Hi everyone :)

For those interested, I share my just finished personal Firefox user.js. It’s based on the latest arkenfox and has the same privacy features, with some personal tweaks to fit my workflow. And also easier to read 😅.

https://github.com/KalyaSc/fictional-sniffle/blob/main/user.js


KEEP IN MIND

Except for the privacy focused entries, some are personal choices for an easy drop-in Firefox preferences backup. This is what I consider a good privacy model and some entries could break YOUR workflow, especially if you don’t have self-hosted alternatives (Vaultwarden, Linkding, Wallabag).

I’m not an expert, but most of those entries are the same as Arkenfox’s user.js. I really encourage you to read their file for better understanding on what each entrie does. While my file is easier to read, one downside is the lack of documentation for each entries.

Also, this is not just a COPY/PAST. It took a lot of effort, time, reading, testing and understanding. I kept a similar naming scheme for cross referencing.

I learned a few things and hope that you also will enjoy, edit, read and learn new interesting things.

Happy hardening !


Features

  • Automatic dark mode theme (Keep in mind you still need Dark Reader or similar plugin for web pages in dark mode.)
  • Deep clean history on every Firefox quit. Only cookies as exception are kept. I need them for my self hosted services.
  • Disable password/auto-fill/breache. Vaultwarden takes care of everything.
  • All telemetry disabled by default except for the crash reports. To also disable the crash reports, comment the begining of the following lines with //:
user_pref("breakpad.reportURL", "");
user_pref("browser.tabs.crashReporting.sendReport", false);
user_pref("browser.crashReports.unsubmittedCheck.enabled", false);
user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false);
  • DoH disabled (got my personal VPN with DoH enabled)
user_pref("network.trr.mode", 5);
  • Disable WebRTC. If you need it for video calling, meetings, video chats:

Comment the following line:

user_pref("media.peerconnection.enabled", false);

Uncomment the following (arkenfox default, it will force WebRTC inside your configured proxy)

//user_pref("media.peerconnection.ice.default_address_only", true);
//user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
  • FIxed Width and Height (1600x900) (Finger print resistant) arkenfox’s default
  • Resist Fingerprinting (RFP) which overrides finger print protection (FPP)
  • Alot of other tweaks you can discover while reading through the file.

How to use/test this file ?

Open firefox, type about:profiles and create a test profile. Open the corresponding root folder, put in the user.js and launch profile in a new browser.

After testing and happy with the result, BACKUP your main Firefox profile somewhere safe and put the user.js in your main profile to see if it fits your workflow.

Room for improvement / TODO.

Alot of the settings in the 5000 range form arkenfox’s user.js need further testing and investigation, because they could breake and cause performance/stability issues.

  • JS exploits:
- javascript.options.baselinejit
- javascript.options.ion
- javascript.options.wasm
- javascript.options.asmjs
  • Disable webAssembly

TODO

  • Disable non-modern cipher suites
  • Control TLS versions
  • Disable SSL session IDs [FF36+]

Also those settings are another beast that needs further testing/investigation on how they work.

The user.js file

https://github.com/KalyaSc/fictional-sniffle/blob/main/user.js

WARNING

Arkenfox advise agianst addons who scramble and randomize your fingerprint characteristics (like chameleon).

WHY? Because resist fingerprint takes care of most things. See 4500: RFP (resistFingerprinting) in arkenfox user.js.

[WARNING] DO NOT USE extensions to alter RFP protected metrics

    418986 - limit window.screen & CSS media queries (FF41)
   1281949 - spoof screen orientation (FF50)
   1330890 - spoof timezone as UTC0 (FF55)
   1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
 FF56
   1333651 - spoof User Agent & Navigator API
      version: android version spoofed as ESR (FF119 or lower)
      OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
   1369319 - disable device sensor API
   1369357 - disable site specific zoom
   1337161 - hide gamepads from content
....

Very long list !

Final words

I’m open for any constructive criticism or any constructive comment that could help me out to improve or understand something new or something I misunderstood. Sure that’s not 100% my work, but as I said it took a lot of time, testing, searching, reading… Please don’t be a crazy Panda…

Credits

https://github.com/arkenfox/user.js

https://github.com/pyllyukko/user.js/

https://wiki.archlinux.org/title/Firefox/Privacy

  • rhymepurple
    link
    fedilink
    English
    arrow-up
    8
    ·
    8 months ago

    Didn’t look at the repo thoroughly, but I can appreciate the work that went into this.

    • Is there any reason you went this route instead of just using an user-overrides.js file for the standard arkenfox user.js file?
    • Does the automatic dark theme require enabling any fingerprintable settings (beyond just possobly determining the theme of the OS/browser)?
    • How are you handling exceptions for sites? I assumed it would be in the user.js file, but didn’t notice anything in particular handling specific URLs differently.
    • N0x0nOP
      link
      fedilink
      arrow-up
      1
      ·
      8 months ago

      Hello thanks for your inputs !

      Is there any reason you went this route instead of just using an user-overrides.js file for the standard arkenfox user.js file?

      I’m relatively new to “programming” and file management and wasn’t aware of the user-overrides.js. I was sucked in by the testing, reading, and giving my best to understand each entry that I missed this crucial information. I’m reading through the overrides section in the arkenfox wiki and will change accordingly !

      Does the automatic dark theme require enabling any fingerprintable settings (beyond just possobly determining the theme of the OS/browser)?

      Nope. But by default enabling dark theme is fingerprintable. They know that I’m using dark theme in my browser, but… my eyes can’t live without it :(. I think this is a negligeable parameter, because there are too many dark mode user on the web. As long as it’s the native Firefox dark mode theme, this should be an okayish compromise.

      user_pref("layout.css.prefers-color-scheme.content-override", 0);
      user_pref("browser.theme.content-theme", 2);
      

      How are you handling exceptions for sites? I assumed it would be in the user.js file, but didn’t notice anything in particular handling specific URLs differently.

      I’m not sure what you mean, but by default I prefere that everything what’s happening in my browser needs user consent and manual interaction. I’m still looking for the switches to block all new requests asking to access microphone, location, notification…

      Also the only sites I give permenant cookie exception are my selfhosted services (Because I mostly trust them ? XD) and everything else is deleted after each Firefox shutdown.

      If I can’t acces the site or it’s broken, I mostly just leave and just find another ressource. This probably locks me out to a lot of sites, but that’s the trade off I’m willing to take.

      To add some more fun, I also block all GAFAM at the DNS level on my pi-hole with some strict policies. If I need to acces them for any reason, I spin-up a throwable Virtual Machine.

      I hope I answerd your question and thanks for your input ! Diving into user-overrides.js ! Thanks !

      • rhymepurple
        link
        fedilink
        English
        arrow-up
        1
        ·
        8 months ago

        the only sites I give permenant cookie exception are my selfhosted services

        This is what I was referring to. How are you accomplishing this?

        I’m still looking for the switches to block all new requests asking to access microphone, location, notification

        I can’t help with this at the moment, but if you’re still struggling with this I can provide the lines required to disable these items. However, I don’t know how to do this with exceptions (ie allowing your self hosted sites to use that functionality, but block all other sites). At minimum though you could require Firefox to ask you every time a site wants to use something. This may get repetitive for things like your self hosted sites if you have everything clearing when you exit Firefox.