Ghacks.net Firefox privacy and security user.js 0.11 is out
The most comprehensive Firefox privacy and security settings collection has been updated to version 0.11 to take into account changes in newer versions of Firefox.
Ghacks champion Pants created the initial list in 2015, and has been on it ever since that day with help of others including earthling and Tom Hawack.
The new user.js file replaces the old one. The download includes the user.js file, the changelog, and two HTML documents that lists all preferences, information and comments.
You are probably wondering what is new in version 0.11 of the file. First of all, the preferences have been updated to take into account changes in Firefox.
Mozilla has added, changed or removed preferences since the last release of the Ghacks user.js file.
Apart from that, there are new sections that you may find interesting.
There are new sections for Service Workers, First Party Isolation, Fingerprint resisting and Tor uplift. The add-ons section has been filled with links to recommended add-ons on top of that.
Some fun stats about the latest privacy and security user.js file:
- The list features a total of 464 preferences of which 48 are commented out.
- 33 items contain warnings.
- The file links to 71 http and 243 https resources for research
Click here to open the original article that has been updated with the new information, or download the new user.js file directly with a click on the following link: user.js-ghacks-0.11.zip
Here is the change log:
2300: NEW SECTION for Service Workers (items renumbered from other sections)
2698: NEW SECTION for FPI (First Party Isolation) - commented out, it's not ready yet to go prime time
2699: NEW SECTION for privacy.resistFingerprinting (was 2630)
9998: NEW SECTION for To Investigate - Tor Uplift
: APPENDIX B for Add-ons
9996: PALE MOON, section renumbered and no longer maintained
2302: was 1012 dom.caches.enabled .. ALL the stuff in the 2300s were moved there, some are new
2301+2303+2304: were 2432+2430+2431 respectively, also new prefs
1216: was 2609 insecure active content
1217: was 2610 insecure passive content
2024: was 3014 media.mediasource.webm.enabled
: some other numbers may have been reused, moved
Loads of them, just look in the deprecated section, its in order of version dropped, then number.
0301: app.update.silent and app.update.staging.enabled
0336: browser.selfsupport.enabled (also merged 0371 with this)
0410: the entire section: many prefs deprecated, replaced with others, new section 0410g
0440: mozilla flash blocklisting
0818: taskbar preview
0820: disable search reset
0907: force warnings for logins on non-secure sites
1012: browser.sessionstore.resume_from_crash (note: old number was moved to 2300s)
1209: TLS extra prefs to control min and max and fallback versions
1213: cyphers disable 3DES
1214: cyphers disable 128 bit ecdhe
1215: disable MS Family Safety cert
1218: HSTS Priming
1219: HSTS preload
1220: disable intermediate CA caching
1602: returned DNT (do not track) from deprecated
1808: disable audio auto-play in non-active tabs
1820+1825+1830+1840+1850: revamp, additions etc to GMP, DRM, OpenH264, Widevine, EME
2012: webgl.dxgl.enabled + webgl.enable-webgl2
2022: extra prefs for screensharing
2024: MSE (Media Source Extensions)
2025: enable/disable media types
2026: disable canvas capture stream
2027: disable camera image capture
2028: disable offscreen canvas
2415b: limit events that can cause a popup
2425: disable Archive API
2450: offline data storage
2504: new vr prefs
2510: Web Audio API
2627: revamped section from a single pref about build ID into all your UA/Navigator objects
2650: e10s stuff, never used by me, may be obsolete as e10s rollout changes with each release
2651: control e10s number of container processes
2652: enable console e10s shim warnings
2664: DeviceStorage API
2665: sanitize webchannel whitelist
2666: HTTP Alternative Services
2668: extension directory lockdown
2669: strip paths when sending URLs to PAC scripts
2671: svg.disabled (FF53+)
2706: Storage API
2707: clear localStorage when a WebExtension is uninstalled
3022: hide recently bookmarked items
Appendix A: new test sites: Browserprint, HTML Security, Symantec, AudioContext, HTML5, Keyboard Events, rel=noopener
Appendix A: new section:; 5 Safe Browsing, Tracking Protection tests
: custom pref renamed and configured as the Monty Python parrot
: custom pref expanded to each section with euphemisms for the parrot's demise
1211: SHA-1 variables/definitions have been changed by mozilla, recommeneded value has changed
2201: dom.event.contextmenu.enabled is now active
2404: dom.indexedDB.enabled - i turned this on and use an extension to toggle it on and off for sites
: some other prefs may have been turned on/off
3019: network.proxy.type - it is not my place to control end users connections/proxies/vpns etc
Martin, thanks to you for hosting this. Thanks to Pants,earthling and Tom Hawack, for the work which they put into this js.
