Comments (18)
On an unrelated note, you left browser.safebrowsing.malware.enabled to its default true--as a result, sites are sent to Google to be checked for malware. Many people who compiled lists of entries to enhance privacy have this set to false (including me) and instead use something dedicated to malware protection such as Malwarebytes Anti-Malware, which should be used regardless.
The malware protection shouldn't leak information to Google. See the links on: #22 (comment)
I've just publish a blog post to give more details on what exactly is sent to Google and when: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/
from user.js.
@berrythesoftwarecodeprogrammar in FF that setting is in milliseconds. Maybe you were just using the numbers as an example :) I find 75 to be an excellent choice - otherwise I find mousing down a menu causes menus to shoot out that I'm not interested in, and others may find it annoying or alarming. It's also a hidden pref.
@fmarier That was an excellent blog post, thank you. I wish a lot more of some of FF's inner workings were made a lot clearer. I actually used that to help clean up the code on the ghacks user.js for those who are interested http://pastebin.com/AHw0UFNA . The original was to block it all. This setup allows those who just run with it to be better protected. I think it's a good compromise between privacy and security (and yes, definitely run other layers of protection - MalwareBytes etc).
The upcoming full new user.js is here http://pastebin.com/2H6NNUdy (pastebin item will self destruct in 6 days) - I plan to update ghacks with a final version after 46 lands. Your thoughts, and anyone else's are welcome at ghacks. My apologies to pullyukko if this comes across as a bit hijacky. Just trying to share :)
from user.js.
My apologies to pullyukko if this comes across as a bit hijacky. Just trying to share :)
No worries.
from user.js.
Is 3c62edf sufficient?
from user.js.
Have you considered using lockPref() and mozilla.cfg instead?
No I haven't. Does it also prevent modifying settings from about:config
? Because sometimes it's necessary to temporarily tweak something from there (at least for me).
(unless Mozilla decides to notify users of which about:config entries they have changed that conflict with your user-set entries)
Wouldn't hold my breath :)
On an unrelated note, you left browser.safebrowsing.malware.enabled to its default true--as a result, sites are sent to Google to be checked for malware. Many people who compiled lists of entries to enhance privacy have this set to false (including me) and instead use something dedicated to malware protection such as Malwarebytes Anti-Malware, which should be used regardless.
The malware protection shouldn't leak information to Google. See the links on: #22 (comment)
Then again, this setting could also be commented out, because it's easily available from the GUI.
network.seer.enabled is deprecated according to several sites. browser.sessionstore.enabled is deprecated. security.enable_ssl3 is deprecated.
Yes, there are several obsolete settings, but "according to several sites" is not good enough. The reasoning is documented here: https://github.com/pyllyukko/user.js/blob/master/CONTRIBUTING.md#removing-settings
I'll remove the other two settings accordingly, thanks.
from user.js.
No I haven't. Does it also prevent modifying settings from about:config? Because sometimes it's necessary to temporarily tweak something from there (at least for me).
lockPref()
for mozilla.cfg would prevent the user from modifying about:config settings and I use it for settings that shouldn't break during my normal browsing activity because it is the only function that ensure entries are enforced and not manipulated by Firefox or addons for compatibility, malicious, or other reasons. For settings which are more likely to break, I use pref()
or defaultPref()
for mozilla.cfg, which is what you're looking for. More details on the functions here.
There are several advantages to using mozilla.cfg over user,js:
- According to Mozilla developers:
Note: because of abuse of user.js preferences, support for user.js may be removed in a future version of Firefox.
- mozilla.cfg applies to all profiles whereas user.js only applies to the profile it is in. Those who are privacy-conscious and are using
about:config
entries such as those on this list would most likely want to develop the habit of using multiple profiles, each dedicated to a certain purpose--a single, centralized configuration file is much easier to maintain. Power users periodically re-create fresh profiles to ensure optimal browser performance and that any remnants of potentially personally identifiable data residing in the profile are deleted. With mozilla.cfg, that's all that needs to be done--no need to copy over a backed up copy of the user.js file every time. In essence, mozilla.cfg sits above the profiles, therefore global, while user.js sits within a profile, therefore local. - It allows actually locking certain entries to prevent it from being manipulated (mentioned earlier).
