set it to. Probably best to keep it on its default value.

        other stuff:
        in appendix A – 05: Other –> resource://URI is listed twice
        maybe add https://www.youtube.com/html5 under appendix A somewhere or under the media prefs.

      6. Pants said on October 3, 2016 at 8:42 am

        Interesting… I search on mozilla-release. What exactly is the diff between mozilla-release and mozilla-central? I guess I better use central from now on. Meanwhile I’ve added them back in to the Sh*t to Do list and will work them into the 2800’s. Thanks big boy!

      7. earthling said on October 2, 2016 at 5:48 pm

        user_pref(“toolkit.telemetry.notifiedOptOut”, 999);
        user_pref(“toolkit.telemetry.prompted”, 999);
        You’re right, the rest of these 2 got removed in FF47 (-> https://bugzilla.mozilla.org/show_bug.cgi?id=1243435)

        toolkit.telemetry.rejected — can’t find when exactly this got removed but looks deprecated to me too.
        This is likely handled by some ‘datareporting.policy.’ now.

        re: “.openWindows” — I tested it just now in FF48.0.1 portable, and this is definitely not dead, Jim!
        … opened a few windows, toggled both prefs to true then used “clear recent history” and the windows got closed.
        … did the same with the prefs set to false and the windows stayed open.
        There’s some code for it in https://dxr.mozilla.org/mozilla-central/source/browser/base/content/sanitize.js

        media.getusermedia.* — there are a few more, will have a look when I get some spare time.

        Don’t know more than you regarding the remaining ones.

    2. Tom Hawack said on October 1, 2016 at 6:59 pm

      I have none of the toolkit-telemetry mentioned above, they’re either deprecated as mentioned … or hidden settings?
      I’m discovering 0421 and 0336. Added.
      0336 – user_pref(“browser.selfsupport.enabled”, false); // (hidden pref) is a nice one, big fish!

  152. Tom Hawack said on September 30, 2016 at 1:52 pm

    ONE –

    Mentions here of TLS cipher suites using the Triple-DES (3DES) cipher have come more particularly to my attention after discovering a new dedicated Firefox add-on named ‘Disable Triple-DES’ and reading further info at https://sweet32.info/

    Of course I won’t use an add-on when the switch is available in about:config :

    // DISABLE TRIPLE-DES ENCRYPTION – TLS cipher suites using the Triple-DES (3DES) cipher
    user_pref(“security.ssl3.rsa_des_ede3_sha”, false); // WARNING: MAY BREAK SOME SITES

    sweet32.info mentions less than 2% of sites still using 3DES, we’ll see if any major disturbance appears …


    About the IndexDB, said to be required by some sites, add-ons but also by Firefox itself … I’ve always left it to its default value (true) but after discovering another new dedicated Firefox add-on named ‘Disable IndexedDB’ I decided to experience sessions with set IndexDB set to false :

    user_pref(“dom.indexedDB.enabled”, false); // applies to websites, add-ons and session data

    Deleting the storage folder in the user’s Firefox profile was not rebuilt with the above setting set to false.

    Funniest discovery is that I logged into a site which uses normally IndexedDB (posteo.de) filling the user’s storage folder with data. I managed my account on posteo.de without any problem. I’ve encountered up to now no issue with “dom.indexedDB.enabled” set to false …

    END :)

    1. earthling said on September 30, 2016 at 2:41 pm

      ONE – is already in Pants beta.js, I’ve suggested that pref to him, sorry HER, some time ago.

      1. Tom Hawack said on September 30, 2016 at 5:05 pm

        Pants replied to me fast because coming in last grants privileges :) He (she? damn, I don’t know anymore, I was convinced if I ever doubted that someone smoking Cavendish pipe tobacco could not possibly be wearing high heels even if some Scandinavians do) … where was I? Oh yes… It (no, he or she) had been conversing with you for some time when I popped in so I appeared as the guest. Pants has a good education, that’s all!

        Coffee anyone?

        We are (anyone bringing the coffee should be included) a mighty staff and a healthy competition is an excellent teaser.

        Sugar?! — OK, back to work. I’m discovering latest : user.js-ghacks-0.11 beta so to say.

      2. earthling said on September 30, 2016 at 4:46 pm

        DAMN, now Pants made me look like a total attention-whore à la “I posted this pref first, I’m better than you”, because she replied to you so fast. I had already written my reply but got distracted and then later submitted without refreshing the page first. Sorry, it came off totally wrong in hindsight :) Please forgive me! PLEASE xD

      3. Tom Hawack said on September 30, 2016 at 3:17 pm

        Yeps, I had read your comments, earthling. I just had in mind of emphasizing on the setting after having read the article I mentioned and focusing on new readers … if Papa Tom said it then it’s ok :) Not really, just meant for sharing an active thread, rather!

    2. Pants said on September 30, 2016 at 2:28 pm

      Disable IndexedDB – the readme is rather sparse. What exactly does it do? Is it just turning off the pref in about:config? I’m not an extension junkie like you (what are you up to now? 75?) .. I’m at a more modest 57 and could probably lose a few more. I think earthling has 500, just quietly – why else would he be scrimping and saving bytes by removing urls :)

      1. Tom Hawack said on October 1, 2016 at 8:33 pm

        Pants, I read you loud and clear when you state “not aware of 3rd party access to dom storage”.
        I’ve had in mind very shortly that I was maybe wrong assuming 3rd party access to dom storage. As you mention it there is a whole to know about the reality of cross-sites information exchange, and whoever is interested because feeling concerned with privacy and security may extrapolate wrongly on the basis of a general awareness of Web practices. This is obviously what guided me.

        Anyway I did read, even if occasionally (it’s not one of those leading privacy concerns) that dom storage had the potential to include privacy issues. Maybe is the indexedDB storage feature free of any privacy issue, at least in terms of 3rd part access, but then why does the ‘Disable IndexedDB’ FF add-on have its toolbar button tooltip text mention “”IndexedDB is not disabled. Be careful.” when IndexedDB is enabled? I can imagine that it’s not because someone, be it a developer says something that it means it’s true…

        One thing is sure : maintaining a computer and its major applications of which its browsers is becoming more and more complex and, for the non-geek, fastidious, at least when privacy and security concerns oblige any user to think twice before running, be it an OS, be it a browser with default settings, out of the box, and that is really not acceptable, even if we have to do with it …

      2. Pants said on October 1, 2016 at 7:29 pm

        There’s a lot of work going into isolating first party thru OriginAttributes, across workers, storage, fav icons and anything you can think of. And a ton of tests.

        https://bugzilla.mozilla.org/show_bug.cgi?id=1260931 Add 1st party isolation pref and OriginAttribute
        https://bugzilla.mozilla.org/show_bug.cgi?id=1268726 isolate shared worker by first party domain
        https://bugzilla.mozilla.org/show_bug.cgi?id=1270680 image cache should respect originAttributes
        https://bugzilla.mozilla.org/show_bug.cgi?id=1277803 favicon & OriginAttribute
        ^^ tons more. So many regression tests, tests, bugs and duplicate bugs, that I can’t keep track. I also suspect a lot of this will tighten right up when e10s goes per tab process.

        I’m not aware of 3rd party access to dom storage Tom.
        Site A is completely dependent from site B. Site C (let’s say google apis or webfonts or analytics or something) might be used on both A and B. AFAIK, Sites A + B + C can’t see each others storage, right? What if it’s something like A = amazon.co.uk and B = amazon.com and C = ssl-images-amazon?

        I’ll just trust the FF devs to get it right, and in the meantime block it all by default (with cookies thru cookie controller) and allow some if I have to get shit to work. Like you, I’m not even sure if its the cookie or the dom. Some of these sites don’t even use the dom, like you say. cracked.com and cricinfo are two sites that fail miserably without it. Another one (which I coouldn’t care less about) is youtube comments don’t load. I may have to experiment more.

      3. Tom Hawack said on October 1, 2016 at 3:39 pm

        About disabling indexedDB (user_pref(“dom.indexedDB.enabled”, false); // default = true) and to narrate my thrilling adventures on the Web with this indexDB set to false, I’ve encountered one site which doesn’t display correctly : http://www.laposte.fr/particulier

        Funniest thing is that the site’s behavior confirms what I had read previously which is that some sites require indexedDB enabled even if the user’s dedicated storage folder (in the user’s profile) is not affected : the site wants indexedDB but doesn’t use it!

        Another effect of disabling indexedDB is that, in the user’s profile, there is a ‘storage’ folder (with subfolders) and, starting with Firefox 49, a storage.sqlite file which both (folder and file), once deleted once FF is closed are not rebuilt once FF is started as this is the case with indexedDB enabled : the ‘sorage’ folder and the storage.sqlite file are strictly related to the indexedDB feature … I learned it, may be obvious.

        Therefor, at this time, unless to use an add-on such as above mentioned ‘Disable IndexedDB’ to toggle when needed indexedDB, I see no pertinence to propose it as disabled in a user.js file … but here I’ve installed this ‘toggle’ add-on because I wish to block by default what some consider as intrusive (sites’ data in the user’s storage folder, even if cleaned within/after the session) but have it available with a toolbar button should a site require it to display correctly.

        Imagine a site downloading data to the user’s storage folder, and then other sites reading that data : even if the user cleans his storage folder remains the fact that intervals allow cross-site information exchange. Another reason, IMO, to avoid having too many tans opened (on different domains), especially when one/some of the opened pages are secured.

