This page needs an update because many changes were introduced by Firefox Quantum (v57+).
The Open Web has become a predatory environment. In the past anyone could passively use a web browser and remain relatively safe by simply avoiding morally questionable websites, but not any more.
Today millions of legitimate websites are unintentionally serving up "malvertising" and other malware. Beyond that, well-funded automated Big Data cyber-snoopers are aggressively tracking your activities by recording the web pages you see, what you search for, and even what links you hover your mouse over. You could simply ignore all of this, but that would be clouded thinking.
There's something you can do about it. With Firefox and this Configuration Guide you can have a quicker, safer, more private web-browsing experience. You'll greatly decrease surreptitious tracking of your web-surfing activities and help your computer remain malware-free.
If you're a repeat visitor you can skip to the steps or use a stripped-down, steps-only text version.
If Firefox is already installed, you can refresh your Firefox profile and achieve the same results. (Highly recommended.)
Levels of Protection
This guide explains Essential, Intermediate, and Advanced configuration changes you can make to Firefox.
- Essential Changes
- The Essential changes are baseline settings that "just work" without extra interaction, except maybe occasional whitelisting of sites with two clicks to permit ads for a site. These are as close to set-and-forget as possible. Whenever I install Firefox I make at least the Essential changes.
- Intermediate Changes
- The Intermediate-level changes require a small amount of interaction, for example you may need to enable and disable Flash using a toolbar button or you may, on rare occasion, need to whitelist a (broken) site so it will display properly.
- Advanced Changes
- The Advanced changes are extra-effective but require active participation to develop whitelists. They're suitable for more advanced users because they have a steeper learning curve. You can use a two-browser strategy to ease the learning process.
Pale Moon
The Firefox project seems to be losing its way.
Firefox now includes features like targeted advertising in new tabs (which we'll turn off), mandatory add-ons (Firefox Hello video-chat and Pocket read-it-later apps), connection to sites without clicking links (we'll turn off "speculative preconnection" and DNS prefetching), a new Google-Chrome-compatible "Web Extensions API" for add-ons, and more. Some would say Firefox feature-creep has introduced some creepy features.
For Firefox users especially, the information in this guide is more important than ever.
In mid-2015 I switched to Pale Moon as my main browser.
Pale Moon is a community-driven fork of Firefox, meaning it's an independent browser based on Firefox source code. Pale Moon's original focus was on fast performance. More recently it has become a safer alternative, not just faster. (Reference)
Some undesirable Firefox features are notably absent from Pale Moon and some other desirable features notably present. Default settings seem better. It's a lean-and-mean browser that works well.
There are portable and Linux versions.
Two-browser Strategy
For "the best of both worlds" I keep Pale Moon aggressively locked down and use Firefox, configured less restrictively, as a second browser. This has turned out to be an effective strategy. (Note 0)
If you're up to trying this, start by configuring Firefox with the Essential changes and Pale Moon with the Intermediate changes (or Intermediate and Advanced respectively). Use Pale Moon until you encounter a site or a web app that won't work properly, then check it with Firefox. This will help you make necessary adjustments and at the very least you'll have a dependable fallback option.
Options / Preferences
There are two different names for the same thing. In Windows they're Options. In Linux and Mac OS, they're Preferences.
Menu → Options (Windows)
Menu → Preferences (Linux, Mac OS X)
or
Tools → Options (Windows)
Edit → Preferences (Linux, Mac OS X)
There are eight sections.
General
Set home page to about:logo or about:blank
Always check if Firefox is the default...
Save files to Downloads. (Note 1)
(Windows only) Check Show tab previews...
Search (Firefox)
Set the default search engine
Uncheck "Provide search suggestions" (Note 2)
Add search engines after the browser has been hardened.
Tabs (Pale Moon)
Match Firefox's behavior.
Check "Insert related tabs next to the current tab"
Content
No changes, except possibly one optional change to avoid tiny fonts:
Advanced - Minimum font size: <one size smaller than monospace font's size>
Applications
Set "mailto" to "Always ask", or to your mail program if you prefer.
Privacy
Tracking: Tell sites I do not want to be tracked
History: Use custom settings for history
Keep cookies until I close Firefox
Clear history when Firefox closes
Security
Uncheck Remember passwords for sites. (Note 3)
Sync
Leave sync turned off if privacy and security are important to you.
Advanced
Data Choices: Uncheck Health Report and Crash Reporter
Essential Extensions
There are some essential Firefox extensions that will protect your privacy and security. This first set of extensions were chosen because they're effective and easy to use. They don't require much, if any, attention.
Manage your add-ons using the Add-ons Manager "tab".
Menu → Add-ons (or Tools → Add-ons)
You can also browse to about:addons or use a keyboard shortcut.
Use the tab's search feature to find extensions.
uBlock Origin
Search for: ublock
uBlock Origin is a privacy add-on that efficiently blocks ads, web trackers and malware.
If you haven't used an add-on like uBlock Origin or NoScript before, you are in for an eye-opening experience when you see how many tracking elements are slipped into the web pages you've been visiting.
The default settings for uBlock Origin work well. You can add additional site-lists if you wish to do more extensive blocking.
After you install the add-on a new button will appear in your Navigation Toolbar. You can use it to "whitelist" sites if you need to. From the add-on's page:
Many website operators earn money and support their sites by advertising. This configuration blocks ads because of computer security risk and invasive personal-privacy concerns. A few sites will be broken if ads are blocked. Consider enabling ads on sites you wish to support.
Self-Destructing Cookies
Search for: self
The Self-Destructing Cookies add-on wipes out cookies and (importantly) Local Storage Objects, sometimes called "super cookies", that you don't need any more. From the add-on's page:
In the Add-ons Manager (about:addons) under Extensions, click the extension's Preferences button. Make two (or three) changes.
Change #1: On rare occasions this add-on destroys cookies a little too quickly. For this reason you may wish to extend the grace period from 10 seconds to something like 60 seconds.
Change #2: Scroll down to near the bottom and set "Clear cache when idle" to something like 30 minutes. There are multiple reasons for clearing the cache every once in a while.
Change #3: Once you become familiar with the notifications, you can uncheck Notifications to turn them off.
These changes will help the extension "just work" without concern about whitelisting.
Disable Hello, Pocket & Reader+
Search for hello (Update: If it doesn't appear in the search results, install it from the extension's page.)
Firefox includes some "forced addons" that many consider bloat. These are: Firefox Hello, Pocket, Reader+. This extension disables all three, plus WebRTC (Real-Time Chat).
From extension's description:
CanvasBlocker
This one requires you to visit the add-on's page.
"Browser fingerprinting" is a technique used to identify you (well, your browser anyway) without setting any cookies. Learn more about it at the Panopticlick test page and BrowserLeaks.com. If you're startled and perturbed by what you discover there you're beginning to get the idea.
One fingerprinting technique is called "canvas fingerprinting". There's an add-on for that; it's called CanvasBlocker.
Pale Moon doesn't need this one. Instead, you can set canvas.poisondata to true using the Config Editor (i.e. about:config page).
Intermediate Extensions
Unlike the previous set-and-forget extensions, these require a small amount of awareness and participation. Consider these next extensions optional, but recommended.
HTTPS-Everywhere
Search for: https
HTTPS-Everywhere automatically enables HTTPS encryption on sites that are known to support it. As a result, some connections that would normally use plain-text HTTP become encrypted over HTTPS instead. This one is in the Intermediate category because on rare occasion you may need to whitelist a site that won't load properly.
For the Pale Moon browser there's Encrypted Web.
After restarting, you'll be asked whether you want to join the SSL Observatory. Joining is probably safe.
QuickJava / FlashDisable
It's wise to keep plugins disabled except when they're necessary. These extensions add an Address Toolbar button you can use to quickly enable and disable Flash, Java, and Silverlight plugins. (Note 4)
FlashDisable
Search for flashdisable
If Flash is all you need to control, use this one. Set these two options in preferences. (Experiment with the third one.)
Reload current tab on Flash activation
Disable Flash on Firefox startup
QuickJava
Search for quickjava
This one controls Flash, Java, and Silverlight. Set these options in preferences.
"Include In Favorites"
Uncheck JavaScript
Check Silverlight
On Initial Load
Java: Off
Flash: Off
Silverlight: Off
User Agent Overrider
Every request your browser sends to a server includes a User-Agent string, which is a string of text that identifies the browser and operating system you're using. This add-on allows you to replace the browser's default User-Agent string with a different one that "blends in with the crowd" rather than appearing out-of-the-ordinary to the server. (Note 5)
Most Windows users probably don't need this add-on. If you use Linux or Pale Moon (or both) you might want it because under those circumstances your User-Agent string could be unintentionally distinctive.
Editing a User-agent string
Search for: overrider
This extension's Preferences will bring you to some lines of text that need editing. Change the "<your-OS>/Firefox NN.0" line to the current release in all three places in the line of text. Occasionally you'll need to increment the version number when a new version is released. (Note 6)
Pale Moon users need to install an older version of this extension (0.2.4.1) from the extension's Version History page.
Some generic Firefox strings are:
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Mozilla/5.0 (Windows NT 6.3; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0
Mozilla/5.0 (X11; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:56.0) Gecko/20100101 Firefox/56.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:56.0) Gecko/20100101 Firefox/56.0
See also: UserAgents.txt (for pasting into Preferences)
Change Referer Button
Search for: referer
The Change Referer Button extension allows you to suppress your HTTP Referer header (Note 7) on the fly, either for all requests or just for image-file requests.
Advanced Extensions
These two highly-effective extensions require some effort and attention. At first they seem similar, but they do different jobs. From the RequestPolicy FAQ:
NoScript is a tool that gives you a default deny policy for JavaScript, Java, Flash and other plugins. NoScript allows you to whitelist scripts and objects from domains you trust.
RequestPolicy is a tool that gives you a default deny policy for cross-site requests. RequestPolicy allows you to whitelist cross-site requests you trust.
If you're unfamiliar with these, I recommend installing one at a time. After you're accustomed to using one, install the other. There are online tutorials available.
NoScript
Search for: NoScript
NoScript is particularly effective at enhancing privacy and blocking malware. It can break some sites (usually only temporarily).
RequestPolicy Continued
Search for: requestp
This extension lets you control how your browser makes requests to third-party websites. You deny by default and accumulate whitelist rules, providing an effective defense against "cross-site request forgery" (CSRF).
Other Extensions
Ghostery, Disconnect, uMatrix, and Privacy Badger are other add-ons that provide similar protective measures to the ones provided in this guide. Disconnect.me has a search portal, Disconnect Search.
Plugins
Sometimes a program that's installed on your computer will add a Firefox "plugin". Plugins are a type of add-on that are different from extensions.
Plugin auto-activation settings
- Extensions
- Software add-ons that are written specifically for Firefox and "extend" the browser.
- Plugins
- Third-party software that "plugs into" the browser when it's installed on the computer.
Extensions install inside Firefox; plugins install onto the operating system and are connected into Firefox.
Some common plugins are: Adobe Flash and Shockwave, Oracle Java, Apple QuickTime, Cisco OpenH264 Codec, Microsoft Silverlight, Google Update, and Dropbox Update.
You can't uninstall plugins from within Firefox. Instead, you can set them to "Never activate" or "Ask to activate". "Ask to activate" is little help from a privacy perspective. (Experiment at the Panopticlick test page to see for yourself.)
Plugins -- Java and Flash in particular -- frequently introduce security vulnerabilities. If you must run these, be sure to keep them up to date so you'll have the latest security patches. You can use Mozilla.org's Check Your Plugins page to check if your plugins are up-to-date.
Asking to allow a plugin
A sensible policy is: Don't let third-party software plug itself into your browser unless there's a good reason. Don't install Java, QuickTime, or any other software that creates a plugin unless it's necessary.
Go to Menu → Add-ons and click the plugins tab to configure the plugins your computer has installed.
Remembering a setting for a site (whitelisting)
It's hard to give general advice here because so many computers and computer-operators are different. If it's your own computer you should disable anything with "Java" in the name unless you know a specific reason for leaving Java enabled in your browser, which is rare these days. If some site doesn't work, switch it to "Always ask" and whitelist that site.
Use your best judgment. The more plugins you set to disable or "Always ask" without interfering with browsing content, the better.
Browse to about:plugins to see information about installed plugins.
Configuration Preferences (about:config)
Type about:config in the URL bar and click past the "scary" warning to see advanced, semi-hidden configuration options. There are tons of entries. Fortunately you can winnow them down by searching.
Many of these aren't present in Pale Moon.
Essential Settings
Geolocation - Disable geolocation ("Location-Aware Browsing" - reference):
Search for: geo. (geo followed by a dot)
Set geo.enabled to false
Delete the contents of geo.wifi.uri
Silent Pre-Connections - Disable silent requests when you hover over links or type into the location bar. (reference).
Search for: specu
Set network.http.speculative.parallel.limit to 0
DNS Prefetching - Disable proactive domain name resolution that can cause errors.
Search for: disablep
Set network.dns.disablePrefetch to true
Feedback-collection - Disable the Heartbeat feedback-collection system.
Search for: selfs
Delete the contents of browser.selfsupport.url
Health Reporter and Telemetry - There are good reasons enterprises turn off settings like these.
Search for submissione
Set datareporting.policy.dataSubmissionEnabled to false
Search for report.u
Set datareporting.healthreport.uploadEnabled to false
Search for service.e
Set datareporting.healthreport.service.enabled to false
Search for reporter.e
Set dom.ipc.plugins.flash.subprocess.crashreporter.enabled to false
Search for imgu
Delete the contents of devtools.gcli.imgurUploadURL
Delete the contents of devtools.gcli.imgurClientID
Search for clienti
Delete the contents of toolkit.telemetry.cachedClientID
Clipboard - Avoid letting sites read or modify Clipboard contents.
Search for: clipboarde
Set dom.event.clipboardevents.enabled to false
Fingerprinting - Disable some items that are used for fingerprinting.
Search for batt
Set dom.battery.enabled to false
Search for senso
Set device.sensors.enabled to false
Face Detection - A browser doesn't need face detection.(!)
Search for face_
Set camera.control.face_detection.enabled to false
New-Tab Targeted Ads - Disable Targeted Advertising(!) in new tabs.
Search for: newt
Set browser.newtab.preload to false
Delete the contents of browser.newtabpage.directory.ping
Delete the contents of browser.newtabpage.directory.source
Set browser.newtabpage.enabled to false
Set browser.newtabpage.enhanced to false
Web Notifications - Disable push notifications from websites (new)
Search for: webnot
Set dom.webnotifications.enabled to false
Set dom.webnotifications.serviceworker.enabled to false
Intermediate Settings
Block Autorefresh - "Warn me when websites try to redirect or reload"
Search for: blocka
Set accessibility.blockautorefresh to true
PDF Viewer - You wouldn't always want to, but you can disable the internal PDF Viewer. (Note 8)
Search for pdfjs.disabled
Set pdfjs.disabled to true
Canvas Fingerprinting (Pale Moon) - Enable Pale Moon's anti-canvas-fingerprinting feature.
Search for canvas.p
Set canvas.poisondata to true
Advanced Settings
HTTP-Referer Trimming (sic)
Consider this setting Advanced because on rare occasion it may break a site, and it would take an alert and aware user to notice why.
By default Firefox sends the full URI in the HTTP Referer header (Note 7), revealing e.g. your search terms and/or the server path to the page where you clicked the link. You can configure it to send less revealing information.
Search for referer.t
Set network.http.referer.trimmingPolicy to 1
0 -> full URI (default)
1 -> scheme, host, port and path (GET params trimmed)
2 -> scheme, host and port (path and GET params trimmed)
Setting it to 2 breaks some sites (banks, sites with downloadable files) because they verify certain incoming requests are from a specific host and path. Setting it to 1 seems to be a safe compromise that sends the host and path, but not extra information such as search terms.
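The three trimming policies worked through on a constructed search-results URL and on the kind of host-and-path check that makes policy 2 break a site. This is an added example, not code from the original guide; `trimmed_referer`, `server_referer_check` and the rendering of policy 2 as the origin plus "/" are my own assumptions.

```python
from urllib.parse import urlsplit, urlunsplit


def trimmed_referer(url: str, policy: int) -> str:
    """Referer value sent for a link clicked on `url` under
    network.http.referer.trimmingPolicy = policy (0, 1 or 2).
    Assumed rendering of policy 2: scheme://host:port/"""
    p = urlsplit(url)
    if policy == 0:
        # Full URI; the #fragment is never sent regardless of policy.
        return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))
    if policy == 1:
        # Scheme, host, port and path; the query (GET params) is dropped,
        # so search terms carried in the query no longer leak.
        return urlunsplit((p.scheme, p.netloc, p.path, "", ""))
    if policy == 2:
        # Scheme, host and port only; the path is dropped as well.
        return urlunsplit((p.scheme, p.netloc, "/", "", ""))
    raise ValueError("policy must be 0, 1 or 2")


def server_referer_check(referer: str, host: str, path_prefix: str) -> bool:
    """Mimic a site (bank, download portal) that insists a request arrives
    from a given host and path. Policy 1 still satisfies it; policy 2 does
    not, because the path is gone."""
    p = urlsplit(referer)
    return p.netloc == host and p.path.startswith(path_prefix)


if __name__ == "__main__":
    # Constructed URLs, not real sites.
    search = "https://search.example.com/results?q=my+private+query#top"
    bank = "https://bank.example.com:8443/accounts/transfer?session=abc"
    for policy in (0, 1, 2):
        print(policy, trimmed_referer(search, policy),
              server_referer_check(trimmed_referer(bank, policy),
                                   "bank.example.com:8443", "/accounts"))
```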
Thumbnail Capturing
New-Tab Thumbnails are created even if they won't be used. This feature has been exploited in the past. You can disable thumbnail creation by following the instructions at Mozilla.org.
To summarize, you need to add these two boolean values, then you can set them.
Set browser.pagethumbnails.capturing_disabled to true
Set pageThumbs.enabled to false
This is only a partial solution. Metadata about visited sites is still saved, even if the thumbnails aren't. If you've followed this guide, it's deleted when you close Firefox.
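To check that a profile actually carries the about:config settings above, here is an added example (not part of the original guide) that parses a profile's prefs.js or user.js and reports which of this guide's preferences are missing or set to the wrong value. The checklist, the `audit` function and the sample file are constructed assumptions built from the steps above.

```python
import re
import sys
from typing import Dict, Union

PrefValue = Union[bool, int, str]

# Checklist built from this guide's about:config steps (constructed; an empty
# string stands for "delete the contents of" the preference).
HARDENING_TARGETS: Dict[str, PrefValue] = {
    "geo.enabled": False,
    "geo.wifi.uri": "",
    "network.http.speculative.parallel.limit": 0,
    "network.dns.disablePrefetch": True,
    "datareporting.policy.dataSubmissionEnabled": False,
    "dom.event.clipboardevents.enabled": False,
    "device.sensors.enabled": False,
    "browser.newtabpage.enabled": False,
    "browser.newtabpage.enhanced": False,
    "dom.webnotifications.enabled": False,
    "network.http.referer.trimmingPolicy": 1,
    "browser.pagethumbnails.capturing_disabled": True,
}

# One line of prefs.js / user.js looks like: user_pref("name", value);
_PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')

def parse_value(raw: str) -> PrefValue:
    """Convert the literal on a user_pref line to a Python value."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"')
    try:
        return int(raw)
    except ValueError:
        return raw  # leave unusual literals as text

def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Return {name: value} for every user_pref line; comments are skipped."""
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs

def audit(prefs: Dict[str, PrefValue], targets=HARDENING_TARGETS) -> Dict[str, str]:
    """Map each checklist preference that is not hardened to the reason.
    A name absent from the file is at Firefox's built-in default, which is
    normally the very value the guide tells you to change."""
    findings: Dict[str, str] = {}
    for name, wanted in targets.items():
        if name not in prefs:
            findings[name] = "missing (built-in default applies)"
        elif prefs[name] != wanted:
            findings[name] = f"is {prefs[name]!r}, guide wants {wanted!r}"
    return findings

# Constructed sample of a partially hardened prefs.js (not a real profile).
SAMPLE_PREFS_JS = """\
// Mozilla User Preferences
user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "");
user_pref("network.http.speculative.parallel.limit", 0);
user_pref("network.dns.disablePrefetch", true);
user_pref("datareporting.policy.dataSubmissionEnabled", false);
user_pref("dom.event.clipboardevents.enabled", false);
user_pref("device.sensors.enabled", false);
user_pref("browser.newtabpage.enabled", false);
user_pref("browser.newtabpage.enhanced", true);
user_pref("network.http.referer.trimmingPolicy", 0);
user_pref("browser.startup.homepage", "about:blank");
"""

if __name__ == "__main__":
    # Pass the path to a profile's prefs.js, or run as-is on the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PREFS_JS
    for name, why in sorted(audit(parse_prefs(text)).items()):
        print(f"{name}: {why}")
```

Run it with the browser closed, since Firefox rewrites prefs.js on exit; a clean run prints nothing.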
Finishing Touches
Search Engines
Your web-search history is a prime target for snoopers. Add SSL Search items to your search engines list, then remove the plain-HTTP duplicates.
You can add other search engines at Mozilla.org's Search Add-ons page.
Location Bar Buttons
Customize your Location Bar.
Menu → Customize (or View → Toolbars → Customize)
Drag Subscribe onto the buttons area
Exit Customize
Bookmarks
Show the Bookmarks Toolbar.
Menu → Customize (or View → Toolbars → Customize)
Show/Hide Toolbars - Bookmarks Toolbar
Exit Customize
Yet More Add-ons
For best results, Firefox extensions should be used sparingly. With that said, here are some useful low-impact extensions.
Context Search
Search for: context
This extension significantly enhances searching from within web pages.
"Expands the context menu's 'Search for' item into a list of installed search engines, allowing you to choose a specific search engine every time."
Zoom Page
Search for: zoom
Some people will need this extension that provides site-zooming features.
Experiment with settings for best results. Two settings are worth special notice.
Zoom text, but not images
General -> Default Zoom Type -> Text-Only (T)
Zooming images degrades image quality and reduces space on the page available for text.
WebToPDF
This add-on allows you to generate a PDF or JPEG image from webpage, including the whole page, not just the visible area. Unlike other similar add-ons, it doesn't use a cloud service and even works offline.
Pale Moon Commander
For Pale Moon only, the Pale Moon Commander extension provides a user-friendly interface to some advanced preferences.
Yet Another Config Option
Strictly optional, for convenience only: don't autohide the Navigation and Tab toolbars in fullscreen mode.
Search for: fullscreen
Set browser.fullscreen.autohide to false
Refreshing a Firefox Profile
You can safely "start over" (restore Firefox to its default state) without losing your bookmarks. This used to be called "reset"; now it's called "refresh".
Prepare by making a list of your installed extensions and themes because refreshing removes them. Only reinstall the ones you actually use.
Menu -> Help (question mark) -> Troubleshooting Information -> Refresh Firefox
or
Help -> Troubleshooting Information -> Refresh Firefox
This is advisable to do every once in a while, especially if you've been experimenting with add-ons.
Pale Moon users can refresh preferences, including preferences of add-ons, using the Pale Moon Commander extension.
Menu -> Preferences -> Advanced options Other - Reset Reset All Preferences
New-Profile method (The Old Way)
Switching to the newly-created profile
Another way to "start over" is by creating a brand new profile. This method still works. You can leave the original profile intact or delete it once the new one is working properly.
Backup bookmarks
Clear private data
Exit the browser
Start the Profile Manager (*): open a terminal and run firefox -P
Create a new profile: Create Profile -> Next -> Finish
Double-click on your new profile
Restore bookmarks
You can recover important data from the other profile.
(*) In Windows, start the Profile Manager with something like
Start -> Accessories -> Command Prompt
or: Start, then search for Command Prompt.
Then enter this at the prompt:
"c:\Program Files (x86)\Mozilla Firefox\firefox.exe" /P
Footnotes
Note 0:
I discovered some reasons why a two-browser strategy is effective when I did in-depth research for this guide. Each browser has its own fingerprint, for one thing. Plugins are another. Arguably all plugins should be disabled in the browser you use for online shopping and banking.
Note 1:
ProTip: To quickly find your recently downloaded files, set your Downloads directory to Details View (List View in some file managers) and click the column header to sort your downloads by date, with the newest at the top.
Note 2:
Sometimes search suggestions are helpful. On those occasions, use a bookmark to go to the search engine's page, where suggestions are provided.
Note 3:
Unfortunately, remembering passwords for sites is similar to storing your car's ignition key in plain sight on the dashboard for convenience.
Note 4:
Flash and Java reveal a startling amount of information about your computer and their use is on the decline. They have long histories of security flaws. Flash and Silverlight also circumvent your intentions when you delete browser cookies by setting "supercookies". If you need these plugins installed, disable them whenever possible and enable them only when you're browsing one of the few remaining sites that still require them (Flash Earth, Netflix, ...).
Note 5:
Overriding the User-Agent string can be useful for other reasons, for example web development testing, or perhaps for downloading files meant for an alternative operating system when a website offers no other way to choose the other OS's files. Using user-agent spoofing for nefarious purposes is not recommended.
Note 6:
Use Menu → Help → About Firefox to determine what Firefox version is currently installed. Alternatively, disable User Agent Overrider (if installed) and match the version in your User-Agent string.
Note 7:
By default your browser reveals certain information to servers that you may not want to reveal. Specifically, it reports the referring page when you visit a link or load an image or a script. From the W3C: This optional header field allows the client to specify, for the server's benefit, the address (URI) of the document (or element within the document) from which the URI in the request was obtained.
Note 8:
I suggest avoiding Adobe Reader because it has a poor security history. On Windows, something lightweight like Sumatra PDF is a safer option. Evince is another one.
Links
Here are some links to resources where you can learn why these changes are important and also why you shouldn't assume anonymity when browsing.
Browsing only legitimate sites is no longer a viable strategy for avoiding malware.
- Nearly all websites have serious security vulnerabilities
- A new Acunetix report on 5,500 companies comprising 15,000 website and network scans, performed on over 1.9 million files, finds nearly half of the web applications scanned contained a high security vulnerability such as XSS or SQL Injection, while almost 4 in 5 web applications were affected by a ‘medium security’ vulnerability.
Your computer is probably far more identifiable than you think.
- Browser fingerprints, and why they are so hard to erase | Network World
- Even when deleting cookies, the browser fingerprint allows organizations to re-identify and re-cookie your system, essentially rejecting your efforts to remain private.
Browsers provide a lot of "fingerprinting sources".
- Valve/fingerprintjs2 · GitHub
- List of fingerprinting sources
See some information your browser is providing.
- Computer Hope computer system information script v1.9
- This script is capable of detecting major browsers, operating systems, spyware, some software programs, and browser add-ons. However, it will only display information capable of being found through your browser.
- BrowserLeaks.com - Web Browser Security Checklist for Identity Theft Protection
- Here you will find the gallery of web browser security testing tools, that tell you what exactly personal identity data may be leaked without any permissions when you surf the Internet.
- IP/DNS Detect - What is your IP, what is your DNS, what information you send to websites.
- This is the kind of information that all the sites you visit, as well as their advertisers and any embedded widget, can see and collect about you.
Mozilla.org collects your browsing history and data about how you navigate the New Tab page.
- Ads based on your browsing history quietly hit Firefox's New Tab page | PCWorld
- It’s official: Firefox is serving you targeted ads on the browser’s New Tab page now.
Consider disabling location services in social apps and other browsers.
- No Geolocation
- The question is therefore how to effectively disable this feature.
Edge and Internet Explorer, being part of the system, expose extra vulnerabilities.
- Windows Flaw Reveals Microsoft Account Passwords, VPN Credentials
- When a user accesses the link via Internet Explorer, Edge, or Outlook, because of the way Windows handles authentication for network shares, their computer will automatically send their login credentials to authenticate on the crook's domain, even via the Internet.