- On the enterprise level, mozilla.cfg is the file that's used because it is slightly more secure (partially due to the fact that it is higher level on the directory hierarchy--deleting a profile means its user.js is also deleted and partially for the reasons stated above).
from user.js.
FYI: To disable the Session Restore service completely
// WARNING: This also disables the the "Recently Closed Tabs" feature
// It does not affect "Recently Closed Windows" or any history.
user_pref("browser.sessionstore.max_tabs_undo", 0);
user_pref("browser.sessionstore.max_windows_undo", 0);
I have tested this. It does not affect recently closed windows which is what the second pref seems to indicate. It absolutely does not affect history.
Also: for those who do have session store - disable storing extra session data 0=all 1=http-only 2=none
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.sessionstore.privacy_level_deferred", 2);
from user.js.
@fmarier I appreciate the write-up--it clarified a lot of ambiguity and common misconceptions. I was doing a lookup on Safe Browsing and came across browser.safebrowsing.downloads.remote.enabled
which gave me the impression that Safe Browsing as a whole should be disabled. It's nice to see you guys do some work to enhance privacy.
Will be sure to refer it to others.
from user.js.
i use this method in thunderbird to lock some preferences which are changed by an addon every time it starts http://kb.mozillazine.org/Locking_preferences . actually requires 2 files. a local-settings.js
and a mozilla.cfg
. i dont see why replacing user.js is necessary tho
from user.js.
it IS useful for my issue in #75 though, which i forgot about. i just did some tests and mozilla.cfg
entries override user.js
entries, even if they aren't lockPref
s. a normal pref
can be used (not user_pref
).
e.g. my user.js
has:
user_pref("ui.submenuDelay",0);
and in my mozilla.cfg
i put this:
pref("ui.submenuDelay",1);
and when i opened thunderbird the setting in about:config
was 1. so yeah mozilla.cfg
is useful for locking preferences or overriding user.js
from user.js.
yeah i was just using it as an example
from user.js.
@Roman-Nopantski What happened to updating the ghacks version after FF 46? And by a final version did you mean that there won't be any more updates to that user.js when future versions of FF are released and that will be the last update ever? I'm keeping a small list of URLs to check periodically when there is an update to FF to see if there are any changes worth incorporating into my own user.js.
from user.js.
@mindstormer12: I was thinking about this mozilla.cfg issue and thought that what if we make a script that generates mozilla.cfg from user.js? That way it would be an option and we wouldn't need to maintain two separate config files.
from user.js.
@mindstormer12 Read the last few comments at ghacks (I will be putting out a new version which may/may not be the last one - it will have a changelog). Please put any future questions about it at ghacks.
from user.js.
Since it's quite trivial to achieve this with something like sed 's/^user_pref/lockPref/' user.js > mozilla.cfg
for those users that prefer locked preferences, I think I'll close this issue.
from user.js.
@pyllyukko I think it's worth documenting it shortly in the README (?)
from user.js.
Will do.
from user.js.
@pyllyukko yes, thanks. Note that there is another way to install user.js, which is placing it in the new profile template directory for Firefox.(see below). The install paragraph is starting to be a bit confusing, I think we should rewrite it. I will open another issue to work on this.
from user.js.
Related Issues (20)
- Can't stop Firefox background connections HOT 24
- Strange issue Firefox switching to active window - Firefox stealing focus! HOT 3
- Repeat PREF 4520 4614 HOT 3
- Can't change useragent HOT 2
- Segmentation fault on OpenBSD HOT 1
- user.js+noscript HOT 1
- Certain SSL prefs less secure than current Firefox defaults. HOT 1
- Settings will fall back to systemwide_user.js after firefox restart
- privacy.resistfingerprinting not overwriteable HOT 1
- Investigate use of the `sticky` flag on prefs HOT 5
- webgl.disabled can block some website data HOT 1
- Extensions don't show up HOT 4
- How to restore urlbar behaviour? HOT 1
- When connecting with VPN: Secure Connection Failed
- OpenSCAPin profiili Upstream Firefox STIG
- Exceptions for Enhanced Tracking Protection not working HOT 1
- Recommendation to support uBlock Origin "Back up to file"? HOT 1
- set `browser.sessionstore.max_tabs_undo = 0` HOT 3
- set `network.http.referer.trimmingPolicy = 2`/`network.http.referer.XOriginTrimmingPolicy = 2` HOT 2
- Investigate preferences set by ffprofile.com
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from user.js.