Its so comprehensive !
So Pants is a Monty Python fan ( Dead Parrot ).
Off topic: Can you confirm or deny that Pants is a girl ? :))
The official result of the World Hide-and-Seek, Mrs Francisca Huron, Paraguay, 11 years, 2 months, 26 days, 9 hours, 3 minutes, 27 seconds (tied with Mr Don Roberts from Hinckley, Leicestershire).
Pants, Nothing like a bit of obfuscation ! :O
LOL “speaker”. You freak.
All the work goes to Pants, mainly. Great job, as always.
I’ve just downloaded this user.js-ghacks-0.11.zip and I won’t open it before tomorrow morning otherwise I’d be bound to spend the night discovering it.
I’m sure it’ll be just fine :)
Users intending to implement the user.js file should be aware that it will overwrite the prefs.js file. The latter contains all the about:config settings users might have changed.
Also, even if the user.js is deleted at a later date, the prefs.js will retain all the settings which were overwritten. Therefore it’s advisable to make a backup of the prefs.js before proceeding.
Or use Pale Moon with its config by default.
I would love to compile a head-to-head list of which of these features are featured in Pale Moon’s default configuration, but that would be feeding the troll even more than this comment is.
“How to stop Pale Moon from Giving out Information”:
Moonchild: “I suggest you don’t tweak the browser to the point of breaking.” & “There is no “way to stop Pale Moon from giving out information” because it is a web client”.
“I would love to compile a head-to-head list…”. Please don’t.
“Personally, this seems like a whole lot of nonsense to me and a wasted effort on the part of Mozilla.org to increase its following. It is nonsense like that that convinces me further that I made the right decision to switch to Pale Moon.”
Remember – “A day without laughter is a day wasted.”
May the user.js by Pants sing to you and the sun rise in your heart…
When you say “current”; how does this relate to ESR releases?
This version (0.11) is primarily targeted for Firefox 51.
Users who are currently using Firefox 45.7ESR can use this version, but I would strongly advise that they pay careful attention to the configuration settings in the deprecated list.
For example, I have a modified version of 0.11 for Firefox 51, and a separate modified version for Firefox 45.7ESR that uses some of the deprecated settings.
What the… this crap wiped my history. I’m not a paedo or terrorist. Why would I want my local history wiped? I guess the target market for this stuff is bad people. Wait, am I on a site for bad people? :-|
The sole fact that those are the first two things that crossed through your mind tells alot about you, and is quite unsettling.
I agree with Dave
/@Yuliya ,you are not funny!/
Are you inferring that I’m a terrorist paedo who wants to keep all his internet history? Yeah, that makes sense.
And if I was a terrorist paedo, why would that be unsettling to you? There are hundreds of millions of them, so why would irrationally suspecting one person who’s ten thousand miles away “unsettle” you?
No, you’re just an idiot who can’t even form his thoughts into words.
Exactly right. If someone’s first idea of “something hidden” are paedo terrorists it says a lot about their state of mind. It doesn’t imply that they are one of them, but it (long story short) does imply that a person like that would vote for orange politicians. :-)
The target market is for the obsessive, paranoid, and/or psychotic types; not necessarily just bad people. :-D
You used the file without looking through it first? You deserve to lose your history.
You are dead right. He probably clicks “next, next, next” when installing programs/apps. Then he wonders why he’s got new toolbars, crap utilities, etc.
FYI Gary, I’m a lead contributor to TOSDR, not that you’d know what that is. I’ve read every EULA for as long as I can remember, but this script isn’t a EULA (except for the first few lines) and isn’t written in English.
This place is a lynch mob. Awful people making judgements based on superficial interpretation of events they didn’t witness. I finally understand the growing argument against juries. It’s a wake-up call to see that “people” can be such fierce proponents of punishment when they know next-to nothing of the situation. All I can picture is the scene from Star Trek TNG where the peasants in the court room are shouting “hang him!!”.
Even the back-up advice in the file is bad – not that that’s really the topic anymore. The file says to back-up prefs.js, but the scope of the script affects other databases. A back-up of prefs.js would to nothing to help. The script should advise backing up the profile folder. And yes, I did back-up my profile folder (as well as other measures) so this didn’t affect me for more than a minute.
