The most comprehensive Firefox user.js has been updated

We released a first version of a user.js file for Firefox that concentrated on privacy and security settings back in 2015.
It was the most comprehensive undertaking of its kind back then, and was made possible by Ghacks regular Pants who spend months researching entries and putting them in context.
Firefox, unlike the majority of non-Firefox browsers out there, comes with an extensive under-the-hood section of preferences that users can control.
A large part of those are for privacy and security features which you can control. While it makes sense to keep some in default state, you may benefit with better security or privacy by modifying others.
The most comprehensive Firefox user.js has been updated
The update introduces a massive list of changes to the list. Some preferences have been removed by Mozilla, others added or changed.
Check out the updated Ghacks user.js version 0.11 list here
Without further ado, lets here it from the girl who created the list: Pants
It's been over a year since I started my own user.js, over ten months since I shared it here at ghacks and the overwhelming support and feedback led to Martin kindly publishing it, and a whopping six months since the last update was published.
That was version 0.8. I don't think a day has gone by in all that time where I haven't researched or read something or tinkered with Firefox or edited my user.js. Some days I have spent up to 10 hours on it. I am by no means an expert (despite over a year of reading), and some of the really technical stuff, especially new tech, just flies over my head (I do not have the time to invest in everything), but I have gone to great lengths to research, cite, understand and justify any settings - this includes debunking / disregarding / correcting / setting-the-record-straight on dozens of preferences that are incorrectly described across the web. Don't believe everything you read.
While this list is unique, it has been compiled from hundreds of sources and from my own research. But without the help of those sources, and indeed Mozilla for building the preferences in, we could not have done it. So with that in mind, I would like to specifically thank the following:
- pyllyukko, CHEF-KOCH, fmarier (especially for his insights into safebrowsing - see the new revamped 0410 section) and the many contributors and followers at https://github.com/pyllyukko/user.js . These guys are awesome.
- the ghacks community and commentators for suggestions, information, and for pushing this list to even greater heights. Guys such as Just me, Conker, earthling, & Rockin' Jerry. They put me through the wringer. Thanks guys (and gals!).
- Martin for putting up with me and hosting the list and writing the articles.
- and last but not least, Bob. Thanks Bob.
I would also like to share with you, thanks to fmarier (Francois Marier, a Firefox Security Engineer), what I consider to be great news (its old news, but why don't these things get more attention?
I only found out a few days ago). Don't get me wrong, I love Firefox and know it to be the best browser in terms of "power users" and the ability to tweak and protect privacy. And I'm excited for e10s.
But I have also at times bemoaned Mozilla's urgency to get on with patching some privacy/fingerprinting issues (just one example being the resource://URI's leak, the Proof of Concept has been around for over three years). So it came as some surprise for Francois to link me to this ( https://wiki.mozilla.org/Security/Tor_Uplift/Tracking ).
I have long wished for some of the work that the TBB (Tor Browser Bundle) has built, to be incorporated into the firefox core. Looks like somewhere, someone, got busy; contacts were made, people got excited, and stuff is happening, fast. These guys are working hard and making great strides.
Look at the completed bugs (blocking SSL session IDs, spoofing various screen/window measurements, permissions caching ). Look at the assigned ones (white-listing fonts, blocking plugin enumeration and mime types (again), reducing precision timing attacks with random microseconds, disabling MathML ).
Look at the ones still left to be assigned, which will almost certainly be addressed (isolating favicons, isolating DOM, canvas fingerprinting, disabling SVG). This is AWESOME!!!! And a lot of the hard work has already been done by TBB. Thanks TBB.
I also find this comment very interesting. What's your take on it?
"Our primary goal is to un-fork the Tor Browser." - Dave Huseby
So here at last, I present to you the ghacks user.js version TEN. Yup, that's right, v.10. There is no version nine. I posted a number of different version nine betas in the wild and I would like to signify this release with a new number.
I will attempt to list some things in the changelog, but quite frankly, there is just way too much (I did a file compare and its over half the lines - I will not be listing that).
So just treat this as a whole new experience to explore things. I have created new sections (such as hardware fingerprinting), revamped sections (such as safebrowsing), made a very very few number changes (sorry if that upsets anyone), moved a few things around, corrected some data type errors, and of course added tons of new stuff, more information and sources.
All items were checked in a vanilla FF, to see if they existed in about:config - anything not shown, was then searched for in the MXR and DXR current release, and inspected. This led to items being moved to deprecated, and for a lot of items to be confirmed as hidden prefs. Anything that is a hidden pref has been marked as such - currently there are 12 - just search for "(hidden pref)".
