Mozilla Firefox tweaks for enhanced privacy
Mozilla Firefox allows a lot of configuration: heaven for tweakers!
Today I'd like to share my personal configuration, focused on privacy.
These settings can be configured from the about:config page, but I've also developed a small user.js file that can be installed in your Firefox profile.
Configure from about:config
- Enter "about:config" in the Firefox address bar and press enter.
- Press the button "I'll be careful, I promise!"
- Search and modify the following settings.
Privacy
privacy.firstparty.isolate = true
Isolates all browser identifier sources (e.g. cookies) to the first party domain, preventing tracking across different domains.
This setting is a result of the Tor Uplift, a project born to port all Tor Browser patches into the Firefox main branch.
privacy.resistFingerprinting = true
Makes Firefox more resistant to browser fingerprinting. (another setting from Tor Uplift)
privacy.trackingprotection.enabled = true
Enables Mozilla's built-in tracking protection using the Disconnect.me filter list.
Browser
browser.cache.offline.enable = false
Disables offline cache: less performance, but more privacy.
browser.safebrowsing.malware.enabled = false
browser.safebrowsing.phishing.enabled = false
Disables Google Safe Browsing malware checks and phishing protection: it could be a security risk, but avoids sending data to Google servers.
browser.send_pings = false
Prevents websites from tracking visitors' clicks.
browser.urlbar.speculativeConnect.enabled = false
Disables preloading of autocomplete URLs, so that no connections are made before you actually connect to sites.
browser.sessionstore.privacy_level = 2
Never store extra information about a session: contents of forms, scrollbar positions, cookies, and POST data. (less usability but more privacy)
DOM
dom.battery.enabled = false
Prevents webpages from tracking the battery status of your device.
dom.event.clipboardevents.enabled = false
Prevents sites from getting notifications when you copy, paste, or cut something from a web page.
Media
media.eme.enabled = false
media.gmp-widevinecdm.enabled = false
Disables playback of DRM-controlled HTML5 content using Google's Widevine Content Decryption Module or Adobe Flash.
media.navigator.enabled = false
Prevents websites from tracking the microphone and camera status of your device.
Network
network.cookie.cookieBehavior = 1
Only accept cookies from the originating site (block third-party cookies).
network.cookie.lifetimePolicy = 2
Cookies are deleted at the end of the session. (less usability but more privacy)
network.http.referer.trimmingPolicy = 2
Send only the scheme, host, and port in the Referer header.
network.http.referer.XOriginPolicy = 2
Only send the Referer header when the full hostnames match.
network.http.referer.XOriginTrimmingPolicy = 2
When sending the Referer header across origins, only send scheme, host, and port.
network.IDN_show_punycode = true
Shows internationalized domain names (IDNs) as their Punycode equivalent. Not rendering IDNs this way leaves you exposed to phishing attacks that can be very difficult to notice.
Other settings
webgl.disabled = true
WebGL provides, by virtue of its functional requirements, access to the graphics hardware, and this can expose security risks.
geo.enabled = false
Disables geolocation.
extensions.blocklist.enabled = false
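Disables the Mozilla blocklist, reducing data sent to Mozilla servers. Like the Safe Browsing settings above, it could be a security risk, since the blocklist is how Firefox disables add-ons known to be malicious.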
All configuration in a single user.js file
I've collected all the tweaks in a single configuration file that can be installed in your Firefox profile in a few simple steps.
Simply download the user.js file and copy it into your current user profile directory, or into a newly created Firefox profile directory.
The file should be located at:
Operating System | Path |
---|---|
Windows 7/8/10 | %APPDATA%\Mozilla\Firefox\Profiles\XXXXXXXX.profile_name\user.js |
Linux | ~/.mozilla/firefox/XXXXXXXX.profile_name/user.js |
OS X | ~/Library/Application Support/Firefox/Profiles/XXXXXXXX.profile_name |
Android | /data/data/org.mozilla.firefox/files/mozilla/XXXXXXXX.profile_name |
Finally, restart Firefox to enable the new settings.
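Before copying a downloaded user.js into a profile, it is worth checking that it sets the preferences listed above and nothing else. The following is an added example, not the author's user.js or code from the repository: the names `parse_user_js`, `audit` and `SAMPLE` are assumptions made for illustration, and the sample text is constructed.

```python
import json
import re

# Values exactly as listed on this page, grouped by type.
EXPECTED = {name: True for name in """
    privacy.firstparty.isolate privacy.resistFingerprinting
    privacy.trackingprotection.enabled network.IDN_show_punycode webgl.disabled
""".split()}
EXPECTED.update({name: False for name in """
    browser.cache.offline.enable browser.safebrowsing.malware.enabled
    browser.safebrowsing.phishing.enabled browser.send_pings geo.enabled
    browser.urlbar.speculativeConnect.enabled dom.battery.enabled
    dom.event.clipboardevents.enabled media.eme.enabled media.navigator.enabled
    media.gmp-widevinecdm.enabled extensions.blocklist.enabled
""".split()})
EXPECTED.update({
    "browser.sessionstore.privacy_level": 2, "network.cookie.cookieBehavior": 1,
    "network.cookie.lifetimePolicy": 2, "network.http.referer.trimmingPolicy": 2,
    "network.http.referer.XOriginPolicy": 2,
    "network.http.referer.XOriginTrimmingPolicy": 2,
})

# One user_pref("name", value); call per line; lines starting with // do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_user_js(text):
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            try:
                prefs[m.group(1)] = json.loads(m.group(2))  # true/false/int/"str"
            except ValueError:
                prefs[m.group(1)] = m.group(2)  # keep raw text for manual review
    return prefs

def audit(text, expected=EXPECTED):
    """Compare a user.js to the page's list; types must match (true is not 1)."""
    found = parse_user_js(text)
    return {
        "missing": sorted(n for n in expected if n not in found),
        "wrong": {n: found[n] for n in expected if n in found
                  and (type(found[n]), found[n]) != (type(expected[n]), expected[n])},
        "extra": {n: v for n, v in found.items() if n not in expected},
    }

# Constructed sample, not the real user.js: one commented-out, one wrong, one extra.
SAMPLE = ('user_pref("geo.enabled", false);\n// user_pref("webgl.disabled", true);\n'
          'user_pref("network.cookie.cookieBehavior", true);\n'
          'user_pref("network.proxy.type", 1);\n')
```

Calling `audit(open(path).read())` on the downloaded file returns three buckets; anything under `extra` is a preference the file changes that this page never mentions, and deserves a look before the file goes into the profile directory.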
References
- Phishing with Unicode Domains, an attack almost impossible to detect
- A website could track your smartphone location using the battery status data?
- Security/Tor Uplift - MozillaWiki
- WebGL - A New Dimension for Browser Exploitation
- andreafortuna/FirefoxPrivacyEnhancements: Customized user.js with privacy enhancements for Mozilla Firefox