What is user.js?
user.js file is a way of modifying the settings for Firefox. Most normal people use the settings menu, most tech savvy people use the
about:config menu, but the most powerful way of modifying Firefox is with a
user.js file is read every time Firefox starts. In a sense, it is a permanent configuration file that overrides any and all settings a user might change in the settings menu or in
about:config. This config file allows users to configure away many of the privacy violations, homing beacons, and generally annoyances that are default in Firefox.
Getting a custom user.js
user.js file looks something like this:
[...] user_pref("dom.serviceWorkers.enabled", false); user_pref("dom.webnotifications.enabled", false); user_pref("dom.enable_performance", false); [...]
But luckily, we don't have to write our own. Mozilla documents most of their web browser's functionality but I genuinely do not have the time or energy to read API documentation and determine what does and does not work through trial and error. Today, I present you with two tools: Arkenfox, a template for writing your own user.js and Firefox Profile Maker, a tool that generates a usable user.js. Since Arkenfox has it's own documentation, I won't cover it. Instead, I will cover Firefox Profile maker because most people will choose this option.
Visit the website and begin clicking checkboxes. Once you get to the useragent part, I recommend inserting something generic into the box. A useragent is a string of information that your web browser automatically sends to the servers you connect to. This string can be used to track you. My useragent is pretty unique:
Mozilla/5.0 (X11; OpenBSD amd64; rv:91.0) Gecko/20100101 Firefox/91.0
How many people are actually using Firefox on Linux? Okay, now what about OpenBSD? I like to change my useragent to something generic and windowsy. Custom user agent strings are not bulletproof, but inserting a useragent that looks like Chrome on Windows will help prevent you from being the only guy on the internet with a useragent string that contains OpenBSD. Note that this will break the Firefox addon store and possibly other internal Firefox menus.
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36
When you get to the extensions part, I recommend selecting
Installing the generated custom user.js
In order to install our scripts, we need to determine what our profile is. To do this, enter about:support into the address bar and look for a line that says Profile Folder. This is the path we want to work with. The general process is to close firefox, delete everything in the profile folder, unzip our .zip files into the profile folder or copy over the
prefs.js file, then clean up by removing the left over .zip files. Here are the console commands:
$ cd ~/.mozilla/firefox/xxxxxxxx.default $ pkill firefox $ rm -rf ./* $ for i in ~/Downloads/*.zip; do unzip $i -d ./; done $ rm ~/Downloads/*.zip
After extracting the archive, you should start Firefox and verify that you have the configuration you wanted. You should also change your default search engine to DuckDuckGo instead of google, update the addons, fix proxy settings, etc. I recommend also installing these extensions: GNU LibreJS, FSF's JShelter, and Violentmonkey.
Alternatives to user.js
For most non-paranoid people, Firefox is
private enough. I recommend Firefox to normal people and tell them to avoid Google Chrome and any of it's metastasized clones (see Brave, Edge, Opera, etc). Default Firefox is significantly better for your online privacy than any of the chrome based browsers. Even if chromium is open source, I can't, in good faith, instruct anyone to use a program designed by a company explicitly for the purpose of data collection. If you're currently using Chrome or it's clones, consider switching to Firefox. Even without a hardened
user.js, you will be much better off. We cannot let perfect be the enemy of good.
If you don't want to mess around with custom
I think I have bigger problems if someone finds out who I am because I'm the only guy running OpenBSD in my timezone. Being loudly private is a good thing because any real violations of my privacy are very likely to also be loud. At the end of the day, we cannot let perfect be the enemy of good. The perfectly private web browser is not running a web browser at all. Is this practical? Probably not. I'll take a good web browser any day over abandoning the http protocol entirely. At least for now.