Firefox privacy and security user.js 0.11 is out

Martin Brinkmann
Feb 12, 2017

The most comprehensive Firefox privacy and security settings collection has been updated to version 0.11 to take into account changes in newer versions of Firefox.

Ghacks champion Pants created the initial list in 2015, and has been on it ever since that day with help of others including earthling and Tom Hawack.

The new user.js file replaces the old one. The download includes the user.js file, the changelog, and two HTML documents that lists all preferences, information and comments.

ghacks user js 011

You are probably wondering what is new in version 0.11 of the file. First of all, the preferences have been updated to take into account changes in Firefox.

Mozilla has added, changed or removed preferences since the last release of the Ghacks user.js file.

Apart from that, there are new sections that you may find interesting.

There are new sections for Service Workers, First Party Isolation, Fingerprint resisting and Tor uplift. The add-ons section has been filled with links to recommended add-ons on top of that.

Some fun stats about the latest privacy and security user.js file:

  1. The list features a total of 464 preferences of which 48 are commented out.
  2. 33 items contain warnings.
  3. The file links to 71 http and 243 https resources for research

Click here to open the original article that has been updated with the new information, or download the new user.js file directly with a click on the following link: (Download Removed)

Here is the change log:


2300: NEW SECTION for Service Workers (items renumbered from other sections)
2698: NEW SECTION for FPI (First Party Isolation) - commented out, it's not ready yet to go prime time
2699: NEW SECTION for privacy.resistFingerprinting (was 2630)
9998: NEW SECTION for To Investigate - Tor Uplift
: APPENDIX B for Add-ons

Renumbered sections

9996: PALE MOON, section renumbered and no longer maintained


2302: was 1012 dom.caches.enabled .. ALL the stuff in the 2300s were moved there, some are new
2301+2303+2304: were 2432+2430+2431 respectively, also new prefs
1216: was 2609 insecure active content
1217: was 2610 insecure passive content
2024: was 3014 media.mediasource.webm.enabled
: some other numbers may have been reused, moved


Loads of them, just look in the deprecated section, its in order of version dropped, then number.


0101: browser.laterrun.enabled
0301: app.update.silent and app.update.staging.enabled
0336: browser.selfsupport.enabled (also merged 0371 with this)
0374: social.enabled
0376: FlyWeb
0380: Sync
0402: Kinto
0410: the entire section: many prefs deprecated, replaced with others, new section 0410g
0421: privacy.trackingprotection.ui.enabled
0440: mozilla flash blocklisting
0608: network.predictor.enable-prefetch
0818: taskbar preview
0819: browser.urlbar.oneOffSearches
0820: disable search reset
0907: force warnings for logins on non-secure sites
0908: browser.fixup.hide_user_pass
0909: signon.formlessCapture.enabled
1012: browser.sessionstore.resume_from_crash (note: old number was moved to 2300s)
1209: TLS extra prefs to control min and max and fallback versions
1213: cyphers disable 3DES
1214: cyphers disable 128 bit ecdhe
1215: disable MS Family Safety cert
1218: HSTS Priming
1219: HSTS preload
1220: disable intermediate CA caching
1408: gfx.font_rendering.graphite.enabled
1602: returned DNT (do not track) from deprecated
1808: disable audio auto-play in non-active tabs
1820+1825+1830+1840+1850: revamp, additions etc to GMP, DRM, OpenH264, Widevine, EME
2011: webgl.enable-debug-renderer-info
2012: webgl.dxgl.enabled + webgl.enable-webgl2
2022: extra prefs for screensharing
2024: MSE (Media Source Extensions)
2025: enable/disable media types
2026: disable canvas capture stream
2027: disable camera image capture
2028: disable offscreen canvas
2403: dom.allow_cut_copy
2415b: limit events that can cause a popup
2425: disable Archive API
2450: offline data storage
2504: new vr prefs
2510: Web Audio API
2511: media.ondevicechange.enabled
2627: revamped section from a single pref about build ID into all your UA/Navigator objects
2628: browser.uitour.url
2650: e10s stuff, never used by me, may be obsolete as e10s rollout changes with each release
2651: control e10s number of container processes
2652: enable console e10s shim warnings
2660: browser.tabs.remote.separateFileUriProcess
2663: MathML
2664: DeviceStorage API
2665: sanitize webchannel whitelist
2666: HTTP Alternative Services
2668: extension directory lockdown
2669: strip paths when sending URLs to PAC scripts
2670: security.block_script_with_wrong_mime
2671: svg.disabled (FF53+)
2706: Storage API
2707: clear localStorage when a WebExtension is uninstalled
2803a: privacy.clearOnShutdown.openWindows
2804a: privacy.cpd.openWindows
2805: privacy.sanitize.timeSpan
3022: hide recently bookmarked items
3023: browser.migrate.automigrate.enabled
Appendix A: new test sites: Browserprint, HTML Security, Symantec, AudioContext, HTML5, Keyboard Events, rel=noopener
Appendix A: new section:; 5 Safe Browsing, Tracking Protection tests


: custom pref renamed and configured as the Monty Python parrot
: custom pref expanded to each section with euphemisms for the parrot's demise
1211: SHA-1 variables/definitions have been changed by mozilla, recommeneded value has changed
2201: dom.event.contextmenu.enabled is now active
2404: dom.indexedDB.enabled - i turned this on and use an extension to toggle it on and off for sites
2421: two javascript.options now commented out, the performance loss isn't worth it
: some other prefs may have been turned on/off