And I quote from the js file: “Backup your profile first, or even just the PREFS.JS”. The js also says “The author does NOT expect (or indeed want) end users to just run with it as is”. It is also written in English. The original article also says to backup your profile, and Martin gives step by step instructions.
“and isn’t written in English” – what language is it then?
“This place is a lynch mob”, “Awful people making judgements based on superficial interpretation” – so you’re saying that all the research, the fact that mozilla coded these prefs, that a lot of them were initiated by random people submitting bugs, and a lot are also discussed or even initiated by TBB, that the wisdom and knowledge of hundreds or thousands of people around the web, is practically worthless. That numerous sources suggest the same settings. And that the warnings and the encourage for end users to make their own decisions means nothing?
“I’m a lead contributor to TOSDR”, “I’ve read every EULA for as long as I can remember” – what does have to do with anything? Do you feel insecure or something?
Sheeshus, you sound like Trump. Talk the other person down. Talk yourself up. Belittle people to make yourself feel big and important. Add a strawman. Change the topic. Spread FUD (not in English, really?).
Why don’t we really focus on what you’re really trying to say: “I am trying to be funny and witty, and be liked, but all I come across as is a troll”. You’re welcome to your opinion. Doesn’t mean anyone has to respect it, and I’m sure no-one will.
OK Pants, this is a really pathetic reply. You’re twisting things like a pro, but not an expert. Let me unravel it all:
While the comments on your work are in English, the only way to find out that your settings wipe the history – and that’s what this conversation is about – is from the code. Code isn’t English, so Jason’s demand that the work should be read first requires understanding the code, which isn’t English. And don’t say the code is English because the base words are derived from English. I can see that rebuke coming a mile off. The only relevant thing you wrote about history is about session history and recently closed tabs. If I’m wrong, feel free to quote from your work (with a line number).
I haven’t added a single new topic, I’ve responded to tangents that other users have added. Things like “You deserve a punishment” and “You never read anything when installing” (both paraphrased for expediency). It’s right there in the witch hunt above for you to read, and if you had any objectivity at all you’d have criticised the people who added those tangents to the topic, not my factual responses. Lynch mob? Yes, welcome to the hunt. On top of that, claiming that I changed the topic IS a new topic. How exactly did I start any of these topics? Other people did, because they can’t focus. It’s not my problem that they just want someone to burn. They probably do it this all the time. I hope they decline jury duty if they’re ever asked – and that goes for you too.
To build on that slightly, TOSDR has everything to do with Gary’s comment that I responded to. Go and look it up before claiming it’s irrelevant. What you’re doing there is refusing to look at evidence. Tsk, tsk. Although frankly I don’t care if you know the relevance. I don’t really care if you understand anything. It’s not my place to hold your hand and show you how to apply logic and reason to what you read.
Wow it’s only February and you’re already calling anyone you don’t like “Trump”. All that does is it tell me you know so little about the world that your knowledge is limited to current headlines and trends. It wouldn’t cross my mind to call someone Trump. You’re just jeering – like those peasants in Star Trek.
You know what’s really bad about your comment, is that you know what things like a Strawman are (who doesn’t? The term really took off on the internet 2012) and yet you hypocritically throw a bunch of them into your own comment – on purpose – along with a few tu quoques and some ad hominem. I can play the stupid-words game too. You’re hoping that you’re up against a dumb opponent to argue against. Guess again.
Look, anyone can see that your humour comment is you trying to troll me. In the same paragraph you talk about me somehow trolling my own thread. I fail to see how. The point I’m getting to is that your entire comment seems to be a projection of it’s own flaws onto the preceding conversation. I’m not sure if you’ve done this on purpose for a laugh, or if you genuinely are the world’s biggest hypocrite, but I’d bet it’s all done on purpose for a laugh. Everything is just too well arranged in its hypocrisy for it to be coincidental. I might not have noticed how acutely hypercritical each paragraph is if not for that last paragraph you wrote causing me to look more carefully at the others. I have been trolled.
Now while this was fun, I really can’t give any more time to it. Typing thorough explanations to irrational people on the internet isn’t time well spent (because they will ignore everything). Let’s all just be glad that this is the internet and people like you can’t burn real people just by calling them witches anymore.
Thank you for telling me you don’t respect my opinion. Judging from the way you try to argue and view things, that’s the best endorsement I could get.
