From 347c608787b1c13ab3556723667064a232f0ffff Mon Sep 17 00:00:00 2001 From: sommerfeld Date: Fri, 17 Apr 2026 10:54:18 +0100 Subject: refactor: clean up firefox user-overrides.js MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Remove 4 dead commented-out prefs (privatebrowsing.autostart, sessionstore.privacy_level, media.eme.enabled, disableIPv6 duplicate) - Remove deprecated pdfjs.disabled (dropped from arkenfox, no longer honored) - Remove deprecated browser.fixup.domainsuffixwhitelist.i2p (FF120+) - Strip arkenfox wiki comment bloat: 97 → 22 lines - Organize remaining 15 active prefs by section --- firefox/user-overrides.js | 106 ++++++++-------------------------------------- 1 file changed, 18 insertions(+), 88 deletions(-) diff --git a/firefox/user-overrides.js b/firefox/user-overrides.js index 5f57297..c6d3bc8 100644 --- a/firefox/user-overrides.js +++ b/firefox/user-overrides.js @@ -1,96 +1,26 @@ -/* override recipe: enable session restore ***/ -user_pref("browser.startup.page", 3); // 0102 - // user_pref("browser.privatebrowsing.autostart", false); // 0110 required if you had it set as true - // user_pref("browser.sessionstore.privacy_level", 0); // 1003 optional to restore cookies/formdata -user_pref("privacy.clearOnShutdown_v2.browsingHistoryAndDownloads", false); // [DEFAULT: true] -user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false); // 2811 FF128+ +/** Session restore **/ +user_pref("browser.startup.page", 3); // 0102: resume previous session +user_pref("privacy.clearOnShutdown_v2.browsingHistoryAndDownloads", false); +user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false); // FF128+ -/* 1601: control when to send a cross-origin referer - * 0=always (default), 1=only if base domains match, 2=only if hosts match - * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram - * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/ -user_pref("network.http.referer.XOriginPolicy", 0); +/** Search & URL bar **/ +user_pref("keyword.enabled", true); // allow search from URL bar +user_pref("network.http.referer.XOriginPolicy", 0); // always send cross-origin referer -/* 0801: disable location bar using search - * Don't leak URL typos to a search engine, give an error message instead - * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com" - * [NOTE] This does not affect explicit user action such as using search buttons in the - * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo) - * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/ -user_pref("keyword.enabled", true); - -/* 2620: enforce PDFJS, disable PDFJS scripting - * This setting controls if the option "Display in Firefox" is available in the setting below - * and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With") - * [WHY] pdfjs is lightweight, open source, and secure: the last exploit was June 2015 [1] - * It doesn't break "state separation" of browser content (by not sharing with OS, independent apps). - * It maintains disk avoidance and application data isolation. It's convenient. You can still save to disk. - * [NOTE] JS can still force a pdf to open in-browser by bundling its own code - * [SETUP-CHROME] You may prefer a different pdf reader for security/workflow reasons - * [SETTING] General>Applications>Portable Document Format (PDF) - * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/ -user_pref("pdfjs.disabled", true); // [DEFAULT: false] - -/* 5003: disable saving passwords - * [NOTE] This does not clear any passwords already saved - * [SETTING] Privacy & Security>Logins and Passwords>Ask to save logins and passwords for websites ***/ +/** Passwords & autofill **/ user_pref("signon.rememberSignons", false); +user_pref("extensions.formautofill.addresses.enabled", false); +user_pref("extensions.formautofill.creditCards.enabled", false); +user_pref("extensions.formautofill.heuristics.enabled", false); -/* 5017: disable Form Autofill - * If .supportedCountries includes your region (browser.search.region) and .supported - * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON - * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes - * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses - * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/ -user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+] -user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+] -user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+] - -/* 2022: disable all DRM content (EME: Encryption Media Extension) - * Optionally hide the setting which also disables the DRM prompt - * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV - * [SETTING] General>DRM Content>Play DRM-controlled content - * [TEST] https://bitmovin.com/demos/drm - * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/ -// user_pref("media.eme.enabled", false); // already disabled -user_pref("browser.eme.ui.enabled", false); +/** DRM **/ +user_pref("browser.eme.ui.enabled", false); // hide DRM UI toggle -/* 0701: disable IPv6 - * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming - * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4 - * [SETUP-WEB] PR_CONNECT_RESET_ERROR: this pref *might* be the cause - * [STATS] Firefox telemetry (Sept 2022) shows ~8% of successful connections are IPv6 - * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an - * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP, - * then this won't make much difference. If you are masking your IP, then it can only help. - * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT" - * [TEST] https://ipleak.org/ - * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/ -// user_pref("network.dns.disableIPv6", true); -user_pref("network.dns.disableIPv6", false); +/** Network **/ +user_pref("network.dns.disableIPv6", false); // keep IPv6 enabled +/** Resist Fingerprinting **/ user_pref("privacy.resistFingerprinting.testGranularityMask", 4); -/* 4505: experimental RFP [FF91+] - * [WARNING] DO NOT USE unless testing, see [1] comment 12 - * [1] https://bugzilla.mozilla.org/1635603 ***/ user_pref("privacy.resistFingerprinting.exemptedDomains", "meet.google.com,teams.microsoft.com"); - -user_pref("browser.fixup.domainsuffixwhitelist.i2p", true); - -/* 4504: enable letterboxing [FF67+] - * Dynamically resizes the inner window by applying margins in stepped ranges [2] - * If you use the dimension pref, then it will only apply those resolutions. - * The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000") - * [SETUP-WEB] This is independent of RFP (4501). If you're not using RFP, or you are but - * dislike the margins, then flip this pref, keeping in mind that it is effectively fingerprintable - * [WARNING] DO NOT USE: the dimension pref is only meant for testing - * [1] https://bugzilla.mozilla.org/1407366 - * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/ -user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF] - -/* 4506: disable RFP spoof english prompt [FF59+] - * 0=prompt, 1=disabled, 2=enabled - * [NOTE] When changing from value 2, preferred languages ('intl.accept_languages') is not reset. - * [SETUP-WEB] when enabled, sets 'en-US, en' for displaying pages and 'en-US' as locale. - * [SETTING] General>Language>Choose your preferred language for displaying pages>Choose>Request English... ***/ -user_pref("privacy.spoof_english", 2); +user_pref("privacy.resistFingerprinting.letterboxing", true); +user_pref("privacy.spoof_english", 2); // force English headers -- cgit v1.2.3-70-g09d2