      4. earthling said on September 30, 2016 at 4:59 pm

        damn Sista, now you really went full YOLO with the whole re-sectioning thing, huh?!

        re: ” I won’t be installing it.” — Yeah, no, me neither, I meant the pref in general.
        But I’m not as adventurous as you and Tom, so I’ll let you guys do the testing xD

        “isolating the HSTS/HPKP to OriginAttributes” — so atm every page can basically read that stuff is what you’re saying here? Due to my research for HPKP I’ll need to look into the whole SiteSecurityServiceState.txt tracking-problem again, because although still very rarely used, HPKP is something I’d really like to use.

      5. Tom Hawack said on September 30, 2016 at 4:05 pm

        Alright! Downloaded space_pants_oddity. What a thrilling denomination!
        Point is I’m rather slow-minded today (getting worse day by day), you guys seem to be on a dragster and I feel as a bicycle rider…
        I’m in for having a look at the oddity :) There’s a lot of work and commitment there, as usual- Appreciated.

      6. Pants said on September 30, 2016 at 3:44 pm

        “The disable IndexedDB sounds intriguing but I’m kinda hesitant to try it. Let me know how it goes for you :) ”

        As Tom said, it’s just a toggle for the pref. I won’t be installing it. But same as Tom, this dom storage is always on my mind. I might turn it off again and see what happens to my regular sites .. one day …

      7. Pants said on September 30, 2016 at 3:40 pm

        http://pastebin.com/Cxedk9KK .. damn, I forgot to get it to expire .. oh well

        Get into it Tom … don’t be a pussy :) There’s no time like the present…

      8. Pants said on September 30, 2016 at 3:31 pm

        ^^ this is interesting (part of tor uplift – its listed in the to investigate section, not sure if it will have a pref) – basically isolating the HSTS/HPKP to OriginAttributes – so you get the same behavior as per PB (private browsing) .. I think. Can’t be bothered to scroll up and find all the guff I wrote.

        Speaking of tor uplift. Check out the pastebin (coming). As per discussion – renumbered palemoon and called it quits – but I also split 9999 into “9998 to investigate tor uplift”, and “9999 to investigate other”. I have also taken the old 2630 which is the privacy.resistFingerprinting pref. I gave it it’s own section, not just a number – as it is getting or going to get a lot of tickets attached to it, and I think this is perfect to keep track of them all. It is now section number 2699 with an item number 2699. I fixed any references to it (eg in 2507) and the tor uplift to investigate section matters. I also updated the tor uplift section with status of jobs and I moved the keyboard fingerprinting item out of 2699 back into to investigate.

        The think the only tor uplift items not functional in stable are the mathml (2663) and isolating first party (2661) – they’re resolved and have been for a while. Hopefully they will land next version. Since they already have numbers, not moving them

      9. Tom Hawack said on September 30, 2016 at 3:14 pm

        Pants, the ‘Disable IndexedDB’ plug-in indeed only toggles the dom.indexedDB.enabled on/off (true/false). I mentioned it only to explain that discovering that add-on got me to wonder on the pertinence of having dom.indexedDB.enabled set to true … no point in installing it unless we were in the situation of having to often toggle that setting within a Firefox session. I mentioned it to emphasize on the fact that dom.indexedDB.enabled set to true (default) was maybe a over-evaluated requirement… testing right now with the setting to false …

        Thanks for proposing a pre-version of user.js-ghacks-0.11 but I think I’ll wait, I guess major settings are active and new ones follow.

        I note your,
        // 1214: disable 128 bits
        user_pref(“security.ssl3.ecdhe_ecdsa_aes_128_sha”, false);
        user_pref(“security.ssl3.ecdhe_rsa_aes_128_sha”, false);

        They were still set to true, I’ll add both, hoping no relevant issue.


      10. earthling said on September 30, 2016 at 2:51 pm

        Wait what? You mean removing urls in about:config? That would actually increase the prefs.js size :)
        Oh yeah, 500 sounds about right xD – more like… I won’t give you an exact number, but it’s around 10.
        btw the whole HSTS/HPKP thing actually gets stored in SiteSecurityServiceState.txt, and I remember you having that file set to read-only, ergo …. exactly! xD
        The disable IndexedDB sounds intriguing but I’m kinda hesitant to try it. Let me know how it goes for you :)

    3. Pants said on September 30, 2016 at 2:20 pm

      Tom: would you like me to dump a current version for you? The last copypasta would have expired by now at pastebin.

      already had 3des (in version 11 of course)
      // 1213: disable 3DES (effective key size < 128)
      // https://en.wikipedia.org/wiki/3des#Security
      // http://en.citizendium.org/wiki/Meet-in-the-middle_attack
      // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
      user_pref("security.ssl3.rsa_des_ede3_sha", false);\

      have this one as well Tom if you haven't already
      // 1214: disable 128 bits
      user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
      user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);

      I find that cookie controller controls all the dom storage (unless I'm missing something). the few sites I need dom storage for them function properly, I just allow a session first party cookie only and voila! (sorry about the missing diacritic).

      Will check out "Disable IndexedDB" : https://addons.mozilla.org/en-US/firefox/addon/disable-indexeddb/
      ^^ it says zero users :)

  153. earthling said on September 29, 2016 at 3:25 pm

    Here’s another one of the new prefs in FF49 that I consider worth adding (already added to mine):

    // enable sites to use much higher max-age values for HPKP (HTTP Public Key Pinning) [sites set this in the header]
    // WARNING: can block domains for 1 year after last visit if the domain-owners mess things up or get hacked
    // !! this is only a ‘max-age’ maximum, not enforcing it to one year, only allowing it to be that long if sites choose to use such a long max-age
    // -> also see: https://dxr.mozilla.org/mozilla-central/source/netwerk/base/security-prefs.js#100
    // https://tools.ietf.org/html/rfc7469#section-4.1
    // https://news.netcraft.com/archives/2016/03/22/secure-websites-shun-http-public-key-pinning.html
    user_pref(“security.cert_pinning.max_max_age_seconds”, 31536000); // default value in FF49: 5184000 (60 days) -> 31536000 = 365 days in seconds

    HPKP can be problematic for domain-owners but is a great privacy/security feature for users of those domains.
    If some admins want to set max-age to 1 year f.e., it shows that they are confident in being able to provide and maintain a secure domain-access for that long and are willing to risk huge damages to their companies if they fail in doing so.
    Therefore limiting the usefulness of HPKP for end-users by setting a lower max max-age is not in the interest of more advanced users who know what they are doing and who would like to get the most out of HPKP.

    1. Pants said on September 29, 2016 at 6:09 pm

      Cheers. I think I understand the balance between this being too short vs too long. I’ll add it, not sure when. And I have no idea whether the default is better or not. I need some baby-diagrams and flow-charts to EIL5 how the whole ca, cert, pinning, stapling, checks are done. I mean, if this is set too long, then if the cert is compromised, aren’t you compromised longer?

      1. earthling said on September 30, 2016 at 2:39 pm

        Well, theoretically yes, that’s a possibility but a very rare one I would say.
        And only if the compromised domain uses a longer than the default 60 days max-age.

  154. Just me said on September 29, 2016 at 10:51 am

    Pants, can you please contact me via email. I would like to discuss with you something privately. It’s related to Firefox privacy and fingerprinting.

    contactme2016 [at] abv.bg

    1. Pants said on September 29, 2016 at 5:54 pm

      The last person I shared my email with was Leandro, the guy who built ConfigFox. He contacted me via Martin and he wanted my input or something on his little project. He was inspired by the initial user.js release. I obliged and said I would be happy to offer some opinions and ideas, but that was all. What a waste of (my) time. The guy didn’t take anything on board (his choice), and took my passionate but constructive criticism (which was only online in the ghacks article thread) as a personal attack, and then under an alias has tried to dox me on ghacks ever since. The fact that only about 5 people have my email meant it was easy to nail him as the perp. He has mental issues. Anyway .. ultimately that’s on me, bad OpSec.

      So, no offense Just me, but rather than email, if you trust Martin (I do), then just lay it all out and email him to pass on. I’m intrigued as to what it could be, that can’t be discussed openly.

      1. Just me said on September 29, 2016 at 8:15 pm

        No offense taken. Email sent to news@ghacks.net

      2. Martin Brinkmann said on September 29, 2016 at 6:12 pm

        Sure just use the contact at the top and I forward the info to Pants.

    2. earthling said on September 29, 2016 at 2:56 pm

      Hey Pants, can you please forward me those discussions, now I’m fucking curious xD


  155. earthling said on September 27, 2016 at 10:50 pm

    1408 fits better under 2600, mathml doesn’t really fit under FONTS.
    Likewise 2660 fits better under 2400 IMO.
    These numbers are from your beta-user.js.

    ‘browser.bookmarks.showRecentlyBookmarked’ a possible candidate for 3000.

    user_pref(“browser.migrate.automigrate.enabled”, false); // enforce false (false is default in FF49, might change in the future)
    I assume nobody using this user.js would want anything from another browser migrated automatically into their profiles; I certainly do not!
    –> least possible code running when this is set as user_pref, see (also see init() on line 64):

    Since those ‘browser.migrate.automigrate.*’ are new in FF49 and atm ‘.enabled’ is set to false anway, I don’t think this will break any important features, and AFAIK has nothing to do with migrating places.sqlite etc to a new version or things like that.