3019: network.proxy.type - it is not my place to control end users connections/proxies/vpns etc




Summary Firefox privacy and security user.js 0.11 is out
Article Name Firefox privacy and security user.js 0.11 is out
The most comprehensive Firefox privacy and security settings collection has been updated to version 0.11 to take into account changes in newer versions of Firefox.
Ghacks Technology News

Tutorials & Tips

Previous Post: «
Next Post: «


  1. Mathias POUJOL-ROST said on February 15, 2019 at 7:50 pm

    Thank you :D

  2. J. Hary said on December 24, 2017 at 8:45 pm


    the new web-extension API does not allow add-ons to edit about:config references. We can change the user.js file on our desktop operating systems. But how we can edit user.js on mobile Firefox? We can change them manually from about:config but these takes long time. Also I always reset my settings/or I reset the mobile phone completely. It is difficult to set all these settings from mobile.

    It would be great if you have an idea for Android Firefox.

    Thank you

    1. Pants said on December 30, 2017 at 9:44 am

      see this issue: – AFAIK, your android needs to be rooted to get access to the profile directory to add the user.js

  3. Pants said on March 22, 2017 at 12:30 am

    NOTICE: I will no longer monitor any of the comments on the various ghacks user.js articles. If you have any suggestions or questions, use the official repo at github:

  4. b said on March 19, 2017 at 12:39 pm

    regarding section 0200: I set geolocation to false along time ago; but what about the other mentioned? they seem to require change of numbers etc. how do I change my settings and most important: any risk of crashes/complications?

    1. Pants said on March 22, 2017 at 12:29 am
  5. David said on March 13, 2017 at 7:58 am

    Thank you both for your replies and hard work on this. Tom thanks for the link.

  6. David said on March 3, 2017 at 2:38 pm

    I’m on Seamonkey, which is a few versions behind FF release. I need v.10 of the user.js, but it seems all the download links in each article lead to v.11. Can the v.10 links be put back up? I have been using this since the beginning, but now I’m having to start from scratch on a new machine. Many thanks for all the hard work, this is a must for all the hardcore FF users (still) out there.

    1. Tom Hawack said on March 11, 2017 at 11:11 am

      You can download a copy I’ve made of user.js [ghacks]-0.10.txt at
      I intended to paste it on Pastebin but the site blocks it with a “Possible Spam Detected” requiring captcha authentication, so they can go to hell. I don’t usually use for simple text files but since Pastebin is flying off the handle that’s all I found to share 79KiB of text …

    2. Pants said on March 3, 2017 at 11:00 pm

      I personally don’t have any versions except the latest, which is in constant flux. Now it’s on github, I have started archiving a version each stable release. Just use the current version and enable some of the deprecated items as per your version. Who cares if “future” prefs are being applied to your seamonkey, it will not use them. Som eprefs also have the start version, so you could disable some of those too. The deprecated version should make it easy for you to be backward compatible.

  7. Anonymous said on March 1, 2017 at 5:47 am

    Thanks, I’ll test the url suggestions now.

    Another thing:
    I’d like to have no fade in/out time when going in fullscreen on videos e.g. youtube.
    I’ve already set this to “true”:

    user_pref(“full-screen-api.enabled”, true);

    Fullscreen is working for me but I don’t know how to set the “0 0” correctly.
    I’ve added these myself:

    // Remove Firefox fade in/out on videos
    user_pref(“full-screen-api.transition-duration.enter”, 0 0);
    user_pref(“full-screen-api.transition-duration.leave”, 0 0);

    1. Pants said on March 2, 2017 at 9:53 am

      Its clearly not a number (or boolean) .. so therefore its a string .. add quotes
      user_pref(“full-screen-api.transition-duration.leave”, “0 0”);

  8. Anonymous said on February 27, 2017 at 6:25 am

    1.) How do I make FF remember the sites I’ve visited, so that when I type “yout” in the URL bar I get as a recommended site based on what I’ve visited. I can’t figure it out…

    2.) user_pref(“svg.disabled”, true); gave me a 20% CPU increase on FF while on Idle. Since I’ve set it to “false” the CPU % went down to 0%. Now sure if it’s only me but I wanted to mention it.

    Thank for migrating to GitHub! :)

    1. Pants said on February 28, 2017 at 9:40 am

      Hmm.. replied to this 24 hrs ago, still hasn’t shown

      1. Tom Hawack said on March 11, 2017 at 12:06 pm

        Most people in life don’t carry on once they have the answer to their problem. Rude as it can be.

        Nice to see gHacks-user.js is on Github. Already many pseudo issues which is the lot of users who copy/paste blindly, put all the flags to ON, do it! and then start complaining. I couldn’t handle it, but I could and do when a question/comment is clearly stated and argumented. I know, you don’t say this sort of things, I do and that’s my uneducated contribution.