The file is thoroughly commented (in English) every step of the way.
damn dave, you sure are one ungreatfull, lazy and antisocial bunch of insecurities. if you cant even be thankfull for someone spending their time compiling all these infos, just shut up. you try and come across like the big man, and yes, you have some good english, but then again, good english does not garantue good content. you halfarsed reading the infos, you wanted to try it. and after it not meeting your high expectancys you are trying to make it (and in extension pants) look bad. newsflash, no one here gave you the file with any promise of it being anything else but a collection of settings you can/may use if you like and think you should use them. and now you just sound like a friggin troll trying to seed bad mood driven by a sheer unbelievable audacity to ignore facts and just talk over others. if you cant even be civil and fair to someone that spent a lot on work on a file you insisted using, then just shut up and dont try and poison the well just because you are not thirsty.
ps: that paedo/terrorist thing is a strawman so stupid, i really wonder how you manage to write that english with those few dried out braincells of yours.
pps:yes i know, i made lots of errors and dont even use uppercase letters. probably that makes all my arguments invalid and all my points stupid. you can spare yourself writing 2000 lines as an answer, as from here on i would only mock you… out of deeeeep respect ofc.
ppps: i would like to apologize to everyone here, except dave, for my wording.
What’s this, then? “Romanes eunt domus”? People called Romanes, they go, the house?
For those who don’t understand, here is the Monty Python scene: https://www.youtube.com/watch?v=KAfKFKBlZbM
Great info, thx!
security.nocertdb;true – is break PassIFox addon and FF context menu on password forms. Also i’ll be logged out from some sites which cookies is still be present (i’m pretty sure, issue in this pref: toggling to false and restarting browser – is restore session on this sites).
(sorry for bad English)
1220: security.nocertdb is actually commented out and inactive
Had to throw in your political opinion, didn’t you?
You had to pick up his one tiny off topic comparison in a see of words didn’t you ? :)
1220: security.nocertdb is indeed actually commented out and inactive.
Just reporting another issue when setting security.nocertdb to true :
I’m using Firefox’s Master Password strengthened with the FIPS option available at
Options / Advanced / Security Devices / Enable FIPS
FIPS? : https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/FIPS_Mode_-_an_explanation
If I set security.nocertdb to true, first time the Master Password is required doesn’t ask me for the password, but to change the password … I forgot to take a screenshot but ask for one if it can help and I’ll reproduce.
Pants, looks like you were definitely well inspired to comment out this setting.
“heeshus, you sound like Trump.”
Nothing wrong with sounding or being Trump.
Now that I know pants is a snow flake, don’t trust his judgement/program.
“Nothing wrong with sounding or being Trump.” Bloody Hell, a Trump fan boy !
“Now that I know pants is a snow flake”. WTF does that mean ?
Piss off Steve. Go and play Troll somewhere else you dickhead.
Off topic comments expose the real value of this article.
Down with the adsense non-sense !!
While I wouldn’t actually use a user.js file, I love the resources gathered in those pants, they’re really bulky pants, they’re terrific, I’m gonna grab them alright.
It really saves time from having to lookup Bugzilla or Firefox’s source code or specs for web standards.
Maybe it would be nice to provide a light version too that only changes a limited amount of things based on clear goals.
– Disable all network requests unrelated to browsing, from health reports to prefetching and what have you
– Disable DRM
– Among web standards, only disable the most glaring privacy dangers that are not behind a permission, such as referrers, the Timing APIs, service workers, beacons and pings, Jar, maybe Push, Alternative Factswaitnoimeant Services.
This could have been made an add-on with a slider UI like Tor Browser, but I don’t think WebExtensions can modify about:config prefs can they ?
The problem with coming up with a “lite” version is that no one size fits all. The combinations are astronomical. It’ll never please everyone. It would also be a lot of extra work. Instead we have a single file that users can make informed decisions on, which by default has some sort of balance between being private but allowing functionality (it’s also exactly what I use, because I’m the (joint) author :) – and it means I only have to deal with one version in total (yup, I’m lazy). As for creating an add-on with a slider: 1. again, who decides what goes in each setting and 2. way too much work especially maintaining an up to date version for FF releases
I can see the benefit of someone forking it several versions: 1. a zero-impact one for “newbies” – eg it leaves auto- updates, blocking protection etc in place and removes anything that breaks functionality 2. a middle version whatever that means, and 3. a super hardened version.
Although end users can do that themselves, and use multiple profiles.
Yeah I was definitely calling on the community to do that, not you, you’ve done more than your part >_>
Your second paragraph is what I mean. There is also an advantage in having a limited amount of versions lying around, due to fingerprinting.
