Slash Boxes

SoylentNews is people

posted by martyb on Friday October 23 2020, @01:48AM   Printer-friendly
from the not-trying-to-start-a-browser-war dept.

There are various stories about Firefox not respecting user privacy. Some suggest certain settings to reduce the information Firefox sends out (such as this one from Mozilla). Over time, I have collected a lot of them into a user.js file. For those who do not know, a user.js file may be dropped into a Firefox profile directory as a convenient way to force certain settings every time Firefox starts up. This can reset changes made by the user during a previous session, but is also a convenient way to initialize desired settings in a fresh profile.

In an IRC discussion, Martyb suggested I share the settings I have collected. Below is a sample user.js that I sometimes use as a template for disabling many potential privacy and/or security holes in Firefox. Some, like HTML pings, are probably features that most privacy-minded individuals do not want (and may not have even known about). Others, like disabling cookies and/or javascript, can break how sites work (sometimes, amusingly, they only break the advertisements). Others, like disabling tracker protection, are double-edged in that disabling them exposes you to being tracked by known trackers, while enabling them might cause Firefox to phone home to get updated lists of known trackers. The comments in the user.js point out some, but definitely not all, of the potential pitfalls. The settings are definitely not set the way everybody should use them, but having them listed out at least provides a convenient starting point. I highly recommend against dropping them directly into your main Firefox profile, as they may undo changes you have made for yourself. Instead, either try them in a fresh profile and copy over things that work for you, or research the settings and only copy over the ones you want that will not break your browser.

Please share any information you may have on various settings in this file, or on any you feel are missing from this file. Also, if you have similar information for some other browsers, consider commenting on those, or perhaps submitting a story about settings for that browser.

/* Note:  All of these may be set in about:config.  Many may also be set
* via about:preferences.  Placing them in a user.js allows for them to be
* set automaticaly when Firefox starts up (overriding any changes made to
* them during the previous session), and also gives a convenient way to
* set many settings in a new profile.
* Several of these break sites (often in ways that are not immediately
* obvious); others break features.  They are being included here just to
* show what options are there.  A small amount of effort has been made to
* comment on the ones that are likely to break things.
* Obviously, most of these are not carefully explained.  Please search
* online to find out what they do. */

/* Start in offline mode, if desired: */
//user_pref("browser.offline", false);

/* Disable automatic updates. */
user_pref("", false);
user_pref("", false);
user_pref("extensions.update.autoUpdateDefault", false);
user_pref("extensions.update.enabled", false);

/* Disable settings that might try to deal with a typo, sending out
* information that was not intended to be sent. */
user_pref("browser.fixup.alternate.enabled", false);
user_pref("", false);
user_pref("keyword.enabled", false);

/* Disable certain storages that could leak information to somebody else
* using the browser. */
user_pref("browser.formfill.enable", false);
user_pref("browser.history_expire_days.mirror", 1);
user_pref("browser.history_expire_days_min", 1);
user_pref("browser.urlbar.autocomplete.enabled", false);
user_pref("browser.urlbar.suggest.bookmark", false);
user_pref("browser.urlbar.suggest.history", false);
user_pref("browser.urlbar.suggest.openpage", false);
user_pref("browser.urlbar.suggest.topsites", false);
user_pref("places.history.enabled", false);
/* Note:  Some sites that require javascript to be enabled and use local
* storage may choke with these two settings: */
user_pref("", false);
user_pref("dom.indexedDB.enabled", false);

/* Disable certain features that leak information. */
user_pref("browser.safebrowsing.enabled", false);
user_pref("browser.safebrowsing.blockedURIs.enabled", false);
user_pref("browser.safebrowsing.downloads.enabled", false);
user_pref("browser.safebrowsing.downloads.remote.enabled", false);
user_pref("browser.safebrowsing.malware.enabled", false);
user_pref("browser.safebrowsing.passwords.enabled", false);
user_pref("browser.safebrowsing.phishing.enabled", false);
user_pref("browser.safebrowsing.remoteLookups", false);
/* Disable various pings and automatic checks. */
user_pref("browser.aboutHomeSnippets.updateUrl", "");
user_pref("extensions.blocklist.enabled", false);
user_pref("extensions.getAddons.cache.enabled", false);
user_pref("network.captive-portal-service.enabled", false);
/* Disable the ping attribute in HTML links:
* <a href="" ping="">Ping</a>
* will send a ping to the ping URL when clicked if this is enabled. */
user_pref("browser.send_pings", false);
/* Disable searching the network for finding devices Firefox could send
* video to (like Roku or Chromecast devices). */
user_pref("browser.casting.enabled", false);

/* General security. */
/* This definitely breaks sites, but for the paranoid, nothing enhances
* security and privacy like not letting sites choose what code runs. */
user_pref("javascript.enabled", false);
/* This is probably not an issue if javascript is disabled.  If enabled and
* used, it allows for probing local IP addresses.  Specifically, if
* enabled, the STUN protocol can use an ICE connection to figure out IP
* addresses of your computer.  Note that this is required for WebRTC
* (audio/video conferencing). */
user_pref("media.peerconnection.enabled", false);
user_pref("security.enable_java", false);
user_pref("security.warn_entering_secure", true);
user_pref("security.warn_entering_weak", true);
user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_submit_insecure", true);
user_pref("security.warn_viewing_mixed", true);
/* If you do not plan to use this web notification service, you should
* probably keep is disabled. */
user_pref("dom.webnotifications.enabled", false);
user_pref("dom.webnotifications.serviceworker.enabled", false);