    2. Pants said on February 27, 2017 at 5:51 pm

      1. First of all you need to stop clearing your history when you shut down, unless you mean you only wanted it to suggest your session history. Go to 2003:
      user_pref(“privacy.clearOnShutdown.formdata”, true); // Form & Search History
      user_pref(“privacy.clearOnShutdown.history”, true); // web site history
      ^ change those to false to not lose your history

      2. Now you need to allow the urlbar suggestion dropdown to come back
      /* 0803: disable locationbar dropdown
      user_pref(“browser.urlbar.maxRichResults”, 0);
      ^^reset that to the default in about:config and comment out in the js. The default is 10

      3. and enable suggestions
      /* 0806: disable autocomplete – PRIVACY (shoulder surfers, forensics/unattended browser) ***/
      user_pref(“browser.urlbar.autocomplete.enabled”, false);
      ^^ change to true

      4. and allow types of suggestions
      /* 0808: disable types of urlbar suggestions
      * These settings are under Options>Privacy>Location Bar. If you wish to enable any of these suggestions,
      user_pref(“browser.urlbar.suggest.history”, false);
      user_pref(“browser.urlbar.suggest.bookmark”, false);
      user_pref(“browser.urlbar.suggest.openpage”, false);

      SVG .. doesn’t land until FF53, we just snuck it in early, github just spontaneously happened, we didn;t think there would be another version for 6 months. Are you on FF53 or something? I have it set, on FF51, and no such issues. The pref can’t do anything, it’s not even in the build.

      1. Pants said on March 1, 2017 at 9:59 am

        “yes I am on 53 (FF Dev.)”

        Well there’s your problem .. its not “stable”

      2. Anonymous said on March 1, 2017 at 5:29 am

        yes I am on 53 (FF Dev.)

  9. Anonymous said on February 22, 2017 at 10:19 am

    When I set security.nocertdb to true, the list of save passwords in Firefox appears empty. Luckily, when I set it to false again, the passwords re-appear. So the best one can do right now is to create a widget for this setting in PrefBar and then occasionally set the flag to clear the database of cached certificates.

    1. Pants said on February 25, 2017 at 1:47 am

      I think this solution is a bit of a hack, but may suit some people. Wiping the cert8.db is not a solution for all those people who have unique CAs etc as per the bugzilla ticket – for those cases I would suggest multiple profiles – and again it comes down to who exactly is trying to track you. That said, TBB does this (security.nocertdb -> true) and that actually fits their purpose – for Firefox, not so much. There are solutions proposed (such as bundling 3000 certs), but I think FPI may be the solution.

      FYI: The user,js is now on github ( ) and the description has been rewritten (I thought it was clear) to be a bit more crystal

      1. Pants said on February 28, 2017 at 5:54 am

        Errr .. that was the wrong link: ghacks is here:

  10. tom said on February 16, 2017 at 9:33 pm

    Are any addons now obsolete because of the user.js changes?

    1. Pants said on February 17, 2017 at 7:30 am

      I can’t monitor addons. However, see this comment: . 2668 which limits scopes for extension directories does break some addons including Roboform and Internet Download Manager. It is bound to break some others who use a non standard xpi dir.

  11. tom said on February 15, 2017 at 11:21 pm

    user.js is not being used with FF Dev 53.
    perfs.js does not accept the ghacks content and moves everything in Invalidprefs.js

    What do?
    Please help!

    1. Pants said on February 16, 2017 at 7:15 am

      tom, I downloaded , unpacked it, opened it and made a couple of changes (tab tiles, flicked open the bookmarks toolbar, added about:config … nothing major). Closed it. Added the user.js to the profile. Reopened it – no errors. All prefs were applied.

      1. tom said on February 16, 2017 at 9:27 pm

        I’ve deleted my prefs.js and it’s working again. Now I’ll have to reconfigure some options but at least I got it working.
        Thank you for helping!

      2. Pants said on February 16, 2017 at 7:37 pm

        Using the js unedited, in my everyday FF, I temporarily enabled all scripts on the page (noscript), and toggled the power button off for both uBlock Origin and uMatrix and reloaded, and everything shows. I am blocking cookies and local storage on this site by default as well. And indexeddb is disabled. It definitely isn’t a user.js setting.

        I think your issue is you’ll need to allow – that’s where the bulk of the images come from (71 of them), maybe you need to allow &

      3. tom said on February 16, 2017 at 3:50 pm

        Thanks for helping!
        I’ve noticed yesterday an error that I’ve made in the config and I guess FF did not liked it.
        The config is working and I’ve already changed some stuff.

        I still have to test it over a long period of time but I’ve made a lot of things working for my personal needs.

        I did noticed a problem that I don’t know how to fix yet.
        The product / Box art images are not loading. They used to load before. umatrix was configured to load them and turning it off does not load the images either. I guess it must be the user.js

  12. Gary D said on February 14, 2017 at 4:27 pm

    Martin & Pants

    After reading carefully all your warnings, I changed the prefs with no problems. :)

    I still have one question. What do I have to do in order to display Hidden Prefs in about:config ?

    1. earthling said on February 14, 2017 at 4:54 pm

      ‘What do I have to do in order to display Hidden Prefs in about:config ?’

      It’s not possible. Hidden Prefs are prefs that mozilla choose not to include in any of their settings.js files, so they don’t show up in about:config. You have to search the source code to find them.

      1. Gary D said on February 14, 2017 at 4:59 pm

        Thanks for your fast response, earthling. :)

        I think I’ll leave playing with source code to you, pants and the other FF experts !

  13. earthling said on February 14, 2017 at 3:45 pm

    The best way to troubleshoot your current problem or any future problem is to…
    1. backup your whole profile folder
    2. rename user.js to user.js.disabled
    3. start editing your prefs.js file, ie. move sections or parts of prefs to a new editor window
    3a. start with all the ‘dom.*’ prefs, they disable some Javascript features.
    3b. the site is dealing with music files, so move out all the ‘media.*’ prefs next.
    3c. if you have Flash installed, search for ‘plugin’ and ‘flash’ prefs and move those out
    3d. search for ‘cookie’ and move all those out
    4. keep moving stuff out until your problem is solved. It’s very likely that in your case more than one pref are causing the problem.
    5. If you really want to trace it down to the problematic prefs, change each pref in your moved-out list back to the value in Pants’ user.js via about:config; one by one and test the site after each change.

