.dots/firefox

HardenedFDE

A Firefox Developer Edition user.js configuration file. HardenedFDE focuses on privacy and security, not anonymity. Features relying on 3rd party services may be partially on eg. safeBrowsing.

Considerations

Whilst this configuration might work on the Nightly distribution it probably won't fully work on the current stable release, and certainly not on ESR. Beware, since 58 toolkit.telemetry.enabled has been locked to true for pre-releases. We can verify that uploads are disabled at about:telemetry.

Settings in user.js take precedence over those in the preferences, and about:config. Any changes to those two will be lost on restart.

These are a few things to consider about this user.js.

• Minimalist UI/UX settings.
• Disables geolocation.
• Spoofs basic regional settings for privacy due to tracking.
• Remove developer tools that can be abused.
• Disable WiFi hotspot checks.
• Cuts access to local network resources.
• Drops FTP handling.
• Forgets all new passwords.
• Disables form auto-fill.
• [Linux] Removes Gnome shell integration plugin.
• Disables all DRM content players.
• Disables screen sharing.
• Blocks camera, and mic use.

Some settings rely on external add-ons for better performance. More on those, and other settings are explained in the Manual Settings section below.

Requirements

• Firefox Developer Edition

Installation

• Download a copy of user.js file.
• Review settings.
• Set a single profile, or use system wide.
• Finalize with a few optional manual settings.

Review settings

Whether or not we review all setting, is good to have a view at the top two sections, ~VINTAGE~ and SENSITIVE. They are meant for convenient access to options that we may want to tune on a per-profile basis.

Single profile

As user.js changes the browser behavior, it is recommended to either:

• create a new profile
• backup current profile

Note: when following instructions from those links you may need to replace the directory paths with the ones below.

Copy user.js to desired user profile directory. The file should be located at:

• Linux ~/.mozilla/firefox/XXXXXXXX.your_profile_name/user.js
• macOS ~/Library/Application Support/Firefox/Profiles/XXXXXXXX.your_profile_name

system wide

Copy user.js to the Firefox installation directory. The file should be at:

• Linux: /etc/firefox/firefox.js or /etc/firefox-esr/firefox-esr.js
• macOS: /Applications/FirefoxDeveloperEdition.app/Contents/Resources/mozilla.cfg

In this file, we can substitute user_pref for:

• pref to set the default value for all profiles where it hasn't been set yet.
Users can modify these via ~about:config~ page. Changes are kept across sessions.
• lockPref sets the default values for new profiles. Beware: these settings are
locked and can't be changed neither through ~user.js~, nor the ~about:config~ page.

macOS

Create /Applications/FirefoxDeveloperEdition.app/Contents/Resources/defaults/pref/local-settings.js

pref("general.config.obscure_value", 0);
pref("general.config.filename", "mozilla.cfg");

If mozilla.cfg still fails to load, we must add a blank comment (//) at the top of it.

Verify

Surf to about:support, scroll down looking for "Important Modified Preferences" and "user.js Preferences" sections.

Alternatively, go to about:config and check that _user.js.log is set to ~user.js loaded~

Manual Settings

Passwords

Password storage has been disabled for security reasons. Make sure to install a password manager that doesn't rely on the browser.

DNS over HTTPS

We can enable DoH starting w/Firefox 62. So it's been enabled in this ~user.js~ with default DoH resolver.

For other resolver options check out this list by the curl team, or even this Wikipedia page.

Search engines

Whilst Firefox comes bundle with a few search engines we can add our preferred ones.

Simply visit their main search page, and click the three dots next the URL bar. Click on Add Search Engine. Alternatively, purge unused engines.

We can add two Searx instances to ensure we can always search the web privately. Alternatively, you can use close-source solutions such as DuckDuckGo, and Startpage. Also, check out the official add or remove a search engine in firefox post.

Add-ons

Tracking is too profitable to be easy to turn off. These add-ons help a lot:

• UBlock Origin
• au-revoir utm
• Cookie Autodelete
• HTTPS Everywhere
• Decentraleyes
• Multi-account containers
• Temporary containers
• Privacy Badger
• Extension source viewer

Read addons_config.org for sample configurations.

Some useful add-ons for web development (code not reviewed thoroughly):

• Laboratory - Content Security Policy toolkit
• aXe - A11y developer tools
• Compat report - Browser compatibility report
• Certainly Something - Certificate Viewer
• Dark Reader - Dark theme for every website
• a11y-outline - TOC-like page outline (toggle C-&)

Other privacy-focus extensions we've seen recommended (may replace some of the above)

• Privacy possum
• Skip redirect
• CanvasBlocker
• Random user agent. Source repo, acknowledged.

Power-extensions that require more user interaction for a customized experienced.

• NoScript
• uMatrix
• Request control

Alternative viewers

• QiuReader - ePub reader
• EPUBReader - alternative ePub reader

Downloads

For privacy reasons, downloads aren't allowed on Desktop. To set your default "downloads":

General > Downloads > Save files to

Camera / Mic

Both, camera and mic, have been blocked for privacy reason. To add site exceptions:

Page Info > Permissions > Use the Camera/Microphone

To manage site exceptions:

Options > Privacy & Security > Permissions > Camera/Microphone > Settings

Fonts

Web fonts can easily be abused on many ways, either directly or by requiring unsafe configuration settings.

Best course of action, privacy wise, is to use whatever fonts Firefox includes. Next, to set the font.name.* family of attributes to something suitable to your system. If none of that is suitable check out these:

• Liberation fonts
• 40 best google open-source fonts
• Pairings on google fonts

On macOS we might want to remove these fonts to reduce fingerprinting. In Font Book remove Wingdings 2, Wingdings 3, Arial Unicode MS, ~Brush Script MT~, Georgia, and Helvetica.

Notifications

Notifying is complex, requires features that may be abused. If you want to enable them, in the VINTAGE section toggle:

• dom.serviceWorkers.enabled
• dom.webnotifications.enabled
• dom.webnotifications.serviceworker.enabled

Even then notifications are blocked by default, yes they're that unsafe. To add site exceptions:

Page Info > Permissions > Receive Notifications

To manage site exceptions:

Options > Privacy & Security > Permissions > Notifications > Settings

Temporary configuration

As mentioned above, we can temporarily reset any option on the about:config~ page. For instance, to toggle ~media.autoplay.enabled which may break some media players. Also, to temporarily toggle on ~network.captive-portal-service.enabled~ to allow WiFi hotspot login pages. Overrides last until we restart the browser.

Updates

The user.js, as is, has browser and add-on automatic updates turn on. On BSD/Linux we may need to toggle app.update.auto under KEEP UP.

References

• Firefox profile folder
• user.js file
• about:config entries
• Create a profile with profile manager
• Backup & restore profiles
• Recover data from an old profile
• ghacks-user.js
• ghacks-user.js supplement by 12bytes.org
• Locking preferences
• TL;DR Locking preferences
• Remove system-wide hidden extensions
• Silence of the Xpi
• Adding search engines to firefox
• Add or remove a search engine in firefox
• pdf.js faq
• How to remove OpenH264 Video Codec
• How do I remove the OpenH264 Video Codec plugin??
• Inside Firefox’s DOH engine
• How to override css stylesheets in Firefox
• Customize reader view theme