Control Firefox System Add-ons with the Ghacks user.js file
Some time ago part of development for Firefox shifted from integrating new features and experiments in the core browser directly to using system add-ons for that.
Mozilla did integrated Pocket in Firefox natively first for instance, but changed that by removing the code from Firefox to distribute Pocket as a system add-on instead.
System add-ons work in many regards similarly to add-ons: they can be updated independently from the browser, and come as self-contained packages.
One difference to add-ons is that users don't have full control over them. That's understandable on the one hand, as they may introduce important functionality to the Firefox browser. On the other hand, it is used to push features that some users may not want.
System add-ons are not listed in the add-ons manager of Firefox. You get a listing of them when you open about:support. Firefox users find them listed under "Firefox Features" on the page. You may find eight or more system add-ons listed on about:support in Firefox Stable currently, and more if you run a development version of the browser.
One issue that Firefox users have with these system add-ons is that they cannot be disabled on about:support or about:addons.
Some system add-ons come with preferences that you may configure to disable them. Pocket for instance can be turned off by flipping the preference extensions.pocket.enabled to false. But some system add-ons don't come with this option even though you may want to remove it from Firefox.
The Ghacks user.js file for Firefox is an excellent resource when it comes to configuring Firefox to your needs and liking. It focuses on privacy and security, and is designed to provide you with information on preferences that the browser ships with.
One of the recent additions to it is a new system add-ons section. It basically lists preferences for Firefox system add-ons to control their behavior. Note that the listing is limited to what Mozilla integrates; if Mozilla does not add an option to disable a system add-on, you cannot do so from within Firefox.
You may delete the system add-on in the Firefox installation directory, but it will be added again when you update the web browser.
I suggest you check out the master user.js file on the linked GitHub page above; here is just a short list of important preferences related to system add-ons for Firefox that you may want to be aware of:
- user_pref("experiments.enabled", false); -- Opt out of experiments
- user_pref("experiments.manifest.uri", ""); -- Opt out of experiments
- user_pref("experiments.supported", false); -- -- Opt out of experiments
- user_pref("experiments.activeExperiment", false); -- -- Opt out of experiments
- user_pref("experiments.activeExperiment", false); -- Prevent Mozilla from opting you into tests silently.
- user_pref("network.allow-experiments", false); -- Blocks the URL used for system add-on updates
- user_pref("extensions.pocket.enabled", false); -- Disable Pocket
- user_pref("dom.flyweb.enabled", false); -- Disable Flyweb
- user_pref("extensions.shield-recipe-client.enabled", false); -- Disable Shield Telemetry system
- user_pref("extensions.shield-recipe-client.api_url", ""); -- Disable Shield Telemetry system
Again, you find additional preferences and links to resources on the Ghacks user.js Github page. Also, it will get updated regularly as new system add-ons get released (and they will).
Now You: What is your take on system add-ons?
0201 went from https://github.com/ghacksuserjs/ghacks-user.js/commit/98698c8e6872955c7331c6bef914fb5e3aba7643 to https://github.com/ghacksuserjs/ghacks-user.js/commit/98698c8e6872955c7331c6bef914fb5e3aba7643 but it was originally https://127.0.0.1 https://github.com/ghacksuserjs/ghacks-user.js/commit/1b73cb828ebb5ad38b0aea5b41b7b6a780994413. https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/#comment-3867603 makes it sound like it couldn’t be blank so just want to pass along in case going back to blank over https://127.0.0.1 was an oversight in all those changes.
And a question. https://github.com/ghacksuserjs/ghacks-user.js/commit/63ed779776d15440df93417c0204993a984bf591 says to DELETE the XPI file in your system add-ons directory. Where is that located exactly?
The info is listed in the section 0500 section header
* Portable: “…\App\Firefox64\browser\features\” (or “App\Firefox\etc” for 32bit)
* Windows: “…\Program Files\Mozilla\browser\features” (or “Program Files (X86)\etc” for 32bit)
* Mac: “…\Applications\Firefox\Contents\Resources\browser\features\”
System add-ons are stored C:\Program Files\Mozilla Firefox\browser\features or wherever Firefox is installed.
