SoylentNews is people

posted by martyb on Friday October 23, @01:48AM
from the not-trying-to-start-a-browser-war dept.

There are various stories about Firefox not respecting user privacy. Some suggest certain settings to reduce the information Firefox sends out (such as this one from Mozilla). Over time, I have collected a lot of them into a user.js file. For those who do not know, a user.js file may be dropped into a Firefox profile directory as a convenient way to force certain settings every time Firefox starts up. This can reset changes made by the user during a previous session, but is also a convenient way to initialize desired settings in a fresh profile.

In an IRC discussion, Martyb suggested I share the settings I have collected. Below is a sample user.js that I sometimes use as a template for disabling many potential privacy and/or security holes in Firefox. Some, like HTML pings, are probably features that most privacy-minded individuals do not want (and may not have even known about). Others, like disabling cookies and/or javascript, can break how sites work (sometimes, amusingly, they only break the advertisements). Others, like disabling tracker protection, are double-edged in that disabling them exposes you to being tracked by known trackers, while enabling them might cause Firefox to phone home to get updated lists of known trackers. The comments in the user.js point out some, but definitely not all, of the potential pitfalls. The settings are definitely not set the way everybody should use them, but having them listed out at least provides a convenient starting point. I highly recommend against dropping them directly into your main Firefox profile, as they may undo changes you have made for yourself. Instead, either try them in a fresh profile and copy over things that work for you, or research the settings and only copy over the ones you want that will not break your browser.

Please share any information you may have on various settings in this file, or on any you feel are missing from this file. Also, if you have similar information for some other browsers, consider commenting on those, or perhaps submitting a story about settings for that browser.

/* Note:  All of these may be set in about:config.  Many may also be set
* via about:preferences.  Placing them in a user.js allows for them to be
* set automatically when Firefox starts up (overriding any changes made to
* them during the previous session), and also gives a convenient way to
* set many settings in a new profile.
* Several of these break sites (often in ways that are not immediately
* obvious); others break features.  They are being included here just to
* show what options are there.  A small amount of effort has been made to
* comment on the ones that are likely to break things.
* Obviously, most of these are not carefully explained.  Please search
* online to find out what they do. */

/* Start in offline mode, if desired: */
//user_pref("browser.offline", false);

/* Disable automatic updates. */
user_pref("", false);
user_pref("", false);
user_pref("extensions.update.autoUpdateDefault", false);
user_pref("extensions.update.enabled", false);

/* Disable settings that might try to deal with a typo, sending out
* information that was not intended to be sent. */
user_pref("browser.fixup.alternate.enabled", false);
user_pref("", false);
user_pref("keyword.enabled", false);

/* Disable certain storages that could leak information to somebody else
* using the browser. */
user_pref("browser.formfill.enable", false);
user_pref("browser.history_expire_days.mirror", 1);
user_pref("browser.history_expire_days_min", 1);
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.openpage", false);
user_pref("browser.urlbar.suggest.topsites", false);
user_pref("places.history.enabled", false);
/* Note:  Some sites that require javascript to be enabled and use local
* storage may choke with these two settings: */
user_pref("", false);
user_pref("dom.indexedDB.enabled", false);

/* Disable certain features that leak information. */
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.passwords.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.remoteLookups", false);
/* Disable various pings and automatic checks. */
user_pref("browser.aboutHomeSnippets.updateUrl", "");
user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.getAddons.cache.enabled", false);
user_pref("network.captive-portal-service.enabled", false);
/* Disable the ping attribute in HTML links:
* <a href="" ping="">Ping</a>
* will send a ping to the ping URL when clicked if this is enabled. */
user_pref("browser.send_pings", false);
/* Disable searching the network for finding devices Firefox could send
* video to (like Roku or Chromecast devices). */
user_pref("browser.casting.enabled", false);

/* General security. */
/* This definitely breaks sites, but for the paranoid, nothing enhances
* security and privacy like not letting sites choose what code runs. */
user_pref("javascript.enabled", false);
/* This is probably not an issue if javascript is disabled.  If enabled and
* used, it allows for probing local IP addresses.  Specifically, if
* enabled, the STUN protocol can use an ICE connection to figure out IP
* addresses of your computer.  Note that this is required for WebRTC
* (audio/video conferencing). */
user_pref("media.peerconnection.enabled", false);
user_pref("security.enable_java", false);
user_pref("security.warn_entering_secure", true);
user_pref("security.warn_entering_weak", true);
user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_submit_insecure", true);
user_pref("security.warn_viewing_mixed", true);
/* If you do not plan to use this web notification service, you should
* probably keep it disabled. */
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);

/* Set some private settings. */
/* Do not try to load links just because the cursor passed over them. */
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.prefetch-next", false);
/* Do not try to geolocate. */
user_pref("", "");
/* Disable DNS over HTTPS.  See other network.trr.* settings for more
* details.  Enable by setting to 2, or by going to about:preferences and
* changing the check box in about:config. */
user_pref("network.trr.mode", 5);
/* Show punycode in URLs using that (rather than showing Unicode).  This is
* an attempt to protect against sites that use names that look official,
* like except with an ``o'' replaced with some Unicode
* character that looks a lot like an ``o'', or something. */
user_pref("network.IDN_show_punycode", true);
/* Accessibility features might be a privacy issue. */
user_pref("accessibility.force_disabled", 1);
/* Disable studies and personalized extension recommendations. */
user_pref("app.normandy.enabled", false);
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.discovery.enabled", false);
/* Disable Normandy service, which, if enabled, allows Mozilla to push
* configuration changes and add-ons to your browser.  While an obvious
* potential security issue, note that this feature does help to prevent
* other security issues with users not updating software, including
* apparently helping with some problem where a bug was preventing updating
* add-ons. */
user_pref("app.normandy.enabled", false);

/* If you want to use your own extensions, they will need to be signed,
* unless you disable this (set it to false). */
user_pref("xpinstall.signatures.required", true);

/* Always ask where to download files. */
user_pref("", false);

/* Open new tabs with blank pages. */
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
/* Default home page is a blank page. */
user_pref("", 0);
user_pref("browser.startup.homepage", "about:blank");
/* Cycle through tabs in a more predictable order. */
user_pref("browser.ctrlTab.recentlyUsedOrder", false);
/* Disable showing things in new tabs if not using a blank page. */
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
user_pref("browser.newtabpage.activity-stream.feeds.topsites", false);
user_pref("browser.newtabpage.activity-stream.showSearch", false);
user_pref("browser.newtabpage.activity-stream.showSponsored", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
user_pref("browser.newtabpage.activity-stream.feeds.section.highlights", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);

/* Use autoscroll. */
user_pref("general.autoScroll", true);

/* Disable cookies by default. */
user_pref("network.cookie.cookieBehavior", 2);
user_pref("network.cookie.lifetimePolicy", 2);
/* Disable other potential trackers.
* NOTE:  If these are enabled, Firefox may connect to servers to update
* lists of known cryptominers and/or trackers.  On the other hand,
* disabling them may result in Firefox loading resources from known
* trackers. */
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.cryptomining.enabled", true);
user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
user_pref("privacy.trackingprotection.socialtracking.enabled", true);

/* Clear stored data on browser shutdown. */
user_pref("privacy.sanitize.didShutdownSanitize", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.siteSettings", true);

/* Do not remember credentials. */
user_pref("signon.rememberSignons", false);
user_pref("extensions.formautofill.addresses.enabled", false);
user_pref("pref.privacy.disable_button.view_passwords_exceptions", false);

/* If desired, always use a SOCKS5 proxy. */
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "");
user_pref("network.proxy.socks_port", 12345);
/* If using a proxy, proxy DNS as well. */
user_pref("network.proxy.socks_remote_dns", true);

Original Submission
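
As an added example (not part of the original submission), here is a small Node.js checker for a user.js file like the one above. It flags empty preference names, repeated or conflicting entries, and values whose type differs from an expected type. The `expectedTypes` map and the sample input are assumptions constructed for illustration; take the real types from about:config.

```javascript
// Added example: audit a Firefox user.js for entries that will not do what
// the author intended. Not code from the original post.

// Matches one user_pref("name", value); call. The value is a quoted string,
// true/false, or an integer.
const PREF_RE = /user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/g;

// Remove /* ... */ blocks and whole-line // comments so that commented-out
// prefs are not reported.
function stripComments(text) {
  return text.replace(/\/\*[\s\S]*?\*\//g, "").replace(/^\s*\/\/.*$/gm, "");
}

function typeOf(raw) {
  if (raw === "true" || raw === "false") return "bool";
  return raw.startsWith('"') ? "string" : "int";
}

// expectedTypes: optional map of pref name -> "bool" | "int" | "string".
// This map is hypothetical; the caller fills it in from about:config.
function auditUserJs(text, expectedTypes = {}) {
  const findings = [];
  const seen = new Map();
  for (const m of stripComments(text).matchAll(PREF_RE)) {
    const [, name, raw] = m;
    if (name === "") { findings.push({ issue: "empty-name", name, raw }); continue; }
    if (seen.has(name)) {
      // Same value twice is clutter; different values mean the later one wins.
      findings.push({ issue: seen.get(name) === raw ? "duplicate" : "conflict", name, raw });
    }
    seen.set(name, raw);
    const want = expectedTypes[name];
    if (want && want !== typeOf(raw)) findings.push({ issue: "type-mismatch", name, raw, want });
  }
  return findings;
}

// Constructed sample showing the kinds of problems such a file can accumulate.
const SAMPLE = `
/* Disable automatic updates. */
user_pref("", false);
//user_pref("browser.offline", false);
user_pref("app.normandy.enabled", false);
user_pref("app.normandy.enabled", false);
user_pref("network.proxy.socks_port", "12345");
user_pref("network.trr.mode", 5);
`;
const SAMPLE_TYPES = { "network.proxy.socks_port": "int", "network.trr.mode": "int" };

console.log(auditUserJs(SAMPLE, SAMPLE_TYPES));
```

Run it over a copy of your own file before dropping it into a profile; an entry that is silently skipped leaves the default in place.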

  • (Score: 5, Informative) by Pino P on Friday October 23, @01:54PM

    by Pino P (4721) on Friday October 23, @01:54PM (#1067867) Journal

    Firefox has a feature called "race cache with network" that will speculatively open numerous connections to a web server to retrieve a cached resource in case the server returns the data faster than your disk's cache does. This may improve speed on devices with very slow storage, such as a Windows PC with a 5400 RPM HDD and a slow antivirus, at the cost of increased data transfer billing on an ISP's metered plan as well as loss of access to a website whose firewall confuses the "race" behavior with a SYN flood. One site where a lot of Firefox users have run into problems is, a site about homebrew game development for Nintendo Entertainment System. To disable this, open about:config and set network.http.rcwn.enabled to false.

    See the following bugs:

    • Bug 1451951: Firefox opens several TCP connections and ignores some of them, and may trigger TCP SYN Flood alerts
      Resolved as invalid due to lack of steps to reproduce.
    • Bug 1622859: RCWN causes half-open connections leading to IP blocks for SYN flooding
      Filed to provide more detailed steps to reproduce as well as evidence through Wireshark that it is happening and causing an IP address block on a particular website.
    • Bug 1618200: No UI option to turn off "Race Cache With Network"
      Users must use about:config to turn off this behavior, if they even know it's happening.