I’d really contemplate making it a WE but I think they can’t access about:config, except if it’s their own custom prefs I guess. Though I could be wrong. This is something that could be brought up to the WE team if I’m right though… Also I don’t have enough time to do all of this, all I could do is pick options for the different levels of the slider.
If anyone is up to at least trying to study the feasibility of this, may you appear right before us as lightning strikes where you’ll stand!
Thanks for the update !
However, 2671 (svg.disable) breaks a lot of Youtube videos’ playback.
If set to true, the player crash and I get uncaught exceptions / TypeErrors.
I guess you should add a warning on that.
Thanks. Will add to warning/troubleshooting list, as SVG is pretty common (~15% of the top 10K sites use it). At this stage, the pref doesn’t land until 53, so maybe the cause is something else.
Thanks, Pants, et al.!
Pants pull them up.Disgrace to USA
Ha ha look at him coming back, he is so flustered. At some point you’ll have to accept that people have different views and vote differently than you do. The world won’t crumble if not everyone likes Donald Drumpf, plus he’s President and with almost no opposition now, what more could you hope for ? :)
Where do I place this file for it to work?
Where do I place this file for it to work? And, will it work with the Aurora build?
It works with all versions of Firefox, but especially Stable. You should not just place the file, as you need to go through it to adjust it. There are more than 30 warnings in the file, and simply placing it in the right folder will break things.
Instructions are provided on this page: https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/
I am the only real person I know who uses Firefox. Thank goodness it’s a browser that allows me to find other Firefox users.
Shove it down those suckers throats! They won’t see a difference if your port their bookmarks and shit :)
Pants started the anti-Trump remark, if u dont like Trump go vote you whining losers.
Suck it up.
How do I get you tube videos to play again? The thing just goes around in a circle and videos refuse to play. Which setting would I need to switch to false to be able to watch videos again?
I just tried some random YT videos, and they all play just fine. Can you give me some links to one or two that aren’t working – so I can test the exact same items.
– It could be something to do with 1807: autoplay. On YT I have to hit pause (nothing is actually happening) and then hit play for it to actually start.
– Or it could be something to do with specific videos and widevine/drm/eme/gmp (which are all under 1820-1850)
– Or do you have an extension that does something like force HD and other settings?
– Do you have flash enabled? (I don’t)
You can also go to https://www.youtube.com/html5 and tell me is it’s all ticked as working. Six ticks for media types and another tick for using HTML5 by default.
Yes, all 7 boxes are checked.
Here is a video from Saturday Night Live, looks like it might be kinda fun to watch :) I am using Noscript and the Aurora build on Firefox. Also, http://static.echonest.com/OrganizeYourMusic/# seems broken as well as it is no longer working for me. Should I disable no script first and see if that doesn’t help?
Too much ink has penetrated into your brain.
What the hell are you trying to say (speak english)?
Yup, the problem seemed to have been with 1807. Now, how do I get the stop and play buttons to reappear on Youtube? Also, when I select a new tab it is completely blank instead of listing my most frequently visited websites. How do I get those back? Please stick around as I have a few more questions to ask.
Umm .. stop and play buttons .. mouse over the video I suppose
If you want to keep your history (which is what most frequent sites is based on), you will need to disable this one and reset it in about:config .. or just change it to false : 2803: user_pref(“privacy.clearOnShutdown.history”, true); Now as you visit sites again, they should start to populate your default startup and newtab page
You’ll also need to enable newtab: look at 0360 and do the same for user_pref(“browser.newtabpage.enabled”, false); – i.e change it to new, or comment it out and reset in about:config.
Still in 0360… I can’t exactly remember what user_pref(“browser.newtabpage.enhanced”, false); does. Maybe disable it. Once you restart firefox and get your newtab page to show, there is settings cog wheel top right that has some options.
Please help me get this site back as I use it fairly often. http://static.echonest.com/OrganizeYourMusic/# Thanks
I would suggest the following – make sure your NoScript is not interfering (it if didn’t before then it won’t be now). Looks like you login (SSL) but I wouldn’t think anything is wrong there as Spotify should be using decent ciphers etc. I don’t have a spotify account, so I can’t troubleshoot it.
I would suggest that you perhaps turn on indexeddb, 2404: user_pref(“dom.indexedDB.enabled”, false); either comment it out and reset in about:config (in about:config, you can right click a pref and select “reset”) .. or set it to true. Restart FF.
J, you need to be careful if you’re just going to run with it. By default, this js turns off tracking protection and auto-updates – you will either need to turn them back on, or use uBlock Origin and manually check periodically for add-on and program updates. uBlock Origin can work with NS, no problems.
