From 9ad1ce561f080e7b286a35577634ab23f0e4a9b9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Tue, 19 Aug 2025 10:49:32 +0000 Subject: [PATCH 01/24] v142 --- user.js | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/user.js b/user.js index d9364ee..613ba3b 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 14 August 2025 -* version: 140 +* date: 15 September 2025 +* version: 142 * urls: https://github.com/arkenfox/user.js [repo] * : https://arkenfox.github.io/gui/ [interactive] * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -656,7 +656,7 @@ user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); /* 2820: set manual "Clear Data" items [SETUP-CHROME] [FF128+] * Firefox remembers your last choices. This will reset them when you start Firefox * [SETTING] Privacy & Security>Browser Privacy>Cookies and Site Data>Clear Data ***/ -user_pref("privacy.clearSiteData.cache", true); +user_pref("privacy.clearSiteData.cache", true); // [DEFAULT: true] user_pref("privacy.clearSiteData.cookiesAndStorage", false); // keep false until it respects "allow" site exceptions user_pref("privacy.clearSiteData.historyFormDataAndDownloads", true); // user_pref("privacy.clearSiteData.siteSettings", false); @@ -761,7 +761,10 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected. 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62) 1479239 - return "no-preference" with prefers-reduced-motion (FF63) - 1363508 & 1826051 - spoof/suppress Pointer Events (FF64, FF132) + 1363508 & 1826051 & 1957658 - spoof/suppress Pointer Events, spoof maxTouchPoints (FF64, FF132, FF143, ESR140.2) + FF64: maxTouchPoints: 0 = desktop + FF132: maxTouchPoints: 0 = mac | 10 = windows, linux, mobile + FF143/140.2: maxTouchPoints: 0 = mac, linux | 10 = windows | 5 = mobile 1492766 - spoof pointerEvent.pointerid (FF65) 1485266 - disable exposure of system colors to CSS or canvas (FF67) 1494034 - return "light" with prefers-color-scheme (FF67) From ae6242bdede070e72384a0d7da2a1f6a6505db57 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 20 Aug 2025 16:01:10 +0000 Subject: [PATCH 02/24] remove OCSP, #1576 --- user.js | 31 ++++++------------------------- 1 file changed, 6 insertions(+), 25 deletions(-) diff --git a/user.js b/user.js index 613ba3b..5235b03 100644 --- a/user.js +++ b/user.js @@ -401,29 +401,6 @@ user_pref("security.ssl.require_safe_negotiation", true); * [3] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/ user_pref("security.tls.enable_0rtt_data", false); -/** OCSP (Online Certificate Status Protocol) - [1] https://scotthelme.co.uk/revocation-is-broken/ - [2] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ -***/ -/* 1211: enforce OCSP fetching to confirm current validity of certificates - * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only - * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority) - * It's a trade-off between security (checking) and privacy (leaking info to the CA) - * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling - * [SETTING] Privacy & Security>Security>Certificates>Query OCSP responder servers... - * [1] https://en.wikipedia.org/wiki/Ocsp ***/ -user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1] -/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail - * [SETUP-WEB] SEC_ERROR_OCSP_SERVER_ERROR | SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST - * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail) - * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail) - * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it - * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers) - * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ - * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html - * [3] https://letsencrypt.org/2024/12/05/ending-ocsp/ ***/ -user_pref("security.OCSP.require", true); - /** CERTS / HPKP (HTTP Public Key Pinning) ***/ /* 1223: enable strict PKP (Public Key Pinning) * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict @@ -435,9 +412,10 @@ user_pref("security.cert_pinning.enforcement_level", 2); * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default) * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 - * [2] https://blog.mozilla.org/security/tag/crlite/ ***/ + * [2] https://blog.mozilla.org/security/tag/crlite/ + * [3] https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/ ***/ user_pref("security.remote_settings.crlite_filters.enabled", true); // [DEFAULT: true FF137+] -user_pref("security.pki.crlite_mode", 2); +user_pref("security.pki.crlite_mode", 2); // [DEFAULT: 2 FF142+] /** MIXED CONTENT ***/ /* 1241: disable insecure passive content (such as images) on