
Firefox about:config privacy settings - krn
https://gist.github.com/0XDE57/fbd302cef7693e62c769
======
pcwalton
I don't like encouraging mucking around in about:config, but I might as well
mention this one. If you don't mind your window losing vibrancy and rounded
corners, you should be able to significantly improve battery life on macOS by
setting "gfx.compositor.glcontext.opaque" to true. This makes WindowServer
stop drawing whatever is behind the Firefox window.

This bug tracks the proper solution:
[https://bugzilla.mozilla.org/show_bug.cgi?id=1429522](https://bugzilla.mozilla.org/show_bug.cgi?id=1429522)

~~~
bmurphy1976
I have a new 2018 MBP with an i9. I've noticed I can squeeze upwards of six
hours battery out of it using Safari. With Firefox I'm lucky to get three.

I made this change just to see. So far it does appear to have lowered the
energy impact score a bit, but I'm not sure it's enough to matter yet. I guess
we'll know in a couple hours.

Edit: 20 minutes in and I've watched my Time Remaining estimate creep up from
3 hours to 5.5 hours. Seems like a solid win so far (other than it looks like
crap).

~~~
greggarious
I use Firefox. I've found the big battery hit has come from streaming services
(Netflix, Pandora, Spotify, Youtube, etc).

One small change I made was streaming music to my phone, and that had a big
impact.

I know that streaming will use some battery life, but the amount of CPU being
used by say, Pandora, was rather extreme.

~~~
bmurphy1976
Sure, those will kill battery usage, but that's not what I'm doing. Typically
I'm bouncing between the browser with about 10 informational tabs open,
terminal, and sublime text all day long. There's a night and day difference
using Safari vs Firefox for just regular browsing.

I'm not the only one who experiences this either, I have a coworker who
complains about the same issue with his couple-year-old MBP. Firefox is a
battery vampire.

~~~
nextos
It'd be interesting to monitor Firefox vs Safari using e.g. powertop. Using
Linux, I get excellent battery life using Firefox. But it might be the case
that safari is still much better, or that it behaves differently on macOS.

~~~
pcwalton
Note that the GL context opacity issue is entirely macOS-specific and does not
affect Linux.

------
Uh7seidu
> dom.event.contextmenu.enabled = false

This is a blunt tool. Some sites use context menu events in a benign way. A
better alternative is to simply bypass context handlers with shift-rightclick
when necessary.

> webgl.force-enabled

This isn't really a performance improvement. If webgl is disabled it's due to
troublesome drivers. Forcing it on can crash things.

> layers.offmainthreadcomposition.enabled = true
> layers.offmainthreadcomposition.async-animations = true

Those are the defaults anyway on supported platforms.

~~~
sp332
Hey I didn't know about shift-rightclick. For me, disabling
dom.event.contextmenu.enabled gives me both menus at once, then I tap Alt to
get rid of the browser's menu if I want to use the app's menu underneath it.
But I won't have to do that anymore.

------
floatingatoll
Seriously, again?

Applying all of the changes at this list will harm users and increase the
chances of threats compromising the browser.

Don’t be shortsighted and use this blindly. Especially do not punish some poor
unwary non-tech user by altering these settings on their behalf.

~~~
jake_the_third
> Applying all of the changes at this list will harm users and increase the
> chances of threats compromising the browser.

How so?

~~~
floatingatoll
browser.safebrowsing.phishing.enabled = false

These instructions disable phishing lookups, rather than pointing users to a
list of alternatives. This is unsafe and harmful to bury in this list.

network.cookie.alwaysAcceptSessionCookies = false

They will immediately lose the ability to login to their password manager,
which requires session cookies.

browser.cache.disk.enable = false
browser.cache.memory.enable = false

They will start loading every resource on a page on every visit to every page,
as no resources will be cached. One hour of browsing will use a month's data
quota and the glorious no-caching detail of every pageview will be closely
observed by the server-side logging metrics that are so desperate these days
to extract targetable marketing data.

webgl.force-enabled = true

Browsers disable WebGL in some scenarios to protect users from hardware,
software, and/or driver bugs that cause crashes when WebGL is enabled. This
setting overrides that which increases their risk of GPU, browser, and system
crashes. Additionally all crashes are either "exploitable" or "not
exploitable", so bypassing crash mitigation processes increases your risk of
one such vector being used against your browser.

network.dns.disableIPv6 = true

Over the next ten years, the user will see that more and more of the web
breaks down and mysteriously fails in their browser. Sites only load
partially, videoconferencing never works properly, video streaming is jerky
and slow. Providers shipped IPv6 to their customer endpoints years ago.
Disabling it has potential downsides and no upsides either for "privacy
settings" or anything else.

~~~
guilhas
This is HN. Advanced knowledge is not an issue.

People making changes to user.js will have some knowledge of what they are
doing, and handle the issues.

The post points to some security/privacy extensions to complement it. Nothing
that a user changing user.js wouldn't already know.

~~~
floatingatoll
Presuming intimate knowledge of second- and third-order consequences from
seemingly-innocuous preference changes is guaranteed to be a losing bet, even
among tech enthusiasts and experts.

I missed the high risk resist-fingerprinting setting and had no idea it would
cause so many problems. Those problems certainly are not documented in the
gist and I would have fallen prey to them if I had applied it unaware.

Advanced knowledge is not the issue. Misrepresented knowledge is the issue. A
document about “privacy settings” contains non-privacy settings and does not
contain any mention of the lasting harmful side effects due anyone who uses
any of the settings within it.

EDIT: _This_ is how to approach changing one of these settings with the
respect and care due to such a suggestion:

[https://news.ycombinator.com/item?id=17944991](https://news.ycombinator.com/item?id=17944991)

~~~
guilhas
So that's you, but don't say that they should not share their knowledge
because it does not follow your standards. I'm more than happy to see someone's
experience on this, what worked for them, and compare it with mine. Better to
have something than nothing; not everyone has time to write a blog post every
time they change one setting.

You change it. Have issues. Realize it does not work for you. Change it back.
If you're not sure or don't have time to deal with it, don't do it. Not
difficult, is it?

And as said previously, the responsibility is on the person making the change to
their browser; no one is forcing them.

This is my preferred approach:
[https://github.com/ghacksuserjs/ghacks-user.js](https://github.com/ghacksuserjs/ghacks-user.js)
[https://github.com/pyllyukko/user.js](https://github.com/pyllyukko/user.js)

~~~
floatingatoll
Sharing knowledge respectfully and without overstatement or misrepresentation
is a bar I’m not willing to lower. We’ll have to settle for disagreeing on
this point.

------
kodablah
> Disable Google Safe Browsing and malware and phishing protection. Stop
> sending links and downloading lists from google.

To be clearer here, lists of partial hashes are downloaded and entire links
are only sent after partial match. Still worth disabling for privacy reasons
if you care more about that than safe browsing protection, but worth
clarifying how it works lest one thinks all links are sent.

~~~
magicalist
> _and entire links are only sent after partial match._

Only part of a hash of the url is sent to get an update for all the URLs in
the partial match block. The actual url is never sent.

The exception is when download malware protection is on. In that case, when
downloading a file the actual URL is sent. That's a regular preference, though
("Block dangerous downloads"), doesn't need about:config changes, and is well
described in the help docs.

[https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work?as=u&utm_source=inproduct#w_what-information-is-sent-to-mozilla-or-its-partners-when-phishing-and-malware-protection-are-enabled](https://support.mozilla.org/en-US/kb/how-does-phishing-and-malware-protection-work?as=u&utm_source=inproduct#w_what-information-is-sent-to-mozilla-or-its-partners-when-phishing-and-malware-protection-are-enabled)
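A client/server simulation of the lookup kodablah and magicalist describe, added here as an illustration and not Firefox's or Google's own code: the client holds only hash prefixes, a prefix (never the URL) goes over the wire only when one matches locally, and the full-hash comparison happens on the client. The URL-expression rules are a simplified version of Safe Browsing canonicalization, and the blocklist entry is constructed.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # Safe Browsing v4 lists distribute 4-byte SHA-256 prefixes


def url_expressions(url):
    """Host-suffix / path-prefix combinations a client checks for one URL.

    Simplified from the Safe Browsing canonicalization rules (an assumption of
    this example): the full host plus host suffixes of 2..4 labels, combined
    with the full path (with query), the path without query, and each parent
    directory up to '/'.
    """
    p = urlsplit(url)
    host = p.hostname
    labels = host.split(".")
    hosts = [host] + [".".join(labels[-n:]) for n in (4, 3, 2) if n < len(labels)]
    path = p.path or "/"
    paths = [path + "?" + p.query] if p.query else []
    paths.append(path)
    parts = path.split("/")  # '/a/b.html' -> ['', 'a', 'b.html']
    for i in range(len(parts) - 1, 0, -1):
        prefix = "/".join(parts[:i]) + "/"
        if prefix not in paths:
            paths.append(prefix)
    return [h + pth for h in hosts for pth in paths]


def full_hash(expression):
    return hashlib.sha256(expression.encode("utf-8")).digest()


class LocalPrefixList:
    """Client side: the blocklist is downloaded in bulk as hash prefixes only."""

    def __init__(self, prefixes):
        self.prefixes = set(prefixes)

    def matching_prefixes(self, url):
        # Everything here is local: no URL, hash or prefix leaves the machine.
        return {full_hash(e)[:PREFIX_LEN] for e in url_expressions(url)} & self.prefixes


class ListServer:
    """Provider side: knows the full hashes and answers prefix queries only."""

    def __init__(self, bad_expressions):
        self.full_hashes = {full_hash(e) for e in bad_expressions}
        self.requests_seen = []  # everything the provider learns from clients

    def prefixes(self):
        return {h[:PREFIX_LEN] for h in self.full_hashes}

    def find_full_hashes(self, prefixes):
        self.requests_seen.append(sorted(prefixes))
        return {h for h in self.full_hashes if h[:PREFIX_LEN] in prefixes}


def check_url(url, local_list, server):
    """Return (verdict, bytes_sent). The wire payload is hash prefixes, never the URL."""
    hits = local_list.matching_prefixes(url)
    if not hits:
        return "clean", b""  # the common case: no network request at all
    wire = b"".join(sorted(hits))
    full = server.find_full_hashes(hits)
    # A prefix collision with an unrelated entry resolves to 'clean' here,
    # because the full hashes are compared locally and do not match.
    unsafe = any(full_hash(e) in full for e in url_expressions(url))
    return ("unsafe" if unsafe else "clean"), wire
```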

~~~
kodablah
Yes, my mistake, I should correct to "only checked". Still makes an internet
call to a third party (as does the original hash list download) which I think
the OP is wanting to avoid w/ the settings updates, but yes, URL not sent to
list maintainer.

~~~
Drdrdrq
Still - it is unsettling that the only browser available that somewhat
respects privacy, sends _anything_ to some 3rd party, and completely
unacceptable that they send it to Google.

------
forapurpose
How do we, and more importantly how do adventurous end users, distinguish
useful from useless from harmful configuration changes? Why should I trust
this person? Why should I think it's worth my time?

I find that these accumulated lists of security ideas are usually dangerous -
in any domain, not just Firefox or browsers. They collect information and
misinformation and add a veneer of legitimacy. Some settings don't behave as
you think; some aren't documented; some are poorly implemented or tested by
the vendor, who didn't design them for end users, and their malfunctions can
create more security holes. Some are implemented for reasons you don't
understand ('before you tear down a fence, know the reason it was put there').
Some are dependencies for other settings, features, and subsystems.

It would have to be work by an expert in browsers or Firefox or security, such
as a Mozilla engineer or someone like Giorgio Maone, for me to trust a list
like this one.

------
Uplink
Who do I tell my brand new, bright idea about IDN attack prevention?

It goes like this:

Display characters that are out of range of your selected language's character
set in a different colour than the characters of your language.

That way, when you go to раураӏ.com that last character shows up in red.

Homework: select two languages (e.g. Chinese and English), and use three
colours. Make the colour scheme colour-blind-friendly.

(it just came to me, I haven't thought it through; I'd rather read different
coloured characters than punycode)

~~~
tialaramex
Colouring is not very universal, and so not generally a good choice. Browsers
have taken different approaches to this, two popular ones are:

* Identify TLD registry operators who have a sane approach that prohibits or otherwise is effective for controlling homographs, whitelist their TLDs, default to showing punycode (the A-labels used by the DNS system which are always just ASCII). This has the effect that if your name looks "wrong" that's a problem to take up with your TLD registry. Note that com doesn't have such policies at all, it's a vast sleazy market and it remains interesting to me that huge global brands would rather be in that market, trying to shout over the crowd, than leave it to rot.

* Identify cases like you've described with "confusing" mixtures of scripts and display those as punycode.

Both have problems. The former requires that you effectively police TLD
registry operators. Find out what their policies are, check they actually
implement those policies effectively, and take action if this changes. The
latter requires you figure out how all the world's language communities use
different scripts, and how that interacts with Unicode, in order to avoid
penalising combinations lots of people want, while still detecting attacks.
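Two label checks as an added example (not code from either comment): tialaramex's mixed-script rule, plus a whole-script lookalike check that is needed because Uplink's раураӏ.com is entirely Cyrillic and mixes nothing. The script table and the lookalike set are constructed simplifications of Unicode's Script property and confusables data, and `script_runs` returns the per-character data a colouring scheme would need.

```python
import unicodedata

# Coarse script detection: the prefix of unicodedata.name() names the script.
# A simplification of Unicode's Script property, assumed for this example.
SCRIPTS = ("LATIN", "CYRILLIC", "GREEK", "ARMENIAN", "HEBREW", "ARABIC",
           "DEVANAGARI", "HANGUL", "HIRAGANA", "KATAKANA", "CJK")

# Cyrillic letters that render almost identically to Latin letters in common
# fonts: а с е о р х у ѕ і ј ӏ. Constructed, deliberately small subset; a real
# check would use the full Unicode confusables data.
CYRILLIC_LATIN_LOOKALIKES = set(
    "\u0430\u0441\u0435\u043e\u0440\u0445\u0443\u0455\u0456\u0458\u04cf")


def script_of(ch):
    """Map a character to a coarse script name; digits and hyphen are COMMON."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "")
    for script in SCRIPTS:
        if name.startswith(script):
            return script
    return "OTHER"


def to_ulabel(label):
    """Decode an A-label (xn--...) to its Unicode form; other labels pass through."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def to_alabel(label):
    """Encode a Unicode label as an A-label; pure ASCII labels are unchanged."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def script_runs(label):
    """Per-character script tags for a label (decoded first if it is punycode)."""
    return [(ch, script_of(ch)) for ch in to_ulabel(label)]


def classify_label(label):
    """Return 'ok', 'mixed-script' or 'whole-script-confusable' for a U-label."""
    letters = [ch for ch in label if script_of(ch) != "COMMON"]
    scripts = {script_of(ch) for ch in letters}
    if len(scripts) > 1:
        return "mixed-script"
    # The case from the thread (раураӏ): no script mixing at all, yet every
    # letter is a Cyrillic lookalike, so the label renders as 'paypal'.
    if scripts == {"CYRILLIC"} and all(ch in CYRILLIC_LATIN_LOOKALIKES for ch in letters):
        return "whole-script-confusable"
    return "ok"


def display_hostname(hostname):
    """Show a label in Unicode only when both checks pass; otherwise show punycode."""
    shown = []
    for label in hostname.split("."):
        ulabel = to_ulabel(label)
        shown.append(ulabel if classify_label(ulabel) == "ok" else to_alabel(ulabel))
    return ".".join(shown)
```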

------
driverdan
Some of these are strange choices and conflict. For example, disabling caching
and then changing the cache size. Or disabling caching at all since it will
have a significant negative performance impact. If you're concerned about what
caching leaves behind use memory caching only.

------
phyzome
This list is somewhere between worthless and dangerous.

Chesterton's Fence: Presumably Mozilla has already optimized the privacy and
performance of Firefox as much as they've felt comfortable doing. If they
could change each of those settings as recommended _without tradeoffs_ to help
the user, they would have done so.

Without listing the tradeoffs for each one, this list cannot be relied upon.

~~~
kodablah
Dangerous is assuming Mozilla optimized only for privacy and performance. Why
would you assume that and discourage people trying to optimize for that? This
list wouldn't exist if Mozilla offered an equivalent, optimizing for only
those two metrics, and explaining the tradeoffs you're asking for.

What you'll find, as has been the case for Mozilla in some recent decisions,
is the tradeoff includes (but is not limited to) profitability and ease-of-
use, two things you left off your list of what you think Mozilla optimizes
for. That blind trust and invalid set of optimization metrics shouldn't be
perpetuated. Granted blind trust in this list is unwise too.

~~~
singularity2001
Mozilla is optimizing for a weighted sum of privacy and revenues from Google
(who still account for >90% of Mozilla's income).

Therefore manually removing all Google partner tracking features in
about:config is a very sane choice.

~~~
boomboomsubban
> who still account for >90% of Mozilla's income).

You say still, but this will be the first time in a few years that will
probably be true. The details of the Google deal aren't public, but I doubt it
forced them to spend the past few months secretly hiding Google tracking into
the browser.

------
nerdponx
I frequently see recommendations to disable "safe browsing" features. Why?

~~~
dao-
Hysteria or ignorance, as with other items in this list. Safe browsing is
designed not to compromise privacy.

~~~
Drdrdrq
Ha! Says Google, right? Anything that gets sent to them is too much.

~~~
dao-
Says Mozilla, and the source code is available for anyone to double-check.
Google doesn't have control over what data Firefox sends to the safe browsing
API.

~~~
Drdrdrq
Let me fix that for you: Google doesn't have _direct_ control...

------
a-ve
[https://ffprofile.com](https://ffprofile.com) does almost the same thing,
albeit without the memory stuff described in this gist.

------
kibwen
_> These settings are best combined with your standard privacy extensions
(HTTPS Everywhere, NoScript/Request Policy, uBlock origin, agent spoofing,
Privacy Badger etc)_

Side question: how many of these ought to just be standard behavior of the
browser? For example, will Firefox's new tracking protection make Privacy
Badger obsolete? Should the HTTPS Everywhere extension, which attempts to
route any HTTP request to an equivalent HTTPS, be the default behavior?

~~~
gsnedders
I'm sure plenty of people on here would object to HTTPS Everywhere being
default: "but the user typed the HTTP scheme, the browser should do what the
user asked!".

That said, the bigger problem is that too many things that HTTPS Everywhere
tries to upgrade to HTTPS are only partial versions of the site; you'd
probably need something more conservative to avoid too much breakage.

~~~
BuckRogers
I moved from HTTPS Everywhere & Privacy Badger to DuckDuckGo Privacy
Essentials. It does the job of both of those with one add-on.

In response to HTTPS Everywhere breaking things, it does, and I've done tests
comparing it and DDG PE and found sites that would break using HTTPS
Everywhere did not with DDG PE. They may simply be doing more testing.

------
Zooper
Plugin fingerprint protection was removed 3 years ago by a poorly-reasoned
patch, favoring the large bug of unimpeded surveillance over the very tiny bug
of sites looping through non-existent lists if and only if they need to
interact with a plugin. Seeing the conversation, I'm looking for a different
browser.

"remove_plugins-enumerable_names.patch

Bug 757726 hid most plugins from navigator.plugins enumeration to reduce
fingerprinting. Plugin detection scripts could ask for a plugin or MIME type
by name, but they couldn't get a list of all installed plugins. Unfortunately,
the feature had to be disabled because it broke pretty much all plugin
detection scripts because they naively search for the desired plugin using an
O(n) loop instead of a O(1) query.

This patch removes the disabled code because it is unlikely we could ever re-
enable it. In addition to removing the obsolete navigator.plugin tests for
detecting hidden plugins, it adds tests for detecting click-to-play and
disabled plugins."

~~~
bzbarsky
The site bug wasn't "sites looping through non-existent lists if and only if
they need to interact with a plugin". It was sites trying to detect whether
Flash is installed by looping over the list, deciding it's not installed, and
not trying to play the video (or the game or whatever), instead pointing the
user to a "Download Flash" page.

This affected enough sites that it was a serious problem for users, not a
"very tiny bug".

In any case, at this point Firefox supports exactly one plug-in, so all
enumeration can tell you is whether Flash is installed or not. That's still
one bit of data, of course, but that bit could be extracted even with the "no
enumeration" patch by explicitly querying whether Flash is supported.

------
bobthedino
Am pleased to discover the "network.IDN_show_punycode" option and wonder why
it doesn't default to true, given the way other browsers seem to handle this.

~~~
gsnedders
Other browsers vary their behaviour depending on locale, if I'm not mistaken,
so that people in countries where IDNs are common don't constantly see
meaningless punycode.

------
colecut
I noticed recently that unless I manually went in and set a master password,
anyone can easily go into the FireFox settings and view all saved passwords..

I've been using FireFox Quantum as my primary browser for 3 or 4 months now
and am really trying to love it, but chrome is just so much snappier..

~~~
SubiculumCode
That has been true since forever, btw. I feel like Firefox should make this
more clear to users.

~~~
nathancahill
Isn't that true for any browser though?

~~~
colecut
Chrome prompts me for my system password before letting me view passwords

~~~
xfer
Depends on what system you are on. It might make use of libkeyring if available
on Linux, for example. I prefer not to save passwords in browsers and use
password managers.

------
howeyc
Do these settings sync? Or do I need to do this on every one of my machines
which has firefox installed?

~~~
8bitsrule
Probably not. OTOH, you can put the changes into a file called 'user.js'. Go
to the folder of the FF profile you're using. Backup the file 'prefs.js' to
restore in case you don't like the result. Then drop 'user.js' into that
folder and restart.

When you're sure you're happy with the changes, then you can just drop
'user.js' into the profile folder(s) on your other machines.

The process is detailed here.
[https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/)

Edit: I haven't personally tested this past FF59.

------
zamadatix
It makes me sad that a lot of the privacy settings are as damaging as the thing
you are trying to avoid, for no reason. Examples:

- With right clicks I want sites to be able to supplement options but the
only options are "complete replacement" or "no modification at all".

- I don't want to disable sending MIME information when I paste to prevent a
site from being able to block me from copying.

- Why do I have to make the url unreadable to have special characters
emphasized?

~~~
parliament32
For the first one, just leave it on and use shift+rclick to bypass site
handling of right click.

------
billysielu
First Party Isolation is the best flag you can set.

~~~
Drdrdrq
Thanks, didn't know this feature. More info:
[https://www.ctrl.blog/entry/firefox-fpi](https://www.ctrl.blog/entry/firefox-fpi)

------
yborg
After a number of experiments with Panopticlick, the single biggest
fingerprint was ... screen depth and resolution. Even after disabling most of
the other main fingerprinting mechanisms, my maximized browser window on a 30"
display was a very small subset of the last 45 days test results. This was
surprising to me.

------
all_factz
One thing that's frustrated me about FF (and kept me using Chrome) is that
local development is a pain in general... for example, when I type `localhost`
in my nav bar, Chrome autofills the port; FF doesn't (it just puts
`localhost/`, which is useless). Next, FF interacts oddly with NGINX, telling
me `The plain HTTP request was sent to HTTPS port`, whereas Chrome just passes
me right along, giving me a little `Not Secure` text next to the URL.

Given I have to go to this website about 1000x per day, you can see why using
FF is painful...

Anyone have any advice (on config, for example) for fixing this? And if anyone
on the FF team is listening... I'd like to use your browser, but this has kept
me from doing so.

~~~
thiht
>for example, when I type `localhost` in my nav bar, Chrome autofills the
port; FF doesn't (it just puts `localhost/`, which is useless).

What? Isn't it the opposite? I have the exact opposite experience with Firefox
and Chrome, FF autofills the ports and Chrome doesn't oO

I just checked it right now to be sure I remembered correctly.

~~~
myfonj
I have the opposite experience with Chrome as well: I like it when the URL bar
behaves just like a URL bar and does nothing extra. I worked in a company that
used a custom TLD for all sites on the internal network, and every single time
I entered such a `site.tld` in Chrome's URL bar it insisted on _searching_ for
that instead of just appending the protocol and '/' path and visiting it like a
reasonable browser.

To be honest, Firefox likes to mess with input too, but it can be easily tamed
with a few prefs, namely:

    keyword.enabled=false
    // no implicit searching from URL, must use explicit keyword or Searchbar
    browser.fixup.alternate.enabled=false
    // this prevents trying www. … .com or other configured suffixes when domain-like URL fails
    browser.urlbar.trimURLs=false
    // do not hide protocol and slash
    browser.urlbar.filter.javascript=false
    // bookmarklets FTW
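The user.js procedure 8bitsrule describes (back up prefs.js, drop user.js into the profile folder, restart), applied to the four URL-bar prefs myfonj lists, as an added example that is not code from either commenter. It assumes the `user_pref("name", value);` line format Firefox reads from user.js and the `[ProfileN]` sections with `Name`, `Path` and `IsRelative` keys that Firefox writes to profiles.ini.

```python
import configparser
import json
import re
import shutil
import time
from pathlib import Path

# The URL-bar prefs from the thread; values keep the JS types Firefox expects.
URLBAR_PREFS = {
    "keyword.enabled": False,                   # no implicit searching from the URL bar
    "browser.fixup.alternate.enabled": False,   # no www./.com guessing on failed lookups
    "browser.urlbar.trimURLs": False,           # keep scheme and trailing slash visible
    "browser.urlbar.filter.javascript": False,  # allow javascript: bookmarklets
}

USER_PREF_RE = re.compile(r'^\s*user_pref\(("(?:[^"\\]|\\.)*"),\s*(.+?)\);\s*$')


def render_user_js(prefs):
    """Serialize prefs as user_pref() lines; json.dumps yields literals Firefox
    accepts (true/false, integers, double-quoted strings)."""
    lines = ["// user.js: these values override prefs.js on every Firefox start"]
    for name in sorted(prefs):
        lines.append(f"user_pref({json.dumps(name)}, {json.dumps(prefs[name])});")
    return "\n".join(lines) + "\n"


def parse_user_js(text):
    """Read user_pref() lines back; comments and blank lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = USER_PREF_RE.match(line)
        if m:
            prefs[json.loads(m.group(1))] = json.loads(m.group(2))
    return prefs


def find_profiles(profiles_ini):
    """Map profile names to directories from a Firefox profiles.ini."""
    ini = configparser.ConfigParser()
    ini.read(profiles_ini, encoding="utf-8")
    base = Path(profiles_ini).parent
    result = {}
    for section in ini.sections():
        if section.startswith("Profile") and "Path" in ini[section]:
            path = Path(ini[section]["Path"])
            if ini[section].get("IsRelative", "1") == "1":
                path = base / path  # relative paths hang off the profiles.ini folder
            result[ini[section].get("Name", section)] = path
    return result


def install_user_js(profile_dir, prefs):
    """Back up prefs.js, then write user.js into the profile (Firefox must be closed).

    Returns (user_js_path, backup_path_or_None). To revert: delete user.js and
    copy the backup back over prefs.js, because values from user.js are
    re-applied to prefs.js on every start while the file is present.
    """
    profile_dir = Path(profile_dir)
    prefs_js = profile_dir / "prefs.js"
    backup = None
    if prefs_js.exists():
        backup = profile_dir / f"prefs.js.bak-{time.strftime('%Y%m%d-%H%M%S')}"
        shutil.copy2(prefs_js, backup)
    user_js = profile_dir / "user.js"
    user_js.write_text(render_user_js(prefs), encoding="utf-8")
    return user_js, backup
```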

------
OzzyB
Somewhat tangential, but can someone explain why Firefox users need to
explicitly enable new Streams API support? [1]

Safari, Chrome implement these APIs out-of-the-box but FF wants users to open
`about:config` (and ignore the ominous warning) and set `dom.streams.enabled`
and `javascript.options.streams` to `true`.

It seems a little backwards to me since this has been available since version
57 and their webpage is the first result when searching for this
documentation!

[https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream](https://developer.mozilla.org/en-US/docs/Web/API/ReadableStream)

~~~
gsnedders
Quality of implementation.

[https://bugzilla.mozilla.org/show_bug.cgi?id=1389628](https://bugzilla.mozilla.org/show_bug.cgi?id=1389628)
is the tracking bug for enabling it by default.

------
satysin
While talking about Firefox I have a quick question I am hoping someone here
can help answer.

One feature of Chrome I like a lot is the super simple per-site settings
options. I use this to disable JS on a number of sites without impacting any
other sites. As far as I can tell there is no option built into Firefox that
allows me to do this. Does anyone know of a simple way to get per-site JS
blocking?

I have looked at a few extensions which work, but I was wondering (hoping) for
a hidden Firefox option to do such a thing. I have tried to get Firefox
policies to work but they appear broken?

Can anyone help?

~~~
Drdrdrq
uMatrix lets you set policies per domain / subdomain, while being very easy to
use (for someone who knows web technologies). Highly recommend it.

~~~
satysin
Isn't that the same as blocking scripts with uBlock Origin?

~~~
SSLy
It is, but I have easier time understanding what uM does over uBo.

~~~
satysin
Thanks. Just wanted to make sure I was understanding things right. Will check
out uMatrix.

------
xenophonf
If you're interested in hardening your Firefox profile, check out this
repository of user.js settings:

[https://github.com/pyllyukko/user.js](https://github.com/pyllyukko/user.js)

This does things like blocking analytics and browser fingerprinting, and it's
simple to install or revert: just drop the user.js file in your Firefox
profile directory.

~~~
magicalist
Before anyone tries this, I really really really encourage you to read the
`Known problems and limitations`. eg it'll erase all your saved passwords,
bullet point 23 (at least it's in bold :/)

[https://github.com/pyllyukko/user.js/issues/27#issuecomment-...](https://github.com/pyllyukko/user.js/issues/27#issuecomment-123461838)

------
ocdtrekkie
I was thinking about summarizing some of my own changes for this as well, but
I realized I didn't realize what a lot of these settings actually did.

One setting I read about recently I wanted changed was to turn off URL
trimming, so [http://](http://) still displays and the like:
browser.urlbar.trimURLs

------
shabbyrobe
toolkit.telemetry.cachedClientID will be repopulated by Firefox even after you
clear it. I have just locked the preference [1], hopefully this stops it.

[1]:
[http://kb.mozillazine.org/Locking_preferences](http://kb.mozillazine.org/Locking_preferences)

------
known
[https://wiki.archlinux.org/index.php/Firefox/Tweaks](https://wiki.archlinux.org/index.php/Firefox/Tweaks)
is slick

------
darkstar999
I wish there was a setting to prevent changes to scroll behavior.

------
pgy
My favorite about:config setting is browser.tabs.closeWindowWithLastTab=false,
it keeps Firefox open when all the tabs are closed.

------
ct0
config.trim_on_minimize = true: reduce memory usage when minimized (Windows
only). This really helped for me.

~~~
cpeterso
The config.trim_on_minimize preference no longer exists, as it was Windows
XP's own behavior that Firefox was suppressing:

[https://bugzilla.mozilla.org/show_bug.cgi?id=660367](https://bugzilla.mozilla.org/show_bug.cgi?id=660367)

    // Our internal trim prevention logic is effective on 2K/XP at maintaining
    // the working set when windows are minimized, but on Vista and up it has
    // little to no effect. Since this feature has been the source of numerous
    // bugs over the years, disable it (sTrimOnMinimize=1) on Vista and up.

------
rk06
> PRIVACY SETTING

> network.http.sendRefererHeader = 0

WARNING: twitter.com does not work with this setting

default value is 2

Tested on FF 62, Win 10 Pro

------
seanalltogether
what are the reasons for disabling memory and disk cache, and lowering dns
caching?

~~~
mike-cardwell
[https://www.grepular.com/Preventing_Web_Tracking_via_the_Bro...](https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache)

------
danjoc
Good grief that's a long list. I'd rather just use a browser like Brave with
privacy and ad blocks enabled by default.

~~~
subsection1h
Yeah, and Emacs has a long manual. I'd rather just use a text editor with
toolbars and menus I can clicky click.