Also by default, 3rd party cookies are blocked, but first party is not – you will probably need 3rd party cookies at some stage – so use an add-on to give you control. You may well need a spotify cookie on that echonest site.
Thank you for your excellent work!
Would the authors care to host this on GitHub? It could benefit even more with VCS features, user input and discussions, pull requests, increased updates frequency, issue tracking, etc. It would also be more fun overall :)
I would also suggest you add an open-source license to the file/project â€“ have a look at https://tldrlegal.com/licenses/browse for some inspiration.
Why does it need a license? Anyone is free to use it. I don’t even care if anyone takes it and claims it as their own – those in the know always know where to come to get the real thing.
Github .. ummed and argghed about this for 6 months – I don’t want to install github client (earthling feels the same way) – but if someone else was to put it up, and it must keep the ghacks name, then I would be on board with that – for all the reasons you state (see https://github.com/pyllyukko/user.js – real time updates, commit/changes tracking, threads per issue etc.
Nice job Pants, as always. I have tested it, with some minor custom changes, and everything works fine :-)
http://static.echonest.com/OrganizeYourMusic/# still broken. Not able to load a playlist or see it load. The tabs are back though. Youtube videos play, and the play, stop, next video work but are still invisible..
comment out the two prefs in 2508 so they look like this with the double slash // in front and save the file
// user_pref(“gfx.direct2d.disabled”, true);
// user_pref(“layers.acceleration.disabled”, true);
Now go to Options>Advanced>General>Use hardware acceleration when available and tick that box. Restart FF – that may fix your YT buttons. I don’t have that problem, so it’s hard to diagnose for you.
Can anyone please fix this? Why is it being stopped or rather not loading at all? If I can’t get this to work I may have to resort to resetting the browser. http://static.echonest.com/OrganizeYourMusic/#
What exactly is the issue. I allowed XSS and scripts to run, I allowed an echonest cookie, and I had to ALLOW indexeddb which is 2404 – without the cookie + indexeddb, clicking “organize” does nothing. With it allowed, it redirects me to https://accounts.spotify.com/authorize?xxxxx . As I said earlier: “I would suggest that you perhaps turn on indexeddb, 2404: user_pref(“dom.indexedDB.enabled”, false); either comment it out and reset in about:config (in about:config, you can right click a pref and select “reset”) .. or set it to true. Restart FF.” – you need indexeddb for starters
So where exactly is this falling over for you? Do you get to log into spotify?
Yes, I am able to log into Spotify. We are loading up all of your music. This may take a while depending upon how big your music collection is. If you are impatient, you can stop the loading at anytime to work with a subset of your music.Except that it’s not loading.. dom.indexedDB.enabled: true
– Try items in 2300’s – service workers – all of em, comment them all out – all 9 of them and save the file. Find each one in about:config and right click it and reset. Restart FF
– Also maybe try 2706: dom.storageManager.enabled – flick it to true
@Pants @ Martin Brinkmann
I’m confused: is this thread meant for comments/troubleshooting regarding 0.11 or the one on https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-4133567 ?
You may use both. You are probably getting a better response here, but feel free to add your comments to the original thread if you prefer it. Pants monitors both with eagle eyes.
Godamnit Martin … you said wouldn’t tell anyone about that eagle
I apologize for exposing your eagle to the public. But damn, it is pretty.
Yes, very pretty .. shame I had to take his eyes
“I apologize for exposing your eagle to the public” .. that sounds so very Pythonesque, and Roman, and rude.
Thanks Anonymous but, to no avail May have to just resort to resetting the browser and staying away from your user.js files altogether as they are for someone much younger not someone with tired old eyes like mine.
Well, at the end of the day, if you can’t troubleshoot it (and it has to be you to do it, and there are ways to halve and halve again the prefs to narrow the culprit down, its not that hard) then your correct response should be: use the user.js for all sites except that one site, and use a secondary browser or profile for echonest. The more you tighten up privacy/security/etc, the more sites will break. Personally, for one off sites that my default FF can’t quickly handle, I have a portable Opera, Chrome, and Iron .. not to mention IE (which is locked down) if I really had to.
I am impressed though, that as a self-proclaimed “newbie”, you went full hog on it, unedited, unread .. just jumped right in the deep end.. balls to the wall. Not that there is anything in there that will break sites wholesale. Still, impressive balls :)
The best way to troubleshoot your current problem or any future problem is to…
1. backup your whole profile folder
2. rename user.js to user.js.disabled
3. start editing your prefs.js file, ie. move sections or parts of prefs to a new editor window
3b. the site is dealing with music files, so move out all the ‘media.*’ prefs next.