    Moving stuff out of prefs.js has to be done while FF is closed.

    6. If you traced it down to one or more prefs, restore your backed up profile, remove or comment out the problem prefs in the user.js and let us know what the prefs were that caused your problem.

  14. J said on February 14, 2017 at 1:04 pm

    Thanks Anonymous but, to no avail May have to just resort to resetting the browser and staying away from your user.js files altogether as they are for someone much younger not someone with tired old eyes like mine.

    1. Pants said on February 14, 2017 at 8:08 pm

      Well, at the end of the day, if you can’t troubleshoot it (and it has to be you to do it, and there are ways to halve and halve again the prefs to narrow the culprit down, its not that hard) then your correct response should be: use the user.js for all sites except that one site, and use a secondary browser or profile for echonest. The more you tighten up privacy/security/etc, the more sites will break. Personally, for one off sites that my default FF can’t quickly handle, I have a portable Opera, Chrome, and Iron .. not to mention IE (which is locked down) if I really had to.

      I am impressed though, that as a self-proclaimed “newbie”, you went full hog on it, unedited, unread .. just jumped right in the deep end.. balls to the wall. Not that there is anything in there that will break sites wholesale. Still, impressive balls :)

  15. b said on February 14, 2017 at 9:13 am

    @Pants @ Martin Brinkmann

    I’m confused: is this thread meant for comments/troubleshooting regarding 0.11 or the one on ?

    1. Martin Brinkmann said on February 14, 2017 at 2:07 pm

      You may use both. You are probably getting a better response here, but feel free to add your comments to the original thread if you prefer it. Pants monitors both with eagle eyes.

      1. Pants said on February 14, 2017 at 8:12 pm

        Yes, very pretty .. shame I had to take his eyes

        “I apologize for exposing your eagle to the public” .. that sounds so very Pythonesque, and Roman, and rude.

      2. Pants said on February 14, 2017 at 7:41 pm

        Godamnit Martin … you said wouldn’t tell anyone about that eagle

      3. Martin Brinkmann said on February 14, 2017 at 7:56 pm

        I apologize for exposing your eagle to the public. But damn, it is pretty.

  16. J said on February 14, 2017 at 7:21 am

    Yes, I am able to log into Spotify. We are loading up all of your music. This may take a while depending upon how big your music collection is. If you are impatient, you can stop the loading at anytime to work with a subset of your music.Except that it’s not loading.. dom.indexedDB.enabled: true

    1. Anonymous said on February 14, 2017 at 7:53 am

      – Try items in 2300’s – service workers – all of em, comment them all out – all 9 of them and save the file. Find each one in about:config and right click it and reset. Restart FF
      – Also maybe try 2706: dom.storageManager.enabled – flick it to true

  17. J said on February 14, 2017 at 2:10 am

    Can anyone please fix this? Why is it being stopped or rather not loading at all? If I can’t get this to work I may have to resort to resetting the browser.

    1. Pants said on February 14, 2017 at 6:14 am

      What exactly is the issue. I allowed XSS and scripts to run, I allowed an echonest cookie, and I had to ALLOW indexeddb which is 2404 – without the cookie + indexeddb, clicking “organize” does nothing. With it allowed, it redirects me to . As I said earlier: “I would suggest that you perhaps turn on indexeddb, 2404: user_pref(“dom.indexedDB.enabled”, false); either comment it out and reset in about:config (in about:config, you can right click a pref and select “reset”) .. or set it to true. Restart FF.” – you need indexeddb for starters

      So where exactly is this falling over for you? Do you get to log into spotify?

  18. J said on February 14, 2017 at 12:21 am
    Reply still broken. Not able to load a playlist or see it load. The tabs are back though. Youtube videos play, and the play, stop, next video work but are still invisible..

    1. Pants said on February 14, 2017 at 6:08 am

      comment out the two prefs in 2508 so they look like this with the double slash // in front and save the file
      // user_pref(“gfx.direct2d.disabled”, true);
      // user_pref(“layers.acceleration.disabled”, true);
      Now go to Options>Advanced>General>Use hardware acceleration when available and tick that box. Restart FF – that may fix your YT buttons. I don’t have that problem, so it’s hard to diagnose for you.

  19. Ainatar said on February 13, 2017 at 11:10 pm

    Nice job Pants, as always. I have tested it, with some minor custom changes, and everything works fine :-)

  20. VCS said on February 13, 2017 at 9:55 pm

    Thank you for your excellent work!

    Would the authors care to host this on GitHub? It could benefit even more with VCS features, user input and discussions, pull requests, increased updates frequency, issue tracking, etc. It would also be more fun overall :)

    I would also suggest you add an open-source license to the file/project – have a look at for some inspiration.

    1. Pants said on February 14, 2017 at 6:05 am

      Why does it need a license? Anyone is free to use it. I don’t even care if anyone takes it and claims it as their own – those in the know always know where to come to get the real thing.

      Github .. ummed and argghed about this for 6 months – I don’t want to install github client (earthling feels the same way) – but if someone else was to put it up, and it must keep the ghacks name, then I would be on board with that – for all the reasons you state (see – real time updates, commit/changes tracking, threads per issue etc.