Lastly, please remember that this is my user.js as it is today. I do not expect or want anyone to just run with it. You should know what you are doing. That said, I have kept the warning list at the top up to date, but I will never catch everything for everybody. This list is meant to be a TEMPLATE, please treat it as such.
Check out the updated Ghacks user.js version 0.11 list here


Since I’ve rarely wanted to transfer more than one tab between browsers, I’m not inclined to install another extension just for that — especially one that (according to your description) closed all my tabs in the process. In the past I’ve just copied and pasted the URL, but (even for just one tab) that is a little tedious.
I just tried an interesting little experiment, with a useful result. (I did this on my Mac, but I’m guessing it would work on other platforms too.) I’m reading this article in Firefox, so I opened a new blank window in Chrome. At the top of both browser windows, at the far-left end of the URL bar, there’s a little icon of the letter “i” in a circle. (If you hover over it in Firefox, it says “Show site information”; in Chrome, hovering it says “View site information” — that’s the icon I’m talking about.)
I simply dragged the Firefox “i” icon from the top of this page, into the Chrome window — and this page loaded in Chrome! It worked! Then I tried something just a bit trickier, in the other direction — I first (from a bookmark) loaded into Chrome a page from my local web-development server (i.e. not online)… then dragged the “i” icon from the Chrome toolbar into this Firefox window — and it worked then too!
So, although I have no interest in the OneTab extension, I just learned something useful! I hope other people find this trick useful too. (Later I’ll try it in Safari — maybe it works in every browser?)
Interresting find Jonas, thanks for sharing!
Your comment doesn’t appear to be one of the real @Martin, because there is no black label rounding the entire title of the comment as before. :S
I also used onetab already and didn’t even know they had this feature. Thanks so much.
Exporting tabs to FF: “The address wasn’t understood. Firefox doesn’t know how to open this address, because one of the following protocols (chrome-extension) isn’t associated with any program or is not allowed in this context.”
Useless.
And the most important information was left out of the article or it don’t even exist in the first place: how to completely disable such functionality.
Your comment doesn’t make any sense at all. It’s an explicit user action to import data from other add-ons. If you don’t want it you just don’t do it.
This comment actually does make a lot of sense, and I am actually searching for this. Some people do NOT want websites to be (badly) translated, so they never use such a feature. The things is, every time I visit a non-english website this annoying menu pops up, and the button is another element in the URL bar cluster of useless unused features. I do not want to add all languages to a “do not translate” list, instead I want a “hide button” or “disable translations completely” setting.
This comment actually does make a lot of sense, and I am currently searching for this. Some people do NOT want websites to be (badly) translated, so they never use such a feature. The things is, every time I visit a non-english website this annoying menu pops up, and the button is another element in the URL bar cluster of useless unused features. I do not want to add all languages to a “do not translate” list, instead I want a “hide button” or “disable translations completely” setting.
my bad. somehow my, and I think DMoRiaM’s comment got mixed into the wrong article. Haha.
go to about:config and set browser.translations.automaticallyPopup to false.
Does this hack still work on FF 107 or whatever is most current?
Firefox 118 seems to be officially rolling this out by default: https://support.mozilla.org/en-US/kb/website-translation
Hoping Mozilla won’t remove the option altogether in the future as they already did for other, ahem, unwanted features… Why don’t they listen to their users instead?
@zed,
your reply seems to be Addlibs (according to your RSS reader),
Addlibs did not intend to comment on this article “OneTab browser extension”, but regarding Firefox’s new built-in fullpage translation “Firefox Translation”.
Firefox Fullpage Translation
https://support.mozilla.org/en-US/kb/website-translation
what the heck is going on with comments on this site lately?
first comment on THIS article was 9-2019.
Looks like the comments database is corrupted.
Besides old comments appearing in new articles, the same comment appears in multiple articles.
Also I answered a comment in one article, and the same answer appeared as an answer to a different comment by the same person.
@Martin Brinkmann,
Anyway, please deal with this anomaly ASAP.
Comments are a mess, irrelevant and chaotic.
If there is no prospect, Ghacks Technology News should be put on hiatus until the system is fixed.
It’s the same as before with endless monologues or people telling others why they are wrong.
Actually, Frankel, it’s you who’s wrong
This is all techo-BS. What people want is far simpler: a hotkey toggle: images on/images off. Is that really so complex? Seems so. It’s like autoplay videos on/off. In that case you can set it to off but it doesn’t stick. Typical digiocy.
