Firefox 56: new preferences and Ghacks user.js changes
Mozilla released Firefox 56 to the release channel a couple of days ago, and this overview covers the preferences that were added, changed, or removed in the Ghacks user.js file.
The Ghacks user.js file is a configuration file that you use to control Firefox settings. Its focus is on privacy and security, and it is without doubt the most comprehensive configuration file and source of information that is out there.
You may head over to the official project website on GitHub, and if you are new, you may want to start with this excellent overview.
Note: The user.js file is intended as a template that you use to improve privacy and security of Firefox. The intention is not to copy it directly to your Firefox profile directory without going through the listing first. It contains lots of comments and links that explain what settings do.
I'd like to thank Pants, Earthling and all the other contributors who maintain the Ghacks user.js file.
Firefox 56: Ghacks user.js changes
Tip: the full list of settings changes of Firefox 56.0 compared to Firefox 55.0 is available as well. Earthling recorded 150 diffs in total, with 91 of them being new, 28 being removed, and 31 changed.
Key points:
- The preference privacy.resistFingerprinting makes some preferences obsolete. These have been moved to the new section 4600 so that ESR users and others can still set them.
- TLS/SSL ciphers are no longer disabled by default.
New preferences in Ghacks user.js for Firefox 56:
user_pref("extensions.formautofill.available", "off");
user_pref("extensions.formautofill.creditCards.enabled", false);
user_pref("extensions.getAddons.showPane", false);
user_pref("intl.regional_prefs.use_os_locales", false);
user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
user_pref("toolkit.telemetry.updatePing.enabled", false);
//user_pref("browser.stopReloadAnimation.enabled", true);
//user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
user_pref("extensions.webservice.discoverURL", ""); // 55alpha: "http://127.0.0.1"
//user_pref("general.platform.override", "Win64"); // 55alpha: "Win32"
//user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"); // 55alpha: "Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0"
Preferences that are now commented out (you may need to reset them in about:config if you have set them before)
//user_pref("dom.indexedDB.enabled", false);
//user_pref("dom.presentation.controller.enabled", false);
//user_pref("dom.presentation.discoverable", false);
//user_pref("dom.presentation.discovery.enabled", false);
//user_pref("dom.presentation.enabled", false);
//user_pref("dom.presentation.receiver.enabled", false);
//user_pref("dom.presentation.session_transport.data_channel.enable", false);
//user_pref("dom.vr.enabled", false);
//user_pref("dom.w3c_touch_events.enabled", 0);
//user_pref("font.name.monospace.x-unicode", "Lucida Console");
//user_pref("font.name.monospace.x-western", "Lucida Console");
//user_pref("font.name.sans-serif.x-unicode", "Arial");
//user_pref("font.name.sans-serif.x-western", "Arial");
//user_pref("font.name.serif.x-unicode", "Georgia");
//user_pref("font.name.serif.x-western", "Georgia");
//user_pref("gfx.direct2d.disabled", true);
//user_pref("media.mediasource.enabled", false); // previously active with value: true
//user_pref("media.mediasource.mp4.enabled", false); // previously active with value: true
//user_pref("media.mediasource.webm.audio.enabled", false); // previously active with value: true
//user_pref("media.mediasource.webm.enabled", false); // previously active with value: true
//user_pref("security.ssl3.dhe_rsa_aes_128_sha", false);
//user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
//user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
//user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
//user_pref("security.ssl3.rsa_des_ede3_sha", false);
Preferences moved to new 4600 section (redundant because of privacy.resistFingerprinting)
user_pref("browser.zoom.siteSpecific", false);
// user_pref("device.sensors.enabled", false); // active in 55alpha
user_pref("dom.enable_performance", false);
user_pref("dom.enable_resource_timing", false);
// user_pref("dom.gamepad.enabled", false); // active in 55alpha
// user_pref("dom.maxHardwareConcurrency", 2);
user_pref("dom.netinfo.enabled", false);
user_pref("geo.enabled", false);
user_pref("geo.wifi.logging.enabled", false);
user_pref("geo.wifi.uri", "");
user_pref("geo.wifi.xhr.timeout", 1);
user_pref("media.webspeech.recognition.enable", false);
user_pref("media.webspeech.synth.enabled", false);
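An added example (not part of the Ghacks user.js project): a Python check that reports which prefs from the 4600 list above are still active in a user.js while privacy.resistFingerprinting is true. The function names and the sample file contents are constructed for illustration.

```python
import re

# Prefs this page lists under the 4600 section (covered by RFP).
RFP_COVERED = {
    "browser.zoom.siteSpecific", "device.sensors.enabled",
    "dom.enable_performance", "dom.enable_resource_timing",
    "dom.gamepad.enabled", "dom.maxHardwareConcurrency",
    "dom.netinfo.enabled", "geo.enabled", "geo.wifi.logging.enabled",
    "geo.wifi.uri", "geo.wifi.xhr.timeout",
    "media.webspeech.recognition.enable", "media.webspeech.synth.enabled",
}

# One active user_pref("name", value); line. Lines starting with // never match.
PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|[^\s,)]+)\s*\)\s*;',
    re.M,
)

def active_prefs(text):
    """Return {name: raw value} for uncommented prefs; the last occurrence wins."""
    # Drop /* ... */ blocks first (simplification: assumes no "/*" inside values).
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}

def rfp_overlaps(text):
    """List (name, value) of 4600-section prefs still set while RFP is true."""
    prefs = active_prefs(text)
    if prefs.get("privacy.resistFingerprinting") != "true":
        return []
    return sorted((n, v) for n, v in prefs.items() if n in RFP_COVERED)

# Constructed sample, not the project's file.
SAMPLE = '''
/* constructed user.js excerpt */
user_pref("privacy.resistFingerprinting", true);
user_pref("geo.enabled", false);
// user_pref("dom.gamepad.enabled", false); // commented out: ignored
user_pref("dom.enable_performance", false);
user_pref("geo.wifi.uri", "");
user_pref("extensions.getAddons.showPane", false);
/* user_pref("dom.netinfo.enabled", false); */
'''

if __name__ == "__main__":
    for name, value in rfp_overlaps(SAMPLE):
        print(f"{name} = {value}  (covered by privacy.resistFingerprinting)")
```

Commenting out or deleting a line in user.js does not revert a value already stored in the profile; reset it in about:config.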
Preferences deprecated
extensions.formautofill.experimental
extensions.screenshots.system-disabled
Something in the Ghacks user.js for Firefox 61 is breaking the possibility to login on the new Yahoo login now using Google’s recaptcha.
I won’t find this thread again but I need to ask… Why did you stop promoting ghack user.js?
Ok so I found it again, and unanswered 0.0 oh well…
It would be a good idea to reset privacy.resistFingerprinting to its default “false” setting on your user.js file Martin since it causes Waterfox to resize itself on opening.
I posted the issue on Github yesterday because I thought it was due to the workaround to add spaces between buttons, but after creating a new profile and adding spaces again, Waterfox opened normally afterwards. I subsequently made my config adjustments restarting each time afterwards and the problem manifested itself after setting that one to “true”. Here’s the thread I posted on Github (different username there) which contains a screenshot: https://github.com/MrAlex94/Waterfox/issues/333
Is there a similar user.js for hardening Thunderbird 52?
Dudes, if you want to apply these ghacks on your own user.js file, I suggest to install at least two browsers: one with these privacy/security settings and another one for the sites you have to log into without problems. I do this, as Soundcloud gives me many problems.
You can install Firefox and SeaMonkey or Pale Moon or links or use curl from the console and read the pages locally :)
@Pants: this is **not** a place where Markdown works, as Github!
Two profiles is enough. It’s even possible to have one shortcut per profile on desktop.
firefox.exe -P ProfileName -no-remote
@ Pants:
It’s like some of you guys don’t use the wiki.
Guilty as charged!
It’s like some of you guys don’t use the wiki. It’s even got some pretty pictures
– https://github.com/ghacksuserjs/ghacks-user.js/wiki/2.3-Concurrent-Profiles
@ Anonymous: Thanks for mentioning the -no-remote switch!
@ Tom Hawack: Thanks for asking what it is!
@ Martin: Thanks for answering!
I have both Firefox x64 and Firefox ESR x86 installed (with shortcuts pointing to different profiles, since their respective profiles are no longer compatible). Now I know how to run both at the same time, which can come in handy when you’re reconfiguring common settings and extensions in both browsers.
There’s a short discussion of the -no-remote switch (which I had never heard of) here:
http://www.brycevandyk.com/dissecting-firefoxs-no-remote-option/
OK, Martin, thanks. You learn every day.
@Anonymous, I know ‘firefox.exe -P ProfileName’ but what does the extra ‘-no-remote’ concern, if you please?
The parameter allows you to run multiple instances of Firefox at the same time.
@Martin
extensions.screenshots.system-disabled
Is not deprecated. If you set it to false then Firefox will show the screenshot button.
It blurs the text on PDFs viewed in the browser, I’ve noted.
For some reason I can’t set Firefox to open in a maximized window. After each restart it reverts to a smaller sized window. I tried to play with these entries:
user_pref("privacy.window.maxInnerWidth", 1600);
user_pref("privacy.window.maxInnerHeight", 900);
And I tried to edit the file xulstore.json.
But to no avail. Any help would be nice.
Ah but yeah, sorry, it’s not in a maximized window. There’s no solution to that ATM, which is why fingerprinting resistance is not exposed in the UI yet, it’s in progress.
privacy.window.maxInnerWidth and Height are supposed to work. They work here even with fingerprinting resistance enabled.
privacy.resistFingerprinting = false
spoofing window/screen/etc measurements was the first thing this pref did, back in FF41. It did this by making ALL measurements use the “inner browser window”. It uses this measurement (actual not spoofed) so that web pages etc do not break.
FF55 included the patch to round new windows inner measurements to multiples of 200×100 (that is width in 200’s and height in 100s). This is so there are a lot less combinations for end users to end up in. In order to do this (get the inner window measurements correct), it has to resize the BROWSER itself, taking into account all the toolbars, menu bars, sidebars, compact or normal theme, etc. Remember, the inner window measurements are not spoofed.
You cannot resize a browser that is maximized. So maximized on open will fail, it will just resize down to fit your screen in some multiple of 200×100. Maximizing undoes the work of trying to limit your measurements to a very small set.
Thanks for your explanation.
Are there any downsides to setting privacy.resistFingerprinting to true?
Personally, I gave up trying to use “privacy.resistFingerprinting” because I was unable to get the browser window size close to what I’m used to. None of my installed browsers use a Maximized window so that is not a problem. The problem I run into is that I can’t get the window size where it will use ALL of the height on a 24″ 1920×1200 display. Also I’m used to the inner window width being 1650, I could deal with using 1600 if it wasn’t for the height not being fully utilized which is a deal breaker for me. For me, “privacy.resistFingerprinting” would only work on a really big display, I wish I could justify the cost of the 34″ curved monitor that I’ve been lusting after. Sadly, I’ve decided to just use the individual privacy settings instead. ;)
I meant to say site specific zoom isn’t “remembered”. SMH
@Pants
Thanks for the heads up on the webext. I have it bookmarked and might play with it in the future.
In a previous post you mentioned that site specific zoom isn’t available while using “privacy.resistFingerprinting” and I don’t remember that being a problem when I had it enabled in FFv54 or was it an earlier version? Anyway, for some of us vision challenged people and especially those of us who are too vain to wear glasses, being able to zoom a specific website is a big deal, in my case a must have. I’ve even gone so far as to modify “toolkit.zoomManager.zoomValues” so that I can zoom in 5% increments. The value I use is:
“.5,.70,.8,.9,.95,1,1.05,1.1,1.15,1.2,1.25,1.33,1.5,2,3”
I’ve also modified the zoom button in the address bar with some userChrome.css to make the font smaller and change the opacity to make it stand out less.
#urlbar-zoom-button { font-size: 10pt !important; opacity: 0.5 !important; }
It can also be made invisible with:
#urlbar-zoom-button { display: none !important; }
So…it might be a little obvious that I’m serious about using zoom on websites. LOL
Thanks again for the Window Resizer webext mention. I’ve added your instructions on its use to my notes and I’m surprised it doesn’t have more users, yet. ;)
https://addons.mozilla.org/en-US/firefox/addon/window-resizer-webextension/
Clear out all the presets, position and resize your browser to how you like (using the scratchpad) and then click the only item left in the panel – that item will now be added as a new “preset” – when you open your browser, click the button and resize, done. I too lust after a higher res monitor, and if I could I would go 1600×900 – not quite possible in my current state. Instead I go 1366×768 (with my one preset) after opening at 1400×800 (with the two prefs), although 1400×800 is fine too I guess. And once FF is open it stays open generally for a day or so at a time.
Note: I went compact theme and did away with the menu bar (getting used to the photon hamburger version with the menus). No status bar of course but I do have a bookmark toolbar to hold some extension icons and a couple of folders and bookmarked sites – all very short names or just an icon. Less than half the bookmark toolbar is used. This is also handy to drop sites onto for things like repeated tests or something to follow up on. I actually have more height now in my inner window than I did 3 months ago :)
Some annoyances:
– Spoofing timezone as UTC can cause things like looking up when a baseball game is on to be told a time like 3-00am.
– Site specific zoom is not remembered, not even with extensions (AFAIK) which could be annoying for some people (I used site specific zoom myself on about a dozen regular sites, but got over it quickly).
– UA spoofing has zero whitelisting, so AMO doesn’t recognize your version and to install a lot of extensions you have to download and then install from file. This *may* be resolved in the new AMO redesign (by using the mozAddonManager Web API which is a hardcoded whitelist of 3 mozilla sites – and yes there is a pref to turn this off specifically added for Tor)
– geolocation is effectively blocked – i.e instead of killing the API, instead RFP returns a value so it’s just like you denied the site permission when it asked. Since I never use this, I am not sure if there is a way to bypass it per site permissions. Maybe someone could test it.
There are also some side-effects/regressions
– UA spoofing leaks date locale and format
– timing attack mitigations cause jank etc (a few cases reported – eg in some games etc)
– media stats cause some media playback issues (they covered and tested a few major video sites, but not all)
– UA spoofing on mobile OSX causes desktop pages, not mobile pages
– keyboard command shortcuts break in google docs on OSX
– Pocket does not work with RFP ( https://bugzilla.mozilla.org/show_bug.cgi?id=1384657 )
Just the usual edge cases IMO
> Pocket does not work with RFP
Oops .. that’s FPI, so ignore that one
> The preference privacy.resistFingerprinting makes some preferences obsolete
Actually, some RFP code patches and existing prefs “clash” (i.e they give different results) and in each case there is no rule as which takes precedence, but generally speaking those that disable an API cause the RFP to have no effect – thus altering your FP from the intended effect of a large subset of FF users.
SO **if** you use privacy.resistFingerprinting, then it is advised that prefs this now covers should be at default (and those can differ depending on your platform)
Firefox 56 is moving my mouse by itself. Is it a bug or it is the CIA?
I’ve already tried:
user_pref("dom.interface.mousepossession", false);
Still no work.
Thank You to everyone involved with this, a truly invaluable resource!!!!
A quick note to Pale Moon users. “dom.enable_resource_timing” set to false will cause YouTube to not play and show “An error occurred.” YouTube works fine with that entry when using Firefox, Waterfox or Nightly, at least for me.