Does this work in chrome with Tampermonkey?
Where is the system add on file recommended to delete?
I read that section multiple times…when you added your last paragraph to your comment I got it! Sorry for being so thick.
“If you go to about:config and type in parrot, you can see if you had a syntax error in what section (to narrow things down) – because everything after that syntax error is not applied on startup (note items may have already been applied and are already in the prefs.js)”
about:config?filter=parrot
Where can I go to find out about the following…I simply don’t understand how testing for syntax errors works in user.js?
START: internal custom pref to test for syntax errors (thanks earthling)
* Yes, this next pref setting is redundant, but we like it!
* [1] https://en.wikipedia.org/wiki/Dead_parrot
* [2] https://en.wikipedia.org/wiki/Warrant_canary ***/
user_pref(“ghacks_user.js.parrot”, “Oh yes, the Norwegian Blue… what’s wrong with it?”);
https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.1-Overview
It is all explained there in the first part. Once you know how FF loads and reads and parses what files in what order and writes them back, then you have your answer… especially these points
* It parses the user.js in the order it is written, i.e if the same preference is listed twice with two different values, the last one will be applied last
* It will abort parsing the file if it encounters a syntax error, but will still apply any content up to that error
So after it reaches section 0100, it will apply
– user_pref(“ghacks_user.js.parrot”, “0100 syntax error: the parrot’s dead!”);
If it gets to section 0200, it will update that pref with
– user_pref(“ghacks_user.js.parrot”, “0200 syntax error: the parrot’s definitely deceased!”);
If you get to the end of the file with no syntax errors, it updates it with
user_pref(“ghacks_user.js.parrot”, “No no he’s not dead, he’s, he’s restin’! Remarkable bird, the Norwegian Blue”);
If you go to about:config and type in parrot, you can see if you had a syntax error in what section (to narrow things down) – because everything after that syntax error is not applied on startup (note items may have already been applied and are already in the prefs.js)
The ‘warrant canary’ is gr8 in this!! :))
Thanks a lot, for everything, btw. Nice!
Thanks Pants for the latest two lines I added to the FF56 nightly user.js I’m investigate. Off-topic: also what I just experienced with Nightly is when the browser “crash”, opening the task manager to kill the running exe, well now you have to kill multiple process instead of one, good job Mozilla.
I left Firefox a few months ago.
The section we created is section 0500 ( https://github.com/ghacksuserjs/ghacks-user.js )
This section covers ALL system add-ons including Web Compatibility Reporter (coming in 56), Onboarding in 55 (which uses Google Analytics and exposes resource URIs), Activity Stream (which harvests metadata and telemetry and uses snippets), Screenshots (added for info), Form Autofill in 55 (which is not secure – held in a json file, in future they plan to add CC numbers etc) and I am disgusted by Follow On Search (it’s just counting and sending back numbers, and respects telemetry settings). Follow On Searches are ones made from a page loaded from an initial search – eg if you search from the search bar and it loads the google search results, that counts as income for Mozilla. What they are harvesting is if you now do a search from that google page, they want to know about it.
Here is the issue where we discussed things: https://github.com/ghacksuserjs/ghacks-user.js/issues/171
Here is an issue which shows a Firefox bug where system add-ons will not update if the automatic update setting is set to “Check for updates, but let me choose whether to install them”: https://github.com/ghacksuserjs/ghacks-user.js/issues/172
Here are some access denied tickets to do with Follow On Search
https://bugzilla.mozilla.org/show_bug.cgi?id=1367554
https://bugzilla.mozilla.org/show_bug.cgi?id=1367582
https://bugzilla.mozilla.org/show_bug.cgi?id=1369435
https://bugzilla.mozilla.org/show_bug.cgi?id=1369513
https://bugzilla.mozilla.org/show_bug.cgi?id=1369802
As earthlng said (at guthub) .. “Why the secrecy??” I recommend everyone delete this system add-on. I love Firefox, but this is crossing a line. UI metrics sure – harvesting, counting my web content – f**k off.