This isn’t great but it might help people that have moved from chrome to firefox to some extent. I can’t tell you the amount of time I have seen people complain that a certain extension they use on google is not available and the only thing holding them back from moving over when they are actually wrong and the very same developer has a Firefox version also. I would always encourage manually looking as there are always hidden gems.
In regards to the website I have reached out to Martin personally and to his credit he replied very quickly. He has informed me that they are aware of the problems and are attempting to fix it.
Martin is no longer involved in the technical management of the site so I imagine if we want to ask someone then our comments would perhaps be better directed towards Softonic.
I don’t understand what is happening here with the comments. The counter shows zero comments and then inside there are some comments from older dates even since years. And mostly of them are non related by the way with the article. So sad what’s going on and nobody is still fixing it. :S
This site now appears to be mostly be created and run by AI. On the positive side (if there is one), I guess we can assume at some point the AI will be capable of recognizing and fixing corrupted files and the like.
“Import Chrome extensions” …. (by installing comparable Firefox extensions) … (for a small number of extensions).”
What a bunch of bogus PR spin. Someone who liked uBlock Origin on Chrome could already install it just fine on Firefox with a couple of mouse clicks. This just adds extra unnecessarily complicated steps to something that was already dead simple, all in order for Mozilla to claim fake one-to-one compatability that doesn’t actually exist.
It would be interesting if Firefox could install Chrome Addons directly from the Chrome Web Store. Although there would probably be some incompatibility, perhaps there’s a shim to translate some Chrome-specific WebExtension APIs over to Firefox. Microsoft Edge can install extensions directly from the Chrome Web Store, but Edge is using the same Blink web engine as Chrome so that makes things easy.
Don’t really care about importing as I never use that feature.
Just retire Gecko and join the Blink bandwagon already, Mozilla. Then you can guarantee 100% Chrome extension compatibility! /s
Not like your browser is getting much attention let alone budget compared to your other woke social justice initiatives.
Hello,
does anyone know if the STG has issues with the sidebar at the moment? I just added it and can not find any option to use it in the sidebar. I am also using an add-on for tree style tab…this might be the source of the problem?
Greetings, Anja
tried typing- about:config -in the search bar -( I want to enable javascript) but it simply will NOT open!
I tried Firefox Translate, but it doesn’t do Chinese or Japanese, and that’s a deal-breaker for me. I uninstalled it and am sticking with the Google Translate extension.
“…Vivaldi and Brave use self-hosted solutions, which still require connections, but offer better privacy than an integration of Google Translate or other third-party translation services would offer.”
While I like Brave as a browser, their translation “solution” just plain sucks. I’d rather have the data sent to Google or Bing, than have a translate feature that just doesn’t work properly. Not only is it not possible to select just a section of text to translate, but to make it worst, most of the time translating the whole page in Brave is either really unbearably slow, or more often than not, it just won’t translate the page at all and displays a “This page couldn’t be translated” error. It’s pretty pointless if their users need to keep using something else to translate pages and have to give up their privacy anyway.
The native translate feature in Firefox sounds like a much better solution than what Brave use.
Great news, thanx FF devs! Hopefully, more languages will be available in the future. So happy!
Floorp comes with its own built-in translator. It’s been like that ever since the first release in fact.
https://floorp.app/download
Article title: Firefox 117: native language translations, last Firefox 102 update and security fixes
https://www.ghacks.net/2023/08/29/firefox-117-native-language-translations-last-firefox-102-update-and-security-fixes/
I think for now every time I comment on an article I am going to put the title of the article and/or the URL of said article because I am seeing my own comments which are from another Firefox related article but not exactly this one.
In regards to this website Martin does not have administrative access to the back end of the website. It would fall on softonic international to fix it now which seems to be of very low priority.
This might be the straw that broke the camels back for ghacks which is a shame because it had many good comments and articles that go way back. Moving away from it would suck.
Maybe try contacting them here to see if you can get any action.
https://hello.softonic.com/contact/
Can you help me please.
Latest version, they pust their VPN (powered by Mullvad) yet again. Instead of writing version changes. sigh. https://imgur.com/g6N20bN
Luckily I had a recent backup available. Firefox was no longer giving me access to profiles when I reinstalled version 116.03 and was asking me to create a new profile. It asked me to upgrade last night and to my surprise all theJS scripts were gone.
https://github.com/xiaoxiaoflood/firefox-scripts/issues/265
Firewall: “Deny [Firefox] outgoing connections to domain nextdns.io”
Firewall: “Deny [plugin-container] outgoing connections to domain cloudflare-dns.com (including mozilla.cloudflare-dns.com)”
It’s exciting to hear that Mozilla is actively working on a design refresh for their Firefox web browser, internally referred to as Photon. The last major redesign, known as Proton, was introduced in Firefox 57 back in November 2017. Since then, Mozilla has made some interface changes, including the controversial address bar overhaul in Firefox 75 Stable.
