1. 47

  2. 18

    Non-obvious thing: configuring options makes you more trackable (by sufficiently advanced tracking tech — it’s possible to build a profile out of unavailable APIs, requested TLS ciphersuites, etc. — not everyone does this of course, but the ad industry is investing so heavily into development of trackers…)

    For that exact reason, the Tor Browser always opens with the same window size and doesn’t recommend resizing it.

    1. 5

      This. Thank you for reminding me of this. These settings definitely lean toward a more identifiable, more secure browser. There are both security and privacy settings in here, but customization in many cases can lead to trackability.

      1. 4

        This is why the Tor Browser aims for uniformity. If you want to be more private than private browsing mode, then use the Tor Browser Bundle.

        1. 2

          So can we all stop using the web now or… ?

          1. 2

            Well, if you just block JS wholesale for sites that don’t know your date of birth anyway (like banks you use), API availability wouldn’t mean much. If you also write a script to randomly accept only some of the bad ciphers, please share.

            1. 1

              Or not care about privacy that much. Unpopular opinion, but I’m somewhat tired of this privacy obsession.

              1. 2

                Please send me your name, age, date of birth, home address, browsing history, and the contents of all your emails.

          2. 9

            You might want to set privacy.firstparty.isolate if that matters to you.

            This option will enforce a per-first-party-domain cookie policy, this might break some third party applications but isolates trackers to single domains. Tor Browser does have this enabled to my knowledge.

            1. 1

              It just so happens that I wrote an extension which does that: https://addons.mozilla.org/en-US/firefox/addon/first-party-isolation/

            2. 5

              It would greatly enhance this if there were explanations given for the preference changes. In other words, why should I trust you?

              1. 1

                Some things are misleading.

                beacon.enabled => false (notifies a website when you navigate away)

                I believe this is sendBeacon(), a JS function, which is relatively neutral. Not <a ping>.

              2. 4

                I love these, is there any way to automate applying these to a given Firefox Profile?

                It’d be so nice to have these set as part of a local Ansible run, for example.

                1. 7

                  You can find prefs.js inside the profile folder. You can just add entries like user_pref("media.eme.chromium-api.enabled", false); there — it is a text file you can edit.
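
As an added example (not code from the thread or from any commenter), here is a small Python helper that sets `user_pref` lines idempotently in a profile prefs file, so an Ansible task or shell script can call it repeatedly without producing duplicate entries. It assumes the target is `prefs.js` as mentioned above or the profile's `user.js`; the preference values in `SAMPLE_PREFS` are this example's own constructed choices.

```python
import re
from pathlib import Path

# Constructed sample: a few preferences discussed in the thread (values chosen for the demo).
SAMPLE_PREFS = {
    "privacy.firstparty.isolate": True,
    "beacon.enabled": False,
    "media.eme.chromium-api.enabled": False,
}

# One user_pref("key", value); line; the key is a double-quoted string, the value is kept raw.
PREF_RE = re.compile(r'^[ \t]*user_pref\("((?:[^"\\]|\\.)*)",[ \t]*(.*?)\);[ \t]*$', re.M)


def format_value(value):
    """Render a Python value the way Firefox expects it in a prefs file."""
    if isinstance(value, bool):  # check bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    escaped = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def parse_prefs(text):
    """Map each pref key to its raw value string as written in the file."""
    return {m.group(1): m.group(2) for m in PREF_RE.finditer(text)}


def set_pref(text, key, value):
    """Return text with user_pref(key) set to value: replace the existing line or append one."""
    line = f'user_pref("{key}", {format_value(value)});'
    one_key = re.compile(r'^[ \t]*user_pref\("' + re.escape(key) + r'",[ \t]*.*?\);[ \t]*$', re.M)
    if one_key.search(text):
        return one_key.sub(lambda _m: line, text, count=1)  # lambda: no backslash expansion
    if text and not text.endswith("\n"):
        text += "\n"
    return text + line + "\n"


def apply_prefs(path, prefs):
    """Idempotently write every pref into the file at path (created if missing)."""
    target = Path(path)
    text = target.read_text() if target.exists() else ""
    for key, value in prefs.items():
        text = set_pref(text, key, value)
    target.write_text(text)
    return parse_prefs(text)


if __name__ == "__main__":
    # Point this at <profile>/user.js (or prefs.js while Firefox is closed).
    print(apply_prefs("user.js", SAMPLE_PREFS))
```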

                  1. 1

                    Yeah, that would be cool, I’ve been trying to fully automate my desktop setup using nix.

                    1. 1

                      If marionette is enabled (or maybe webdriver?) you can also alter settings at runtime. The official Python package for this is marionette_driver. I use my own code for the marionette bits, but I set up Firefox settings from shell scripts.

                      1. 1

                        As far as I know, all WebDriver support in Firefox is implemented by a proxy that connects to the Firefox instance itself via Marionette protocol.

                        And the WebDriver protocol is too cross-browser to support preferences. So if you want to randomize some options at runtime (to mess with fingerprinting, I guess) or to allow/block JavaScript by a script (I actually use this), a native Marionette client is needed.

                        1. 2

                          As far as I know, all WebDriver support in Firefox is implemented by a proxy

                          Yes, geckodriver is the proxy. WebDriver does support browser-specific options, for example you can set profile preferences when starting up geckodriver, but I don’t know if WebDriver provides an API to do it after the browser is started.

                          I manage Firefox instances using a little CLI https://github.com/equalsraf/ffcli/blob/master/ff/MANUAL.md and lots of shell script shenanigans.

                          or to allow/block Javascript by a script (I actually use this)

                          You mean suspend script execution? How do you do that using marionette?

                          1. 1

                            No, I just start with scripts disabled, and then I manually trigger preference modification (like your prefset) to re-enable scripts if I want them enabled. And I generally have many Firefox instances under different UIDs, so the effect is formally local but actually affects only one site anyway. (And I launch new instances using rofi — which is similar to dmenu, and I have a way to make some bookmark there be associated with scripts enabled immediately.) I gave up on managing the ports when I start too many instances at once (race conditions are annoying), so now they just live in their own network namespaces.

                    2. 2

                      Would love feedback, comments, & improvements - thanks all.

                      1. 3

                        How do these compare to the Tor Browser settings?

                        I notice (when using Tor Browser) that many sites try to use Canvas for fingerprinting. Is this blocked by your settings as well? Or does uBlock take care of that?

                        1. 6

                          Firefox 58 will actually be getting the canvas anti-fingerprinting in the Tor Browser: https://nakedsecurity.sophos.com/2017/10/30/firefox-takes-a-bite-out-of-the-canvas-super-cookie/

                      2. 2

                        A privacy vs. security tradeoff: do you limit safebrowsing in any way?

                        1. 1

                          This is always good, but then for work or something like that you need to enter a crap site and these kinds of settings break things. Can anyone confirm that this is pretty safe in that way?

                          1. 1

                            Another relevant link: Firefox bullshit removal

                            1. 1

                              Thanks so much for the awesome feedback, I’ll incorporate the comments here and on the gist itself.

                              Additionally, information about many about:config items can be found deep in Mozilla’s documentation https://wiki.mozilla.org/.

                              1. 1

                                I set security.ssl.require_safe_negotiation to true and now one of my banking websites doesn’t work. Marvelous.