    1. Pants said on September 28, 2016 at 5:43 pm

      Thanks :)

      – 2660 dom.archivereader.enabled now moved to 2425

      – browser.bookmarks.showRecentlyBookmarked – already added :)
      // 3022: hide recently bookmarked items (you still have the original bookmarks where you filed them)
      user_pref(“browser.bookmarks.showRecentlyBookmarked”, false);

      – MathML (yeah always felt wrong in fonts) & SVG (slated for fonts, is under to investigate) are both XML based. Moved 1408 to 2663, and changed SVG to investigate to be 2600’s when moved\

      – added (speak up if you think its the wrong place)
      // 3023: disable automigrate (FF49+, current default is false but may change)
      // need more info, but lock down for now
      user_pref(“browser.migrate.automigrate.enabled”, false);

      Yeah, wonder what that’s all about .. browser.migrate.auto* .. turn ui on, days to undo .. the fact it uses “auto” in its name scares me a little :)

      1. Pants said on September 29, 2016 at 5:33 pm

        – Pretty much the “personal settings that have privacy implications” was split out into 2700 cookies and 2800 shutdown
        – section 3000 could be split or renamed (and I’ve already done that to a few items – eg I branced out a hardware fingerprinting section) – and we can add sections (it’s why I used even hundreds after the first 4 sections) like I did with 0900 passwords.
        – 1404 while a user choice just looks silly if not under fonts – and may be needed to sync with upcoming tor lift font white-listing / enumeration prefs. Just seems easier all in one place. Arguably there are a few items not in personal that are debatable if they belong
        – I re-numbered palemoon from 3200 to 9997 and added a note that I’ve dropped it: “NOTE: This section is no longer maintained [after version 10]” – so we have numbers to burn.
        – 3000 section – we have plenty of room to expand “personal” into UI behavior, tweaks or whatever. Most of it is UI behavior (close on last tab, tab stuff, menu delays, click/db-click behavior, warnings etc) with a few odd items such as webm. Its only 20 or so numbered items for now. I think it’s OK. I think the name “personal” sums it up and the description says “non-security/privacy/fingerprinting”. For now I think its ok. We can always revisit it later. I also don’t want it to grow out of control, and I think we’ve done ok for 14 months. That said, its bound to grow with items not in the UI – and this is the best place to keep a record of them all.

      2. earthling said on September 29, 2016 at 2:53 pm

        Hey Pants, didn’t you have a “PERSONAL SETTINGS [that have PRIVACY implications]” section once?
        Did you move all those prefs to different sections?
        Because I still have it in my user.js. I moved 2700 (cookies) and 2800 (shutdown) into that section. I also add new fitting stuff in there that aren’t in your latest js yet and don’t have your lovely descriptions that go with each pref/number. Once you add them I mostly just copy your description and if necessary move them to the category you added them under. I think it would be nice to have 3000 for “PERSONAL SETTINGS [that have PRIVACY implications]” and then maybe 3100 for “PERSONAL SETTINGS [that DON’T have PRIVACY implications]” or similar. If 3100 doesn’t give enough room to grow, 3300 would be nice too (with the double 3’s).
        For example I also have moved 1404 into my “PERSONAL SETTINGS [that DON’T have PRIVACY implications]”, but they fit into both sections.
        As for 3023, I feel the PERSONAL section isn’t perfect but I don’t see a better one atm either.
        Maybe a new section “MISC – ANNOYANCES (no security/privacy/fingerprinting/etc implications)” would cover this the best. Just some ideas.

        “the fact it uses “auto” in its name scares me a little” – yeah me too. I haven’t looked at the code in detail, just had a quick glimpse, but I suspect it will only trigger if no profile is detected.
        I also don’t see the new UI option anywhere, but they also added the flyweb pref and flyweb isn’t even shipped with FF49 yet, so maybe just something that will come in future releases. I will need to look at it in more detail and figure out when exactly this gets triggered.

  156. Pants said on September 23, 2016 at 9:18 am

    Maybe i should github this? Thoughts? I’m 50/50: all the extra info and contributs are awesome, but not really manageable in this context. It would also mean an up-to-date version available for users. But then I also don’t want to tie myself to this long term – that said, who am I kidding, I’ll never stop tinkering – but I just don’t always have the time – then again, it’s pretty comprehensive and more hands make light work.

    I think I might do it. I’ll need a name for it, and I want it to include ghacks in the title, but would need Martin’s permission.

    user.js [gHacks]
    ghacks_user.js (this matches my internal parrot pref)

    So I use a capital H? Martin? Your thoughts? Your blessing? (I would include disclaimers and stuff in the readme.

    What about an article with a poll ? :) If the masses decide yes, I’ll do it.

    1. earthling said on September 23, 2016 at 3:30 pm

      I thought about this some time ago and wanted to suggest it to you but then decided against it.
      What I like about this format is that you can just search for any pref-name and see if anyone already suggested or discussed it, it’s all one big page. But of course over time the page gets huge and it’s also very easy to miss some comments because of it.
      But what made me ultimately deciding against suggesting it, is the no-need-to-login-to-comment that I love so much about ghacks. I hate creating logins and therefore almost never contribute anywhere with very few exceptions. On most pages I’m just one of the silent observers although I would like to chime in from time to time but just can’t be bothered with creating an account. Others might feel the same and we would maybe lose some valuable input because of it, especially because the topic at hand (privacy/security) seems to attract a lot of people who aren’t the social-media/facebook/share-my-whole-life-with-the-whole-world kinda guys.
      But for this, your awesome project here I would definitely be willing to create an account on github to contribute to it.
      And searching on github is also very easy and should find all the relevant discussions/issues too and it’s overall a lot “cleaner” with Issues that can be discussed in the same place and then closed once a decision is made to either include a pref or dismiss it. It would also be easy to look at diffs/patches between versions and see exactly what changed.
      So all in all I’m fine with whatever you choose to do with it. Both have pros and cons.

      1. earthling said on September 23, 2016 at 5:51 pm

        “a local js file I use as my ‘shit to do’ list”
        yeah, I hear you, got way too many of those myself :-(

        “lots of copypasta from earthling”

        Ohhh, I’m sorry for that girl, you have some time now to catch up until the 8th Nov when FF50 gets released. :-)
        Maybe some little posts from me here and there in between but I’ll try to keep them small and well resourced, so you don’t have too much to do for those. (or I’ll simply post off-topic stuff xD)
        And I’d surely do you for anything if there wasn’t the weird “Roman Nopantski” nick, that’s kinda weird for a girl, perhaps a Trans? Or a fan of the pedo Roman Polanski? — either way, not my cup of tea in terms of girls I usually go for^^

        But well, if the willingness to create a github account doesn’t say I’m ready to spend the rest of my life with you, what does?!

      2. Pants said on September 23, 2016 at 5:02 pm

        Awww, you’d do anything me for me .. I know, i know .. you sure do know how to make a gal blush.

        Every single change would be in the commits, so it’s very easy to see every single change, even a typo fix. I’m changing my copy ALL the time. So it would be more work to keep everything in sync. But the trade off is probably more contributions and easier management.

        While it may be a factor, I don’t think a login for github should be an issue for most people. They know how to retain a cookie, but wipe others. They know how to block any XSS or scripts (Github is pretty clean anyway – uMatrix blocks collector.githubapp.com and that’s about all that’s needed). They know how to retain a saved password and protect it. Etc. Well, they should know :)

      3. Pants said on September 23, 2016 at 4:34 pm

        “Oh, btw, did you miss my post @ https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3974439

        ^^ NOPE .. anything you do like that, and the version diffs, I copypasta all that shit into a local js file I use as my “shit to do” list

        — user.js [pants].js = my working copy which I sync with my profile
        — user.js [zCheck].js = everything to follow up on – lots of copypasta from earthling – getting a bit long – maybe mute earthling for a while :jk
        — user.js [zzzdiffs 48-49].js = almost empty now, worked thru most of it

    2. Martin Brinkmann said on September 23, 2016 at 9:21 am

      Pants, I think that this would improve the manageability especially of user contributions. I could still post updates whenever a new version of Firefox gets released for instance to make mirror the user.js.

      You don’t really need to ask for permission, and you’d make me a happy camper if you’d add Ghacks, gHacks, or ghacks to the title ;)

      1. earthling said on September 23, 2016 at 5:09 pm

        Thank you Martin!

      2. Pants said on September 23, 2016 at 5:03 pm

        I apologize on earthling’s behalf – he should have set up an email account for pre-approval. My bad Martin /s

      3. earthling said on September 23, 2016 at 3:43 pm

        Hey Martin, one of my comments from yesterday didn’t get published or maybe something went wrong on my side? Maybe you could check your DB? I think it should have been comment-3981332.
        Or I could just re-write it but I’m not sure if you didn’t let it thru because of an URL it contained to a “competitor” site of yours (with somewhat similar content). But you seem very relaxed in what URLs you allow, so I don’t know what went wrong, it sure seemed to have went over the wire and into your DB. Thx

      4. Martin Brinkmann said on September 23, 2016 at 4:42 pm

        Found it, it was in spam. Sorry for that.

      5. Pants said on September 23, 2016 at 9:50 am

        Noted. Have added to my projects list. One day when it’s all done and running, I’ll let you know so you can tell the world :)

      6. Martin Brinkmann said on September 23, 2016 at 11:03 am

        Aye-Aye my captain!