While specific details about the design refresh are currently limited, Mozilla has created a meta bug on Bugzilla to track the changes. Although no mockups or screenshots have been shared yet, the bug names provide some insights into the elements that will receive a refresh, such as the address bar, tabs bar, main menu, infobars, doorhangers, context menus, and modals.
The new design is scheduled to be released in Firefox 89, which was initially planned for a mid-2021 release, specifically May 18, 2021. However, as development work is still ongoing, there is a possibility of a delayed release.
@ Zibtek,
I’m already using Photon on Floorp which is a fork of Firefox. Here’s a pix of what it looks like:
https://i.postimg.cc/8PsK7DjV/floorp-photon.png I enabled the menu bar at the top, but you can turn it off if you don’t like it.
Floorp is a Japanese browser based on FF102. I’ve been using it as my default browser ever since ‘owl’ pointed it out on the Ghacks site last year (or was it this year, can’t remember exactly when). In any event it contains many more enhancements than the vanilla version of Firefox. It also comes with searXNG search engine in the list of search engines provided which saves having to install it yourself.
Floorp download: https://floorp.app/en/
My comment is regarding the following,
Article title:
Mozilla patches critical WebP security issue in Firefox and Thunderbird
>> ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/#respond
Indeed, today, those patch versions were applied through automatic updates.
However, since I had disabled the “WebP” function, I was not interested in that topic (Google, etc.).
Regarding Thunderbird:
Today finally,
My Thunderbird 102.14.0 (en-US) was updated with “Thunderbird 102.15.1 (x64)” through the automatic update feature.
By the way,
Naturally, it will not be automatically updated to 115 (Supernova).
Anyway,
it is clear from Bugzilla that the bug fixes related to migration from 102 to 115 are not complete, so existing users of “102” should refrain from manually updating to 115.
>> ghacks.net/2023/09/08/thunderbird-102-to-115-upgrades-are-now-enabled/#comment-4573569
Betterbird has been released 115.2.1-bb11 (12 September 2023) . Betterbird make Thunderbird a faithful upstream.
Betterbird: Release Notes
>> betterbird.eu/releasenotes/?locale=en-US&version=115.2.1&channel=default&os=WINNT&buildid=20230911203543
@Martin Brinkmann,
I posted in response to an article published on 2023/09/13.
Article title: Mozilla patches critical WebP security issue in Firefox and Thunderbird. >> ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/
However, the link was to an unrelated article published on 2019/09/27.
>> ghacks.net/2019/09/27/how-to-import-tabs-from-chrome-to-firefox-and-vice-versa/
This kind of “disorder of Articles and Comments” has been going on for another month.
Is this an obvious (by Softonic, which operates and manages ghacks.net) act of sabotage against Martin and Ashwin?
It’s really frustrating!
[ My comment is on “Mozilla patches critical WebP security issue in Firefox and Thunderbird” https://www.ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/ though not directly related to that article ]
What happened to gHacks? When the site was bought out, Martin assured us it wouldn’t go downhill and he’d maintain editorial control, but the AI-written articles are ruining the quality of the site. I’ve been tempted to drop the site from my RSS reader because of this. Is there an RSS feed with only the human-written articles? Individual feeds for each author isn’t a good solution.
Article Title: Mozilla patches critical WebP security issue in Firefox and Thunderbird
Article URL: https://www.ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/
If anyone was unaware you should download the extension “Don’t Accept WebP” regardless of the patch. WebP is absolute trash that is unnecessary and clearly an issue. I would rather my images be in their native format and not some recompiled trash such as WebP.
I have absolutely no love for the parent company of this website.
I agree, this is so atrocious – most of the time you can even tell by the URL what format the original image was in – this “reconvert-on-the-fly” nonsense is terrible – but especially so when you’re converting a lossy format, which should be avoided as often as possible.
Sometimes you can edit the image URL to get it to send the right image, unfortunately “don’t accept WebP” doesn’t always work – but that’s why they offer a built in conversion, I suppose.
@ Mystique,
Thanks for the tip (about the addon). I wasn’t aware that Webp was a vulnerability.