https pages ***/ @@ -1052,6 +1030,9 @@ user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true] // user_pref("privacy.cpd.history", ""); // user_pref("privacy.cpd.offlineApps", ""); // user_pref("privacy.cpd.sessions", ""); +/* 6051: prefsCleaner: reset previously active items removed from arkenfox FF140+ ***/ + // user_pref("security.OCSP.enabled", ""); + // user_pref("security.OCSP.require", ""); /*** [SECTION 7000]: DON'T BOTHER ***/ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!"); From 934a339e41fd495a4be7139c892f9f6e70cd7fb1 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 20 Aug 2025 16:10:56 +0000 Subject: [PATCH 03/24] add removed OCSP prefs to cleanup script --- scratchpad-scripts/arkenfox-cleanup.js | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index b1b44f5..b0d8a06 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -6,7 +6,7 @@ There is an archived version at https://github.com/arkenfox/user.js/issues/123 if you want the full list since jesus - Last updated: 14-August-2025 + Last updated: 20-August-2025 Instructions: - [optional] close Firefox and backup your profile @@ -76,6 +76,9 @@ 'security.ssl3.rsa_des_ede3_sha', // 93 /* REMOVED */ + /* 141-153 */ + 'security.OCSP.enabled', + 'security.OCSP.require', /* 129-140 */ 'dom.securecontext.allowlist_onions', 'network.http.referer.hideOnionSource', From ff92cee8f0865a52b917800887a77760b65aa6a0 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 24 Aug 2025 05:03:28 +0000 Subject: [PATCH 04/24] update FPP info --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 5235b03..9fbbc2d 100644 --- a/user.js +++ b/user.js @@ -204,7 +204,7 @@ user_pref("network.prefetch-next", false); user_pref("network.dns.disablePrefetch", true); user_pref("network.dns.disablePrefetchFromHTTPS", true); /* 0603: disable predictor / prefetching ***/ -user_pref("network.predictor.enabled", false); +user_pref("network.predictor.enabled", false); // [DEFAULT: false FF144+] user_pref("network.predictor.enable-prefetch", false); // [FF48+] [DEFAULT: false] /* 0604: disable link-mouseover opening connection to linked server * [1] https://news.slashdot.org/story/15/08/14/2321202/how-to-quash-firefoxs-silent-requests ***/ @@ -681,7 +681,7 @@ user_pref("privacy.sanitize.timeSpan", 0); 1887682 - use fdlibm's sin, cos and tan in jsmath (FF134+) 1978414 - various (FF143+) 1954194: available screen resolution: return a fixed offset height from screen per platform when not full screen - 1978414: hardwareConcurrency: return 2 (existing RFPTarget) + 1978414 & 1984333: hardwareConcurrency: return 2 (FF143) | mac return 8 else return 4 (FF144+) 1977836: maxTouchPoints: return multi-touch as 5 ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); From c5087d6522ee63140dac916efb1fde41f6e6f058 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Mon, 25 Aug 2025 11:25:44 +0000 Subject: [PATCH 05/24] tidy --- user.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 9fbbc2d..048e1b2 100644 --- a/user.js +++ b/user.js @@ -681,7 +681,7 @@ user_pref("privacy.sanitize.timeSpan", 0); 1887682 - use fdlibm's sin, cos and tan in jsmath (FF134+) 1978414 - various (FF143+) 1954194: available screen resolution: return a fixed offset height from screen per platform when not full screen - 1978414 & 1984333: hardwareConcurrency: return 2 (FF143) | mac return 8 else return 4 (FF144+) + 1978414 & 1984333: hardwareConcurrency: return 2 (FF143) | less than 8 return 4 else return 8 (FF144+) 1977836: maxTouchPoints: return multi-touch as 5 ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); @@ -714,7 +714,6 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); [WARNING] DO NOT USE extensions to alter RFP protected metrics 418986 - limit window.screen & CSS media queries (FF41) - 1360039 - spoof navigator.hardwareConcurrency as 2 (FF55) FF56 1333651 - spoof User Agent & Navigator API JS: spoofed as Windows 10, OS X 10.15, Android 10, or Linux @@ -773,6 +772,8 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); 1972600 - spoof network connection for HTMLMediaElement preload (FF142, ESR140.1) 1975851 - return true for navigator.onLine (FF142, ESR140.1) 1973265 - disable WebCodecs API (FF142?) + 1984333 - spoof navigator.hardwareConcurrency as 4 except mac return 8 (FF144+) + previously FF55+ it returned 2 ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable RFP From 0ef5f72c5f297b42c4503c2ad3194c5fb0fcf240 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 24 Sep 2025 13:23:18 +0000 Subject: [PATCH 06/24] tidy --- user.js | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/user.js b/user.js index 048e1b2..06d9708 100644 --- a/user.js +++ b/user.js @@ -1,7 +1,7 @@ /****** * name: arkenfox user.js -* date: 15 September 2025 -* version: 142 +* date: 15 October 2025 +* version: 144 * urls: https://github.com/arkenfox/user.js [repo] * : https://arkenfox.github.io/gui/ [interactive] * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt @@ -679,10 +679,10 @@ user_pref("privacy.sanitize.timeSpan", 0); https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc 1858181 - subtly randomize canvas per eTLD+1, per session and per window-mode (FF120+) 1887682 - use fdlibm's sin, cos and tan in jsmath (FF134+) - 1978414 - various (FF143+) - 1954194: available screen resolution: return a fixed offset height from screen per platform when not full screen - 1978414 & 1984333: hardwareConcurrency: return 2 (FF143) | less than 8 return 4 else return 8 (FF144+) - 1977836: maxTouchPoints: return multi-touch as 5 + 1954194 - available screen resolution: return a fixed offset height from screen per platform when not full screen (FF143+) + 1984333 - hardwareConcurrency: less than 8 return 4 else return 8 (FF143+) + 1977836 - maxTouchPoints: return multi-touch as 5 (FF143+) + 1917607 - subtly randomize WebGL's readPixels (FF145+) ***/ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); /* 4001: enable FPP in PB mode [FF114+] @@ -771,7 +771,7 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); 1781277 - return 10GiB for storage estimate until persistent-storage granted (FF142, ESR140.1) 1972600 - spoof network connection for HTMLMediaElement preload (FF142, ESR140.1) 1975851 - return true for navigator.onLine (FF142, ESR140.1) - 1973265 - disable WebCodecs API (FF142?) + 1973265 - disable WebCodecs API (FF142) 1984333 - spoof navigator.hardwareConcurrency as 4 except mac return 8 (FF144+) previously FF55+ it returned 2 ***/ From a05d90d6126b98b0d4aadf5bc280c3620852011a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 1 Oct 2025 08:38:49 +0000 Subject: [PATCH 07/24] make 2635 active it added as inactive in 140 due to bugs not fixed in time - seems stable now --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 06d9708..cea0f11 100644 --- a/user.js +++ b/user.js @@ -549,7 +549,7 @@ user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: fa user_pref("browser.contentanalysis.enabled", false); // [FF121+] [DEFAULT: false] user_pref("browser.contentanalysis.default_result", 0); // [FF127+] [DEFAULT: 0] /* 2635: disable referrer and storage access for resources injected by content scripts [FF139+] ***/ - // user_pref("privacy.antitracking.isolateContentScriptResources", true); +user_pref("privacy.antitracking.isolateContentScriptResources", true); /* 2640: disable CSP Level 2 Reporting [FF140+] ***/ user_pref("security.csp.reporting.enabled", false); From 7007e28e4ed30a2748e889c2f1e13983583949d9 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Thu, 9 Oct 2025 07:10:19 +0000 Subject: [PATCH 08/24] tidy --- user.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index cea0f11..1c086a3 100644 --- a/user.js +++ b/user.js @@ -409,8 +409,8 @@ user_pref("security.cert_pinning.enforcement_level", 2); /* 1224: enable CRLite [FF73+] * 0 = disabled * 1 = consult CRLite but only collect telemetry - * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results - * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default) + * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results (default) + * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (removed FF145) * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071 * [2] https://blog.mozilla.org/security/tag/crlite/ * [3] https://hacks.mozilla.org/2025/08/crlite-fast-private-and-comprehensive-certificate-revocation-checking-in-firefox/ ***/ @@ -758,6 +758,7 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); 1794628 - return "none" with inverted-colors (FF114) 1787790 - normalize system fonts (FF128) 1835987 - spoof timezone as Atlantic/Reykjavik (previously FF55+ was UTC) (FF128) + 1656377 - spoof pointerEvents azimuthAngle and altitudeAngle (FF131) 1834307 - always use smooth scrolling (FF132) 1918202 - spoof screen orientation based on spoofed screen size and platform (FF132) previously FF50+ it always returned landscape-primary and an angle of 0 From ba7f0cee9a8107f18011ca0f9647a6f4b27a03d8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 31 Oct 2025 18:37:36 +0000 Subject: [PATCH 09/24] don't sanitize history/downloads --- user.js | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/user.js b/user.js index 1c086a3..fd2aace 100644 --- a/user.js +++ b/user.js @@ -1,6 +1,6 @@ /****** * name: arkenfox user.js -* date: 15 October 2025 +* date: 5 November 2025 * version: 144 * urls: https://github.com/arkenfox/user.js [repo] * : https://arkenfox.github.io/gui/ [interactive] @@ -23,6 +23,7 @@ [SETUP-SECURITY] it's one item, read it [SETUP-WEB] can cause some websites to break [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related) + [SETUP-HARDEN] prefs you may like to add to overrides 6. Override Recipes: https://github.com/arkenfox/user.js/issues/1080 * RELEASES: https://github.com/arkenfox/user.js/releases @@ -599,7 +600,12 @@ user_pref("browser.contentblocking.category", "strict"); // [HIDDEN PREF] * [3] https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/ // user_pref("privacy.antitracking.enableWebcompat", false); -/*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/ +/*** [SECTION 2800]: SHUTDOWN & SANITIZING + We enable sanitizeOnShutdown to help prevent 1st party website tracking across sessions. + We consider history/downloads, which are not accessible to websites, as orthogonal and exempt these + + [SETUP-HARDEN] to clear all history/downloads on close, add the appropriate overrides from 2800's +***/ user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!"); /* 2810: enable Firefox to clear items on shutdown * [NOTE] In FF129+ clearing "siteSettings" on shutdown (2811+), or manually via site data (2820+) and @@ -610,11 +616,11 @@ user_pref("privacy.sanitize.sanitizeOnShutdown", true); /** SANITIZE ON SHUTDOWN: IGNORES "ALLOW" SITE EXCEPTIONS ***/ /* 2811: set/enforce clearOnShutdown items (if 2810 is true) [SETUP-CHROME] [FF128+] ***/ user_pref("privacy.clearOnShutdown_v2.cache", true); // [DEFAULT: true] -user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", true); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown_v2.historyFormDataAndDownloads", false); // [DEFAULT: true] // user_pref("privacy.clearOnShutdown_v2.siteSettings", false); // [DEFAULT: false] /* 2812: set/enforce clearOnShutdown items [FF136+] ***/ -user_pref("privacy.clearOnShutdown_v2.browsingHistoryAndDownloads", true); // [DEFAULT: true] -user_pref("privacy.clearOnShutdown_v2.downloads", true); // [HIDDEN] +user_pref("privacy.clearOnShutdown_v2.browsingHistoryAndDownloads", false); // [DEFAULT: true] +user_pref("privacy.clearOnShutdown_v2.downloads", false); // [HIDDEN] user_pref("privacy.clearOnShutdown_v2.formdata", true); /* 2813: set Session Restore to clear on shutdown (if 2810 is true) [FF34+] * [NOTE] Not needed if Session Restore is not used (0102) or it is already cleared with history (2811+) @@ -636,10 +642,10 @@ user_pref("privacy.clearOnShutdown_v2.cookiesAndStorage", true); * [SETTING] Privacy & Security>Browser Privacy>Cookies and Site Data>Clear Data ***/ user_pref("privacy.clearSiteData.cache", true); // [DEFAULT: true] user_pref("privacy.clearSiteData.cookiesAndStorage", false); // keep false until it respects "allow" site exceptions -user_pref("privacy.clearSiteData.historyFormDataAndDownloads", true); +user_pref("privacy.clearSiteData.historyFormDataAndDownloads", false); // user_pref("privacy.clearSiteData.siteSettings", false); /* 2821: set manual "Clear Data" items [FF136+] ***/ -user_pref("privacy.clearSiteData.browsingHistoryAndDownloads", true); +user_pref("privacy.clearSiteData.browsingHistoryAndDownloads", false); user_pref("privacy.clearSiteData.formdata", true); /** SANITIZE HISTORY: IGNORES "ALLOW" SITE EXCEPTIONS ***/ @@ -648,10 +654,10 @@ user_pref("privacy.clearSiteData.formdata", true); * [SETTING] Privacy & Security>History>Custom Settings>Clear History ***/ user_pref("privacy.clearHistory.cache", true); // [DEFAULT: true] user_pref("privacy.clearHistory.cookiesAndStorage", false); -user_pref("privacy.clearHistory.historyFormDataAndDownloads", true); // [DEFAULT: true] +user_pref("privacy.clearHistory.historyFormDataAndDownloads", false); // [DEFAULT: true] // user_pref("privacy.clearHistory.siteSettings", false); // [DEFAULT: false] /* 2831: set manual "Clear History" items [FF136+] ***/ -user_pref("privacy.clearHistory.browsingHistoryAndDownloads", true); // [DEFAULT: true] +user_pref("privacy.clearHistory.browsingHistoryAndDownloads", false); // [DEFAULT: true] user_pref("privacy.clearHistory.formdata", true); /** SANITIZE MANUAL: TIMERANGE ***/ From d01f1e971e46e2d69a1afd0cbce004717a0cc181 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 31 Oct 2025 19:04:26 +0000 Subject: [PATCH 10/24] update clearing history mentions --- user.js | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index fd2aace..6972f33 100644 --- a/user.js +++ b/user.js @@ -84,7 +84,7 @@ user_pref("browser.aboutConfig.showWarning", false); user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!"); /* 