Sharing my personal Firefox user.js based on arkenfox's privacy policies.
Hi everyone :)
For those interested, I'm sharing my just-finished personal Firefox user.js. It’s based on the latest arkenfox and has the same privacy features, with some personal tweaks to fit my workflow. And also easier to read 😅.
github.com/KalyaSc/fictional-sniffle/…/user.js
KEEP IN MIND
Except for the privacy focused entries, some are personal choices for an easy drop-in Firefox preferences backup. This is what I consider a good privacy model and some entries could break YOUR workflow, especially if you don’t have self-hosted alternatives (Vaultwarden, Linkding, Wallabag).
I’m not an expert, but most of those entries are the same as Arkenfox’s user.js. I really encourage you to read their file for a better understanding of what each entry does. While my file is easier to read, one downside is the lack of documentation for each entry.
Also, this is not just a COPY/PASTE. It took a lot of effort, time, reading, testing and understanding. I kept a similar naming scheme for cross referencing.
I learned a few things and hope that you also will enjoy, edit, read and learn new interesting things.
Happy hardening !
Features
- Automatic dark mode theme (Keep in mind you still need Dark Reader or similar plugin for web pages in dark mode.)
- Deep clean history on every Firefox quit. Only cookies as exception are kept. I need them for my self hosted services.
- Disable password/auto-fill/breach. Vaultwarden takes care of everything.
- All telemetry disabled by default except for the crash reports. To also disable the crash reports, comment the beginning of the following lines with `//`:

```
user_pref("breakpad.reportURL", "");
user_pref("browser.tabs.crashReporting.sendReport", false);
user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
```

- DoH disabled (got my personal VPN with DoH enabled)

```
user_pref("network.trr.mode", 5);
```

- Disable WebRTC. If you need it for video calling, meetings, video chats:

Comment the following line:

```
user_pref("media.peerconnection.enabled", false);
```

Uncomment the following (arkenfox default, it will force WebRTC inside your configured proxy)

```
//user_pref("media.peerconnection.ice.default_address_only", true);
//user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
```

- Fixed Width and Height (1600x900) (Fingerprint resistant) arkenfox’s default
- Resist Fingerprinting (RFP) which overrides fingerprint protection (FPP)
- A lot of other tweaks you can discover while reading through the file.
How to use/test this file ?
Open Firefox, type `about:profiles` and create a test profile. Open the corresponding root folder, put in the `user.js` and launch profile in a new browser.
After testing and happy with the result, BACKUP your main Firefox profile somewhere safe and put the `user.js` in your main profile to see if it fits your workflow.
Room for improvement / TODO.
A lot of the settings in the 5000 range from arkenfox’s user.js need further testing and investigation, because they could break and cause performance/stability issues.
- JS exploits:

```
- javascript.options.baselinejit
- javascript.options.ion
- javascript.options.wasm
- javascript.options.asmjs
```

- Disable webAssembly
- …
TODO
- Disable non-modern cipher suites
- Control TLS versions
- Disable SSL session IDs [FF36+]
Also those settings are another beast that needs further testing/investigation on how they work.
The user.js file
github.com/KalyaSc/fictional-sniffle/…/user.js
WARNING
Arkenfox advises against add-ons that scramble and randomize your fingerprint characteristics (like Chameleon).
WHY? Because resist fingerprint takes care of most things. See 4500: RFP (resistFingerprinting) in arkenfox user.js.
```
[WARNING] DO NOT USE extensions to alter RFP protected metrics

 418986 - limit window.screen & CSS media queries (FF41)
 1281949 - spoof screen orientation (FF50)
 1330890 - spoof timezone as UTC0 (FF55)
 1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
 FF56
 1333651 - spoof User Agent & Navigator API
 version: android version spoofed as ESR (FF119 or lower)
 OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
 1369319 - disable device sensor API
 1369357 - disable site specific zoom
 1337161 - hide gamepads from content
....

Very long list !
```

Final words
I’m open for any constructive criticism or any constructive comment that could help me out to improve or understand something new or something I misunderstood. Sure that’s not 100% my work, but as I said it took a lot of time, testing, searching, reading… Please don’t be a crazy Panda…
Credits
https://github.com/arkenfox/user.js
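
The toggles in this post work by adding or removing `//` in front of `user_pref` lines, so it is easy to lose track of which values are actually in effect. The following is an added example, not part of the original post or of arkenfox: a Node.js check that ignores commented-out lines, lets a later duplicate override an earlier one, and reports the crash-report, DoH and WebRTC prefs named above. The function names and the sample file contents are constructed for illustration, and only double-quoted strings are handled.

```javascript
// Added example. SAMPLE is constructed for illustration, not the author's file.
const SAMPLE = `
user_pref("breakpad.reportURL", "");
//user_pref("browser.tabs.crashReporting.sendReport", false);
user_pref("network.trr.mode", 5);
user_pref("media.peerconnection.enabled", false);
/* user_pref("media.peerconnection.ice.default_address_only", true); */
//user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
user_pref("network.trr.mode", 3); // later duplicate: this one wins
`;

// Remove /* */ blocks and // comments, leaving double-quoted strings intact.
function stripComments(src) {
  const re = /"(?:[^"\\]|\\.)*"|\/\*[\s\S]*?\*\/|\/\/[^\n]*/g;
  return src.replace(re, (m) => (m[0] === '"' ? m : ""));
}

// Map of pref name -> value, built from active (uncommented) lines only.
function activePrefs(src) {
  const re = /user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|true|false|-?\d+)\s*\)\s*;/g;
  const prefs = new Map();
  for (const m of stripComments(src).matchAll(re)) {
    prefs.set(m[1], JSON.parse(m[2])); // a later line overrides an earlier one
  }
  return prefs;
}

const CRASH_PREFS = [
  "breakpad.reportURL",
  "browser.tabs.crashReporting.sendReport",
  "browser.crashReports.unsubmittedCheck.enabled",
  "browser.crashReports.unsubmittedCheck.autoSubmit2",
];

function audit(src) {
  const p = activePrefs(src);
  let webrtc = "enabled, no ICE restriction set in this file";
  if (p.get("media.peerconnection.enabled") === false) {
    webrtc = "disabled";
  } else if (p.get("media.peerconnection.ice.default_address_only") === true &&
             p.get("media.peerconnection.ice.proxy_only_if_behind_proxy") === true) {
    webrtc = "enabled, proxy-constrained";
  }
  return {
    crashPrefsNotSet: CRASH_PREFS.filter((k) => !p.has(k)),
    trrMode: p.has("network.trr.mode") ? p.get("network.trr.mode") : null,
    webrtc,
  };
}
console.log(audit(SAMPLE));
```

To check a real profile, pass the contents of its `user.js` (read with `fs.readFileSync(path, "utf8")`) to `audit` instead of `SAMPLE`.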