Firefox bullshit removal via about:config

Firefox bullshit removal

Due to the incessant swarm of complete and utter nonsense that has been forcing its way into Firefox over time, I've decided to start collecting my personal list of “must-have” about:config tweaks required to turn Firefox into a functional browser.

NOTE: Unfortunately this is somewhat out of date. The comments link to some resources that may be more up-to-date. Patches welcome.

WebSockets

These can be used for nefarious purposes and to bypass access restrictions.

network.websocket.enabled=false

JavaScript spy vectors

These can be used for fingerprinting or data collection about the host system.

dom.event.clipboardevents.enabled=false
dom.battery.enabled=false
browser.send_pings=false
webgl.disabled=true

Pocket integration

This is a proprietary tie-in service that is a risk to your privacy.

  1. Drag the “pocket” icon off your toolbar. This step is important.
  2. browser.pocket.enabled=false

WebRTC

This is an inter-browser communication standard that is a very significant risk to your privacy and can be used to break out of VPN tunnels, proxies and unmask local users.

media.peerconnection.enabled=false
loop.enabled=false

DRM

This is a significant breach of your personal freedom and security.

media.eme.enabled=false
media.gmp-eme-adobe.enabled=false

GeoLocation / Beacon

These can be used for tracking and fingerprinting services and are harmful to your privacy.

beacon.enabled=false
geo.enabled=false
geo.wifi.logging.enabled=false
geo.wifi.uri=""

Safe browsing

This requires Firefox to communicate with a third party, Google by default, and also sends them metadata about your downloads.

browser.safebrowsing.enabled=false
browser.safebrowsing.downloads.enabled=false
browser.safebrowsing.malware.enabled=false

Social media integration

This anti-feature lets social media platforms integrate directly into your browser.

social.directories=""
social.whitelist=""
social.manifest.facebook=""
social.remote-install.enabled=false
social.toast-notifications.enabled=false

Device tracking/statistics

These can be used to fingerprint your system and track you.

device.sensors.enabled=false
camera.control.face_detection.enabled=false
camera.control.autofocus_moving_callback.enabled=false

Tracking protection

This makes Firefox block known tracking domains by default.

privacy.trackingprotection.enabled=true

DNT Header

This makes Firefox include a DNT (“do not track”) header in its requests. Theoretically, this would opt you out of tracking for some services, but unfortunately it makes your fingerprint much more trackable, as this header is not too common. Enable it if you want, but it's probably best to leave it off to prevent tracking.

privacy.donottrackheader.enabled=true

Stat tracking / telemetry

These are used by Mozilla to spy on you, and are as such a significant risk to privacy.

datareporting.healthreport.service.enabled=false
datareporting.healthreport.uploadEnabled=false
toolkit.telemetry.enabled=false

Link pre-fetching

This makes Firefox connect to arbitrary links on a page by the simple act of hovering over them, without your explicit permission.

network.http.speculative-parallel-limit=0

Cryptography hardening

This disables algorithms that are known to be weak or broken, and prevents most common attack vectors. Be warned that this may break some older websites that are not compatible with modern protocols.

General settings

security.tls.unrestricted_rc4_fallback=false
security.tls.insecure_fallback_hosts.use_static_list=false
security.tls.version.min=1
security.ssl.require_safe_negotiation=true
security.ssl.treat_unsafe_negotiation_as_broken=true
security.ssl3.rsa_seed_sha=true
security.OCSP.enabled=1
security.OCSP.require=true

Disable unnecessary protocols

This disables older cipher suites that are known to be weak or entirely broken (3DES, RC4 and MD5).

security.ssl3.rsa_rc4_128_sha=false
security.ssl3.rsa_rc4_128_md5=false
security.ssl3.rsa_des_ede3_sha=false
security.ssl3.ecdhe_ecdsa_rc4_128_sha=false
security.ssl3.ecdhe_rsa_rc4_128_sha=false

Perfect forward secrecy

If you (additionally) want to force the use of PFS, the only enabled cipher suites should be the ecdhe/dhe variants. This might break lots of sites.

security.ssl3.rsa_aes_256_sha=false

Force TLS 1.2

This disables TLS 1.0 and TLS 1.1 completely, which increases security as these older protocols may be used as attack vectors. (Note that TLS technically contains a mechanism for preventing protocol downgrade attacks, but it requires participation from both the client and the server, which is not guaranteed in practice.)

security.tls.version.min=3

Recommended addons (bonus)

In addition to the above settings, I personally recommend the usage of at least the following addons:

  • HTTPS Everywhere: Prefer HTTPS over HTTP even for sites that do not force HSTS.
  • μBlock₀: Block access to all known ads, malware domains, badware, and other malicious scripts and domains.
  • uMatrix or NoScript+RequestPolicy: Block scripts, images, CSS, objects and other (possibly external) requests by default, using a whitelist to selectively allow them. This is highly recommended as they all pose significant threats to security and privacy.
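The settings above can also be applied from a user.js file in the profile directory instead of being typed into about:config one by one. The following Python script is an added example and not part of the original gist: it parses lines in the key=value format used in this list, infers the boolean/integer/string type a Firefox pref needs, emits user_pref() lines, and reports keys that appear more than once (as security.tls.version.min does above, where the last value is the one that ends up in the file). The SAMPLE text is a constructed excerpt of the list, and the optional sync flag emits the services.sync.prefs.sync.* mirror prefs suggested in the comments below.

```python
import re
import sys
from typing import Dict, List, Tuple, Union

PrefValue = Union[bool, int, str]

# Constructed sample input in the format used on this page: one key=value per
# line, sometimes inside a numbered list item. It deliberately includes the
# duplicate security.tls.version.min entry to exercise the duplicate report.
SAMPLE = """\
network.websocket.enabled=false
  2. browser.pocket.enabled=false
geo.wifi.uri=""
security.OCSP.enabled=1
security.tls.version.min=1
security.tls.version.min=3
privacy.donottrackheader.enabled=true
"""

# Optional "N. " list prefix, then a pref name, "=", then the raw value.
PREF_LINE = re.compile(r'^\s*(?:\d+\.\s*)?([A-Za-z][A-Za-z0-9_.-]*)=(.*?)\s*$')


def parse_value(raw: str) -> PrefValue:
    """Map the page's textual values onto the three types a Firefox pref can hold."""
    if raw in ("true", "false"):
        return raw == "true"
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]          # quoted string, e.g. "" for an empty URI
    return raw                    # bare string


def parse_prefs(text: str) -> Tuple[Dict[str, PrefValue], Dict[str, List[PrefValue]]]:
    """Return the effective prefs (last value wins) and every key seen more than once."""
    prefs: Dict[str, PrefValue] = {}
    duplicates: Dict[str, List[PrefValue]] = {}
    for line in text.splitlines():
        match = PREF_LINE.match(line)
        if not match:
            continue              # headings and prose are skipped
        name, value = match.group(1), parse_value(match.group(2))
        if name in prefs:
            duplicates.setdefault(name, [prefs[name]]).append(value)
        prefs[name] = value
    return prefs, duplicates


def js_literal(value: PrefValue) -> str:
    """Render a value as the literal user.js expects (bool checked before int)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def to_user_js(prefs: Dict[str, PrefValue], sync: bool = False) -> str:
    """Emit user_pref() lines; with sync=True also emit the Firefox Sync mirror prefs."""
    lines = []
    for name, value in prefs.items():
        lines.append(f'user_pref("{name}", {js_literal(value)});')
        if sync:
            lines.append(f'user_pref("services.sync.prefs.sync.{name}", true);')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    prefs, duplicates = parse_prefs(SAMPLE)
    for name, values in duplicates.items():
        print(f"warning: {name} set {len(values)} times, using {values[-1]!r}", file=sys.stderr)
    sys.stdout.write(to_user_js(prefs))
```

Run it and redirect standard output into user.js inside the Firefox profile directory; Firefox re-applies a user.js on every start, so a value changed later in about:config reverts unless the file is updated too.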

alexbel commented Sep 13, 2015

@haasn, great list. Is there a plugin which does it automatically?

lmas commented Sep 14, 2015

Great indeed, but I'm missing links to pages with more info about each issue.

For example, could someone clarify the issue with websockets and why they can be used for "nefarious purposes and to bypass access restrictions." (that's some strong wording)? All I found on that was some IPv6 bug which apparently was fixed in firefox12...

wiiaboo commented Sep 17, 2015

Note: dom.event.clipboardevents.enabled=false breaks Google Docs.

Najoj commented Dec 30, 2015

Good list. How about adding these tweaks mentioned on Ghacks which has to do with Telemetry pings?

calestyo commented Jan 3, 2016

I just found that project via a Debian bug.... it may be worth considering joining your efforts with one of the already existing such projects, e.g. https://github.com/pyllyukko/user.js/blob/master/user.js ... there are already many such guides on how to make FF suck less, and it's just an awful effort to check them all, and they all contain different information.

btw: Some stuff of your list is outdated,... e.g. network.websocket.enabled doesn't exist anymore... and many others are missing ;-)

I just wrote a message in reply to @allo- and also mentioned you @haasn . Me @gunnersson also have a list of settings. Maybe they could be integrated all together. Any comments?

MrYar commented Jul 4, 2016

Thank you for your work. Here's some suggestions for updates

browser.beacon.enabled has been renamed to beacon.enabled

Also: this one doesn't change to false when unchecking datareporting in preferences. Suggest adding to list.
datareporting.policy.dataSubmissionEnabled.v2=false

According to this https://bugzilla.mozilla.org/show_bug.cgi?id=1195552#c4
It says the master switch for turning off the data reporting is the following (and takes precedence over the datareporting.healthreport.uploadEnabled)

Master switch for datareporting:
datareporting.policy.dataSubmissionEnabled=false

timmc commented Jul 13, 2016

It seems a bit much saying that the telemetry allows Mozilla to "spy" on you.

MrYar commented Sep 3, 2016

Fork created, with some minor changes for firefox 47.0.1
https://gist.github.com/MrYar/751e0e5f3f1430db7ec5a8c8aa237b72

Thanks again haasn.

MrYar commented Jan 8, 2017

I have made some updates to my fork. They include about twice the number of hardening changes, and the method of implementing is far easier. Just create a file called "user.js" in the mozilla user directory (given on the fork), and paste all the code. No more manually entering in each change.

akoppa commented Jan 19, 2017

Be aware! Some suggested changes will render some pages useless. For instance, if you apply all the .ssl. modifications you will not be able to sign in at IMDB. I'm paranoid too, but not to such an extent.

Is there a firefox minus bullshit fork ?

allo- commented Mar 8, 2017

I added some stuff from your list as issues on https://github.com/allo-/firefox-profilemaker, live instance on ffprofile.com
They will be integrated as soon as i write descriptions and check if they are already covered by other settings.
If you like to contribute, any help is welcome. See forms.py for the settings format or have a look at the profiles branch, which will bring a more modular format.

Hello everybody. Any chance to get this as an addon to switch option on/off? Would pledge if needed on Kickstarter or Indiegogo!
So what do you think?

dontknowsquat commented Mar 23, 2017 edited

Hello fellow geeks. Well, I did everything as prescribed here, and now when I run Firefox ver 42 after I installed the following addons/exts. from the links here:
1) RequestPolicy
2) HTTPS Everywhere
3) Redirect Control
4) Proxy Switcher

now in Facebook and my email accounts, all the graphics and radio buttons are shown broken. Any ideas before I change everything back???
Can I use an old profile jon file etc.?

dankles commented Apr 30, 2017

I now use this to enable/disable privacy about:config features. Thought you guys might find it useful.

sergeevabc commented Jun 28, 2017 edited

Typo to fix: browser.beacen.enabled=false -> beacon.enabled=false.

vn971 commented Jul 24, 2017

@haasn @sergeevabc indeed, please fix the typo. (Feel free to delete my comment after an edit.)

vn971 commented Jul 24, 2017

security.tls.version.min=1 -- this can be removed, it's already defaulted to 1.

kgbm3 commented Jul 28, 2017 edited

@Najoj Ghacks does have a great user.js script, like you said.. It's at:

https://www.ghacks.net/2016/07/03/comprehensive-firefox-user-js/

"The most comprehensive Firefox user.js has been updated July 3, 2016" & there are, in fact, several URLs through which it's accessible.

^^ Similar to what @nodiscc had posted, a (custom) user.js

@calestyo it might help to mention what's missing like @MrYar has done: "Thank you for your work. Here's some suggestions for updates".
:)

I wanted to add (another) two links, just what I'd run into -recently- configuring Android 6.0 Firefox (Beta); trying to get the uBlock Origins WebExtension:

https://www.techworm.net/2016/02/12-coolest-firefox-aboutconfig-tips-and-tricks-to-protect-your-privacy.html
&
https://privacytoolsio.github.io/privacytools.io/#about_config

The last link is really (!) cool, it lists some very nice open-source apps!

@Najoj Ghacks does have a great user.js script, like you said.. It's at:

https://www.ghacks.net/2016/07/03/comprehensive-firefox-user-js/ [DO NOT USE]

https://github.com/ghacksuserjs/ghacks-user.js .. it has been at GitHub for 6 months now. And instead of a one-man band and 6-monthly updates at ghacks, it's now so much better: "crowd-sourced" and massively superior to before, and always right up to date (stable), even with one-character switches to flip on ESR 52.x preferences and loads more. That ghacks article should be removed.

Thorin-Oakenpants commented Aug 29, 2017 edited

After a very quick casual glance, the above md contains quite some factual errors, such as safe browsing connecting to google, and quite a few deprecated preferences, although I fully understand it's an old unmaintained copy

Dear all!

Great stuff you have! Some additional suggestions from my side...

Please, have a look at https://github.com/gunnersson and, to be more precise, at https://github.com/gunnersson/my_Mozilla_settings !

That's my repo and project. There's no intention of bad rivalry, but just good competition by me. In fact, there are many users and repos at GitHub of similar idea and content.

But it would be my intention to bring them all a bit together for sharing and collecting.

Maybe, in this way Mozilla Firefox and Mozilla Thunderbird could be a real joy for many people...

Thank you and kind regards,

Gunner

jawz101 commented Oct 4, 2017

If you want any preferences to sync across devices using a Firefox Sync account, create additional config preferences with the prefix "services.sync.prefs.sync." and then set them to true.

ex:
create a new boolean for device.sensors.enabled
it would be
services.sync.prefs.sync.device.sensors.enabled
and set it to true.
Then it'll sync across your devices. I don't think it will sync with mobile Firefox, though, but at least desktops. I've been doing this for a few years.

network.IDN_show_punycode = true

stops IDN phishing