/* Set some private settings. */
/* Do not try to load links just because the cursor passed over them. */
user_pref("network.http.speculative-parallel-limit", 0);
user_pref("network.dns.disablePrefetch", true);
user_pref("network.prefetch-next", false);
/* Do not try to geolocate. */
user_pref("", "");
/* Disable DNS over HTTPS.  See other network.trr.* settings for more
* details.  Enable by setting to 2, or by going to about:preferences and
* changing the check box in about:config. */
user_pref("network.trr.mode", 5);
/* Show punycode in URLs using that (rather than showing Unicode).  This is
* an attempt to protect against sites that use names that look official,
* like except with an ``o'' replaced with some Unicode
* character that looks a lot like an ``o'', or something. */
user_pref("network.IDN_show_punycode", true);
/* Accessibility features might be a privacy issue. */
user_pref("accessibility.force_disabled", 1);
/* Disable studies and personalized extension recommendations. */
user_pref("app.normandy.enabled", false);
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.discovery.enabled", false);
/* Disable Normandy service, which, if enabled, allows Mozilla to push
* configuration changes and add-ons to your browser.  While an obvious
* potential security issue, note that this feature does help to prevent
* other security issues with uses not updating software, including
* apparently helping with some problem where a bug was preventing updating
* add-ons. */
user_pref("app.normandy.enabled", false);

/* If you want to use your own extensions, they will need to be signed,
* unless you disable this (set it to false). */
user_pref("xpinstall.signatures.required", true);

/* Always ask where to download files. */
user_pref("", false);

/* Open new tabs with blank pages. */
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", false);
/* Default home page is a blank page. */
user_pref("", 0);
user_pref("browser.startup.homepage", "about:blank");
/* Cycle through tabs in a more predictable order. */
user_pref("browser.ctrlTab.recentlyUsedOrder", false);
/* Disable showing things in new tabs if not using a blank page. */
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
user_pref("browser.newtabpage.activity-stream.feeds.snippets", false);
user_pref("browser.newtabpage.activity-stream.feeds.topsites", false);
user_pref("browser.newtabpage.activity-stream.showSearch", false);
user_pref("browser.newtabpage.activity-stream.showSponsored", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
user_pref("browser.newtabpage.activity-stream.feeds.section.highlights", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeBookmarks", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeDownloads", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includeVisited", false);

/* Use autoscroll. */
user_pref("general.autoScroll", true);

/* Disable cookies by default. */
user_pref("network.cookie.cookieBehavior", 2);
user_pref("network.cookie.lifetimePolicy", 2);
/* Disable other potential trackers.
* NOTE:  If these are enabled, Firefox may connect to servers to update
* lists of known cryptominers and/or trackers.  On the other hand,
* disabling them may result in Firefox loading resources from known
* trackers. */
user_pref("privacy.trackingprotection.enabled", true);
user_pref("privacy.trackingprotection.cryptomining.enabled", true);
user_pref("privacy.trackingprotection.fingerprinting.enabled", true);
user_pref("privacy.trackingprotection.socialtracking.enabled", true);

/* Clear stored data on browser shutdown. */
user_pref("privacy.sanitize.didShutdownSanitize", true);
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.offlineApps", true);
user_pref("privacy.clearOnShutdown.siteSettings", true);

/* Do not remember credentials. */
user_pref("signon.rememberSignons", false);
user_pref("extensions.formautofill.addresses.enabled", false);
user_pref("pref.privacy.disable_button.view_passwords_exceptions", false);

/* If desired, always use a SOCKS5 proxy. */
user_pref("network.proxy.type", 1);
user_pref("network.proxy.socks", "");
user_pref("network.proxy.socks_port", "12345");
/* If using a proxy, proxy DNS as well. */
user_pref("network.proxy.socks_remote_dns", true);

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 1, Informative) by Anonymous Coward on Friday October 23 2020, @02:14PM

    by Anonymous Coward on Friday October 23 2020, @02:14PM (#1067873)

    The problem is that on non-firefox based browsers, you can't turn off all the info leaking "features". And, every browser you mention is full of them. So, by being able to turn off javascript features used to fingerprint users. Turn off javascript being able to spy on your clipboard. Turn off webrtc and other garbage that leaks your real IP when you are behind a VPN. You are *much* better off with firefox than any other non-firefox based browser.

    As for pale moon (a firefox based browser), it is less secure due to vulnerabilities due to running an ancient unpatched/slow to patch firefox by virtue of the tiny group of devs (you are probably better off with seamonkey, if you want XUL extensions)-- I can't find the link but there was a good writeup on pale moon where the author showed that pale moon was vulnerable to exploits known and already fixed in mainline firefox for _years_.

    Starting Score:    0  points
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  

    Total Score:   1