Consider lockPref() and mozilla.cfg about user.js HOT 18 CLOSED

On an unrelated note, you left browser.safebrowsing.malware.enabled to its default true--as a result, sites are sent to Google to be checked for malware. Many people who compiled lists of entries to enhance privacy have this set to false (including me) and instead use something dedicated to malware protection such as Malwarebytes Anti-Malware, which should be used regardless.

The malware protection shouldn't leak information to Google. See the links on: #22 (comment)

I've just publish a blog post to give more details on what exactly is sent to Google and when: https://feeding.cloud.geek.nz/posts/how-safe-browsing-works-in-firefox/

from user.js.

@berrythesoftwarecodeprogrammar in FF that setting is in milliseconds. Maybe you were just using the numbers as an example :) I find 75 to be an excellent choice - otherwise I find mousing down a menu causes menus to shoot out that I'm not interested in, and others may find it annoying or alarming. It's also a hidden pref.

@fmarier That was an excellent blog post, thank you. I wish a lot more of some of FF's inner workings were made a lot clearer. I actually used that to help clean up the code on the ghacks user.js for those who are interested http://pastebin.com/AHw0UFNA . The original was to block it all. This setup allows those who just run with it to be better protected. I think it's a good compromise between privacy and security (and yes, definitely run other layers of protection - MalwareBytes etc).

The upcoming full new user.js is here http://pastebin.com/2H6NNUdy (pastebin item will self destruct in 6 days) - I plan to update ghacks with a final version after 46 lands. Your thoughts, and anyone else's are welcome at ghacks. My apologies to pullyukko if this comes across as a bit hijacky. Just trying to share :)

from user.js.

My apologies to pullyukko if this comes across as a bit hijacky. Just trying to share :)

No worries.

from user.js.

Is 3c62edf sufficient?

from user.js.

Have you considered using lockPref() and mozilla.cfg instead?

No I haven't. Does it also prevent modifying settings from about:config? Because sometimes it's necessary to temporarily tweak something from there (at least for me).

(unless Mozilla decides to notify users of which about:config entries they have changed that conflict with your user-set entries)

Wouldn't hold my breath :)

On an unrelated note, you left browser.safebrowsing.malware.enabled to its default true--as a result, sites are sent to Google to be checked for malware. Many people who compiled lists of entries to enhance privacy have this set to false (including me) and instead use something dedicated to malware protection such as Malwarebytes Anti-Malware, which should be used regardless.

The malware protection shouldn't leak information to Google. See the links on: #22 (comment)

Then again, this setting could also be commented out, because it's easily available from the GUI.

network.seer.enabled is deprecated according to several sites. browser.sessionstore.enabled is deprecated. security.enable_ssl3 is deprecated.

Yes, there are several obsolete settings, but "according to several sites" is not good enough. The reasoning is documented here: https://github.com/pyllyukko/user.js/blob/master/CONTRIBUTING.md#removing-settings

I'll remove the other two settings accordingly, thanks.

from user.js.

No I haven't. Does it also prevent modifying settings from about:config? Because sometimes it's necessary to temporarily tweak something from there (at least for me).

lockPref() for mozilla.cfg would prevent the user from modifying about:config settings and I use it for settings that shouldn't break during my normal browsing activity because it is the only function that ensure entries are enforced and not manipulated by Firefox or addons for compatibility, malicious, or other reasons. For settings which are more likely to break, I use pref() or defaultPref() for mozilla.cfg, which is what you're looking for. More details on the functions here.

There are several advantages to using mozilla.cfg over user,js:

• According to Mozilla developers:

Note: because of abuse of user.js preferences, support for user.js may be removed in a future version of Firefox.

• mozilla.cfg applies to all profiles whereas user.js only applies to the profile it is in. Those who are privacy-conscious and are using about:config entries such as those on this list would most likely want to develop the habit of using multiple profiles, each dedicated to a certain purpose--a single, centralized configuration file is much easier to maintain. Power users periodically re-create fresh profiles to ensure optimal browser performance and that any remnants of potentially personally identifiable data residing in the profile are deleted. With mozilla.cfg, that's all that needs to be done--no need to copy over a backed up copy of the user.js file every time. In essence, mozilla.cfg sits above the profiles, therefore global, while user.js sits within a profile, therefore local.
• It allows actually locking certain entries to prevent it from being manipulated (mentioned earlier).
• On the enterprise level, mozilla.cfg is the file that's used because it is slightly more secure (partially due to the fact that it is higher level on the directory hierarchy--deleting a profile means its user.js is also deleted and partially for the reasons stated above).

from user.js.

FYI: To disable the Session Restore service completely
// WARNING: This also disables the the "Recently Closed Tabs" feature
// It does not affect "Recently Closed Windows" or any history.
user_pref("browser.sessionstore.max_tabs_undo", 0);
user_pref("browser.sessionstore.max_windows_undo", 0);

I have tested this. It does not affect recently closed windows which is what the second pref seems to indicate. It absolutely does not affect history.

Also: for those who do have session store - disable storing extra session data 0=all 1=http-only 2=none
user_pref("browser.sessionstore.privacy_level", 2);
user_pref("browser.sessionstore.privacy_level_deferred", 2);

from user.js.

@fmarier I appreciate the write-up--it clarified a lot of ambiguity and common misconceptions. I was doing a lookup on Safe Browsing and came across browser.safebrowsing.downloads.remote.enabled which gave me the impression that Safe Browsing as a whole should be disabled. It's nice to see you guys do some work to enhance privacy.

Will be sure to refer it to others.

from user.js.

i use this method in thunderbird to lock some preferences which are changed by an addon every time it starts http://kb.mozillazine.org/Locking_preferences . actually requires 2 files. a local-settings.js and a mozilla.cfg. i dont see why replacing user.js is necessary tho

from user.js.

it IS useful for my issue in #75 though, which i forgot about. i just did some tests and mozilla.cfg entries override user.js entries, even if they aren't lockPrefs. a normal pref can be used (not user_pref).

e.g. my user.js has:

user_pref("ui.submenuDelay",0);

and in my mozilla.cfg i put this:

pref("ui.submenuDelay",1);

and when i opened thunderbird the setting in about:config was 1. so yeah mozilla.cfg is useful for locking preferences or overriding user.js

from user.js.

yeah i was just using it as an example

from user.js.

@Roman-Nopantski What happened to updating the ghacks version after FF 46? And by a final version did you mean that there won't be any more updates to that user.js when future versions of FF are released and that will be the last update ever? I'm keeping a small list of URLs to check periodically when there is an update to FF to see if there are any changes worth incorporating into my own user.js.

from user.js.

@mindstormer12: I was thinking about this mozilla.cfg issue and thought that what if we make a script that generates mozilla.cfg from user.js? That way it would be an option and we wouldn't need to maintain two separate config files.

from user.js.

@mindstormer12 Read the last few comments at ghacks (I will be putting out a new version which may/may not be the last one - it will have a changelog). Please put any future questions about it at ghacks.

from user.js.

Since it's quite trivial to achieve this with something like sed 's/^user_pref/lockPref/' user.js > mozilla.cfg for those users that prefer locked preferences, I think I'll close this issue.

from user.js.

@pyllyukko I think it's worth documenting it shortly in the README (?)

from user.js.

Will do.

from user.js.

@pyllyukko yes, thanks. Note that there is another way to install user.js, which is placing it in the new profile template directory for Firefox.(see below). The install paragraph is starting to be a bit confusing, I think we should rewrite it. I will open another issue to work on this.

from user.js.