  21. J said on February 13, 2017 at 9:17 pm

    Please help me get this site back as I use it fairly often. Thanks

    1. Pants said on February 14, 2017 at 1:34 am

      J, you need to be careful if you’re just going to run with it. By default, this js turns off tracking protection and auto-updates – you will either need to turn them back on, or use uBlock Origin and manually check periodically for add-on and program updates. uBlock Origin can work with NS, no problems.

      Also by default, 3rd party cookies are blocked, but first party is not – you will probably need 3rd party cookies at some stage – so use an add-on to give you control. You may well need a spotify cookie on that echonest site.

    2. Pants said on February 13, 2017 at 9:30 pm

      I would suggest the following – make sure your NoScript is not interfering (it if didn’t before then it won’t be now). Looks like you login (SSL) but I wouldn’t think anything is wrong there as Spotify should be using decent ciphers etc. I don’t have a spotify account, so I can’t troubleshoot it.

      I would suggest that you perhaps turn on indexeddb, 2404: user_pref(“dom.indexedDB.enabled”, false); either comment it out and reset in about:config (in about:config, you can right click a pref and select “reset”) .. or set it to true. Restart FF.

  22. J said on February 13, 2017 at 8:55 pm

    Yup, the problem seemed to have been with 1807. Now, how do I get the stop and play buttons to reappear on Youtube? Also, when I select a new tab it is completely blank instead of listing my most frequently visited websites. How do I get those back? Please stick around as I have a few more questions to ask.

    1. Pants said on February 13, 2017 at 9:23 pm

      Umm .. stop and play buttons .. mouse over the video I suppose

      If you want to keep your history (which is what most frequent sites is based on), you will need to disable this one and reset it in about:config .. or just change it to false : 2803: user_pref(“privacy.clearOnShutdown.history”, true); Now as you visit sites again, they should start to populate your default startup and newtab page

      You’ll also need to enable newtab: look at 0360 and do the same for user_pref(“browser.newtabpage.enabled”, false); – i.e change it to new, or comment it out and reset in about:config.

      Still in 0360… I can’t exactly remember what user_pref(“browser.newtabpage.enhanced”, false); does. Maybe disable it. Once you restart firefox and get your newtab page to show, there is settings cog wheel top right that has some options.

  23. Steve said on February 13, 2017 at 8:31 pm

    Too much ink has penetrated into your brain.
    What the hell are you trying to say (speak english)?

  24. J said on February 13, 2017 at 8:24 pm

    Yes, all 7 boxes are checked.

    Here is a video from Saturday Night Live, looks like it might be kinda fun to watch :) I am using Noscript and the Aurora build on Firefox. Also, seems broken as well as it is no longer working for me. Should I disable no script first and see if that doesn’t help?

  25. J said on February 13, 2017 at 7:02 pm

    How do I get you tube videos to play again? The thing just goes around in a circle and videos refuse to play. Which setting would I need to switch to false to be able to watch videos again?

    1. Pants said on February 13, 2017 at 8:10 pm

      I just tried some random YT videos, and they all play just fine. Can you give me some links to one or two that aren’t working – so I can test the exact same items.

      – It could be something to do with 1807: autoplay. On YT I have to hit pause (nothing is actually happening) and then hit play for it to actually start.
      – Or it could be something to do with specific videos and widevine/drm/eme/gmp (which are all under 1820-1850)
      – Or do you have an extension that does something like force HD and other settings?
      – Do you have flash enabled? (I don’t)

      You can also go to and tell me is it’s all ticked as working. Six ticks for media types and another tick for using HTML5 by default.

  26. Steve said on February 13, 2017 at 5:23 pm

    Pants started the anti-Trump remark, if u dont like Trump go vote you whining losers.
    Suck it up.

  27. buffer said on February 13, 2017 at 11:12 am

    I am the only real person I know who uses Firefox. Thank goodness it’s a browser that allows me to find other Firefox users.

    1. Ronald McTronald said on February 13, 2017 at 3:00 pm

      Shove it down those suckers throats! They won’t see a difference if your port their bookmarks and shit :)

  28. J said on February 13, 2017 at 5:56 am

    Newbie here

    Where do I place this file for it to work? And, will it work with the Aurora build?

    1. Martin Brinkmann said on February 13, 2017 at 7:50 am

      It works with all versions of Firefox, but especially Stable. You should not just place the file, as you need to go through it to adjust it. There are more than 30 warnings in the file, and simply placing it in the right folder will break things.

      Instructions are provided on this page:

  29. J said on February 13, 2017 at 5:53 am

    Where do I place this file for it to work?

  30. steve said on February 13, 2017 at 2:05 am

    Pants pull them up.Disgrace to USA

    1. Ronald McTronald said on February 13, 2017 at 2:55 pm

      Ha ha look at him coming back, he is so flustered. At some point you’ll have to accept that people have different views and vote differently than you do. The world won’t crumble if not everyone likes Donald Drumpf, plus he’s President and with almost no opposition now, what more could you hope for ? :)

  31. dan said on February 13, 2017 at 1:50 am

    Thanks, Pants, et al.!

  32. NoSohoth said on February 13, 2017 at 12:16 am

    Thanks for the update !

    However, 2671 (svg.disable) breaks a lot of Youtube videos’ playback.
    If set to true, the player crash and I get uncaught exceptions / TypeErrors.
    I guess you should add a warning on that.

    1. Pants said on February 13, 2017 at 12:55 pm

      Thanks. Will add to warning/troubleshooting list, as SVG is pretty common (~15% of the top 10K sites use it). At this stage, the pref doesn’t land until 53, so maybe the cause is something else.

