SoylentNews is people

posted by martyb on Friday October 23 2020, @01:48AM
from the not-trying-to-start-a-browser-war dept.

There are various stories about Firefox not respecting user privacy. Some suggest certain settings to reduce the information Firefox sends out (such as this one from Mozilla). Over time, I have collected a lot of them into a user.js file. For those who do not know, a user.js file may be dropped into a Firefox profile directory as a convenient way to force certain settings every time Firefox starts up. This can reset changes made by the user during a previous session, but is also a convenient way to initialize desired settings in a fresh profile.

In an IRC discussion, Martyb suggested I share the settings I have collected. Below is a sample user.js that I sometimes use as a template for disabling many potential privacy and/or security holes in Firefox. Some, like HTML pings, are probably features that most privacy-minded individuals do not want (and may not have even known about). Others, like disabling cookies and/or javascript, can break how sites work (sometimes, amusingly, they only break the advertisements). Others, like disabling tracker protection, are double-edged in that disabling them exposes you to being tracked by known trackers, while enabling them might cause Firefox to phone home to get updated lists of known trackers. The comments in the user.js point out some, but definitely not all, of the potential pitfalls. The settings are definitely not set the way everybody should use them, but having them listed out at least provides a convenient starting point. I highly recommend against dropping them directly into your main Firefox profile, as they may undo changes you have made for yourself. Instead, either try them in a fresh profile and copy over things that work for you, or research the settings and only copy over the ones you want that will not break your browser.

Please share any information you may have on various settings in this file, or on any you feel are missing from this file. Also, if you have similar information for some other browsers, consider commenting on those, or perhaps submitting a story about settings for that browser.

/* Note:  All of these may be set in about:config.  Many may also be set
* via about:preferences.  Placing them in a user.js allows for them to be
* set automatically when Firefox starts up (overriding any changes made to
* them during the previous session), and also gives a convenient way to
* set many settings in a new profile.
* Several of these break sites (often in ways that are not immediately
* obvious); others break features.  They are being included here just to
* show what options are there.  A small amount of effort has been made to
* comment on the ones that are likely to break things.
* Obviously, most of these are not carefully explained.  Please search
* online to find out what they do. */

/* Start in offline mode, if desired: */
//user_pref("browser.offline", false);

/* Disable automatic updates. */
user_pref("", false);
user_pref("", false);
user_pref("extensions.update.autoUpdateDefault", false);
user_pref("extensions.update.enabled", false);

/* Disable settings that might try to deal with a typo, sending out
* information that was not intended to be sent. */
user_pref("browser.fixup.alternate.enabled", false);
user_pref("", false);
user_pref("keyword.enabled", false);

/* Disable certain storages that could leak information to somebody else
* using the browser. */
user_pref("browser.formfill.enable", false);
user_pref("browser.history_expire_days.mirror", 1);
user_pref("browser.history_expire_days_min", 1);
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.openpage", false);
user_pref("browser.urlbar.suggest.topsites", false);
user_pref("places.history.enabled", false);
/* Note:  Some sites that require javascript to be enabled and use local
* storage may choke with these two settings: */
user_pref("", false);
user_pref("dom.indexedDB.enabled", false);

/* Disable certain features that leak information. */
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.passwords.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.remoteLookups", false);
/* Disable various pings and automatic checks. */
user_pref("browser.aboutHomeSnippets.updateUrl", "");
user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.getAddons.cache.enabled", false);
user_pref("network.captive-portal-service.enabled", false);
/* Disable the ping attribute in HTML links:
* <a href="" ping="">Ping</a>
* will send a ping to the ping URL when clicked if this is enabled. */
user_pref("browser.send_pings", false);
/* Disable searching the network for finding devices Firefox could send
* video to (like Roku or Chromecast devices). */
user_pref("browser.casting.enabled", false);

/* General security. */
/* This definitely breaks sites, but for the paranoid, nothing enhances
* security and privacy like not letting sites choose what code runs. */
user_pref("javascript.enabled", false);
/* This is probably not an issue if javascript is disabled.  If enabled and
* used, it allows for probing local IP addresses.  Specifically, if
* enabled, the STUN protocol can use an ICE connection to figure out IP
* addresses of your computer.  Note that this is required for WebRTC
* (audio/video conferencing). */
user_pref("media.peerconnection.enabled", false);
user_pref("security.enable_java", false);
user_pref("security.warn_entering_secure", true);
user_pref("security.warn_entering_weak", true);
user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_submit_insecure", true);
user_pref("security.warn_viewing_mixed", true);
/* If you do not plan to use this web notification service, you should
* probably keep it disabled. */
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);

/* Set some private settings. */
/* Do not try to load links just because the cursor passed over them. */
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.prefetch-next", false);
/* Do not try to geolocate. */
user_pref("", "");
/* Disable DNS over HTTPS.  See other network.trr.* settings for more
* details.  Enable by setting to 2, or by going to about:preferences and
* changing the check box in about:config. */
user_pref("network.trr.mode", 5);
/* Show punycode in URLs using that (rather than showing Unicode).  This is
* an attempt to protect against sites that use names that look official,
* like except with an ``o'' replaced with some Unicode
* character that looks a lot like an ``o'', or something. */
user_pref("network.IDN_show_punycode", true);
/* Accessibility features might be a privacy issue. */
user_pref("accessibility.force_disabled", 1);
/* Disable studies and personalized extension recommendations. */
user_pref("app.normandy.enabled", false);
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.discovery.enabled", false);
/* Disable Normandy service, which, if enabled, allows Mozilla to push
* configuration changes and add-ons to your browser.  While an obvious
* potential security issue, note that this feature does help to prevent
* other security issues with users not updating software, including
* apparently helping with some problem where a bug was preventing updating
* add-ons. */
user_pref("app.normandy.enabled", false);

/* If you want to use your own extensions, they will need to be signed,
* unless you disable this (set it to false). */
user_pref("xpinstall.signatures.required", true);

/* Always ask where to download files. */
user_pref("", false);

/* Open new tabs with blank pages. */
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
/* Default home page is a blank page. */
user_pref("", 0);
user_pref("browser.startup.homepage", "about:blank");
/* Cycle through tabs in a more predictable order. */
user_pref("browser.ctrlTab.recentlyUsedOrder", false);
/* Disable showing things in new tabs if not using a blank page. */
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
user_pref("browser.newtabpage.activity-stream.feeds.topsites", false);
user_pref("browser.newtabpage.activity-stream.showSearch", false);
user_pref("browser.newtabpage.activity-stream.showSponsored", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
user_pref("browser.newtabpage.activity-stream.feeds.section.highlights", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);

/* Use autoscroll. */
user_pref("general.autoScroll", true);

/* Disable cookies by default. */
user_pref("network.cookie.cookieBehavior", 2);
user_pref("network.cookie.lifetimePolicy", 2);
/* Disable other potential trackers.
* NOTE:  If these are enabled, Firefox may connect to servers to update
* lists of known cryptominers and/or trackers.  On the other hand,
* disabling them may result in Firefox loading resources from known
* trackers. */
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.cryptomining.enabled", true);
user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
user_pref("privacy.trackingprotection.socialtracking.enabled", true);

/* Clear stored data on browser shutdown. */
user_pref("privacy.sanitize.didShutdownSanitize", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.siteSettings", true);

/* Do not remember credentials. */
user_pref("signon.rememberSignons", false);
user_pref("extensions.formautofill.addresses.enabled", false);
user_pref("pref.privacy.disable_button.view_passwords_exceptions", false);

/* If desired, always use a SOCKS5 proxy. */
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "");
/* The port is an integer pref, so the value must not be quoted. */
user_pref("network.proxy.socks_port", 12345);
/* If using a proxy, proxy DNS as well. */
user_pref("network.proxy.socks_remote_dns", true);

Original Submission
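
A quick sanity check for a user.js like the one above, as an added example that is not part of the original submission: it flags entries with an empty pref name, a pref set twice (with the same or a conflicting value), and values whose type does not match what the pref expects. The names lintUserJs and EXPECTED_TYPES are illustrative, the type table is a small hand-picked subset, and the sample input is constructed.

```javascript
// Added example: lint a Firefox user.js before dropping it into a profile.
// EXPECTED_TYPES is a hand-picked subset (an assumption), not a full list.
const EXPECTED_TYPES = {
  "javascript.enabled": "boolean",
  "network.proxy.socks": "string",
  "network.proxy.socks_port": "number",
  "network.trr.mode": "number",
};

// Drop /* ... */ blocks and whole-line // comments so commented-out prefs are ignored.
function stripComments(text) {
  return text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
}

function lintUserJs(text) {
  const findings = [];
  const seen = new Map(); // pref name -> last value assigned
  const re = /user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/g;
  for (const m of stripComments(text).matchAll(re)) {
    const [, name, raw] = m;
    const value = raw[0] === '"' ? raw.slice(1, -1)
      : raw === "true" ? true : raw === "false" ? false : Number(raw);
    if (name === "") { // a nameless entry configures nothing
      findings.push({ issue: "empty-name", name, value });
      continue;
    }
    const want = EXPECTED_TYPES[name];
    if (want && typeof value !== want) {
      findings.push({ issue: "type-mismatch", name, value, want });
    }
    if (seen.has(name)) { // later lines win, so a conflict hides the earlier value
      const issue = seen.get(name) === value ? "duplicate" : "conflict";
      findings.push({ issue, name, value });
    }
    seen.set(name, value);
  }
  return findings;
}

// Constructed sample input (not the listing above).
const SAMPLE = `
/* user_pref("network.trr.mode", "off"); is ignored inside a block comment */
//user_pref("browser.offline", false);
user_pref("", false);
user_pref("network.proxy.socks_port", "12345");
user_pref("app.normandy.enabled", false);
user_pref("app.normandy.enabled", false);
user_pref("network.trr.mode", 5);
user_pref("network.trr.mode", 2);
`;
console.log(lintUserJs(SAMPLE));
```

Run it with Node.js against a copy of the file before placing it in a profile; prefs missing from the type table are only checked for empty names and repeats.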

  • (Score: 1, Informative) by Anonymous Coward on Friday October 23 2020, @01:03PM (2 children)

    by Anonymous Coward on Friday October 23 2020, @01:03PM (#1067851)

    methinks disabling "referrer" is the most obvious way to disable tracking.
    also the DOM setting that allows a remote random website to disable your "right mouse click menu(*)" is a must... to disable.
    (*) imagine a nagging annoying squeaky voice saying: " no no! you cannot just right-click on this here multimedia element that has been uploaded by meeeee to the wider global public internet and transferred to you and your computer's memory and save a copy to a storage facility that remembers past power outs. now go away and thank you for looking at ads that pay me but you haven't requested."

  • (Score: 1, Informative) by Anonymous Coward on Friday October 23 2020, @02:28PM

    by Anonymous Coward on Friday October 23 2020, @02:28PM (#1067884)

    If you allow javascript you are being tracked.

    Firefox is better than any browser out of the box for disabling this tracking due to the project to upstream changes from tor browser into mainline firefox. But, it doesn't block all javascript used to uniquely identify users.

    The problem is that if you change firefox config to block more of these javascript holes, you have now become identifiable since your browser acts differently than most. I'm the same AC as started the thread on "other sources", and for the profiles that I allow javascript on, the panopticlick site shows those browser profiles as uniquely identifiable precisely because most things that can be used for tracking are blocked. But, for those profiles, the folks I am protecting myself from (i.e., harvesting my clipboard data, location [real ip], etc.) are sites I've already logged into, and have easier ways to track me.

    It isn't just javascript. css can be used to track you too. If the site can query fonts on your browser, that is used to identify and track you (needs js). Window sizes (this is why firefox always opens a large window now (setting migrated from tor browser)), battery level (disabled in firefox now; migrated from tor browser), etc. are used to identify and track you (needs js). And, of course the obvious ones of private storage, location (either gps or your IP) and cookies.

    The web is a very user hostile place.

  • (Score: 0) by Anonymous Coward on Friday October 23 2020, @07:20PM

    by Anonymous Coward on Friday October 23 2020, @07:20PM (#1068014)

    Holding down SHIFT with a RIGHT-CLICK makes a REAL RIGHT-CLICK, not what javascript overrides do.