Another Firefox Hardening Guide

[SearchLight]

Decided to give Firefox 90 a spin, and came across this Firefox Hardening Guide. It seemed comprehensive and easy to understand, so I followed some of the suggestions. Like with all browsers, everyone has their own personal preferences in regard to Firefox Hardening, so your mileage may vary.

Here it is for anyone interested: Yet Another Firefox Hardening Guide | Chris Xiao

 

[The_King]

I believe the dev for Decentraleyes has stopped updating it. (Listed at the bottom of the guide)
So you can use LocalCDN instead, which is a fork of Decentraleyes and has been updated recently.

LocalCDN – Get this Extension for 🦊 Firefox (en-US)

Download LocalCDN for Firefox. Emulates remote frameworks (e.g. jQuery, Bootstrap, AngularJS) and delivers them as local resource. Prevents unnecessary 3rd party requests to Google, StackPath, MaxCDN and more. Prepared rules for uBlock Origin/uMatrix.

addons.mozilla.org

 

[ForgottenSeer 72227]

Ill have to take a read...I'm really liking how FF is shaping up to be. Right now I use both FF and MS Chromium Edge.

 

[SearchLight]

I believe the dev for Decentraleyes has stopped updating it. (Listed at the bottom of the guide)
So you can use LocalCDN instead, which is a fork of Decentraleyes and has been updated recently.

LocalCDN – Get this Extension for 🦊 Firefox (en-US)

Download LocalCDN for Firefox. Emulates remote frameworks (e.g. jQuery, Bootstrap, AngularJS) and delivers them as local resource. Prevents unnecessary 3rd party requests to Google, StackPath, MaxCDN and more. Prepared rules for uBlock Origin/uMatrix.

addons.mozilla.org

I swapped Decentraleyes for LocalCDN. Thanks.

 

[CyberTech]

I believe the dev for Decentraleyes has stopped updating it. (Listed at the bottom of the guide)
So you can use LocalCDN instead, which is a fork of Decentraleyes and has been updated recently.

LocalCDN – Get this Extension for 🦊 Firefox (en-US)

Download LocalCDN for Firefox. Emulates remote frameworks (e.g. jQuery, Bootstrap, AngularJS) and delivers them as local resource. Prevents unnecessary 3rd party requests to Google, StackPath, MaxCDN and more. Prepared rules for uBlock Origin/uMatrix.

addons.mozilla.org

Thanks for letting us know that, replaced it with LocalCDN

 

[Nagisa]

fission.autostart=true

security.sandbox.content.win32k-disable=true

mathml.disabled=true

gfx.font_rendering.graphite.enabled=false

gfx.font_rendering.opentype_svg.enabled=false

pdfjs.enableScripting=false

...settings that actually improve the security

 

[rain2reign]

Firefox does indeed have security options buried in about:config, but only very few guides dived into that part.

Still doesn't take away how far it leaps behind Edge on that front, though.

 

[oldschool]

Here's another one:

Better-Fox/SecureFox.js at master · yokoffing/Better-Fox

An up-to-date user.js to speed up and secure Firefox - Better-Fox/SecureFox.js at master · yokoffing/Better-Fox

github.com

 

[oldschool]

I happened to run across this hardening guide from an author with a privacy slant that may be unpopular with hard-core tweakers: his configuration keeps the browser web-compatible without breakage for the average user. Enjoy!
How I Learned to Stop Hardening and Love Strict Tracking Protection

And there are these:
How to Set Up Firefox for Privacy
Firefox Hardening Guide

 

[SeriousHoax]

Sharing my experience here about the benefits of the Containers/First Party Isolate feature.
Before mid-2020 I kind of exclusively used Firefox since Firefox Quantum Nightly came out in 2017 I believe and have also used containers since it came out. I have social media accounts on most of the common and popular platforms like Facebook, Twitter, Instagram, Reddit but targeted ads are turned off on all platforms including Google. When I used Firefox I kind of never saw any targeted ads in apps like Facebook on Android. I also used Firefox on my Android phone BTW.
But ever since I started to try out Edge in mid-2020, I started to see targeted ads on Facebook and Twitter. It got really bad in 2021. I can't escape facebook's targeted ads ever since I started using Edge as my main browser on the PC as well as Android.

I purchased a 4k Android Smart TV two weeks ago so as we all do, I researched for a couple of weeks prior to that (google search) to decide which TV fits my needs and budget the most. Lo and behold, after a couple of days of searching I only and only saw Smart TV-related ads on Facebook. Sony, Samsung, LG, Hisense, some other local brands all types of ads started to pop out on my Facebook feed. Keep in mind for the whole time I was using Microsoft Edge on the PC and Android with Strict tracking protection, NextDNS as my DNS, and uBlock Origin on PC's Edge browser. I have never seen so many targeted ads before 2021. This is just one latest example for me.