  157. earthling said on September 22, 2016 at 8:20 pm

    So, before I sign off for today, two more small things I’d like to share.

    I really like the reader feature, especially since my default config in uMatrix makes most pages look weird/broken and I can just get the content I want with one click on the reader icon. I don’t see a privacy/security concern with it either and would recommend to at least temporarily enable it and check it out.

    The other thing I recently found is this:

    –> man, I love my Firefox! xD

    Bye y’all, have a nice day/evening!

  158. earthling said on September 22, 2016 at 8:06 pm

    I’m just looking at the diff between v0.10 and v0.11-beta…
    There’s a typo in 2415b: sero-length
    –> good pref btw, didn’t know that one yet, thx!

    For 2630, it looks like ‘hiding the contents of navigator.plugins and navigator.mimeTypes’ will come with FF50.

    browser.tabs.remote.autostart.2 -> I read somewhere that they are using this pref only for the rollout because they want to use ‘browser.tabs.remote.autostart’ for when everyone gets e10s.

    ‘privacy.firstparty.isolate’ and ‘browser.download.forbid_open_with’ -> good stuff but don’t seem to exist yet in FF49 (maybe for a good reason?!, or simply hidden) -> I’ll wait till they’re officially ready and visible

    I’ve now set ‘dom.workers.enabled’ to false and will see if I notice any problems with it, thx for investigating and moving it out of 9999!

    // resource://URIs leak – now part of tor uplift project -> I sure hope that will come soon because the addon is causing a lot of errors in the console – something seems to be broken and no update available for it so far. Might have to look into it myself and try to fix it.

    // keep an eye on all the services.kinto* stuff -> they were renamed to ‘services.blocklist.’ in FF49 and the url it uses is in ‘services.settings.server’

    dom.flyweb.enabled -> I already added that to my user.js

    I’m still working on going thru the new pref-changes in FF49, but here’s what I got so far:

    >>> new in v49.0:
    pref(“browser.search.reset.enabled”, false); // added to my user.js
    pref(“browser.search.reset.whitelist”, “”); // added to my user.js
    pref(“dom.flyweb.enabled”, false); // added to my user.js
    pref(“dom.vr.osvr.enabled”, false); // added to my user.js
    pref(“media.gmp-eme-adobe.visible”, true); // added to my user.js – set to false
    pref(“media.gmp-widevinecdm.visible”, true); // added to my user.js – set to false
    -> the last two are checked before their ‘*.enabled’ ones in the code, not that it matters much but anyway. 1ms gained^^

    >>> removed (or not yet set) in v49.0:
    pref(“gecko.buildID”, “20160823121617”); // reset in about:config to remove it from prefs.js
    pref(“gecko.mstone”, “48.0.2”); // reset in about:config to remove it from prefs.js

    >>> changed in v49.0:
    pref(“gfx.font_rendering.graphite.enabled”, true); // prev: false // added to my user.js – set to false
    —> only available with HW-accel anyway I think; graphite had some security problems in the past, no thanks to that!

    1. Pants said on September 23, 2016 at 8:15 am

      Good stuff. Edited typo, thanks

      navigator.plugins and navigator.mimeTypes – changed note about release version to (FF50?+). I don’t have any plugins on my system to test it

      browser.tabs.remote.autostart.2 – i’m ignoring all the e10s stuff for at least a few more releases
      PS: my extensions e10s state: compatible: 24 / unknown: 26 / not found: 7 / total: 57
      ^^ from are arewee10s

      privacy.firstparty.isolate was only closed recently – I’m kinda pre-loading prefs in advance because of too much re-checking stuff. I’ve changed comment to (FF50?+)

      browser.download.forbid_open_with – was a while ago. Should be working by now surely. I’m sure someone will test it. I have it commented out – I don’t need that much hardening on my setup.

      dom.workers.enabled – I’ve had the bastards locked up for ages – no issues so far, but time will tell as the web changes

      resource://URIs leak – the addon causes no issues for me (not geeky like you living in the console), and I have kept an eye on this ticket. can;t wait for it to land as it will be a much better all round solution and I can also ditch another extension.

      dom.flyweb.enabled – I want to enforce this, but where should I put it. What section and what wording to use. Please advise.

      services.kinto* stuff renamed to services.blocklist – is there anything to do with these? I still have no idea what kinto etc is/was.

      added this under fonts (is where I should put it). wording needs a cleanup etc. Parker Lewis on some recent threads (he’s very knowledgeable) also expressed concern over this being reintroduced/enabled
      // 1409: disable graphite (FF49 turned this back on).
      // In the past it had security issues. It’s also only with HW-acceleration. Need citation
      user_pref(“gfx.font_rendering.graphite.enabled”, false)

      user_pref(“dom.vr.osvr.enabled”, false); // added to 2504
      user_pref(“media.gmp-eme-adobe.visible”, false) // added to 1850

      these three I will add to my to do list
      pref(“media.gmp-widevinecdm.visible”, false);
      pref(“browser.search.reset.enabled”, false);
      pref(“browser.search.reset.whitelist”, “”);

      1. earthling said on September 23, 2016 at 2:53 pm

        Hey, thx for the detailed reply.
        dom.flyweb.enabled — I would put it maybe near the other extensions settings, like under the pocket ones f.e.
        –> https://wiki.mozilla.org/FlyWeb

        services.kinto* stuff — it’s a json-based updating method for the blocklist mainly to relieve some pressure from their servers I think. I kinda like it because it looks like you can opt-out of certain parts of the blocklist, fe the plugins if you don’t have any. I read somewhere that lots of stuff is running on the same server(s) and it causes a lot of “stress” on them because every FF user downloads the full blocklist every 24h by default.
        I’m not sure if kinto can download only the changes between versions to make the overall bytes sent/received way less, or if it’s just smaller chunks at a time which would also relieve some pressure I guess.
        I haven’t looked at the code yet because its not even used yet anyway, but I think f.e. by setting ‘services.blocklist.plugins.collection’ to empty string you can opt out of the plugins blocklist.

        Parker Lewis on some recent threads (he’s very knowledgeable) — I know, right?! I was very impressed with some of his posts, hope we’ll see him around a lot more.

        It’s also only with HW-acceleration — I just quickly tested it here:
        .. and the “Awami Nastaliq font demo” at the end of the page looked nothing like it should have without HW-accel. I didn’t test if it worked with HW-accel, but since its a “gfx.” pref I just assumed it needs the graphics-card and therefore hw-accel enabled.

        browser.search.reset.* — there’s a new about:searchreset page introduced in FF49, but I haven’t looked at the code to check when or where this page gets loaded.

  159. Anonymous said on September 22, 2016 at 12:43 pm

    Earthling: I don’t get this hello/loop thing. I know its been moved to a system addon. But it doesn’t exist. I unpacked a vanilla FF49 and its nowhere to be found. The loop.* values are non existent (or hidden rather – they are still in the code according to DXR). It’s not listed under system addons (the ones you see listed in about:support – e10s, web compat, etc – in your browser/features folder), and I’m not quite sure what to do with 0372, or how to word it. Should I move it all to deprecated with a note that it’s now a system addon? How do people even get it when its not in the system? What’s your take on it?

    1. earthling said on September 22, 2016 at 7:03 pm

      Pants is that you, girl?
      Loop is gone in FF49, and so are the prefs.
      In my pastebin they are listed under // >>> removed (or hidden, or not yet set) in v49.0.
      They already added a new pref in FF48.0.1:
      pref(“loop.legal.loop_deprecate_url”, “https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/hello-status”); // see my post @ https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3961293
      … and now they removed it in all the new versions released on the 20th, two days ago.
      As far as what to do with them, I would definitely add a note about 0372 being deprecated as of FF49, but if they are still in the code it doesn’t hurt to leave them enabled for now. And maybe with FF50 or so move them to the deprecated section and comment them out, or only after there’s no more code in DXR, idk.
      In mozilla-central DXR I don’t see any code for it though? Which tree did you check?
      In mozilla-esr45 I still see some code for it, but if it’s under ‘browser/extensions/loop/’ then thats the code that was in the loop.xpi itself I’m pretty sure.
      Why do you think loop is now a system addon?

      Oh, btw, did you miss my post @ https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3974439

      1. Pants said on September 23, 2016 at 7:49 am

        “Why do you think loop is now a system addon?” because I misread martin ( https://www.ghacks.net/2016/09/20/firefox-49-release/ ) .. and I quote “Hello was turned into a system add-on” – that’s past tense, not current. Had been up for days man … life is hard on a girl sometimes. I’ve moved the whole thing to deprecated

  160. Anonymous said on September 22, 2016 at 12:49 am

    – I have a new user set preference in 49 (Firefox 49 created it automatically) as browser.tabs.remote.autostart.2;true. Is that okay? It has a browser.tabs.remote.autostart;false (default false) and a browser.tabs.remote.desktopbehavior;true (default true) listed also.

    – New to 49 browser.safebrowsing.blockedURIs.enabled; set as true as default. Is that good?

    – There is a browser.safebrowsing.forbiddenURIs.enabled set as false as default also (not sure if new or not).

    – 2412 user_pref(“dom.enable_performance”, false); New to 49 is a dom.enable_performance_observer;false (default).