  33. DOM said on February 12, 2017 at 11:48 pm

    While I wouldn’t actually use a user.js file, I love the resources gathered in those pants, they’re really bulky pants, they’re terrific, I’m gonna grab them alright.

    It really saves time from having to lookup Bugzilla or Firefox’s source code or specs for web standards.

    Maybe it would be nice to provide a light version too that only changes a limited amount of things based on clear goals.
    Goal examples:
    – Disable all network requests unrelated to browsing, from health reports to prefetching and what have you
    – Disable DRM
    – Among web standards, only disable the most glaring privacy dangers that are not behind a permission, such as referrers, the Timing APIs, service workers, beacons and pings, Jar, maybe Push, Alternative Factswaitnoimeant Services.

    This could have been made an add-on with a slider UI like Tor Browser, but I don’t think WebExtensions can modify about:config prefs can they ?

    1. Pants said on February 13, 2017 at 1:47 pm

      The problem with coming up with a “lite” version is that no one size fits all. The combinations are astronomical. It’ll never please everyone. It would also be a lot of extra work. Instead we have a single file that users can make informed decisions on, which by default has some sort of balance between being private but allowing functionality (it’s also exactly what I use, because I’m the (joint) author :) – and it means I only have to deal with one version in total (yup, I’m lazy). As for creating an add-on with a slider: 1. again, who decides what goes in each setting and 2. way too much work especially maintaining an up to date version for FF releases

      I can see the benefit of someone forking it several versions: 1. a zero-impact one for “newbies” – eg it leaves auto- updates, blocking protection etc in place and removes anything that breaks functionality 2. a middle version whatever that means, and 3. a super hardened version.

      Although end users can do that themselves, and use multiple profiles.

      1. DOM said on February 13, 2017 at 2:41 pm

        Yeah I was definitely calling on the community to do that, not you, you’ve done more than your part >_>
        Your second paragraph is what I mean. There is also an advantage in having a limited amount of versions lying around, due to fingerprinting.

        I’d really contemplate making it a WE but I think they can’t access about:config, except if it’s their own custom prefs I guess. Though I could be wrong. This is something that could be brought up to the WE team if I’m right though… Also I don’t have enough time to do all of this, all I could do is pick options for the different levels of the slider.

        If anyone is up to at least trying to study the feasibility of this, may you appear right before us as lightning strikes where you’ll stand!

  34. ramen peelantsky said on February 12, 2017 at 10:00 pm

    Off topic comments expose the real value of this article.

    Down with the adsense non-sense !!

  35. Steve said on February 12, 2017 at 9:27 pm

    “heeshus, you sound like Trump.”
    Nothing wrong with sounding or being Trump.

    1. Steve said on February 12, 2017 at 9:29 pm

      Now that I know pants is a snow flake, don’t trust his judgement/program.

      1. T J said on February 13, 2017 at 12:22 am

        @ Steve

        “Nothing wrong with sounding or being Trump.” Bloody Hell, a Trump fan boy !

        “Now that I know pants is a snow flake”. WTF does that mean ?

        Piss off Steve. Go and play Troll somewhere else you dickhead.

  36. nnm said on February 12, 2017 at 9:25 pm

    security.nocertdb;true – is break PassIFox addon and FF context menu on password forms. Also i’ll be logged out from some sites which cookies is still be present (i’m pretty sure, issue in this pref: toggling to false and restarting browser – is restore session on this sites).

    (sorry for bad English)

    1. Tom Hawack said on February 14, 2017 at 12:45 am

      1220: security.nocertdb is indeed actually commented out and inactive.

      Just reporting another issue when setting security.nocertdb to true :

      I’m using Firefox’s Master Password strengthened with the FIPS option available at
      Options / Advanced / Security Devices / Enable FIPS

      FIPS? :

      If I set security.nocertdb to true, first time the Master Password is required doesn’t ask me for the password, but to change the password … I forgot to take a screenshot but ask for one if it can help and I’ll reproduce.

      Pants, looks like you were definitely well inspired to comment out this setting.

    2. Pants said on February 12, 2017 at 9:36 pm

      1220: security.nocertdb is actually commented out and inactive

      1. Bron said on February 13, 2017 at 4:47 pm

        You had to pick up his one tiny off topic comparison in a see of words didn’t you ? :)

      2. Richard said on February 12, 2017 at 10:12 pm

        Had to throw in your political opinion, didn’t you?

  37. P said on February 12, 2017 at 4:21 pm

    Great info, thx!

  38. Dave said on February 12, 2017 at 2:12 pm

    What the… this crap wiped my history. I’m not a paedo or terrorist. Why would I want my local history wiped? I guess the target market for this stuff is bad people. Wait, am I on a site for bad people? :-|

    1. funkysausage said on February 13, 2017 at 11:00 am

      damn dave, you sure are one ungreatfull, lazy and antisocial bunch of insecurities. if you cant even be thankfull for someone spending their time compiling all these infos, just shut up. you try and come across like the big man, and yes, you have some good english, but then again, good english does not garantue good content. you halfarsed reading the infos, you wanted to try it. and after it not meeting your high expectancys you are trying to make it (and in extension pants) look bad. newsflash, no one here gave you the file with any promise of it being anything else but a collection of settings you can/may use if you like and think you should use them. and now you just sound like a friggin troll trying to seed bad mood driven by a sheer unbelievable audacity to ignore facts and just talk over others. if you cant even be civil and fair to someone that spent a lot on work on a file you insisted using, then just shut up and dont try and poison the well just because you are not thirsty.

      ps: that paedo/terrorist thing is a strawman so stupid, i really wonder how you manage to write that english with those few dried out braincells of yours.

      pps:yes i know, i made lots of errors and dont even use uppercase letters. probably that makes all my arguments invalid and all my points stupid. you can spare yourself writing 2000 lines as an answer, as from here on i would only mock you… out of deeeeep respect ofc.

      ppps: i would like to apologize to everyone here, except dave, for my wording.

