The most comprehensive Firefox user.js has been updated
We released a first version of a user.js file for Firefox that concentrated on privacy and security settings back in 2015.
It was the most comprehensive undertaking of its kind back then, and was made possible by Ghacks regular Pants, who spent months researching entries and putting them in context.
Firefox, unlike the majority of non-Firefox browsers out there, comes with an extensive under-the-hood section of preferences that users can control.
A large part of those are for privacy and security features. While it makes sense to keep some in their default state, you may benefit from better security or privacy by modifying others.
The update introduces a massive number of changes to the list. Some preferences have been removed by Mozilla, others added or changed.
Without further ado, let's hear it from the girl who created the list: Pants
It's been over a year since I started my own user.js, over ten months since I shared it here at ghacks and the overwhelming support and feedback led to Martin kindly publishing it, and a whopping six months since the last update was published.
That was version 0.8. I don't think a day has gone by in all that time where I haven't researched or read something or tinkered with Firefox or edited my user.js. Some days I have spent up to 10 hours on it. I am by no means an expert (despite over a year of reading), and some of the really technical stuff, especially new tech, just flies over my head (I do not have the time to invest in everything), but I have gone to great lengths to research, cite, understand and justify any settings - this includes debunking / disregarding / correcting / setting-the-record-straight on dozens of preferences that are incorrectly described across the web. Don't believe everything you read.
While this list is unique, it has been compiled from hundreds of sources and from my own research. But without the help of those sources, and indeed Mozilla for building the preferences in, we could not have done it. So with that in mind, I would like to specifically thank the following:
- pyllyukko, CHEF-KOCH, fmarier (especially for his insights into safebrowsing - see the new revamped 0410 section) and the many contributors and followers at https://github.com/pyllyukko/user.js . These guys are awesome.
- the ghacks community and commentators for suggestions, information, and for pushing this list to even greater heights. Guys such as Just me, Conker, earthling, & Rockin' Jerry. They put me through the wringer. Thanks guys (and gals!).
- Martin for putting up with me and hosting the list and writing the articles.
- and last but not least, Bob. Thanks Bob.
I would also like to share with you, thanks to fmarier (Francois Marier, a Firefox Security Engineer), what I consider to be great news (it's old news, but why don't these things get more attention? I only found out a few days ago).
Don't get me wrong, I love Firefox and know it to be the best browser in terms of "power users" and the ability to tweak and protect privacy. And I'm excited for e10s.
But I have also at times bemoaned Mozilla's urgency to get on with patching some privacy/fingerprinting issues (just one example being the resource://URI's leak, the Proof of Concept has been around for over three years). So it came as some surprise for Francois to link me to this ( https://wiki.mozilla.org/Security/Tor_Uplift/Tracking ).
I have long wished for some of the work that the TBB (Tor Browser Bundle) has built, to be incorporated into the Firefox core. Looks like somewhere, someone, got busy; contacts were made, people got excited, and stuff is happening, fast. These guys are working hard and making great strides.
Look at the completed bugs (blocking SSL session IDs, spoofing various screen/window measurements, permissions caching). Look at the assigned ones (white-listing fonts, blocking plugin enumeration and mime types (again), reducing precision timing attacks with random microseconds, disabling MathML).
Look at the ones still left to be assigned, which will almost certainly be addressed (isolating favicons, isolating DOM, canvas fingerprinting, disabling SVG). This is AWESOME!!!! And a lot of the hard work has already been done by TBB. Thanks TBB.
I also find this comment very interesting. What's your take on it?
"Our primary goal is to un-fork the Tor Browser." - Dave Huseby
So here at last, I present to you the ghacks user.js version TEN. Yup, that's right, v.10. There is no version nine. I posted a number of different version nine betas in the wild and I would like to signify this release with a new number.
I will attempt to list some things in the changelog, but quite frankly, there is just way too much (I did a file compare and it's over half the lines - I will not be listing that).
So just treat this as a whole new experience to explore things. I have created new sections (such as hardware fingerprinting), revamped sections (such as safebrowsing), made a very very few number changes (sorry if that upsets anyone), moved a few things around, corrected some data type errors, and of course added tons of new stuff, more information and sources.
All items were checked in a vanilla FF, to see if they existed in about:config - anything not shown, was then searched for in the MXR and DXR current release, and inspected. This led to items being moved to deprecated, and for a lot of items to be confirmed as hidden prefs. Anything that is a hidden pref has been marked as such - currently there are 12 - just search for "(hidden pref)".
Lastly, please remember that this is my user.js as it is today. I do not expect or want anyone to just run with it. You should know what you are doing. That said, I have kept the warning list at the top up to date, but I will never catch everything for everybody. This list is meant to be a TEMPLATE, please treat it as such.
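The checks mentioned above (data type errors, and searching for "(hidden pref)") can be scripted against your own copy of a user.js. The following is an added example, not code from Pants or ghacks; the pref names are constructed, and it assumes the "(hidden pref)" marker sits in a comment on or before the pref it describes.

```javascript
// Constructed sample in user.js syntax; every pref name here is hypothetical.
const SAMPLE = `
// 0001: (hidden pref) example entry
user_pref("example.hidden.feature", true);
user_pref("example.cache.size", "0");
user_pref("example.telemetry.enabled", "false");
user_pref("example.homepage", "about:blank");
/* user_pref("example.disabled", 1); */
user_pref("example.cache.size", 0);
`;

const HIDDEN_MARK = "(hidden pref)"; // marker text quoted in the article
const PREF_RE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

function valueType(raw) {
  if (raw === "true" || raw === "false") return "boolean";
  if (/^-?\d+$/.test(raw)) return "integer";
  if (/^"(?:[^"\\]|\\.)*"$/.test(raw)) return "string";
  return "unknown";
}

function auditUserJs(text) {
  const original = text.split(/\r?\n/);
  // Blank out /* ... */ comments but keep newlines so line numbers still match.
  const code = text
    .replace(/\/\*[\s\S]*?\*\//g, (c) => c.replace(/[^\n]/g, " "))
    .split(/\r?\n/);
  const prefs = new Map(); // name -> last assignment (a later line overrides an earlier one)
  const report = { suspectTypes: [], duplicates: [], hidden: [] };
  let hiddenPending = false;
  code.forEach((line, i) => {
    if (original[i].includes(HIDDEN_MARK)) hiddenPending = true;
    const m = PREF_RE.exec(line); // lines starting with // never match
    if (!m) return;
    const [, name, raw] = m;
    // A quoted boolean or integer is a string value: usually a data type error.
    if (/^"(true|false|-?\d+)"$/.test(raw)) {
      report.suspectTypes.push({ name, line: i + 1, raw });
    }
    if (prefs.has(name)) report.duplicates.push(name);
    prefs.set(name, { type: valueType(raw), raw, line: i + 1 });
    if (hiddenPending) { report.hidden.push(name); hiddenPending = false; }
  });
  return { prefs, report };
}

console.log(JSON.stringify(auditUserJs(SAMPLE).report, null, 2));
```

Names listed under `hidden` are the ones to look up in the source rather than in about:config, since a hidden pref does not appear there until it is set.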