    1. Pants said on September 22, 2016 at 11:29 am
      1. Anonymous said on September 24, 2016 at 9:57 pm

        @Ainatar. Thanks for the info. I’ve added a warning to it and listed it in the troubleshooting prefs.
        // WARNING: sites WILL break as this gains traction: eg mega.nz requires workers

        Quite frankly, this sort of thing will become more widespread. Some of the major websites (google owned, twitter, etc) are the first to implement this kind of stuff, and it will become mainstream. I’m not into those kinda sites. I rarely have issues, but I am sure lots of people would. For me, anything that compromises my settings, I have secondary browsers for that.

      2. Ainatar said on September 24, 2016 at 5:05 pm

        user_pref(“dom.workers.enabled”, false); <=== Need to be set to true for downloads in mega.nz to work.

    2. Pants said on September 22, 2016 at 11:26 am

      I’ll slap up a pastebin so you have a copy like mine

      browser.tabs.remote.autostart is to do with e10s, so the
      browser.tabs.remote.autostart.2 will be another step in the e10s roll-out
      At this stage I would ignore it. If you have addons, you’ve fine. If you have opted out of experiements and health reports and calling home etc, you’re fine. e10s has a few versions to go yet, and prefs will come and go until its sorted out.
      Its not in version 10, but it is in my v11 (which is ongoing). Its not new, btw. It came with FF48.
      // 0440: disable mozilla’s blocklist for known FLASH tracking/fingerprinting (48+)
      // If you don’t have flash, then you don’t need this enabled
      // NOTE: if enabled, you will need to check what prefs (safebrowsing URLs etc) this uses to update
      // https://www.ghacks.net/2016/07/18/firefox-48-blocklist-against-plugin-fingerprinting/
      // https://bugzilla.mozilla.org/show_bug.cgi?id=1237198
      user_pref(“browser.safebrowsing.blockedURIs.enabled”, false);

      I don’t even have any plugins, let alone flash, so I disabled it anyway. If you do use flash then I suggest you enable it, as it will block lots of little flash advert and other thingies (assuming any urls required aren’t blanked).
      browser.safebrowsing.forbiddenURIs I’ll have to check .. here’s a link about some stuff https://bugzilla.mozilla.org/show_bug.cgi?id=1269773

      under 401b: (oh yeah, you probably don’t have the same version as: me see top line – will pastebin)
      // FF48+ disable “Warn me about unwanted and uncommon software” Also under Options>Security
      user_pref(“browser.safebrowsing.downloads.remote.block_potentially_unwanted”, false);
      user_pref(“browser.safebrowsing.downloads.remote.block_uncommon”, false);

      I don’t need this stuff, and I hate google’s false positive eg on nirsoft and I’m a big girl who can handle herself. But generally this stuff is good for you

      I see we also have in about:config: Not sure if these have any settings in the user interface
      // browser.safebrowsing.downloads.remote.block_dangerous
      // browser.safebrowsing.downloads.remote.block_dangerous_host
      // 2412: disable timing attacks – javascript performance fingerprinting
      // https://wiki.mozilla.org/Security/Reviews/Firefox/NavigationTimingAPI
      user_pref(“dom.enable_performance”, false);

      dom.enable_performance_observer as false sounds good.
      I only upgraded this morning, haven’t had time to do anything

      Pastebin link coming up

  161. earthling said on September 21, 2016 at 1:29 pm

    here we go again… this time for Harambe!

    diffs between FF prefs 48.0.2 and 49.0: http://pastebin.com/PQmZ1fv3

    Get your dicks out and start investigating! PEACE

    1. Pants said on September 22, 2016 at 10:48 am

      As a girl, how can I do that?

  162. guest said on September 16, 2016 at 9:17 am

    This site is called gHACKS and this post is about “privacy and security settings”, so why doesn’t this site use HTTPS then? It’s very easy to enable and certs from Let’s Encrypt are free.

    1. Martin Brinkmann said on September 16, 2016 at 9:25 am

      Because things are not always as easy as they look.

  163. earthling said on September 13, 2016 at 5:26 pm


    devtools.chrome.enabled doesn’t disable FF’s devtools.
    It toggles “Enable browser chrome and add-on debugging toolboxes” under ‘Advanced settings’.
    “Turning this option on will allow you to use various developer tools in browser context (via Tools > Web Developer > Browser Toolbox) and debug add-ons from the Add-ons Manager”

    Do you ask about Google because it has ‘chrome’ in the name?
    from https://developer.mozilla.org/en-US/docs/Glossary/Chrome:
    “In a browser, the chrome is any visible aspect of a browser aside from the webpages themselves (e.g., toolbars, menu bar, tabs). This should not to be confused with the Google Chrome browser.”

    I’d recommend to only set it to true when you need it to do something and reset it back when you’re done. That’s at least what I do.

    1. jacob said on September 13, 2016 at 9:32 pm

      That’s what I thought chrome meant in this context but I came across this: https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676

      Which also leads me to believe it’s worth setting devtools.chrome.enabled to false unless you need it. Personally, I set it to false on all my profiles except for a profile dedicated to testing webpages, where the profile has minimal changes to the default settings except tools for testing purposes.

      pyllyukko’s list has it set to false but his list had (has?) a tendency to be overly strict.

    2. Anonymous said on September 13, 2016 at 9:32 pm

      That’s what I thought chrome meant in this context but I came across this: https://github.com/pyllyukko/user.js/issues/179#issuecomment-246468676

      Which also leads me to believe it’s worth setting devtools.chrome.enabled to false unless you need it. Personally, I set it to false on all my profiles except for a profile dedicated to testing webpages, where the profile has minimal changes to the default settings except tools for testing purposes.

      pyllyukko’s list has it set to false but his list had (has?) a tendency to be overly strict.

  164. earthling said on September 13, 2016 at 5:10 pm

    Some new prefs from my list…

    To disable some things more thoroughly and with less stuff running in the background:
    user_pref(“app.update.interval”, 31536000); // 365 days in seconds
    user_pref(“browser.search.update.interval”, 31536000);
    user_pref(“experiments.manifest.fetchIntervalSeconds”, 31536000);
    user_pref(“extensions.update.interval”, 31536000);
    (with those prefs you’ll notice that the 4 related app.update.lastUpdateTime…. prefs won’t get updated)

    user_pref(“browser.laterrun.enabled”, false); // laterrun shows some mozilla pages to “new users”
    user_pref(“browser.safebrowsing.downloads.remote.block_dangerous”, false);
    user_pref(“browser.safebrowsing.downloads.remote.block_dangerous_host”, false);
    user_pref(“browser.safebrowsing.downloads.remote.block_potentially_unwanted”, false);
    user_pref(“browser.safebrowsing.downloads.remote.block_uncommon”, false);
    user_pref(“browser.selfsupport.enabled”, false);
    user_pref(“mathml.disabled”, true); // future-proofing, doesn’t exist yet in FF48.0.2

    user_pref(“browser.uitour.url”, “”);
    user_pref(“devtools.webide.adaptersAddonURL”, “”);
    user_pref(“devtools.webide.adbAddonURL”, “”);
    user_pref(“devtools.webide.addonsURL”, “”);
    user_pref(“devtools.webide.simulatorAddonsURL”, “”);
    user_pref(“devtools.webide.widget.autoinstall”, false);
    user_pref(“dom.ipc.plugins.enabled”, false);
    user_pref(“media.gmp-widevinecdm.enabled”, false);
    user_pref(“privacy.trackingprotection.ui.enabled”, true); // better Tracking Protection choices under Options
    user_pref(“urlclassifier.blockedTable”, “”);
    user_pref(“urlclassifier.disallow_completions”, “”);
    user_pref(“urlclassifier.downloadAllowTable”, “”);
    user_pref(“urlclassifier.downloadBlockTable”, “”);
    user_pref(“urlclassifier.forbiddenTable”, “”);
    user_pref(“urlclassifier.malwareTable”, “”);
    user_pref(“urlclassifier.phishTable”, “”);
    user_pref(“urlclassifier.trackingTable”, “”);
    user_pref(“urlclassifier.trackingWhitelistTable”, “”);

    For extensions that don’t have the flag ‘multiprocessCompatible’ set to true, get console output if a multiprocess shim is required for the extension to work with e10s (setting multiprocessCompatible to true in install.rdf disables the use of shims and the extension either works with e10s or it doesn’t)
    user_pref(“dom.ipc.shims.enabledWarnings”, true);

  165. jacob said on September 12, 2016 at 10:03 pm

    Are Firefox’s dev tools, enabled by setting `devtools.chrome.enabled` to `true`, created by or related to Google? IAre there privacy/security implications in using it, since pyllyukko’s user.js disables dev tools?

  166. Parker Lewis said on September 10, 2016 at 3:49 pm

    You might want to disable HTTP Alternative Services too. They were implemented in Firefox 37, disabled in 37.0.1 because of a security flaw, and enabled again in 38.

    From what I remember from the spec back then, with AltSvc you can end up with the URL in the address bar lying to you.

    Similarly to load balancing where a browser request to a server will in turn have that server pick another server to load resources from, HTTP Alternative Services allow the server that received the browser request to silently tell the browser to grab the resources elsewhere, even from another domain, albeit certified.

    The difference with this method is that the browser is more exposed and it’s lying to the user about the origin it is connected to. The domain is changed within the browser at a low level inaccessible to JavaScript (and perhaps to add-ons as well), so undetectable.

