Compare commits


2 Commits
94.1 ... 91.1

Author SHA1 Message Date
73994f580a update to current 2021-10-27 06:28:57 +00:00
d2fb8296e0 v91.1 2021-10-27 06:26:25 +00:00
5 changed files with 195 additions and 138 deletions


@ -9,7 +9,7 @@ The `arkenfox user.js` is a **template** which aims to provide as much privacy a
Everyone, experts included, should at least read the [implementation](https://github.com/arkenfox/user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `user.js` settings.
Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services.
Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services.
Also be aware that the `arkenfox user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser.
@ -23,3 +23,5 @@ Also be aware that the `arkenfox user.js` is made specifically for desktop Firef
### 🟥 acknowledgments
Literally thousands of sources, references and suggestions. Many thanks, and much appreciated.


@ -0,0 +1,72 @@
/***
This will reset the preferences that are under sections 4600 & 4700 in the
arkenfox user.js. These are the prefs that are no longer necessary, or they
conflict with, privacy.resistFingerprinting if you have that enabled.
Final update: 10-August-2021
As of v91, section 4600 is no longer recommended, and is all inactive. This
now includes the old 4700 section. You can reset them using prefsCleaner.
For instructions see:
https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
***/
(() => {
if ('undefined' === typeof(Services)) return alert('about:config needs to be the active tab!');
const aPREFS = [
/* section 4600 */
'dom.maxHardwareConcurrency',
'dom.enable_resource_timing',
'dom.enable_performance',
'device.sensors.enabled',
'browser.zoom.siteSpecific',
'dom.gamepad.enabled',
'dom.netinfo.enabled',
'media.webspeech.synth.enabled',
'media.video_stats.enabled',
'dom.w3c_touch_events.enabled',
'media.navigator.enabled',
'media.ondevicechange.enabled',
'webgl.enable-debug-renderer-info',
'ui.prefersReducedMotion',
'dom.w3c_pointer_events.enabled', // deprecated FF87
'ui.use_standins_for_native_colors',
'ui.systemUsesDarkTheme',
'dom.webaudio.enabled',
'layout.css.font-visibility.level',
/* section 4700 */
'general.appname.override',
'general.appversion.override',
'general.buildID.override',
'general.oscpu.override',
'general.platform.override',
'general.useragent.override',
/* reset parrot: check your open about:config after running the script */
'_user.js.parrot'
];
console.clear();
let c = 0;
for (const sPname of aPREFS) {
if (Services.prefs.prefHasUserValue(sPname)) {
Services.prefs.clearUserPref(sPname);
if (!Services.prefs.prefHasUserValue(sPname)) {
console.info('reset', sPname);
c++;
} else console.warn('failed to reset', sPname);
}
}
focus();
const d = (c==1) ? ' pref' : ' prefs';
alert(c ? 'successfully reset ' + c + d + "\n\nfor details check the console" : 'nothing to reset');
return 'all done';
})();
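Review bot: The header comment of this new script does not say that the reset only lasts if the listed prefs are also inactive in the profile's user.js and user-overrides.js; a pref still set there would presumably be applied again on the next Firefox start, leaving the conflict with privacy.resistFingerprinting in place. I would add a line above "For instructions see:" such as `Make sure these prefs are inactive in your user.js and overrides first, or they will be set again on restart.` As a style point, `(c==1)` in the summary line should use strict equality, `(c === 1)`.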


@ -1,3 +1,4 @@
/*** arkenfox user.js troubleshooter.js v1.6.3 ***/
(function() {
@ -193,7 +194,7 @@
const aBAK = getMyList(aPREFS);
//console.log(aBAK.length, "user-set prefs from our list detected and their values stored.");
const sMsg = "all detected prefs reset.\n\n" +
"!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\n" +
"IF the problem still exists, this script can't help you - click Cancel to re-apply your values and exit.\n\n" +


@ -41,9 +41,9 @@ ESR=false
# Download method priority: curl -> wget
DOWNLOAD_METHOD=''
if command -v curl >/dev/null; then
if [[ $(command -v 'curl') ]]; then
DOWNLOAD_METHOD='curl --max-redirs 3 -so'
elif command -v wget >/dev/null; then
elif [[ $(command -v 'wget') ]]; then
DOWNLOAD_METHOD='wget --max-redirect 3 --quiet -O'
else
echo -e "${RED}This script requires curl or wget.\nProcess aborted${NC}"
@ -51,7 +51,7 @@ else
fi
show_banner() {
show_banner () {
echo -e "${BBLUE}
############################################################################
#### ####
@ -103,13 +103,13 @@ Optional Arguments:
# File Handling #
#########################
download_file() { # expects URL as argument ($1)
download_file () { # expects URL as argument ($1)
declare -r tf=$(mktemp)
$DOWNLOAD_METHOD "${tf}" "$1" && echo "$tf" || echo '' # return the temp-filename or empty string on error
}
open_file() { # expects one argument: file_path
open_file () { # expects one argument: file_path
if [ "$(uname)" == 'Darwin' ]; then
open "$1"
elif [ "$(uname -s | cut -c -5)" == "Linux" ]; then
@ -119,11 +119,11 @@ open_file() { # expects one argument: file_path
fi
}
readIniFile() { # expects one argument: absolute path of profiles.ini
readIniFile () { # expects one argument: absolute path of profiles.ini
declare -r inifile="$1"
# tempIni will contain: [ProfileX], Name=, IsRelative= and Path= (and Default= if present) of the only (if) or the selected (else) profile
if [ "$(grep -c '^\[Profile' "${inifile}")" -eq "1" ]; then ### only 1 profile found
if [ $(grep -c '^\[Profile' "${inifile}") -eq "1" ]; then ### only 1 profile found
tempIni="$(grep '^\[Profile' -A 4 "${inifile}")"
else
echo -e "Profiles found:\n"
@ -150,7 +150,7 @@ readIniFile() { # expects one argument: absolute path of profiles.ini
[[ ${pathisrel} == "1" ]] && PROFILE_PATH="$(dirname "${inifile}")/${PROFILE_PATH}"
}
getProfilePath() {
getProfilePath () {
declare -r f1=~/Library/Application\ Support/Firefox/profiles.ini
declare -r f2=~/.mozilla/firefox/profiles.ini
@ -175,8 +175,8 @@ getProfilePath() {
#########################
# Returns the version number of a updater.sh file
get_updater_version() {
echo "$(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")"
get_updater_version () {
echo $(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")
}
# Update updater.sh
@ -184,14 +184,14 @@ get_updater_version() {
# Args:
# -d: New version will not be looked for and update will not occur
# -u: Check for update, if available, execute without asking
update_updater() {
[ "$UPDATE" = 'no' ] && return 0 # User signified not to check for updates
update_updater () {
[ $UPDATE = 'no' ] && return 0 # User signified not to check for updates
declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh')"
[ -z "${tmpfile}" ] && echo -e "${RED}Error! Could not download updater.sh${NC}" && return 1 # check if download failed
if [[ $(get_updater_version "$SCRIPT_FILE") < $(get_updater_version "${tmpfile}") ]]; then
if [ "$UPDATE" = 'check' ]; then
if [ $UPDATE = 'check' ]; then
echo -e "There is a newer version of updater.sh available. ${RED}Update and execute Y/N?${NC}"
read -p "" -n 1 -r
echo -e "\n\n"
@ -211,11 +211,11 @@ update_updater() {
#########################
# Returns version number of a user.js file
get_userjs_version() {
[ -e "$1" ] && echo "$(sed -n '4p' "$1")" || echo "Not detected."
get_userjs_version () {
[ -e $1 ] && echo "$(sed -n '4p' "$1")" || echo "Not detected."
}
add_override() {
add_override () {
input=$1
if [ -f "$input" ]; then
echo "" >> user.js
@ -235,27 +235,27 @@ add_override() {
fi
}
remove_comments() { # expects 2 arguments: from-file and to-file
remove_comments () { # expects 2 arguments: from-file and to-file
sed -e '/^\/\*.*\*\/[[:space:]]*$/d' -e '/^\/\*/,/\*\//d' -e 's|^[[:space:]]*//.*$||' -e '/^[[:space:]]*$/d' -e 's|);[[:space:]]*//.*|);|' "$1" > "$2"
}
# Applies latest version of user.js and any custom overrides
update_userjs() {
update_userjs () {
declare -r newfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/user.js')"
[ -z "${newfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && return 1 # check if download failed
echo -e "Please observe the following information:
Firefox profile: ${ORANGE}$(pwd)${NC}
Available online: ${ORANGE}$(get_userjs_version "$newfile")${NC}
Available online: ${ORANGE}$(get_userjs_version $newfile)${NC}
Currently using: ${ORANGE}$(get_userjs_version user.js)${NC}\n\n"
if [ "$CONFIRM" = 'yes' ]; then
if [ $CONFIRM = 'yes' ]; then
echo -e "This script will update to the latest user.js file and append any custom configurations from user-overrides.js. ${RED}Continue Y/N? ${NC}"
read -p "" -n 1 -r
echo -e "\n"
if [[ $REPLY =~ ^[Nn]$ ]]; then
echo -e "${RED}Process aborted${NC}"
rm "$newfile"
rm $newfile
return 1
fi
fi
@ -269,7 +269,7 @@ update_userjs() {
# backup user.js
mkdir -p userjs_backups
local bakname="userjs_backups/user.js.backup.$(date +"%Y-%m-%d_%H%M")"
[ "$BACKUP" = 'single' ] && bakname='userjs_backups/user.js.backup'
[ $BACKUP = 'single' ] && bakname='userjs_backups/user.js.backup'
cp user.js "$bakname" &>/dev/null
mv "${newfile}" user.js
@ -295,19 +295,19 @@ update_userjs() {
past_nocomments='userjs_diffs/past_userjs.txt'
current_nocomments='userjs_diffs/current_userjs.txt'
remove_comments "$pastuserjs" "$past_nocomments"
remove_comments user.js "$current_nocomments"
remove_comments $pastuserjs $past_nocomments
remove_comments user.js $current_nocomments
diffname="userjs_diffs/diff_$(date +"%Y-%m-%d_%H%M").txt"
diff=$(diff -w -B -U 0 "$past_nocomments" "$current_nocomments")
if [ -n "$diff" ]; then
diff=$(diff -w -B -U 0 $past_nocomments $current_nocomments)
if [ ! -z "$diff" ]; then
echo "$diff" > "$diffname"
echo -e "Status: ${GREEN}A diff file was created:${NC} ${PWD}/${diffname}"
else
echo -e "Warning: ${ORANGE}Your new user.js file appears to be identical. No diff file was created.${NC}"
[ "$BACKUP" = 'multiple' ] && rm "$bakname" &>/dev/null
[ $BACKUP = 'multiple' ] && rm $bakname &>/dev/null
fi
rm "$past_nocomments" "$current_nocomments" "$pastuserjs" &>/dev/null
rm $past_nocomments $current_nocomments $pastuserjs &>/dev/null
fi
[ "$VIEW" = true ] && open_file "${PWD}/user.js"
@ -319,7 +319,7 @@ update_userjs() {
if [ $# != 0 ]; then
# Display usage if first argument is -help or --help
if [ "$1" = '--help' ] || [ "$1" = '-help' ]; then
if [ $1 = '--help' ] || [ $1 = '-help' ]; then
usage
else
while getopts ":hp:ludsno:bcvre" opt; do
@ -363,7 +363,7 @@ if [ $# != 0 ]; then
r)
tfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/user.js')"
[ -z "${tfile}" ] && echo -e "${RED}Error! Could not download user.js${NC}" && exit 1 # check if download failed
mv "$tfile" "${tfile}.js"
mv $tfile "${tfile}.js"
echo -e "${ORANGE}Warning: user.js was saved to temporary file ${tfile}.js${NC}"
open_file "${tfile}.js"
exit 0
@ -382,7 +382,7 @@ if [ $# != 0 ]; then
fi
show_banner
update_updater "$@"
update_updater $@
getProfilePath # updates PROFILE_PATH or exits on error
cd "$PROFILE_PATH" && update_userjs
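Review bot: The new side of these hunks drops the double quotes around variable expansions, which brings back word splitting and glob expansion in the test and file commands; going by the hunk-header context (`get_updater_version() {`, `update_userjs() {`), the unquoted lines appear to be the ones being added. `[ -e $1 ]` evaluates to true when `$1` is empty, `[ $UPDATE = 'no' ]` fails with a test syntax error if the variable is unset or empty, and `rm $newfile`, `mv $tfile "${tfile}.js"` and `update_updater $@` split on any whitespace in a path or argument. Because this script downloads files and then moves, overwrites and deletes files inside the Firefox profile directory, the quoted forms should be kept: `[ "$UPDATE" = 'no' ] && return 0`, `[ -e "$1" ] && echo "$(sed -n '4p' "$1")" || echo "Not detected."`, `update_updater "$@"`. The same applies to the `remove_comments`, `diff` and `rm` lines in update_userjs and to `[ $1 = '--help' ]` in the argument handling.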

192
user.js

@ -1,7 +1,7 @@
/******
* name: arkenfox user.js
* date: 23 November 2021
* version 94
* date: 27 October 2021
* version 91.1
* url: https://github.com/arkenfox/user.js
* license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
@ -13,10 +13,10 @@
* https://github.com/arkenfox/user.js/wiki
3. If you skipped step 2, return to step 2
4. Make changes
* There are often trade-offs and conflicts between security vs privacy vs anti-tracking
* There are often trade-offs and conflicts between security vs privacy vs anti-fingerprinting
and these need to be balanced against functionality & convenience & breakage
* Some site breakage and unintended consequences will happen. Everyone's experience will differ
e.g. some user data is erased on exit (section 2800), change this to suit your needs
e.g. some user data is erased on close (section 2800), change this to suit your needs
* While not 100% definitive, search for "[SETUP" tags
e.g. third party images/videos not loading on some sites? check 1601
* Take the wiki link in step 2 and read the Troubleshooting entry
@ -31,8 +31,10 @@
* It is best to use the arkenfox release that is optimized for and matches your Firefox version
* EVERYONE: each release
- run prefsCleaner to reset prefs made inactive, including deprecated (9999s)
ESR91
- If you are not using arkenfox v91... (not a definitive list)
ESR78
- If you are not using arkenfox v78... (not a definitive list)
- 1244: HTTPS-Only mode is enabled
- 4511: non-native widget theme is enforced
- 9999: switch the appropriate deprecated section(s) back on
* INDEX:
@ -55,7 +57,7 @@
2400: DOM (DOCUMENT OBJECT MODEL)
2600: MISCELLANEOUS
2700: PERSISTENT STORAGE
2800: SHUTDOWN & SANITIZING
2800: SHUTDOWN
4000: FPI (FIRST PARTY ISOLATION)
4500: RFP (RESIST FINGERPRINTING)
5000: OPTIONAL OPSEC
@ -85,7 +87,7 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
user_pref("browser.shell.checkDefaultBrowser", false);
/* 0102: set startup page [SETUP-CHROME]
* 0=blank, 1=home, 2=last visited page, 3=resume previous session
* [NOTE] Session Restore is cleared with history (2811, 2812), and not used in Private Browsing mode
* [NOTE] Session Restore is cleared with history (2803, 2804), and not used in Private Browsing mode
* [SETTING] General>Startup>Restore previous session ***/
user_pref("browser.startup.page", 0);
/* 0103: set HOME+NEWWINDOW page
@ -102,7 +104,7 @@ user_pref("browser.newtab.preload", false);
* [SETTING] Home>Firefox Home Content>... to show/hide what you want ***/
user_pref("browser.newtabpage.activity-stream.feeds.telemetry", false);
user_pref("browser.newtabpage.activity-stream.telemetry", false);
user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DEFAULT: false]
user_pref("browser.newtabpage.activity-stream.feeds.snippets", false); // [DEFAULT: false FF89+]
user_pref("browser.newtabpage.activity-stream.feeds.section.topstories", false);
user_pref("browser.newtabpage.activity-stream.section.highlights.includePocket", false);
user_pref("browser.newtabpage.activity-stream.showSponsored", false);
@ -242,6 +244,7 @@ user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
to Google, only a part-hash of the prefix, hidden with noise of other real part-hashes.
Firefox takes measures such as stripping out identifying parameters and since SBv4 (FF57+)
doesn't even use cookies. (#Turn on browser.safebrowsing.debug to monitor this activity)
FWIW, Google also swear it is anonymized and only used to flag malicious sites.
[1] https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
[2] https://wiki.mozilla.org/Security/Safe_Browsing
@ -322,12 +325,7 @@ user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
* [2] https://en.wikipedia.org/wiki/GVfs
* [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
/* 0705: disable proxy direct failover for system requests [FF91+]
* [WARNING] Default true is a security feature against malicious extensions [1]
* [SETUP-CHROME] If you use a proxy and you trust your extensions
* [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
// user_pref("network.proxy.failover_direct", false);
/* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
/* 0705: disable DNS-over-HTTPS (DoH) rollout [FF60+]
* 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
* see "doh-rollout.home-region": USA Feb 2020, Canada July 2021 [3]
* [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
@ -335,6 +333,11 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
* [3] https://blog.mozilla.org/mozilla/news/firefox-by-default-dns-over-https-rollout-in-canada/
* [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
// user_pref("network.trr.mode", 5);
/* 0706: disable proxy direct failover for system requests [FF91+]
* [WARNING] Default true is a security feature against malicious extensions [1]
* [SETUP-CHROME] If you use a proxy and you trust your extensions
* [1] https://blog.mozilla.org/security/2021/10/25/securing-the-proxy-api-for-firefox-add-ons/ ***/
// user_pref("network.proxy.failover_direct", false);
/*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/
user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
@ -369,18 +372,13 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false);
* 0=never resolve single words, 1=heuristic (default), 2=always resolve
* [1] https://bugzilla.mozilla.org/1642623 ***/
user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0);
/* 0807: disable location bar contextual suggestions [FF92+]
* [SETTING] Privacy & Security>Address Bar>Contextual Suggestions
* [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/
user_pref("browser.urlbar.suggest.quicksuggest", false);
user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
/* 0808: disable tab-to-search [FF85+]
* Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
* [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
// user_pref("browser.urlbar.suggest.engines", false);
/* 0810: disable search and form history
* [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
* [NOTE] We also clear formdata on exit (2811)
* [NOTE] We also clear formdata on exit (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
* [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
* [2] https://bugzilla.mozilla.org/381681 ***/
@ -398,7 +396,7 @@ user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
/* 0820: disable coloring of visited links
* [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
* redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
* attacks. Don't forget clearing history on exit (2811). However, social engineering [2#limits][4][5]
* attacks. Don't forget clearing history on close (2803). However, social engineering [2#limits][4][5]
* and advanced targeted timing attacks could still produce usable results
* [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector
* [2] https://dbaron.org/mozilla/visited-privacy
@ -439,7 +437,7 @@ user_pref("network.http.windows-sso.enabled", false); // [DEFAULT: false]
user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
/* 1001: disable disk cache
* [SETUP-CHROME] If you think disk cache helps perf, then feel free to override this
* [NOTE] We also clear cache on exit (2811) ***/
* [NOTE] We also clear cache on exit (2803) ***/
user_pref("browser.cache.disk.enable", false);
/* 1002: disable media cache from writing to disk in Private Browsing
* [NOTE] MSE (Media Source Extensions) are already stored in-memory in PB
@ -582,15 +580,12 @@ user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
/* 1401: disable rendering of SVG OpenType fonts ***/
user_pref("gfx.font_rendering.opentype_svg.enabled", false);
/* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
/* 1402: limit font visibility (Windows, Mac, some Linux) [FF79+]
* [NOTE] In FF80+ RFP ignores the pref and uses value 1
* Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
* In normal windows: uses the first applicable: RFP (4506) over TP over Standard
* In Private Browsing windows: uses the most restrictive between normal and private
* 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
* [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
// user_pref("layout.css.font-visibility.private", 1);
// user_pref("layout.css.font-visibility.standard", 1);
// user_pref("layout.css.font-visibility.trackingprotection", 1);
// user_pref("layout.css.font-visibility.level", 1);
/*** [SECTION 1600]: HEADERS / REFERERS
Expect some breakage e.g. banks: use an extension if you need precise control
@ -632,10 +627,11 @@ user_pref("privacy.userContext.ui.enabled", true);
/*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/
user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
/* 2001: disable WebRTC (Web Real-Time Communication)
* [SETUP-WEB] WebRTC can leak your private network address from behind your VPN, but if this
* is not your threat model, and you want Real-Time Communication, this is the pref for you ***/
* [SETUP-WEB] WebRTC can leak your IP address from behind your VPN, but if this is not
* in your threat model, and you want Real-Time Communication, this is the pref for you
* [1] https://www.privacytools.io/#webrtc ***/
user_pref("media.peerconnection.enabled", false);
/* 2002: limit WebRTC private network address leaks
/* 2002: limit WebRTC IP leaks if using WebRTC
* In FF70+ these settings match Mode 4 (Mode 3 in older versions) [3]
* [TEST] https://browserleaks.com/webrtc
* [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
@ -725,6 +721,7 @@ user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
/*** [SECTION 2600]: MISCELLANEOUS ***/
user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
/* 2601: prevent accessibility services from accessing your browser [RESTART]
* [SETTING] Privacy & Security>Permissions>Prevent accessibility services from accessing your browser (FF80 or lower)
* [1] https://support.mozilla.org/kb/accessibility-services ***/
user_pref("accessibility.force_disabled", 1);
/* 2602: disable sending additional analytics to web servers
@ -837,6 +834,17 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin
* [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/ ***/
user_pref("network.cookie.cookieBehavior", 1);
user_pref("browser.contentblocking.category", "custom");
/* 2702: set third-party cookies (if enabled, see 2701) to session-only
* [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
* .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
* [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
user_pref("network.cookie.thirdparty.sessionOnly", true);
user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
/* 2703: delete cookies and site data on close
* 0=keep until they expire (default), 2=keep until you close Firefox
* [NOTE] The setting below is disabled (but not changed) if you block all cookies (2701 = 2)
* [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed ***/
// user_pref("network.cookie.lifetimePolicy", 2);
/* 2710: enable Enhanced Tracking Protection (ETP) in all windows
* [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Tracking content
* [SETTING] to add site exceptions: Urlbar>ETP Shield
@ -847,7 +855,7 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true);
// user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
// user_pref("privacy.trackingprotection.fingerprinting.enabled", true); // [DEFAULT: true]
/* 2740: disable service worker cache and cache storage
* [NOTE] We clear service worker cache on exit (2811)
* [NOTE] We clear service worker cache on exit (2803)
* [1] https://w3c.github.io/ServiceWorker/#privacy ***/
// user_pref("dom.caches.enabled", false);
/* 2750: disable Storage API [FF51+]
@ -864,67 +872,52 @@ user_pref("privacy.trackingprotection.socialtracking.enabled", true);
/* 2760: enable Local Storage Next Generation (LSNG) [FF65+] ***/
user_pref("dom.storage.next_gen", true); // [DEFAULT: true FF92+]
/*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
/*** [SECTION 2800]: SHUTDOWN
* Sanitizing on shutdown is all or nothing. It does not use Managed Exceptions under
Privacy & Security>Delete cookies and site data when Firefox is closed (1681701)
* If you want to keep some sites' cookies (exception as "Allow") and optionally other site
data but clear all the rest on close, then you need to set the "cookie" and optionally the
"offlineApps" prefs below to false, and to set the cookie lifetime pref to 2 (2703)
***/
user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
/** COOKIES + SITE DATA : ALLOWS EXCEPTIONS ***/
/* 2801: delete cookies and site data on exit
* 0=keep until they expire (default), 2=keep until you close Firefox
* [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed
* [SETTING] to add site exceptions: Ctrl+I>Permissions>Cookies>Allow
* If using FPI the syntax must be https://example.com/^firstPartyDomain=example.com
* [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/
user_pref("network.cookie.lifetimePolicy", 2);
/* 2802: delete cache on exit [FF96+]
* [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust
* [1] https://bugzilla.mozilla.org/1671182 ***/
// user_pref("privacy.clearsitedata.cache.enabled", true);
/* 2803: set third-party cookies to session-only
* [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
* .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
* [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
user_pref("network.cookie.thirdparty.sessionOnly", true);
user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // [FF58+]
/** SANITIZE ON SHUTDOWN : ALL OR NOTHING ***/
/* 2810: enable Firefox to clear items on shutdown (2811)
/* 2802: enable Firefox to clear items on shutdown (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes ***/
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
/* 2811: set/enforce what items to clear on shutdown (if 2810 is true) [SETUP-CHROME]
* sanitizingOnShutdown is all or nothing, it does not allow exceptions (1681701)
/* 2803: set what items to clear on shutdown (if 2802 is true) [SETUP-CHROME]
* [NOTE] If "history" is true, downloads will also be cleared
* [NOTE] "sessions": Active Logins: refers to HTTP Basic Authentication [1], not logins via cookies
* [NOTE] "offlineApps": Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
* [NOTE] Active Logins: does not refer to logins via cookies, but rather HTTP Basic Authentication [1]
* [NOTE] Offline Website Data: localStorage, service worker cache, QuotaManager (IndexedDB, asm-cache)
* [SETTING] Privacy & Security>History>Custom Settings>Clear history when Firefox closes>Settings
* [1] https://en.wikipedia.org/wiki/Basic_access_authentication ***/
user_pref("privacy.clearOnShutdown.cache", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.downloads", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.formdata", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.history", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.sessions", true); // [DEFAULT: true]
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.offlineApps", true);
// user_pref("privacy.clearOnShutdown.siteSettings", false); // [DEFAULT: false] Site Preferences
/* 2812: reset default items to clear with Ctrl-Shift-Del (to match 2811) [SETUP-CHROME]
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", true);
user_pref("privacy.clearOnShutdown.downloads", true); // see note above
user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
user_pref("privacy.clearOnShutdown.offlineApps", true); // Offline Website Data
user_pref("privacy.clearOnShutdown.sessions", true); // Active Logins
user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
/* 2804: reset default items to clear with Ctrl-Shift-Del (to match 2803) [SETUP-CHROME]
* This dialog can also be accessed from the menu History>Clear Recent History
* Firefox remembers your last choices. This will reset them when you start Firefox
* [NOTE] Regardless of what you set "downloads" to, as soon as the dialog
* for "Clear Recent History" is opened, it is synced to the same as "history" ***/
user_pref("privacy.cpd.cache", true); // [DEFAULT: true]
user_pref("privacy.cpd.formdata", true); // [DEFAULT: true]
user_pref("privacy.cpd.history", true); // [DEFAULT: true]
user_pref("privacy.cpd.sessions", true); // [DEFAULT: true]
user_pref("privacy.cpd.cookies", false);
user_pref("privacy.cpd.offlineApps", true);
user_pref("privacy.cpd.cache", true);
user_pref("privacy.cpd.cookies", true);
// user_pref("privacy.cpd.downloads", true); // not used, see note above
// user_pref("privacy.cpd.passwords", false); // [DEFAULT: false] this is not listed
// user_pref("privacy.cpd.siteSettings", false); // [DEFAULT: false] Site Preferences
/* 2813: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
* [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811)
user_pref("privacy.cpd.formdata", true); // Form & Search History
user_pref("privacy.cpd.history", true); // Browsing & Download History
user_pref("privacy.cpd.offlineApps", true); // Offline Website Data
user_pref("privacy.cpd.passwords", false); // this is not listed
user_pref("privacy.cpd.sessions", true); // Active Logins
user_pref("privacy.cpd.siteSettings", false); // Site Preferences
/* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
* [NOTE] Not needed if Session Restore is not used (0102) or is already cleared with history (2803)
* [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (also see 5008)
* [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
// user_pref("privacy.clearOnShutdown.openWindows", true);
// user_pref("privacy.cpd.openWindows", true);
/* 2814: reset default "Time range to clear" for "Clear Recent History" (2812)
/* 2806: reset default "Time range to clear" for "Clear Recent History" (2804)
* Firefox remembers your last choice. This will reset the value when you start Firefox
* 0=everything, 1=last hour, 2=last two hours, 3=last four hours, 4=today
* [NOTE] Values 5 (last 5 minutes) and 6 (last 24 hours) are not listed in the dropdown,
@ -980,13 +973,14 @@ user_pref("privacy.firstparty.isolate", true);
418986 - limit window.screen & CSS media queries (FF41)
[TEST] https://arkenfox.github.io/TZP/tzp.html#screen
1281949 - spoof screen orientation (FF50)
1281963 - hide contents of navigator.plugins and navigator.mimeTypes (FF50-88)
1330890 - spoof timezone as UTC0 (FF55)
1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
1217238 - reduce precision of time exposed by javascript (FF55)
FF56
1369303 - spoof/disable performance API
1333651 - spoof User Agent & Navigator API
JS: the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux
JS: FF91+ the version is spoofed as ESR, and the OS as Windows 10, OS 10.15, Android 10, or Linux
HTTP Headers: spoofed as Windows or Android
1369319 - disable device sensor API
1369357 - disable site specific zoom
@ -999,6 +993,8 @@ user_pref("privacy.firstparty.isolate", true);
1217290 & 1409677 - enable some fingerprinting resistance for WebGL
1382545 - reduce fingerprinting in Animation API
1354633 - limit MediaError.message to a whitelist
1382533 & 1697680 - enable fingerprinting resistance for Presentation API (FF57-87)
Blocks exposure of local IP Addresses via mDNS (Multicast DNS)
FF58-90
967895 - spoof canvas and enable site permission prompt (FF58)
1372073 - spoof/block fingerprinting in MediaDevices API (FF59)
@ -1056,15 +1052,13 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
* [1] https://bugzilla.mozilla.org/1635603 ***/
// user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid");
// user_pref("privacy.resistFingerprinting.testGranularityMask", 0);
/* 4506: set RFP's font visibility level (1402) [FF94+] ***/
// user_pref("layout.css.font-visibility.resistFingerprinting", 1);
/* 4507: disable showing about:blank as soon as possible during startup [FF60+]
/* 4506: disable showing about:blank as soon as possible during startup [FF60+]
* When default true this no longer masks the RFP chrome resizing activity
* [1] https://bugzilla.mozilla.org/1448423 ***/
user_pref("browser.startup.blankWindow", false);
/* 4510: disable using system colors
/* 4510: enforce no system colors
* [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
user_pref("browser.display.use_system_colors", false); // [DEFAULT false NON-WINDOWS]
user_pref("browser.display.use_system_colors", false); // [DEFAULT: false]
/* 4511: enforce non-native widget theme
* Security: removes/reduces system API calls, e.g. win32k API [1]
* Fingerprinting: provides a uniform look and feel across platforms [2]
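Review bot: The `[DEFAULT: false]` tag on the new 4510 line for `browser.display.use_system_colors` drops the platform qualifier that the other side of this diff carries (`[DEFAULT false NON-WINDOWS]`), so a Windows reader may take the pref for a no-op and delete it from their copy. If the default is still true on Windows for the Firefox versions this release targets (worth confirming), keep the qualifier in the file's tag format: `// [DEFAULT: false NON-WINDOWS]`. The 4511 entry that follows continues past the end of the hunk.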
@ -1120,7 +1114,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
/* 5006: disable favicons in history and bookmarks
* [NOTE] Stored as data blobs in favicons.sqlite, these don't reveal anything that your
* actual history (and bookmarks) already do. Your history is more detailed, so
* control that instead; e.g. disable history, clear history on exit, use PB mode
* control that instead; e.g. disable history, clear history on close, use PB mode
* [NOTE] favicons.sqlite is sanitized on Firefox close ***/
// user_pref("browser.chrome.site_icons", false);
/* 5007: exclude "Undo Closed Tabs" in Session Restore ***/
@ -1144,7 +1138,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
* [1] https://support.mozilla.org/kb/address-bar-autocomplete-firefox#w_url-autocomplete ***/
// user_pref("browser.urlbar.autoFill", false);
/* 5013: disable browsing and download history
* [NOTE] We also clear history and downloads on exit (2811)
* [NOTE] We also clear history and downloads on exit (2803)
* [SETTING] Privacy & Security>History>Custom Settings>Remember browsing and download history ***/
// user_pref("places.history.enabled", false);
/* 5014: disable Windows jumplist [WINDOWS] ***/
@ -1213,12 +1207,12 @@ user_pref("security.csp.enable", true); // [DEFAULT: true]
user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
/* 6005: enforce window.opener protection [FF65+]
* Makes rel=noopener implicit for target=_blank in anchor and area elements when no rel attribute is set ***/
user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true]
user_pref("dom.targetBlankNoOpener.enabled", true); // [DEFAULT: true FF79+]
/* 6006: enforce "window.name" protection [FF82+]
* If a new page from another domain is loaded into a tab, then window.name is set to an empty string. The original
* string is restored if the tab reverts back to the original page. This change prevents some cross-site attacks
* [TEST] https://arkenfox.github.io/TZP/tests/windownamea.html ***/
user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true]
user_pref("privacy.window.name.update.enabled", true); // [DEFAULT: true FF86+]
/* 6050: prefsCleaner: reset previously active items removed from arkenfox in 79-91 ***/
// user_pref("browser.newtabpage.activity-stream.asrouter.providers.snippets", "");
// user_pref("browser.send_pings.require_same_host", "");
@ -1270,6 +1264,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
// user_pref("security.ssl3.rsa_aes_256_gcm_sha384", false); // no PFS
// user_pref("security.ssl3.rsa_aes_128_sha", false); // no PFS
// user_pref("security.ssl3.rsa_aes_256_sha", false); // no PFS
// user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES
/* 7004: control TLS versions
* [WHY] Passive fingerprinting. Downgrades are still possible: behind user interaction ***/
// user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
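Review bot: The 3DES line added to 7003 is tagged only `// 3DES`, while its neighbours state why they are listed (`// no PFS`), and like them it is commented out, so applying this file leaves the suite at Firefox's default. Put the reason in the tag, e.g. `// 3DES: 64-bit block cipher, no PFS`, so a reader deciding whether to activate it knows what is being traded. The other side of this diff keeps the pref in a deprecated block under FF93 with a pointer to bugzilla 1724072, which presumably marks where the pref stops existing; carrying that reference next to the line would tell ESR and release users whether it still applies to them. The 7003 header and its explanatory text lie outside the hunk, so the section may already say why the entries are inactive.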
@ -1289,7 +1284,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
/* 7008: set the default Referrer Policy [FF59+]
* 0=no-referer, 1=same-origin, 2=strict-origin-when-cross-origin, 3=no-referrer-when-downgrade
* [WHY] Defaults are fine. They can be overridden by a site-controlled Referrer Policy ***/
// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2]
// user_pref("network.http.referer.defaultPolicy", 2); // [DEFAULT: 2 FF87+]
// user_pref("network.http.referer.defaultPolicy.pbmode", 2); // [DEFAULT: 2]
/* 7009: disable HTTP2
* [WHY] Passive fingerprinting. ~50% of sites use HTTP2 [1]
@ -1301,7 +1296,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
/* 7010: disable HTTP Alternative Services [FF37+]
* [WHY] Already isolated by network partitioning (FF85+) or FPI ***/
// user_pref("network.http.altsvc.enabled", false);
// user_pref("network.http.altsvc.oe", false); // [DEFAULT: false FF94+]
// user_pref("network.http.altsvc.oe", false);
/* 7011: disable website control over browser right-click context menu
* [WHY] Just use Shift-Right-Click ***/
// user_pref("dom.event.contextmenu.enabled", false);
@ -1362,10 +1357,9 @@ user_pref("browser.startup.homepage_override.mstone", "ignore"); // master switc
// user_pref("startup.homepage_welcome_url.additional", "");
// user_pref("startup.homepage_override_url", ""); // What's New page after updates
/* WARNINGS ***/
// user_pref("browser.tabs.warnOnClose", false); // [DEFAULT false FF94+]
// user_pref("browser.tabs.warnOnClose", false);
// user_pref("browser.tabs.warnOnCloseOtherTabs", false);
// user_pref("browser.tabs.warnOnOpen", false);
// user_pref("browser.warnOnQuitShortcut", false); // [FF94+]
// user_pref("full-screen-api.warning.delay", 0);
// user_pref("full-screen-api.warning.timeout", 0);
/* APPEARANCE ***/
@ -1408,18 +1402,6 @@ user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features",
[1] https://github.com/arkenfox/user.js/issues/123
***/
user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!");
/* ESR91.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable them
// FF93
// 7003: disable non-modern cipher suites
// [-] https://bugzilla.mozilla.org/1724072
// user_pref("security.ssl3.rsa_des_ede3_sha", false); // 3DES
// FF94
// 1402: limit font visibility (Windows, Mac, some Linux) [FF79+] - replaced by new 1402
// [-] https://bugzilla.mozilla.org/1715507
// user_pref("layout.css.font-visibility.level", 1);
// ***/
/* ESR78.x still uses all the following prefs
// [NOTE] replace the * with a slash in the line above to re-enable them
// FF79