Thanks for the work :)
From a privacy point of view follow-on searches is no different from what Mozilla already does for those people with telemetry enabled. Search deals bring 90% of their revenue to Mozilla, to keep an eye on it they increment a counter every time a user with telemetry enabled does a search from the search field or the address field. They’ll send the amount of searches that occurred, not the search terms, and the data shouldn’t be traceable back to the user.
“Follow-on searches” only extends this to searches that occur in page after an initial search from the address or search field, and only for Firefox’s default search engines, since those are the ones with which Mozilla has search deals. If a user searches for “naked grand-ma riding goats with a cowboy hat”, and then on the Google’s search result page he wants to pinpoint the search to tatooed grand-ma’s only, that second search can increment a counter too.
If the first one is acceptable from a privacy point of view, the second one is too, since from a privacy point of view it is exactly the same. Disabling telemetry makes everything even more acceptable since they both get disabled.
Thnks for the effort!!!
@Pants,
“I don’t even have any original FF search engines – I have replaced them with sanitized ones, including a google one. But that would still be counted.”
Same here, none of the default search engines. Even Google, encrypted, including images and Maps.
Two pertinent related Firefox add-ons,
– Add to Search Bar at [https://addons.mozilla.org/en-US/firefox/addon/add-to-search-bar/]
– XML Search Engines Exporter/Importer at [https://addons.mozilla.org/en-US/firefox/addon/search-engines-export-import/]
XML Search Engines Exporter/Importer is valuable not only for importing/exporting a search engine’s metadata but also for editing it once exported… before importing it, nicely fit.
PS: Here’s a list of all the SAPs
https://dxr.mozilla.org/mozilla-central/source/browser/extensions/followonsearch/content/followonsearch-fs.js
forgot to post the link
Correct… as I said “Follow On Search (it’s just counting and sending back numbers, and respects telemetry settings)”
You can even use the pref “extensions.followonsearch.logging” to toggle on output to the console.
However, do you remember Health Reporting where the pref didn’t disable all of it, there was a FHR v2.0? Let’s look at telemetry .. that checkbox in about:preferences#advanced only controls “toolkit.telemetry.enabled”. So turn it off. You are STILL sending telemetry data. All you are doing is disabling the sharing of additional info – i.e, the pref controls the module. You have to dig deeper and manually set “toolkit.telemetry.unified” as false as well.
I have a very healthy disregard. Off means off. I fully appreciate this is for revenue, and that nothing is sent except aggregated counts at set periods – i.e SAP + count. I don’t begrudge Mozilla funding themselves – but about pages excluded (eg newtab, home page where they can put product features such as activity tab etc) – my web pages are hands off. I don’t f**kn care if its just a count. What next? Injecting mozilla utms on links? I’m also skeptical of the respect for telemetry here, long term. They’re not providing ways in the UI to disable system add-ons. Follow On Search doesn’t even have a pref (can be argued its covered under the Telemetry option). I’m just not buying it. Look at the crap in Activity Stream and Onboarding (GA and snippets FFS!.)
I don’t even have any original FF search engines – I have replaced them with sanitized ones, including a google one. But that would still be counted.
The good news is, you can get rid of it. Future proof yourself and just delete the bastard. This is the only one that got my goat up!
“naked grand-ma riding goats with a cowboy hat” – see, how the F did you know that? Now I’m burnt!
PS: Here’s a list of all the SAPs
Telemetry is the thing that every new Firefox install proactively prompts you about so you can disable it.
“I recommend everyone delete this system add-on. I love Firefox, but this is crossing a line”.
Thanks for your advice, you’re welcome Pants behind the line.
@pants
“this is crossing a line”
would you, as a super, super tech savvy, recommend another browser? I find it hard to actually find one that’s focused on privacy. I read somewhere that pale moon might suffer a slow death if add-ons like ublock origin wont be updated by the developer any more. is Tor really the only solution? I know of a european browser ( not released yet ) , privafox( from privacore ); but who knows; it could take ages.