I read only Martin Brinkmann’s, Mike Turcotte’s, and Ashwin’s articles. Add uBlock Origin news filter for ghacks:
! 2023-09-13 https://www.ghacks.net/
ghacks.net##.hentry,.home-posts:not(:has-text(/Martin Brinkmann|Mike Turcotte|Ashwin/))
@ https://www.ghacks.net/2023/09/13/mozilla-patches-critical-webp-security-issue-in-firefox-and-thunderbird/#comment-4573641
I tried your uBlock filter on Brave snap packaga for Ubuntu, but it doesn’t work, do I need to restart the browser?
I have noticed uBO doesn’t fully work on Brave, for instance the Element Picker can’t pick anything while the Zapper do, but not 100%, Nuke Anything works much better, but it’s only temporarily.
“important address bar change” alright calm down… lol
I have gotten rid of the stupid shield and the “not secure” box, and have it set up so that it always displays the full URL (I think…?).
In a perfect world, it should just always show the full url, no icons, or emojis, or anything like that.
“Users may want to know why Firefox is no longer displaying https:// in the address bar” I’ll bet nobody will notice anything – apart from a select few autists like myself who customise everything and don’t like change.
“Users may want to know why Firefox is no longer displaying https:// in the address bar”
Why, I don’t know either (a breeze of madness or is it of love in the air), but there’s an about:config to handle that as well (Firefox) :
// display all parts of the url in the location bar (do not trim)
pref(“browser.urlbar.trimURLs”, false); // Dfault=true
Things, too many, too often are decided in spite of common sens.
Firefox is always copying whatever Chromium does… it is like they are a Chromium browser without the name and having trouble rendering many websites. In fact, it is like they are getting 400million just for existing and adopt anything Google releases or does, like web extensions, widevine, safe browsing and then visual changes like this.
I like how some people think there is a choice, and the choice is better than the leader… while still failing at basic stuff.
What’s the point of these useless changes? Just show the full address with the protocol at all times and be done with it…
I set the User Agent address bar to always show the entire URI in a unmasked format.
Martin, as of 19 September 2023, the gHacks comments system is still severely mangled. Data subjects have considerable rights conferred on them; where those decisions are likely to affect them.
Let’s start again. “I set the User Agent address bar to always show the entire URI in [an] unmasked format.”
Hallowed be the memory of the Lost Souls.
“HTTPS doesn’t mean safe:
Many people assume that an HTTPS connection means that the site is secure. In fact, HTTPS is increasingly being used by malicious sites, especially phishing ones.”
[https://www.kaspersky.com/blog/https-does-not-mean-safe/20725/]
HTTPS doesn’t mean safe
Many people assume that an HTTPS connection means that the site is secure. In fact, HTTPS is increasingly being used by malicious sites, especially phishing ones.
HTTPS doesn’t mean safe
Many people assume that an HTTPS connection means that the site is secure. In fact, HTTPS is increasingly being used by malicious sites, especially phishing ones.
website still wacked huh?
Article: Firefox 119 will launch with an important address bar change
https://www.ghacks.net/2023/09/19/firefox-119-will-launch-with-an-important-address-bar-change/
Just one thing regarding the URL bar as it looks like now in latest Firefox, the relatively new feature where some extensions would add their icon inside the URL bar, how bad can it get?
https://imgur.com/uIlWI58
https://postimg.cc/YvYnpzGh
https://ibb.co/QQT584N
ps. uploaded same pic to several links just to make sure some will work.
(For those who can’t see the pic it’s a snapshot showing a URL bar full of extensions, and also Firefox own built in icons that would appear inside the URL bar depending in some cases on which type of website is being viewed, there’s no space left for the actual thing the URL bar is supposed to view, namely the URL address itself)
Yes, I have several extensions on the toolbar, but the menu bar is pretty full and I want to keep some on the toolbar too, and usually Firefox would also push excessive extensions behind a drop-down menu for access to them as well, but as it looks like now the URL bar is given too little space priority, or is there a way to restrict to a minimum URL bar size?
You can modify Firefox with a “profileFolder/chrome/userChrome.css” file:
/* https://www.reddit.com/r/FirefoxCSS */
/* https://github.com/MrOtherGuy/firefox-csshacks */
@import url(urlbar_info_icons_on_hover.css);
@import url(page_action_buttons_on_hover.css);
@import url(compact_extensions_panel.css);
#urlbar-container:focus-within { min-width: 60vw !important; }
#navigator-toolbox .chromeclass-toolbar-additional { margin-inline: -2px !important; }
#unified-extensions-button { order: 1 !important; }
Well, Mozilla and Firefox are saved because of this and many other changes / ‘news’ in the past days!
A while ago they separated the “Firefox” brand from the “Firefox Browser” brand, now they are abandoning the Firefox brand? Or are they abandoning the Firefox Browser brand? I don’t know.