Browser settings - Karegohan-And-Kamehameha/privacyguide GitHub Wiki

Overview

This section covers about:config settings that enhance privacy. Many of these settings can be set via the browser options page/window or in the settings of privacy addons, such as uBlock Origin and Random Agent Spoofer; others cannot be accessed from anywhere else. Please note that some of these settings disable browser functions that may be useful, but are usually not required for general-purpose browsing. Unlike many other guides out there, these settings are a compromise between privacy and sanity: settings whose defaults don't harm privacy too much, and whose change would hinder usability a lot, are left unchanged. Nevertheless, you are encouraged to be mindful of what you disable. Below are the settings for Waterfox, but most of them are also relevant for Pale Moon. If a setting is not present in Pale Moon, it usually means that the feature is not implemented there and there is no need to create a new setting for it. Settings that are in their proper state by default in Waterfox are not mentioned here.

Beacon

An HTML5 technique used primarily for tracking. Set beacon.enabled to false.

Disk Cache

Disk cache is not needed in our age of fast internet speeds and large amounts of RAM. It can also be used to track you. Set browser.cache.disk.enable to false.

Enhanced New Tab

The enhanced new tab page is used to deliver targeted advertising to users based on their browsing history. Set browser.newtabpage.enhanced to false.
The new tab page also captures thumbnails of the pages you visit and stores them in the profile, so it is also recommended to get rid of the new tab page altogether by setting browser.newtabpage.enabled to false and browser.pagethumbnails.capturing_disabled to true.

Safebrowsing

Safebrowsing uses Google services to verify that links don't lead to malware and phishing sites. If you have the relevant lists active in uBlock Origin or uMatrix, or a modified hosts file, this functionality is already covered by those and sending your links to Google for verification is not a good idea. Set all of the following preferences to false:
browser.safebrowsing.blockedURIs.enabled
browser.safebrowsing.downloads.enabled
browser.safebrowsing.downloads.remote.block_dangerous
browser.safebrowsing.downloads.remote.block_dangerous_host
browser.safebrowsing.downloads.remote.block_potentially_unwanted
browser.safebrowsing.downloads.remote.block_uncommon
browser.safebrowsing.downloads.remote.enabled
browser.safebrowsing.malware.enabled
browser.safebrowsing.phishing.enabled

Geolocation

Geolocation is used for location aware browsing, which is an obvious threat to privacy. To disable geolocation, set browser.search.geoip.url to blank, geo.wifi.uri to blank, and geo.enabled to false.

Crash Reporting

Reports when tabs crash. To disable crash reporting set browser.tabs.crashReporting.sendReport to false.
And the same for plugins. Set dom.ipc.plugins.reportCrashURL to false.

Device sensors

Read this article if you want to learn how device sensors can be used to violate your privacy. To disable device sensors set device.sensors.enabled to false.

Battery

The battery status of your device can be used to fingerprint you. To disable the browser tracking of the battery status set dom.battery.enabled to false.

Website monitoring of clipboard and context menu

By default, websites know when you copy parts of the page into the clipboard or open a context menu. To prevent this behavior set dom.event.clipboardevents.enabled and dom.event.contextmenu.enabled to false.

Additional APIs

These APIs do not pose known privacy or security threats, but it can be a good idea to disable them anyway if you do not use them, simply to decrease the number of possible attack vectors. To disable them, set the following values to false:
dom.gamepad.enabled, dom.gamepad.extensions.enabled − gamepad API.
dom.use_watchdogpasswords age analyzer, can be disabled, since you shouldn't be using the built-in password manager in the first place.
dom.vibrator.enabled − Vibrator API.
dom.vr.enabled − VR API.

EME

I am not sure why this setting is even present in Waterfox, considering that Adobe EME has been gutted from it, but better safe than sorry. Set media.eme.enabled to false.

Punycode domain names

Read this article to learn how punycode can be used for extremely convincing phishing techniques. Set network.IDN_show_punycode to true.

Third party cookies

Third party cookies are used almost exclusively for tracking, so it's best to disable them. Set network.cookie.cookieBehavior to 1.

IPv6 DNS

DNS requests via IPv6 can lead to IP leaks. Disable them by setting network.dns.disableIPv6 to true.

Prefetching

Prefetching is used to send requests to websites that are likely to be visited in the future. Disabling prefetching may slow the browsing experience a bit, but will save traffic and protect privacy. Set network.dns.disablePrefetch to true, network.http.speculative-parallel-limit to 0, and network.prefetch-next to false.

DNS via proxy

Force proxies to use their own DNS servers to resolve requests. Set network.proxy.socks_remote_dns to true.

Plugins

Set all plugins to be disabled by default. Only enable the plugins that you use. Set plugin.default.state to 0.

Do not track

Tell sites that you do not want to be tracked. Set privacy.donottrackheader.enabled to true.

Social

Disable all the social junk in the browser. Set social.remote-install.enabled and social.toast-notifications.enabled to false, social.directories and social.whitelist to blank.

WebGL

According to some sources, WebGL can be used to fingerprint your browser by generating a report hash. This technique can be tested here. To disable WebGL set webgl.disabled to true.

WebRTC

WebRTC has not one, but two privacy issues associated with it. The one that's usually spoken about is IP leakage. This issue can be alleviated in Waterfox without completely disabling WebRTC by setting media.peerconnection.ice.no_host to true.
The second issue is much less known and involves fingerprinting your browser by unique device hash enumeration. A test of this technique, as well as additional information on the issue, can be found here. There does not seem to be a way around it without completely disabling WebRTC. To disable WebRTC and Media Devices set media.peerconnection.enabled to false and media.navigator.enabled to false.

Fonts

Check out this test to see how your fonts can be fingerprinted. Simply limiting the number of detectable fonts doesn't solve the problem, because the way even one font is rendered can still be used for fingerprinting. Limiting fonts can also cause websites to look uglier or even certain languages not to work properly, therefore settings that limit the number of fonts are not included.
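
To check whether a profile actually carries the values recommended above, the following added example (not part of the original guide) parses the `user_pref(...)` lines of a prefs.js or user.js file and reports every deviation. It covers only the network-facing subset of the page's settings (geolocation, punycode, cookies, DNS, prefetching, WebRTC). Because prefs.js normally records only values changed from the default, a pref missing from the file is reported as unset. The sample content is constructed.

```python
import json
import re

# Recommended values from this page (network-facing subset only).
RECOMMENDED = {
    "browser.search.geoip.url": "", "geo.wifi.uri": "", "geo.enabled": False,
    "network.IDN_show_punycode": True,
    "network.cookie.cookieBehavior": 1,
    "network.dns.disableIPv6": True,
    "network.dns.disablePrefetch": True,
    "network.http.speculative-parallel-limit": 0,
    "network.prefetch-next": False,
    "network.proxy.socks_remote_dns": True,
    "media.peerconnection.ice.no_host": True,
    "media.peerconnection.enabled": False,
    "media.navigator.enabled": False,
}
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_prefs(text):
    """Return {name: value} from prefs.js/user.js text; later lines win."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:
            try:
                prefs[m.group(1)] = json.loads(m.group(2))
            except ValueError:
                pass  # not a plain bool/int/string literal; skip it
    return prefs

def audit(text, recommended=RECOMMENDED):
    """Map each deviating pref to (current, wanted); current is None if unset."""
    have = parse_prefs(text)
    # Compare types too: in Python True == 1, but the pref types differ.
    return {n: (have.get(n), w) for n, w in recommended.items()
            if n not in have or type(have[n]) is not type(w) or have[n] != w}

# Constructed sample profile content, not taken from a real profile.
SAMPLE = '''user_pref("geo.enabled", false);
user_pref("geo.wifi.uri", "");
user_pref("network.IDN_show_punycode", true);
user_pref("network.cookie.cookieBehavior", 0);
'''

if __name__ == "__main__":
    for name, (cur, want) in sorted(audit(SAMPLE).items()):
        print(f"{name}: have {cur!r}, want {want!r}")
```

Run it against a copy of the profile's prefs.js while the browser is closed, since the browser rewrites that file on exit.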