0102: set startup page [SETUP-CHROME] * 0=blank, 1=home, 2=last visited page, 3=resume previous session - * [NOTE] Session Restore is cleared with history (2811+), and not used in Private Browsing mode + * [NOTE] Session Restore is cleared if history is also cleared (2811+), and not used in Private Browsing mode * [SETTING] General>Startup>Restore previous session ***/ user_pref("browser.startup.page", 0); /* 0103: set HOME+NEWWINDOW page @@ -293,7 +293,7 @@ user_pref("browser.urlbar.yelp.featureGate", false); // [FF124+] /* 0807: disable urlbar clipboard suggestions [FF118+] ***/ // user_pref("browser.urlbar.clipboard.featureGate", false); /* 0808: disable recent searches [FF120+] - * [NOTE] Recent searches are cleared with history (2811+) + * [NOTE] Recent searches are cleared if history is cleared (2811+) * [1] https://support.mozilla.org/kb/search-suggestions-firefox ***/ // user_pref("browser.urlbar.recentsearches.featureGate", false); /* 0810: disable search and form history @@ -310,7 +310,7 @@ user_pref("browser.formfill.enable", false); /* 0820: disable coloring of visited links * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing - * attacks. Don't forget clearing history on exit (2811+). However, social engineering [2#limits][4][5] + * attacks. History can also be cleared on exit (2811+). However, social engineering [2#limits][4][5] * and advanced targeted timing attacks could still produce usable results * [1] https://developer.mozilla.org/docs/Web/CSS/Privacy_and_the_:visited_selector * [2] https://dbaron.org/mozilla/visited-privacy From 1c76110c4cc2eb5357067b6f98ab5ebc7d563dab Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 31 Oct 2025 20:22:46 +0000 Subject: [PATCH 11/24] remove 4510, #1965 --- user.js | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/user.js b/user.js index 6972f33..b3d7374 100644 --- a/user.js +++ b/user.js @@ -822,9 +822,6 @@ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); user_pref("privacy.spoof_english", 1); /* 4507: skip browser.startup.blankWindow if RFP is used [FF136+] ***/ // user_pref("privacy.resistFingerprinting.skipEarlyBlankFirstPaint", true); // [DEFAULT: true] -/* 4510: disable using system colors - * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/ -user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS] /* 4511: disable using system accent colors ***/ user_pref("widget.non-native-theme.use-theme-accent", false); // [DEFAULT: false WINDOWS] /* 4512: enforce links targeting new windows to open in a new tab instead @@ -1039,6 +1036,7 @@ user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true] // user_pref("privacy.cpd.offlineApps", ""); // user_pref("privacy.cpd.sessions", ""); /* 6051: prefsCleaner: reset previously active items removed from arkenfox FF140+ ***/ + // user_pref("browser.display.use_system_colors", ""); // user_pref("security.OCSP.enabled", ""); // user_pref("security.OCSP.require", ""); From 8cd31371f2b6f56ca23ffae4b2775c6b94772f2a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 31 Oct 2025 20:23:52 +0000 Subject: [PATCH 12/24] browser.display.use_system_colors, #1965 --- scratchpad-scripts/arkenfox-cleanup.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index b0d8a06..20803bd 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -6,7 +6,7 @@ There is an archived version at https://github.com/arkenfox/user.js/issues/123 if you want the full list since jesus - Last updated: 20-August-2025 + Last updated: 1-November-2025 Instructions: - [optional] close Firefox and backup your profile @@ -77,6 +77,7 @@ /* REMOVED */ /* 141-153 */ + 'browser.display.use_system_colors', 'security.OCSP.enabled', 'security.OCSP.require', /* 129-140 */ From 1f58af5cf668a86ffcead2238e290bddabb91bd8 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 31 Oct 2025 22:12:57 +0000 Subject: [PATCH 13/24] add document_color_use, #1965 --- user.js | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/user.js b/user.js index b3d7374..57d7e3e 100644 --- a/user.js +++ b/user.js @@ -822,6 +822,10 @@ user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); user_pref("privacy.spoof_english", 1); /* 4507: skip browser.startup.blankWindow if RFP is used [FF136+] ***/ // user_pref("privacy.resistFingerprinting.skipEarlyBlankFirstPaint", true); // [DEFAULT: true] +/* 4510: enforce Contrast Control off [FF138+] + * 0=automatic, 1=off, 2=custom + * [SETTING] General>Language and Appearance>Contrast Control */ + // user_pref("browser.display.document_color_use", 1); // [DEFAULT: 1 NON-WINDOWS] /* 4511: disable using system accent colors ***/ user_pref("widget.non-native-theme.use-theme-accent", false); // [DEFAULT: false WINDOWS] /* 4512: enforce links targeting new windows to open in a new tab instead From c569822cd1ffdb22c04f5533fc3e068c8c78131e Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Fri, 31 Oct 2025 22:15:04 +0000 Subject: [PATCH 14/24] grrrrr .. must. be. consistent. --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index 57d7e3e..bf9f298 100644 --- a/user.js +++ b/user.js @@ -824,7 +824,7 @@ user_pref("privacy.spoof_english", 1); // user_pref("privacy.resistFingerprinting.skipEarlyBlankFirstPaint", true); // [DEFAULT: true] /* 4510: enforce Contrast Control off [FF138+] * 0=automatic, 1=off, 2=custom - * [SETTING] General>Language and Appearance>Contrast Control */ + * [SETTING] General>Language and Appearance>Contrast Control ***/ // user_pref("browser.display.document_color_use", 1); // [DEFAULT: 1 NON-WINDOWS] /* 4511: disable using system accent colors ***/ user_pref("widget.non-native-theme.use-theme-accent", false); // [DEFAULT: false WINDOWS] From e69b54487c8ec5d94ff40eb885c1491cd495840c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 1 Nov 2025 02:54:54 +0000 Subject: [PATCH 15/24] correct RFP info --- user.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/user.js b/user.js index bf9f298..5e41a85 100644 --- a/user.js +++ b/user.js @@ -779,7 +779,7 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); 1972600 - spoof network connection for HTMLMediaElement preload (FF142, ESR140.1) 1975851 - return true for navigator.onLine (FF142, ESR140.1) 1973265 - disable WebCodecs API (FF142) - 1984333 - spoof navigator.hardwareConcurrency as 4 except mac return 8 (FF144+) + 1984333 - spoof navigator.hardwareConcurrency as 4 except mac return 8 (FF143+) previously FF55+ it returned 2 ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); From 7c4444167fbf5951de6589c83af6ffe345fd1a9f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 12 Nov 2025 03:02:29 +0000 Subject: [PATCH 16/24] remove fakespot default false and discontinued --- user.js | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 5e41a85..182a9a9 100644 --- a/user.js +++ b/user.js @@ -285,7 +285,6 @@ user_pref("browser.urlbar.trending.featureGate", false); /* 0806: disable urlbar suggestions ***/ user_pref("browser.urlbar.addons.featureGate", false); // [FF115+] user_pref("browser.urlbar.amp.featureGate", false); // [FF141+] adMarketplace -user_pref("browser.urlbar.fakespot.featureGate", false); // [FF130+] [DEFAULT: false] user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] user_pref("browser.urlbar.wikipedia.featureGate", false); // [FF141+] @@ -592,13 +591,16 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin * [SETTING] to add site exceptions: Urlbar>ETP Shield * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/ user_pref("browser.contentblocking.category", "strict"); // [HIDDEN PREF] -/* 2702: disable ETP web compat features [FF93+] +/* 2702: disable ETP web compat features (about:compat) [FF93+] * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants * Opener and redirect heuristics are granted for 30 days, see [3] * [1] https://blog.mozilla.org/security/2021/07/13/smartblock-v2/ * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 * [3] https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/ // user_pref("privacy.antitracking.enableWebcompat", false); +/* 2705: (FF142+) + [1] https://support.mozilla.org/en-US/kb/manage-enhanced-tracking-protection-exceptions + [2] https://etp-exceptions.mozilla.org/ ***/ /*** [SECTION 2800]: SHUTDOWN & SANITIZING We enable sanitizeOnShutdown to help prevent 1st party website tracking across sessions. @@ -676,6 +678,7 @@ user_pref("privacy.sanitize.timeSpan", 0); on a per site basis for compatibility (4004). https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargetsDefault.inc + https://support.mozilla.org/en-US/kb/firefox-protection-against-fingerprinting#w_how-does-each-protection-work [NOTE] RFPTargets + granular overrides are somewhat experimental and may produce unexpected results - e.g. FrameRate can only be controlled per process, not per origin @@ -1041,6 +1044,7 @@ user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true] // user_pref("privacy.cpd.sessions", ""); /* 6051: prefsCleaner: reset previously active items removed from arkenfox FF140+ ***/ // user_pref("browser.display.use_system_colors", ""); + // user_pref("browser.urlbar.fakespot.featureGate", ""); // user_pref("security.OCSP.enabled", ""); // user_pref("security.OCSP.require", ""); From 845872ca65811be9fd674bd0158b5b60fc7c02b6 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 12 Nov 2025 03:03:37 +0000 Subject: [PATCH 17/24] fakespot.featureGate --- scratchpad-scripts/arkenfox-cleanup.js | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/scratchpad-scripts/arkenfox-cleanup.js b/scratchpad-scripts/arkenfox-cleanup.js index 20803bd..4599e73 100644 --- a/scratchpad-scripts/arkenfox-cleanup.js +++ b/scratchpad-scripts/arkenfox-cleanup.js @@ -6,7 +6,7 @@ There is an archived version at https://github.com/arkenfox/user.js/issues/123 if you want the full list since jesus - Last updated: 1-November-2025 + Last updated: 12-November-2025 Instructions: - [optional] close Firefox and backup your profile @@ -78,6 +78,7 @@ /* REMOVED */ /* 141-153 */ 'browser.display.use_system_colors', + 'browser.urlbar.fakespot.featureGate', 'security.OCSP.enabled', 'security.OCSP.require', /* 129-140 */ From 59c17aad4c8463ca07fca404a99f6a4997cf2157 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Wed, 12 Nov 2025 14:03:00 +0000 Subject: [PATCH 18/24] MOAR featuregates JFC --- user.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/user.js b/user.js index 182a9a9..fb370c0 100644 --- a/user.js +++ b/user.js @@ -285,6 +285,8 @@ user_pref("browser.urlbar.trending.featureGate", false); /* 0806: disable urlbar suggestions ***/ user_pref("browser.urlbar.addons.featureGate", false); // [FF115+] user_pref("browser.urlbar.amp.featureGate", false); // [FF141+] adMarketplace +user_pref("browser.urlbar.importantDates.featureGate", false); // [FF143+] +user_pref("browser.urlbar.market.featureGate", false); // [FF143+] financial stocks user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] user_pref("browser.urlbar.wikipedia.featureGate", false); // [FF141+] From dd081db0075ad26fd71d7a429993bd163654b369 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 15 Nov 2025 05:59:31 +0000 Subject: [PATCH 19/24] ETP exception lists --- user.js | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/user.js b/user.js index fb370c0..487205a 100644 --- a/user.js +++ b/user.js @@ -1,6 +1,6 @@ /****** * name: arkenfox user.js -* date: 5 November 2025 +* date: 15 November 2025 * version: 144 * urls: https://github.com/arkenfox/user.js [repo] * : https://arkenfox.github.io/gui/ [interactive] @@ -286,7 +286,7 @@ user_pref("browser.urlbar.trending.featureGate", false); user_pref("browser.urlbar.addons.featureGate", false); // [FF115+] user_pref("browser.urlbar.amp.featureGate", false); // [FF141+] adMarketplace user_pref("browser.urlbar.importantDates.featureGate", false); // [FF143+] -user_pref("browser.urlbar.market.featureGate", false); // [FF143+] financial stocks +user_pref("browser.urlbar.market.featureGate", false); // [FF143+] stock market user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] user_pref("browser.urlbar.wikipedia.featureGate", false); // [FF141+] @@ -600,9 +600,12 @@ user_pref("browser.contentblocking.category", "strict"); // [HIDDEN PREF] * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12 * [3] https://developer.mozilla.org/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/ // user_pref("privacy.antitracking.enableWebcompat", false); -/* 2705: (FF142+) +/* 2705: set ETP Strict/Custom exception lists (FF141+) + [SETTING] Options>Privacy & Security>Enhanced Tracking Protection>Strict/Custom>Fix major [baseline] | minor [convenience] [1] https://support.mozilla.org/en-US/kb/manage-enhanced-tracking-protection-exceptions [2] https://etp-exceptions.mozilla.org/ ***/ +user_pref("privacy.trackingprotection.allow_list.baseline.enabled", true); // [DEFAULT: true] +user_pref("privacy.trackingprotection.allow_list.convenience.enabled", false); // DEFAULT: false when ETP Strict manually chosen] /*** [SECTION 2800]: SHUTDOWN & SANITIZING We enable sanitizeOnShutdown to help prevent 1st party website tracking across sessions. From 669930fd21f7e66c7b64bad932d36c0c955c6776 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 15 Nov 2025 08:15:49 +0000 Subject: [PATCH 20/24] passkeys attestation --- user.js | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 487205a..c6d4b96 100644 --- a/user.js +++ b/user.js @@ -47,7 +47,7 @@ 0600: BLOCK IMPLICIT OUTBOUND 0700: DNS / DoH / PROXY / SOCKS 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS - 0900: PASSWORDS + 0900: PASSWORDS / PASSKEYS 1000: DISK AVOIDANCE 1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP) 1600: REFERERS @@ -324,7 +324,7 @@ user_pref("browser.formfill.enable", false); user_pref("browser.search.separatePrivateDefault", true); // [FF70+] user_pref("browser.search.separatePrivateDefault.ui.enabled", true); // [FF71+] -/*** [SECTION 0900]: PASSWORDS +/*** [SECTION 0900]: PASSWORDS / PASSKEYS [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas ***/ user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!"); @@ -350,6 +350,9 @@ user_pref("network.auth.subresource-http-auth-allow", 1); /* 0907: enforce no automatic authentication on Microsoft sites [FF131+] [MAC] * On macOS, SSO only works on corporate devices ***/ // user_pref("network.http.microsoft-entra-sso.enabled", false); // [DEFAULT: false] +/* 0910: enforce no direct attestation in passkeys [FF144+] + // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1981587 ***/ +pref("security.webauthn.always_allow_direct_attestation", false); // [DEFAULT: false] /*** [SECTION 1000]: DISK AVOIDANCE ***/ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); From e1dd797b380d08ec7da47ffaa39f425678eced40 Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 16 Nov 2025 03:34:58 +0000 Subject: [PATCH 21/24] yelpRealtime.featureGate --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index c6d4b96..7f64353 100644 --- a/user.js +++ b/user.js @@ -291,6 +291,7 @@ user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] user_pref("browser.urlbar.wikipedia.featureGate", false); // [FF141+] user_pref("browser.urlbar.yelp.featureGate", false); // [FF124+] +user_pref("browser.urlbar.yelpRealtime.featureGate", false); // [FF144+] /* 0807: disable urlbar clipboard suggestions [FF118+] ***/ // user_pref("browser.urlbar.clipboard.featureGate", false); /* 0808: disable recent searches [FF120+] From 5ca8f0c10c970af982e27198479e65c2ade9cb8f Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sun, 16 Nov 2025 19:41:12 +0000 Subject: [PATCH 22/24] tidy --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 7f64353..00b27f2 100644 --- a/user.js +++ b/user.js @@ -353,7 +353,7 @@ user_pref("network.auth.subresource-http-auth-allow", 1); // user_pref("network.http.microsoft-entra-sso.enabled", false); // [DEFAULT: false] /* 0910: enforce no direct attestation in passkeys [FF144+] // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1981587 ***/ -pref("security.webauthn.always_allow_direct_attestation", false); // [DEFAULT: false] +user_pref("security.webauthn.always_allow_direct_attestation", false); // [DEFAULT: false] /*** [SECTION 1000]: DISK AVOIDANCE ***/ user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!"); @@ -609,7 +609,7 @@ user_pref("browser.contentblocking.category", "strict"); // [HIDDEN PREF] [1] https://support.mozilla.org/en-US/kb/manage-enhanced-tracking-protection-exceptions [2] https://etp-exceptions.mozilla.org/ ***/ user_pref("privacy.trackingprotection.allow_list.baseline.enabled", true); // [DEFAULT: true] -user_pref("privacy.trackingprotection.allow_list.convenience.enabled", false); // DEFAULT: false when ETP Strict manually chosen] +user_pref("privacy.trackingprotection.allow_list.convenience.enabled", true); // [DEFAULT: true] /*** [SECTION 2800]: SHUTDOWN & SANITIZING We enable sanitizeOnShutdown to help prevent 1st party website tracking across sessions. From 54956e548a837b2873387d175e6f36d12d006c6a Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 22 Nov 2025 00:39:35 +0000 Subject: [PATCH 23/24] update RFP info --- user.js | 1 + 1 file changed, 1 insertion(+) diff --git a/user.js b/user.js index 00b27f2..75f5c6b 100644 --- a/user.js +++ b/user.js @@ -793,6 +793,7 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); 1973265 - disable WebCodecs API (FF142) 1984333 - spoof navigator.hardwareConcurrency as 4 except mac return 8 (FF143+) previously FF55+ it returned 2 + 1999126 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF147+) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable RFP From c90135cf86a3c73c38c9904facae50b9f422024c Mon Sep 17 00:00:00 2001 From: Thorin-Oakenpants Date: Sat, 22 Nov 2025 00:40:49 +0000 Subject: [PATCH 24/24] be consistent --- user.js | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/user.js b/user.js index 75f5c6b..9e22dad 100644 --- a/user.js +++ b/user.js @@ -791,9 +791,9 @@ user_pref("_user.js.parrot", "4000 syntax error: the parrot's bereft of life!"); 1972600 - spoof network connection for HTMLMediaElement preload (FF142, ESR140.1) 1975851 - return true for navigator.onLine (FF142, ESR140.1) 1973265 - disable WebCodecs API (FF142) - 1984333 - spoof navigator.hardwareConcurrency as 4 except mac return 8 (FF143+) + 1984333 - spoof navigator.hardwareConcurrency as 4 except mac return 8 (FF143) previously FF55+ it returned 2 - 1999126 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF147+) + 1999126 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF147) ***/ user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs"); /* 4501: enable RFP