      1. Budster said on February 13, 2017 at 7:05 pm

        What’s this, then? “Romanes eunt domus”? People called Romanes, they go, the house?

      2. Martin Brinkmann said on February 13, 2017 at 7:56 pm

        For those who don’t understand, here is the Monty Python scene:

    2. Jason said on February 12, 2017 at 7:12 pm

      You used the file without looking through it first? You deserve to lose your history.

      1. Jason said on February 13, 2017 at 4:06 pm

        @ Dave:

        The file is thoroughly commented (in English) every step of the way.

      2. Dave said on February 13, 2017 at 2:08 am

        OK Pants, this is a really pathetic reply. You’re twisting things like a pro, but not an expert. Let me unravel it all:

        While the comments on your work are in English, the only way to find out that your settings wipe the history – and that’s what this conversation is about – is from the code. Code isn’t English, so Jason’s demand that the work should be read first requires understanding the code, which isn’t English. And don’t say the code is English because the base words are derived from English. I can see that rebuke coming a mile off. The only relevant thing you wrote about history is about session history and recently closed tabs. If I’m wrong, feel free to quote from your work (with a line number).

        I haven’t added a single new topic, I’ve responded to tangents that other users have added. Things like “You deserve a punishment” and “You never read anything when installing” (both paraphrased for expediency). It’s right there in the witch hunt above for you to read, and if you had any objectivity at all you’d have criticised the people who added those tangents to the topic, not my factual responses. Lynch mob? Yes, welcome to the hunt. On top of that, claiming that I changed the topic IS a new topic. How exactly did I start any of these topics? Other people did, because they can’t focus. It’s not my problem that they just want someone to burn. They probably do it this all the time. I hope they decline jury duty if they’re ever asked – and that goes for you too.

        To build on that slightly, TOSDR has everything to do with Gary’s comment that I responded to. Go and look it up before claiming it’s irrelevant. What you’re doing there is refusing to look at evidence. Tsk, tsk. Although frankly I don’t care if you know the relevance. I don’t really care if you understand anything. It’s not my place to hold your hand and show you how to apply logic and reason to what you read.

        Wow it’s only February and you’re already calling anyone you don’t like “Trump”. All that does is it tell me you know so little about the world that your knowledge is limited to current headlines and trends. It wouldn’t cross my mind to call someone Trump. You’re just jeering – like those peasants in Star Trek.

        You know what’s really bad about your comment, is that you know what things like a Strawman are (who doesn’t? The term really took off on the internet 2012) and yet you hypocritically throw a bunch of them into your own comment – on purpose – along with a few tu quoques and some ad hominem. I can play the stupid-words game too. You’re hoping that you’re up against a dumb opponent to argue against. Guess again.

        Look, anyone can see that your humour comment is you trying to troll me. In the same paragraph you talk about me somehow trolling my own thread. I fail to see how. The point I’m getting to is that your entire comment seems to be a projection of it’s own flaws onto the preceding conversation. I’m not sure if you’ve done this on purpose for a laugh, or if you genuinely are the world’s biggest hypocrite, but I’d bet it’s all done on purpose for a laugh. Everything is just too well arranged in its hypocrisy for it to be coincidental. I might not have noticed how acutely hypercritical each paragraph is if not for that last paragraph you wrote causing me to look more carefully at the others. I have been trolled.

        Now while this was fun, I really can’t give any more time to it. Typing thorough explanations to irrational people on the internet isn’t time well spent (because they will ignore everything). Let’s all just be glad that this is the internet and people like you can’t burn real people just by calling them witches anymore.

        Thank you for telling me you don’t respect my opinion. Judging from the way you try to argue and view things, that’s the best endorsement I could get.

      3. Pants said on February 12, 2017 at 9:13 pm


        And I quote from the js file: “Backup your profile first, or even just the PREFS.JS”. The js also says “The author does NOT expect (or indeed want) end users to just run with it as is”. It is also written in English. The original article also says to backup your profile, and Martin gives step by step instructions.

        “and isn’t written in English” – what language is it then?

        “This place is a lynch mob”, “Awful people making judgements based on superficial interpretation” – so you’re saying that all the research, the fact that mozilla coded these prefs, that a lot of them were initiated by random people submitting bugs, and a lot are also discussed or even initiated by TBB, that the wisdom and knowledge of hundreds or thousands of people around the web, is practically worthless. That numerous sources suggest the same settings. And that the warnings and the encourage for end users to make their own decisions means nothing?

        “I’m a lead contributor to TOSDR”, “I’ve read every EULA for as long as I can remember” – what does have to do with anything? Do you feel insecure or something?

        Sheeshus, you sound like Trump. Talk the other person down. Talk yourself up. Belittle people to make yourself feel big and important. Add a strawman. Change the topic. Spread FUD (not in English, really?).

        Why don’t we really focus on what you’re really trying to say: “I am trying to be funny and witty, and be liked, but all I come across as is a troll”. You’re welcome to your opinion. Doesn’t mean anyone has to respect it, and I’m sure no-one will.