    On the other hand, this enables one useful “alternative service”, opportunistic encryption, which makes HTTP more secure by encrypting it without any guarantee regarding who has the keys. (It’s not meant as a replacement to HTTPS, just hardening HTTP a little)

    Assuming my memories are all correct, I consider the gain not worth the cost, especially with such a recent spec correctness of implementations has not been time tested. I would advise to disable HTTP Alternative Services altogether for now and as an unfortunate side affect, lose opportunistic encryption.

    Downside #2 Fingerprint. Who else disables them on Firefox ? But when it comes to this highly customized user.js, one more setting is way past being a concern :)

    Note: I can’t remember if this is HTTP/2 only or available to HTTP 1.1 as well.


  167. Pants said on September 7, 2016 at 2:03 am

    A swag of html5 attack vectors with tests: https://html5sec.org/

  168. earthling said on August 23, 2016 at 5:15 pm

    >>> diffs between FF prefs 48.0 and 48.0.1:
    >>> new in v48.0.1:
    pref(“loop.legal.loop_deprecate_url”, “https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/hello-status”);

    >>> changed in v48.0.1:
    pref(“e10s.rollout.cohortSample”, “0.102032”); // prev: “0.245302”
    pref(“places.history.expiration.transient_current_max_pages”, 67235); // prev: 67394

  169. guest said on August 19, 2016 at 1:35 pm

    FF48. Can’t upload images on ebay. Which setting is the cause? Does it work for you?

    1. Pants said on August 19, 2016 at 9:03 pm

      I don’t have an ebay account, so I can’t troubleshoot it for you.

      I suggest you download a portable FF 48 ( http://portableapps.com/apps/internet/firefox_portable )
      1. Unpack it
      2. Open it – note you run FirefoxPortable.exe. – so that things such as prefs.js get populated etc. Add an ebay bookmark, login as well. Close FF. This is your extension-free, clean, profile with ebay bookmark+cookie+auto-login etc. Feel free to change the start page to about:blank etc. This is your master profile for testing.
      3. Copy the profile folder a few times, name them however you like eg
      – D:\Portable\FirefoxPortable\Data\profile
      – D:\Portable\FirefoxPortable\Data\profile-copy1
      – D:\Portable\FirefoxPortable\Data\profile-copy2
      – D:\Portable\FirefoxPortable\Data\profile-clean-master
      4. Whenever you need to reset your profile between tests, simply close FF, delete the profile folder, rename or copy a backup clean master version to replace it. Start the next test.
      5. Test by adding the user.js with no changes. If the problem exists (assuming no antivirus interference) then we reset (i.e is close FF, replace the profile folder) and continue (see below). If the problem doesn’t exist anymore then the cause is something else.

      One testing methodology is to add incrementally until the breakage occurs. i.e, create a new blank user.js in your profile, and paste in section 100 and save. Test. Close FF. Paste in section 200 and save. Restart FF and test. etc etc etc until you find the section causing the issue. Some sections you can ignore in your case, eg it won’t be 0100 search, it won’t be 0200 geolocation, it won’t be 0300+0400 updating/safebrowsing etc and so on. It won’t be the plugins section either, or fonts. I’d bet my hat on it. You don’t have to do the sections in order, but use educated guesses. I’ll try to save you some time here – start with sections 1200 (SSL stuff), then 2400 (javascript/dom) and then 2600 ( misc).

      Once you have narrowed down a section, then look at toggling the prefs in about:config one by one. I’d also look at the prefs from latest added. eg – lets say you narrow it down to section 2400, start by looking at the newest added prefs first eg 2440 workers api, then 2431+2430 web/push notifications etc,
      ^^ NOTE: some of these may actually require a restart (let’s face it all this stuff is undocumented), and it would probably be best to clear the cache each time (ctrl-shift-del).

      Let us know how you get on, and good luck.

      1. guest said on August 21, 2016 at 8:38 am

        Thanks. I’m not sure which setting it is, but after resetting it still didn’t work even without any settings. Turns out it that stage that it was FF’s own tracking protection (little shield symbol at left at the URL bar). Well, I had uBlock Origin installed after reset before uploading images there, so it might have been its tracking protection? Sry I didn’t bother to figure it completely out yet since it was quite a hassle. Maybe next time. I’m still using the same user.js because it’s not like I upload daily to there.

        PS: Thanks for your work.

  170. Dubious Hacker said on August 10, 2016 at 10:57 pm

    How can one be sure the user.js has been applied to Seamonkey?
    I see a prefs-1 file but it’s just 0 kb.

    1. Pants said on August 11, 2016 at 12:49 pm

      I’m not sure how much of this user.js applies to Seamonkey. The latest SM is version 2.40 from March 2016 (from wiki), but I do not use it. And FF and SM are quite divergent. However, any settings which do not apply won’t hurt, they’ll just be useless entries that do nothing. Some of the deprecated settings may apply.


      Same as Firefox. The prefs.js holds your custom preferences (eg as you change things in about:config) they get written to prefs.js. The user.js is applied on startup and reads any settings and applies them to prefs.js, then FF, as it starts, loads prefs.js to override default values in about:config.

      1) SM start –> reads user.js –> adds/edits prefs.js –> overwrites defaults in about:config
      2) edit items in about:config, if custom values -> written to prefs.js

      So effectively pref.js is all your custom settings, with user.js resetting values at startup.

      I do not know what this prefs-1 file is. at 0 bytes I would say it is garbage. First of all, you will need the user.js file in your profile folder (and I suggest you read it first and comment some prefs out). I suggest you backup/copy your existing prefs.js first. Alternatively, don’t put the user.js in your profile folder, but rather, one by one, change the settings in about:config and edit your “offline” master user.js file (eg in My Documents, not in your SM profile folder) with notes, remove things, etc as you learn about them. At the end, you will have a user.js that you can use.

      To see if all the entries in the user.js were applied, you could spot check a few entries, or alternatively use the custom preference which in v10 is set as “pants.testing”. Assuming you leave the two entries in (one at the start, one at the end), then if it shows as:
      – 100 then the user.js started but aborted somewhere (syntax error)
      – 9999 then everything when according to plan
      This only covers syntax errors. Data type mismatches get written to prefs.js but ignored by FF.

  171. Pants said on August 8, 2016 at 11:07 am

    FWIW… I have done away with the pants.testing integer syntax check prefs, and changed it to a canary string .. or rather, a parrot. “parrot” is still unique to search for.

    // START: internal custom pref to test for syntax errors
    user_pref(“ghacks_user.js.parrot”, “This parrot is no more! He has ceased to be! This is an ex-parrot!”);

    // END: internal custom pref to test for syntax errors
    user_pref(“ghacks_user.js.parrot”, “No no he’s not dead, he’s, he’s restin’! Remarkable bird, the Norwegian Blue”);

    I’m sure some of you will get the reference :)

  172. Rabbit said on August 8, 2016 at 12:31 am

    You should wrap this user.js file in pre / code tags so it doesn’t look like I’m reading 100 page article.

    1. Pants said on August 8, 2016 at 10:46 am

      Rabbit: please read the part that says:

      “Alternatively, you may load a custom HTML version of the list: User.js Light or User.js Dark, and load the changelog directly as well.”

      The html versions files are also in the downloaded zip, all color coded with urls linkified. I have also kept the lines to around 100 chars maximum (a few lines sneak past that) for this site, as well as eliminating word wrap in IDEs. Martin has his own technical reasons to not use pre tags (mainly text wrapping issues/smaller res/mobile site and maybe some wordpress limitations).

      Link1: the zip file version 10

      Link2+: the online version 10 html files (kindly hosted by Martin – this is the first time he has ever hosted content outside of his own site web pages/design)

  173. earthling said on August 3, 2016 at 2:13 pm

    diffs between FF prefs 47.0.1 and 48.0: http://pastebin.com/a6yFYmjU (-> will expire in a month)

    Created on Windows with PortableFFs and with only PortableFF’s prefs.js and 1 additional extension to export the list.
    Removed some prefs from the list that are different because their values are timestamps, buildID, mstone etc.

    1. Pants said on August 3, 2016 at 4:52 pm

      I do not like the look of all that services.kinto* prefs. More social / sharing stuff. Anyone got any more info on it?

      1. earthling said on August 3, 2016 at 5:09 pm

        Hi, kinto is supposed to replace the blocklist download feature.
        “The goal is to replace the current system based on a single XML file downloaded everyday by several Kinto collections.”

      2. Martin Brinkmann said on August 3, 2016 at 5:08 pm
    2. Pants said on August 3, 2016 at 4:50 pm

      Yikes. All that new predictor stuff ( see https://bugzilla.mozilla.org/show_bug.cgi?id=1016628#c39 ). Its off for 48 (caused some real slowdowns and a fair few bugs), might be on for 49. I’m still trying to work out exactly what this thing does. It’s some sort of internal rolling count of resources loaded so your own history/browsing can drive the smarts about pre-fetching. I don’t quite understand what the heck this is about.