“would you, as a super, super tech savvy, recommend another browser”
No. For your everyday, run of the mill browser, nothing comes close to FF. TBB (Tor Browser Bundle) is for a different purpose and has its drawbacks as well (exit nodes, honeypots, speed). You can of course use TBB and disable the TOR part, but I’ve never bothered.
Also – what Danny said below. You can ratchet up FF to re-DICK-ulous levels – a uber-hardened user.js would be the ghacks one with about 15 more prefs turned on. But with this comes more breakage. Hence you use multiple profiles. Even so, the fully beat tracking/FP’ing, you need both software, and OpSec strategies. To beat a state actor is completely different to giving google or f**kbook the finger
Firefox.
Disable telemetry, use uBlock Origin, disallow third party cookies, create privacy.resistFingerprinting and set it to true. One step further, you can disable referrers or configure them so they appear to come from the visited site itself.
With that you are already more protected privacy wise than other niche privacy browsers that I know, and you can go much further.
Niche browsers guarantee you a unique fingerprint by the way… :/
—
Regarding connections to Mozilla, you can review that guide : https://support.mozilla.org/en-US/kb/how-stop-firefox-making-automatic-connections
Downloaded ZIP file and extracted all. And now ?? What would be the next step ? Did some reading on Github but their info was not helpful for me.
Question: What do I have to do next after downloading and extracting the file to make it work ? Help would be higly appreciated. Thanks.
https://github.com/ghacksuserjs/ghacks-user.js/wiki
Try reading:
1.1 Overview
1.2 Backing Up
1.3 Implementation
1.4 Troubleshooting
1.5 Keeping Up To Date
2.1 Multiple Profiles
2.2 Multiple Profiles [Firefox Portable]
2.3 Concurrent Profiles
There’s even some pretty pictures and sh*t
Thank you, guys.
You need to place the user.js file in the Firefox Profile folder. Hit Windows key + R to open the Run command and then copy/paste the following string and click OK: %APPDATA%\Mozilla\Firefox\Profiles
If you see more than one profile in there and aren’t sure which one is currently in use, type: about:profiles in the location bar and hit Enter. It will tell you in there which one you’re using.
The following article provides some background info on user.js files: http://kb.mozillazine.org/User.js_file
*Definitely not
“definitely not bloatware”, indeed. At first reading I presumed an elegant though straightforward irony.
As for the source, Yuliya’s comment, I wouldn’t delete anything from Firefox’s install folder, with the exception of its “\browser\features\” sub-folder, once backed-up, one never knows. All can be done from the user.js file.
>Now You: What is your take on system add-ons?
del /Q “C:\Program Files\Mozilla Firefox\browser\features\*”
Actually I run this .bat file after every Fx installation/update to remove all the unnecessary crap from it:
del /Q “C:\Program Files\Mozilla Firefox\browser\features\*” “C:\Program Files\Mozilla Firefox\crashreporter.exe” “C:\Program Files\Mozilla Firefox\firefox.VisualElementsManifest.xml” “C:\Program Files\Mozilla Firefox\maintenanceservice.exe” “C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe” “C:\Program Files\Mozilla Firefox\minidump-analyzer.exe” “C:\Program Files\Mozilla Firefox\pingsender.exe”
It’s valid for FireFox x64 on Windows x64 and for FireFox x86 on Windows x86.
For FireFox x86 on Windows x64 replace “Program Files” with “Program Files (x86)”.
If you have UAC enabled, must be run as admin.
Uncheck the “Run.. ” option in the last screen of setup and run the command before first run (either it being fresh install or update). Also do a manual/custom install and opt out of maintenance bloatware.
I wouldn’t exactly call it unnecessary crap. The crash reporter is useful for Mozilla to see what sort of crashing goes on and if there’s something in a bigger picture, it also allows for more detailed bug reports and means they are able to solve issues quicker. The same applies to the minidump analyser. The maintenance service is definitely bloatware. It installs updates automatically so I don’t have to bother constantly manually doing everything. I find the features they include incredibly useful. The only thing that’s included that I disagree with is the Pocket add-on, but that’s now owned by Mozilla so I’m a bit less bothered.