3c. if you have Flash installed, search for ‘plugin’ and ‘flash’ prefs and move those out
3d. search for ‘cookie’ and move all those out
4. keep moving stuff out until your problem is solved. It’s very likely that in your case more than one pref are causing the problem.
5. If you really want to trace it down to the problematic prefs, change each pref in your moved-out list back to the value in Pants’ user.js via about:config; one by one and test the site after each change.
Moving stuff out of prefs.js has to be done while FF is closed.
6. If you traced it down to one or more prefs, restore your backed up profile, remove or comment out the problem prefs in the user.js and let us know what the prefs were that caused your problem.
Martin & Pants
After reading carefully all your warnings, I changed the prefs with no problems. :)
I still have one question. What do I have to do in order to display Hidden Prefs in about:config ?
‘What do I have to do in order to display Hidden Prefs in about:config ?’
It’s not possible. Hidden Prefs are prefs that mozilla choose not to include in any of their settings.js files, so they don’t show up in about:config. You have to search the source code to find them.
Thanks for your fast response, earthling. :)
I think I’ll leave playing with source code to you, pants and the other FF experts !
user.js is not being used with FF Dev 53.
perfs.js does not accept the ghacks content and moves everything in Invalidprefs.js
tom, I downloaded http://downloads.sourceforge.net/portableapps/FirefoxPortableDeveloper_53.0_Alpha_2_English_online.paf.exe , unpacked it, opened it and made a couple of changes (tab tiles, flicked open the bookmarks toolbar, added about:config … nothing major). Closed it. Added the user.js to the profile. Reopened it – no errors. All prefs were applied.
Thanks for helping!
I’ve noticed yesterday an error that I’ve made in the config and I guess FF did not liked it.
The config is working and I’ve already changed some stuff.
I still have to test it over a long period of time but I’ve made a lot of things working for my personal needs.
I did noticed a problem that I don’t know how to fix yet.
The product / Box art images are not loading. They used to load before. umatrix was configured to load them and turning it off does not load the images either. I guess it must be the user.js
Using the js unedited, in my everyday FF, I temporarily enabled all scripts on the page (noscript), and toggled the power button off for both uBlock Origin and uMatrix and reloaded, and everything shows. I am blocking cookies and local storage on this site by default as well. And indexeddb is disabled. It definitely isn’t a user.js setting.
I think your issue is you’ll need to allow imgix.net – that’s where the bulk of the images come from (71 of them), maybe you need to allow akamaihd.net & humblebundle-a.akamaihd.net
I’ve deleted my prefs.js and it’s working again. Now I’ll have to reconfigure some options but at least I got it working.
Thank you for helping!
Are any addons now obsolete because of the user.js changes?
I can’t monitor addons. However, see this comment: https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-4138717 . 2668 which limits scopes for extension directories does break some addons including Roboform and Internet Download Manager. It is bound to break some others who use a non standard xpi dir.
When I set security.nocertdb to true, the list of save passwords in Firefox appears empty. Luckily, when I set it to false again, the passwords re-appear. So the best one can do right now is to create a widget for this setting in PrefBar and then occasionally set the flag to clear the database of cached certificates.
I think this solution is a bit of a hack, but may suit some people. Wiping the cert8.db is not a solution for all those people who have unique CAs etc as per the bugzilla ticket – for those cases I would suggest multiple profiles – and again it comes down to who exactly is trying to track you. That said, TBB does this (security.nocertdb -> true) and that actually fits their purpose – for Firefox, not so much. There are solutions proposed (such as bundling 3000 certs), but I think FPI may be the solution.
FYI: The user,js is now on github ( https://github.com/pyllyukko/user.js ) and the description has been rewritten (I thought it was clear) to be a bit more crystal
Errr .. that was the wrong link: ghacks is here: https://github.com/ghacksuserjs/ghacks-user.js
1.) How do I make FF remember the sites I’ve visited, so that when I type “yout” in the URL bar I get youtube.com as a recommended site based on what I’ve visited. I can’t figure it out…
2.) user_pref(“svg.disabled”, true); gave me a 20% CPU increase on FF while on Idle. Since I’ve set it to “false” the CPU % went down to 0%. Now sure if it’s only me but I wanted to mention it.