      // 0608: disable predictor / prefetching (FF48+)
      use_pref(“network.predictor.enable-prefetch”, false);

      1. earthling said on August 3, 2016 at 7:09 pm

        https://dxr.mozilla.org/mozilla-release/source/netwerk/base/Predictor.cpp is the file with all this stuff in it.
        I found an awesome way to debug certain modules if MOZ_LOG is used!

        static LazyLogModule gPredictorLog(“NetworkPredictor”);
        #define PREDICTOR_LOG(args) MOZ_LOG(gPredictorLog, mozilla::LogLevel::Debug, args)

        Create 2 environment variables before launching FF…

        set NSPR_LOG_MODULES=timestamp,NetworkPredictor:5
        set NSPR_LOG_FILE=/tmp/NetworkPredictor.log

        we should be good with (‘network.predictor.enabled’, false)

      2. earthling said on August 3, 2016 at 6:22 pm

        Damn, that would be a pretty shitty naming policy then! Are you sure though?
        The comment I have in my user.js (from 12bytes list) for that pref is:
        // [boolean] similar to network.prefetch-next, whether to prefetch resources for sites not yet visited
        I’ll do some dxr-ing to make sure. Normally they have prefBranches ‘network.predictor.’ that then covers all the stuff related to it.
        If not, I’d have to add alot more prefs that I thought would be covered by ‘whatever.enabled’ but maybe are not, just to make sure!
        I recently started looking for some logging.level prefs and some other debug prefs, to see if things are really disabled and/or what is still running in the background. Might need to look for some more now.

      3. Pants said on August 3, 2016 at 6:21 pm

        ^^typo .. don’t copypasta that.. i missed the R in user_pref

      4. Pants said on August 3, 2016 at 5:58 pm

        I’m unsure if “network.predictor.enabled” (0603) which is/was about Seer/Necko has anything to do with the new set of prefetches. Wish we knew more. I though Seer/Necko was dead.This is something different maybe Or it’s been revived. Seer was called Necko “Predictive Network Actions”, so maybe it’s being rebuilt. In some of the bug tickets they talk about the old seer/necko sql database that was going to hold the information. Who knows. Future proof I say.

      5. earthling said on August 3, 2016 at 5:33 pm

        I hope ‘network.predictor.enabled’ covers all that already, but better to be safe than sorry.
        I’ll add ‘network.predictor.enable-prefetch’ to my user.js too.
        No worries about FF49+, I now have everything set-up and ready and will be posting similar lists for each new version from now on, and we’ll catch it when the time comes.

        One other thing I noticed in the new profiles I created for the purpose of creating the diffs-list, and it’s not in the posted list because both profiles were new and therefore had that pref is ‘browser.laterrun.’-stuff.
        I didn’t have it in my user.js and yours is missing it too. I think it’s supposed to show new users some pages.
        (browser.laterrun.pages.) but I couldn’t find any such pages-prefs in dxr except in some test-files. It gets disabled after a while automatically, but I added it to my user.js now anyway because I don’t want that shit. (browser.laterrun.enabled, false)

    3. Pants said on August 3, 2016 at 4:10 pm

      Cheers, am weeding my way thru a few things myself. If you want to update 1211 with the new value of 3, here’s the info ( see https://dxr.mozilla.org/mozilla-release/source/security/manager/ssl/tests/unit/test_cert_sha1.js#74 and the four test states given). Back in Jan Mozilla disabled SHA-1 but it broke for too many people (probably 3rd party AV), and then they reverted to enabled but also created option=2, now they’ve created option=3. I’m actually personally going to disable it: have been at =2 for several months and nothing seems to break. Will give turning it off a spin. Time for it to die.

      // 1211: disable or limit SHA-1
      // 0 = allow SHA-1, 1 = forbid SHA-1, 2 = allow SHA-1 only if before 2016
      // 3 = allow SHA-1 for certificates issued before 2016 OR by an imported root.
      // WARNING: when disabled, some man-in-the-middle devices (eg security scanners and antivirus
      // products, are failing to connect to HTTPS sites. SHA-1 will eventually become obsolete.
      user_pref(“security.pki.sha1_enforcement_level”, 1);

      1. earthling said on August 3, 2016 at 6:09 pm

        Yeah, I’ve never noticed a problem with those 3 (1213, 1214) either, but I only added them not too long ago.
        The sad thing about the TLS pref is that it mostly breaks mozilla-related pages for me :(

      2. Pants said on August 3, 2016 at 5:47 pm

        Yeah, (1209) my TLS is at default variable 1 – might be time for me to revisit it at variable 2, last time would have been 4 or 5 months ago and too much shit broke.

        BTW: I added these – they were on my list, but your earlier post ( https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3943919 ) made me do it

        // 1213: disable 3DES (effective key size < 128)
        // https://en.wikipedia.org/wiki/3des#Security
        // http://en.citizendium.org/wiki/Meet-in-the-middle_attack
        // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
        user_pref("security.ssl3.rsa_des_ede3_sha", false);
        // 1214: disable 128 bits
        user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
        user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);

      3. earthling said on August 3, 2016 at 5:13 pm

        I have it disabled for a while now, never set it to 2 and won’t be setting it to 3 either.
        Pages that sometimes break for me are due to my setting of (‘security.tls.version.min’, 2)

  174. Pants said on August 3, 2016 at 5:01 am

    FF48 safebrowsing changes:

    Note: browser.safebrowsing.malware.enabled was moved from 0410b to 0410a as these two settings now in 0410a are toggled together under the new title “Block dangerous and deceptive content”

    Note: FF renamed “Block reported attack sites” to “Block dangerous downloads”

    Note: 0410b has two new entries which toggle together under “Warn me about unwanted and uncommon software”

    // 0410a: disable “Block reported web forgeries” This setting is under Options>Security
    // this covers deceptive sites such as phishing and social engineering
    // in FF48+ this is now titled “Block dangerous and deceptive content”
    user_pref(“browser.safebrowsing.enabled”, false); // FF49 and earlier
    user_pref(“browser.safebrowsing.malware.enabled”, false);
    // user_pref(“browser.safebrowsing.phishing.enabled”, false); // FF50 and later
    // 0410b: disable “Block reported attack sites” This setting is under Options>Security
    // this covers malware and PUPs (potentially unwanted programs)
    // FF48+ this is now titled “Block dangerous downloads”
    user_pref(“browser.safebrowsing.downloads.enabled”, false);
    // FF48+ disable “Warn me about unwanted and uncommon software” This setting is under Options>Security
    user_pref(“browser.safebrowsing.downloads.remote.block_potentially_unwanted”, false);
    user_pref(“browser.safebrowsing.downloads.remote.block_uncommon”, false);

  175. Emily said on August 2, 2016 at 12:58 am

    Are there similar lists for Chrome and Opera?

    1. Pants said on August 3, 2016 at 5:40 pm

      No – because Chrome is virtually un-configurable :). It has very few “switches” (especially when it comes to ones to do with privacy, tracking, security, fingerprinting – i.e they do not want to allow you to meddle with their ability to monetize you via their other services, and they think you’re a baby who can’t make security decisions). Besides the ones in Options, you can access more by entering chrome://flags/ in the urlbar. Chrome also doesn’t allow for a user.js, but uses switches on your shortcut – you’ll find examples and other info in the chrome articles by Martin ( https://www.ghacks.net/category/google-chrome-browsing/ ). That said, with a few tweaks and some well configured extensions, you can make Chrome way way way better than the default vanilla setup – but nowhere near as good as FF (by which I mean FF with about:config tweaks and also extensions).

      Opera, I don’t really use either – but it’s basically in the same boat as Chrome, AFAIK.

  176. earthling said on July 22, 2016 at 4:30 pm

    a few prefs from pyllyukko I find interesting and might be worth to add, active or commented, for completeness sake.

    // Always use private browsing
    // https://support.mozilla.org/en-US/kb/Private-Browsing
    // https://wiki.mozilla.org/PrivateBrowsing
    user_pref(“browser.privatebrowsing.autostart”, true);

    // CIS Mozilla Firefox 24 ESR v1.0.0 – 3.6 Enable IDN Show Punycode
    // http://kb.mozillazine.org/Network.IDN_show_punycode
    user_pref(“network.IDN_show_punycode”, true);

    // 3DES -> false because effective key size < 128
    // https://en.wikipedia.org/wiki/3des#Security
    // http://en.citizendium.org/wiki/Meet-in-the-middle_attack
    // http://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html
    user_pref("security.ssl3.rsa_des_ede3_sha", false);

    // 128 bits
    user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
    user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);

  177. Pants said on July 21, 2016 at 8:45 am

    Holy cowabunga … we’ve cracked 500 comments. Martin needs to give us a gold star I reckon.