When I used Firefox with first-party isolate/Containers I almost never saw any targeted ads. Containers on Firefox is really a brilliant feature and helps to minimize tracking around the web a lot. No matter what you do on a Chromium browser you simply can't achieve something as good as this.
Chromium browsers are better in terms of security and maybe even in performance by a little margin (Firefox actually feels as fast as Chrome/Edge to me) but for the privacy-minded people, Firefox is still the best choice. It's not by default but can be achieved by minimal tweaking.

 

[oldschool]

When I used Firefox with first-party isolate/Containers I almost never saw any targeted ads. Containers on Firefox is really a brilliant feature and helps to minimize tracking around the web a lot. No matter what you do on a Chromium browser you simply can't achieve something as good as this.
Chromium browsers are better in terms of security and maybe even in performance by a little margin (Firefox actually feels as fast as Chrome/Edge to me) but for the privacy-minded people, Firefox is still the best choice. It's not by default but can be achieved by minimal tweaking.

Really great example from your personal experience. I'm going to give Containers another shot, but not for social media, just general browsing. I'm trying to find a combo that works while allowing me to save cookies for my search page settings on search.disroot and search.brave, which FPI doesn't allow (no cookie exceptions).

 

[monkeylove]

I noticed that if certain tracking, etc., features are disabled, then some sites can be broken, or problems like the need to re-log or adjust settings take place.

I found a video where people were advised to just use two or more vanilla browsers to at least stop cross-tracking.

After trying different ways, I settled on just using Firefox with some about:config tweaks and some addons given here:

Best Private Web Browsers for Most Privacy in 2024

Protect your online privacy with the best private web browsers. Find out which browsers offer the most security and anonymity. Get started now.

privacytools.io

especially Multi Account Containers.

 

[oldschool]

@SeriousHoax what is your current FF setup?

 

[SeriousHoax]

@SeriousHoax what is your current FF setup?

I lost my previous profile not so long ago. Had a problem with it and deleted it without backing up my user.js file by mistake. I have not made any changes yet since then and have mostly been using Edge. I'll have to check some suggestions posted here on this thread. I don't think I'll change much. Maybe a few containers to not let logged-in site's cookies talk to each other.

 

[Kongo]

Really great example from your personal experience. I'm going to give Containers another shot, but not for social media, just general browsing. I'm trying to find a combo that works while allowing me to save cookies for my search page settings on search.disroot and search.brave, which FPI doesn't allow (no cookie exceptions).

Firefox 86 Introduces Total Cookie Protection – Mozilla Security Blog

Total Cookie Protection is a major anti-tracking advance in Firefox that confines cookies to the site where they were created.

blog.mozilla.org

Total Cookie Protection is an evolution of the First-Party-Isolation feature, a privacy protection that is shipped in Tor Browser. We are thankful to the Tor Project for that close collaboration.

 

[SeriousHoax]

Firefox 86 Introduces Total Cookie Protection – Mozilla Security Blog

Total Cookie Protection is a major anti-tracking advance in Firefox that confines cookies to the site where they were created.

blog.mozilla.org

Totally forgot about it. So does it mean we can skip the first party isolate feature or containers if the main goal is to put each site's cookies separately?

 

[Kongo]

Totally forgot about it. So does it mean we can skip the first party isolate feature or containers if the main goal is to put each site's cookies separately?

Containers seperate more than cookies from what I know, so it's still useful in some cases. First Party Isolation however should be disabled if you are using Strict tracking protection with TCP as it doesn't bring any value.

Read more about it here: Total Cookie Protection comparison · Issue #1974 · mozilla/multi-account-containers

 

[oldschool]

Read more about it here: Total Cookie Protection comparison · Issue #1974 · mozilla/multi-account-containers

This was a short but good read which included @Reddit links I have yet to read.
And your first link included these references.

Firefox 85 Cracks Down on Supercookies – Mozilla Security Blog

Trackers and adtech companies have long abused browser features to follow people around the web. Since 2018, we have been dedicated to reducing the number of ways our users can ...

blog.mozilla.org

State Partitioning - Privacy on the web | MDN

State Partitioning is a broad effort to rework how Firefox manages client-side state (i.e., data stored in the browser) to mitigate the ability of websites to abuse state for cross-site tracking. This effort aims to achieve that by providing what is effectively a "different", isolated...

developer.mozilla.org

My general take upon first read of above sources is that Strict tracking protection is quite strong viz a viz FPI but not quite equal to containers, as you stated above. I'm still trying to fully digest the technical details. Thanks again!

 

[oldschool]

This one is even more clear

Introducing State Partitioning – Mozilla Hacks - the Web developer blog

State Partitioning is the new privacy feature called Total Cookie Protection, which will be available in ETP Strict Mode in Firefox 86.

hacks.mozilla.org

 

[wat0114]

...settings that actually improve the security

With

security.sandbox.content.win32k-disable=true

enabled, the Firefox Addons page crashes when I try to navigate to it:



It is reproducible every time. No problems when set to False.