      4. Dave said on February 12, 2017 at 8:14 pm

        FYI Gary, I’m a lead contributor to TOSDR, not that you’d know what that is. I’ve read every EULA for as long as I can remember, but this script isn’t a EULA (except for the first few lines) and isn’t written in English.

        This place is a lynch mob. Awful people making judgements based on superficial interpretation of events they didn’t witness. I finally understand the growing argument against juries. It’s a wake-up call to see that “people” can be such fierce proponents of punishment when they know next-to nothing of the situation. All I can picture is the scene from Star Trek TNG where the peasants in the court room are shouting “hang him!!”.

        Even the back-up advice in the file is bad – not that that’s really the topic anymore. The file says to back-up prefs.js, but the scope of the script affects other databases. A back-up of prefs.js would to nothing to help. The script should advise backing up the profile folder. And yes, I did back-up my profile folder (as well as other measures) so this didn’t affect me for more than a minute.

      5. Gary D said on February 12, 2017 at 7:46 pm


        You are dead right. He probably clicks “next, next, next” when installing programs/apps. Then he wonders why he’s got new toolbars, crap utilities, etc.

    3. Mikke O said on February 12, 2017 at 5:03 pm

      The target market is for the obsessive, paranoid, and/or psychotic types; not necessarily just bad people. :-D

    4. Yuliya said on February 12, 2017 at 3:32 pm

      The sole fact that those are the first two things that crossed through your mind tells alot about you, and is quite unsettling.

      1. MdN said on February 13, 2017 at 4:56 pm

        Exactly right. If someone’s first idea of “something hidden” are paedo terrorists it says a lot about their state of mind. It doesn’t imply that they are one of them, but it (long story short) does imply that a person like that would vote for orange politicians. :-)

      2. Dave said on February 12, 2017 at 6:10 pm

        Are you inferring that I’m a terrorist paedo who wants to keep all his internet history? Yeah, that makes sense.

        And if I was a terrorist paedo, why would that be unsettling to you? There are hundreds of millions of them, so why would irrationally suspecting one person who’s ten thousand miles away “unsettle” you?

        No, you’re just an idiot who can’t even form his thoughts into words.

      3. Rastuie said on February 12, 2017 at 4:30 pm

        I agree with Dave

        /@Yuliya ,you are not funny!/

  39. Dave said on February 12, 2017 at 1:48 pm


    When you say “current”; how does this relate to ESR releases?

    1. Montegua said on February 14, 2017 at 9:26 pm

      This version (0.11) is primarily targeted for Firefox 51.

      Users who are currently using Firefox 45.7ESR can use this version, but I would strongly advise that they pay careful attention to the configuration settings in the deprecated list.

      For example, I have a modified version of 0.11 for Firefox 51, and a separate modified version for Firefox 45.7ESR that uses some of the deprecated settings.

  40. Anonymous said on February 12, 2017 at 1:35 pm

    Or use Pale Moon with its config by default.

    1. Andy said on February 13, 2017 at 6:59 pm

      I would love to compile a head-to-head list of which of these features are featured in Pale Moon’s default configuration, but that would be feeding the troll even more than this comment is.

      1. Anonymous said on February 14, 2017 at 8:26 am

        “Personally, this seems like a whole lot of nonsense to me and a wasted effort on the part of to increase its following. It is nonsense like that that convinces me further that I made the right decision to switch to Pale Moon.”

        Remember – “A day without laughter is a day wasted.”
        May the user.js by Pants sing to you and the sun rise in your heart…

      2. Anonymous said on February 14, 2017 at 7:51 am

        “How to stop Pale Moon from Giving out Information”:
        Moonchild: “I suggest you don’t tweak the browser to the point of breaking.” & “There is no “way to stop Pale Moon from giving out information” because it is a web client”.

        “I would love to compile a head-to-head list…”. Please don’t.

  41. Xircal said on February 12, 2017 at 1:35 pm

    Users intending to implement the user.js file should be aware that it will overwrite the prefs.js file. The latter contains all the about:config settings users might have changed.

    Also, even if the user.js is deleted at a later date, the prefs.js will retain all the settings which were overwritten. Therefore it’s advisable to make a backup of the prefs.js before proceeding.

  42. Gary D said on February 12, 2017 at 12:58 pm

    Martin, thanks to you for hosting this. Thanks to Pants,earthling and Tom Hawack, for the work which they put into this js.

    Its so comprehensive !

    So Pants is a Monty Python fan ( Dead Parrot ).

    Off topic: Can you confirm or deny that Pants is a girl ? :))

    1. Tom Hawack said on February 13, 2017 at 2:23 am

      All the work goes to Pants, mainly. Great job, as always.
      I’ve just downloaded this and I won’t open it before tomorrow morning otherwise I’d be bound to spend the night discovering it.
      I’m sure it’ll be just fine :)

    2. Pants said on February 12, 2017 at 3:09 pm

      The official result of the World Hide-and-Seek, Mrs Francisca Huron, Paraguay, 11 years, 2 months, 26 days, 9 hours, 3 minutes, 27 seconds (tied with Mr Don Roberts from Hinckley, Leicestershire).

      1. Anonymous said on February 13, 2017 at 4:38 pm

        LOL “speaker”. You freak.

      2. Gary D said on February 12, 2017 at 4:01 pm

        Pants, Nothing like a bit of obfuscation ! :O

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.