  178. earthling said on July 19, 2016 at 12:31 pm

    some more prefs for your consideration:

    // 2602: CIS 2.3.2 disable downloading on desktop
    user_pref(“browser.download.folderList”, 2); // 2 remembers the lastDir and stores in browser.download.lastDir, 0 or 1 is preferable IMO. 2 and an empty lastDir results in an error message in console when opening Options – not that anyone cares but still ;-) I usually download to Desktop anyway, so one less error message, a few clicks less to choose download dir each time and it won’t store anything in another pref. (0=DesktopDir, 1=DownloadDir)
    user_pref(“network.protocol-handler.external.mailto”, false); // disable mailto handler
    user_pref(“javascript.options.mem.high_water_mark”, 30); // This parameter tells the garbage collector to start running when javascript is using 30 MB of memory. Garbage collection releases memory back to the system.
    user_pref(“extensions.enabledScopes”, 1); // lock down allowed extension directories
    user_pref(“browser.safebrowsing.provider.google.lists”, “”);
    user_pref(“browser.safebrowsing.provider.mozilla.lists”, “”); // found some code in dxr which enumerates those, and “” speeds up FF a tiny bit if we don’t need them anyway.
    user_pref(“media.gmp.trial-create.enabled”, false);
    user_pref(“media.gmp-widevinecdm.enabled”, false);

    user_pref(“privacy.sanitize.timeSpan”, 0); // reset default ‘Time range to clear’ to ‘Everything’ for ‘clear recent history’

    // disable telemetry for the next few hundred versions
    user_pref(“toolkit.telemetry.notifiedOptOut”, 999);
    user_pref(“toolkit.telemetry.prompted”, 999);
    user_pref(“toolkit.telemetry.rejected”, true);

    user_pref(“services.sync.enabled”, false); // disable Sync

    // prevent handlerService overwrites, see chrome://browser-region/locale/region.properties
    user_pref(“gecko.handlerService.defaultHandlersVersion”, “999”);

    // always reset to same as default, stores opened tools (devtools, etc); less junk in prefs.js
    user_pref(“devtools.telemetry.tools.opened.version”, “{}”);

    user_pref(“browser.uitour.url”, “”);
    user_pref(“app.update.silent”, false);
    user_pref(“app.update.staging.enabled”, false);
    user_pref(“privacy.clearOnShutdown.openWindows”, false);
    user_pref(“privacy.cpd.openWindows”, false);

    1. Pants said on July 19, 2016 at 9:21 pm

      working thru them, and others *sigh* – here’s some thoughts on a few of them

      // 2805: reset default ‘Time range to clear’ for ‘clear recent history’ (see 2804 above)
      // 0=everything 1=last hour, 2-last 2 hours, 3=last 4 hours, 4=today
      user_pref(“privacy.sanitize.timeSpan”, 0);

      extension scopes have two settings and it’s a tad confusing – see this (from 2012) https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/ – I need to factor in “extensions.autoDisableScopes” as well, and any ramifications.

      network.protocol-handler.external.mailto – can you explain why we would disable mailto? Does disabling this stop mailto’s being clickable? I use an external application (Thunderbird), so I assume this stops the external launching of my client? I don;t know what happens with mailto being associated with webmail (such as gmail). Is there some security risk here I’m not seeing?
      ^ Side note: not sure if I’ve covered this anywhere (href=”tel:0800-SEXYPANTS”) – it’s handy on a smart phone, useless on a desktop, and I think on a smart phone if you accidently click a phone number, you still have to confirm to make the call. Pretty sure there’s a setting for this somewhere.

      javascript.options.mem.high_water_mark – yikes, 30? default (FF47) for me is 128. I have 8gb of ram. Not sure if this is needed but may add for info. If anyone wants to defeat e-Tags, they can go completely cache stateless (zero disk, zero memory), and the prefs for that are already listed. Is there any real benefit from making the JS garbage collection start early and JS container hold less? I assume this is just JS .. I guess 30gb of JS is hell of a lot. Need more technical info and if there is any info on benefits to security/privacy.

      1. earthling said on July 19, 2016 at 11:13 pm

        scopes: In most cases you want extensions.autoDisableScopes to be 15 which forces FF to always ask if you want to install an extension, no matter where it’s located. enabledScopes can exclude some locations from being able to load addons from in general. The app folder setting (4 (SCOPE_APPLICATION)) is now largely ignored I think, because they rely on the default theme being available.
        Those prefs can be useful in a company environment where the admin wants to always install certain addons for every profile without asking the user for approval. He/she could then change autoDisableScopes to exclude the location where they place the addons. For home computers 15 is default and if you want to include it, I’d set to 15. Now, enabledScopes was useful to suppress all the addons that FF bundled like pocket and hello before they changed it to ignore that location. Hopefully mozilla will include the default theme into one of their omni.ja or similar files if they rely on it being available and that pref would make a bit more sense again. As it is right now, it can perhaps be a bit useful to prevent malware from installing addons into a more “hidden” folder than the profile’s extension folder. But you would still get asked about installing it into your profile either way, so yeah, maybe not the most useful of prefs at the moment for home environment.

        network.protocol-handler.external.mailto – it does indeed stop mailto’s being clickable. They’re still clickable but nothing happens. But you’re right, I can’t think of a security risk. It was probably a stupid suggestion, and it’s more a personal preference in that I don’t want anything being started from inside of FF.

        javascript.options.mem.high_water_mark – I found that one here: https://www.reddit.com/r/linux/comments/39q6xt/some_useful_firefox_tips_to_fix_choppy_scrolling/
        Could be useful for people on older devices with less RAM or for VM’s.
        e-tags has nothing to do with JS and can be read by the server from the request headers.
        It has IMO very little to no benefit to security/privacy, just memory usage reduction.
        I’m sorry, it’s just another stupid suggestion. I mean jesus at this stage you’ve everything covered already and we can only come up with stupid and slightly less stupid suggestions for new prefs :) What do you expect?! It’s your fault – girl! Why did you do such a freaking awesome job with your user.js?!?

        I’m glad you like at least one so far, I’m happy with that :)

        btw. I modified an extension to create a full list of all prefs in about:config, to make it easy to spot changes between FF releases. I’ll be posting the first diff of those lists as soon as FF48 hits.

  179. wtf said on July 11, 2016 at 7:04 pm


    What script or program did you use for the changelog? I’m new to Linux and found out about vim diff but not comfortable using it yet (unless it’s easier than it looks).

    1. earthling said on July 11, 2016 at 10:44 pm

      I wrote a script to deal with multiple user.js files. Only had to adjust it slightly to output the changelog. It parses the files, extracts all the active user_pref(…) values, sort them and then just loop over it and output whatever I’m interested in.

      1. wtf said on July 13, 2016 at 4:14 am

        I’m compiling a documentation on some notes that would benefit from that kind of script–do you mind sharing? :)

  180. jacob said on July 9, 2016 at 7:59 am

    Isn’t user_pref(“network.proxy.type”, 5); /* use system proxy settings, instead of no proxy */ better to avoid potential IP leak or accidental misconfiguration of proxies?

  181. rieje said on July 8, 2016 at 8:21 am


    media.navigator.video.enabled = false // source: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/380024/Browser_Security_Guidance_-_Mozilla_Firefox.pdf
    datareporting.healthreport.service.firstRun = false
    browser.usedOnWindows10 = false
    toolkit.telemetry.reportingpolicy.firstRun = false
    browser.reader.detectedFirstArticle = false
    devtools.devedition.promo.url = https://www.mozilla.org/firefox/developer/
    atareporting.policy.dataSubmissionPolicyAcceptedVersion = 0
    device.storage.enabled = false
    datareporting.policy.dataSubmissionPolicyAcceptedVersion = 0
    datareporting.policy.dataSubmissionPolicyNotifiedTime = “0”
    dom.allow_cut_copy = false // hidden pref?
    dom.archivereader.enabled = false
    gecko.buildID = 20100101 // from 12bytes’s guide–is it only necessary to set general.buildID.override to 20100101 or should this be set as well?

    Is the following deprecated (not from your user.js)? They are not in mozilla-release in the dxr, but I’ve been told that does not necessarily mean it’s not available in the stable version O_o–how can I properly check? Does the FF release notes for the stable version show which about:config entries are added/removed/changed and if not, how do you find a complete list?

    toolkit.telemetry.unifiedIsOptIn = true
    media.websocket.enabled = false
    social.enabled = false
    social.manifest.facebook = “”
    browser.search.param.yahoo-fr = “” (from 12Byte’s config)
    browser.search.param.yahoo-fr-ja = “” (from 12Byte’s config)
    toolkit.telemetry.optoutSample = true
    toolkit.telemetry.prompted = 2
    toolkit.telemetry.rejected = true
    toolkit.crashreporter.enabled = false
    dom.disable_window_open_feature.directories = true
    browser.microsummary.updateGenerators = false

    What does privacy.clearOnShutdown.openWindows = true do? Does it include the current window?

    Is it recommended to lock a pref to ensure it uses the default settings (i.e lock security.csp.enable = true when it’s default value is already true) to prevent potentially malicious addon or third-party (or even FF themselves) from changing it? Or is it not worth it?

    Is there a way to set DuckDuckGo as the only available search engine and remove all others using about:config settings? I played around with browser.search* settings but they seem to have no impact. Do you do anything special to remove searchplugins files from Firefox installation folder, which 12Bytes suggested (CTRL + F “Firefox post install cleanup” in http://12bytes.org/articles/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)?

    Any sources that say specifically that hardware acceleration is a privacy concern? I know that WebGL is. Someone said this: “Additionally, I think HWA disabled can lead to increased “uniqueness” via timing attacks. Website could test how fast you can for example decode a video (probably slower without acceleration) or measure frame time when doing something reasonably heavy computation – I bet that users without HWA can be identified pretty easily here.”

    P.S. To those wondering whether to disable PDF.js, I actually came across a thread that talked about and the consensus is that external PDF applications also suffer from exploits (i.e. not all exploits are a result of JavaScript) and PDF.js is usually quick to patch these exploits, whereas external PDF applications tend to do it much slower or may not even do anything about it. I am actually going to force enable it.

    1. Pants said on July 9, 2016 at 6:57 am

      Will do the rest later. Meanwhile…