Thank for migrating to GitHub! :)
1. First of all you need to stop clearing your history when you shut down, unless you mean you only wanted it to suggest your session history. Go to 2003:
user_pref(“privacy.clearOnShutdown.formdata”, true); // Form & Search History
user_pref(“privacy.clearOnShutdown.history”, true); // web site history
^ change those to false to not lose your history
2. Now you need to allow the urlbar suggestion dropdown to come back
/* 0803: disable locationbar dropdown
^^reset that to the default in about:config and comment out in the js. The default is 10
3. and enable suggestions
/* 0806: disable autocomplete – PRIVACY (shoulder surfers, forensics/unattended browser) ***/
^^ change to true
4. and allow types of suggestions
/* 0808: disable types of urlbar suggestions
* These settings are under Options>Privacy>Location Bar. If you wish to enable any of these suggestions,
SVG .. doesn’t land until FF53, we just snuck it in early, github just spontaneously happened, we didn;t think there would be another version for 6 months. Are you on FF53 or something? I have it set, on FF51, and no such issues. The pref can’t do anything, it’s not even in the build.
yes I am on 53 (FF Dev.)
“yes I am on 53 (FF Dev.)”
Well there’s your problem .. its not “stable”
Hmm.. replied to this 24 hrs ago, still hasn’t shown
Most people in life don’t carry on once they have the answer to their problem. Rude as it can be.
Nice to see gHacks-user.js is on Github. Already many pseudo issues which is the lot of users who copy/paste blindly, put all the flags to ON, do it! and then start complaining. I couldn’t handle it, but I could and do when a question/comment is clearly stated and argumented. I know, you don’t say this sort of things, I do and that’s my uneducated contribution.
Thanks, I’ll test the url suggestions now.
I’d like to have no fade in/out time when going in fullscreen on videos e.g. youtube.
I’ve already set this to “true”:
Fullscreen is working for me but I don’t know how to set the “0 0” correctly.
I’ve added these myself:
// Remove Firefox fade in/out on videos https://support.mozilla.org/t5/Privacy-and-security-settings/Remove-Firefox-fade-in-out-on-videos/m-p/1090127
user_pref(“full-screen-api.transition-duration.enter”, 0 0);
user_pref(“full-screen-api.transition-duration.leave”, 0 0);
Its clearly not a number (or boolean) .. so therefore its a string .. add quotes
user_pref(“full-screen-api.transition-duration.leave”, “0 0”);
I’m on Seamonkey, which is a few versions behind FF release. I need v.10 of the user.js, but it seems all the download links in each article lead to v.11. Can the v.10 links be put back up? I have been using this since the beginning, but now I’m having to start from scratch on a new machine. Many thanks for all the hard work, this is a must for all the hardcore FF users (still) out there.
I personally don’t have any versions except the latest, which is in constant flux. Now it’s on github, I have started archiving a version each stable release. Just use the current version and enable some of the deprecated items as per your version. Who cares if “future” prefs are being applied to your seamonkey, it will not use them. Som eprefs also have the start version, so you could disable some of those too. The deprecated version should make it easy for you to be backward compatible.
You can download a copy I’ve made of user.js [ghacks]-0.10.txt at https://mon-partage.fr/f/XdLyMkOn/
I intended to paste it on Pastebin but the site blocks it with a “Possible Spam Detected” requiring captcha authentication, so they can go to hell. I don’t usually use mon-partage.fr for simple text files but since Pastebin is flying off the handle that’s all I found to share 79KiB of text …
Thank you both for your replies and hard work on this. Tom thanks for the link.
regarding section 0200: I set geolocation to false along time ago; but what about the other mentioned? they seem to require change of numbers etc. how do I change my settings and most important: any risk of crashes/complications?
Use the github: https://github.com/ghacksuserjs/ghacks-user.js/issues
NOTICE: I will no longer monitor any of the comments on the various ghacks user.js articles. If you have any suggestions or questions, use the official repo at github: https://github.com/ghacksuserjs/ghacks-user.js/issues
the new web-extension API does not allow add-ons to edit about:config references. We can change the user.js file on our desktop operating systems. But how we can edit user.js on mobile Firefox? We can change them manually from about:config but these takes long time. Also I always reset my settings/or I reset the mobile phone completely. It is difficult to set all these settings from mobile.
It would be great if you have an idea for Android Firefox.
see this issue: https://github.com/ghacksuserjs/ghacks-user.js/issues/318 – AFAIK, your android needs to be rooted to get access to the profile directory to add the user.js
Thank you :D