This repository has been archived by the owner on Feb 2, 2024. It is now read-only.

The Ultimate Guide to Firefox Hardening in 2022 #30

Closed
Thorin-Oakenpants opened this issue Feb 18, 2022 · 16 comments

Comments

@Thorin-Oakenpants

Thorin-Oakenpants commented Feb 18, 2022

sup @henryistaken f^cking nice video bro

source: https://www.youtube.com/watch?v=9t6jImyvnQk

owner and maintainer of arkenfox here. I just saw the video, and I want to link to it in the arkenfox wiki

Some people just don't read, maybe a video is easier. I especially like how the unified messaging of AF (arkenfox) and PG (privacy guides) and let's not forget LW (librewolf), is starting to take effect - and resonates with what Tor Project has said and shown by Arthur's https://privacytests.org/.

Your video is almost a perfect match (to be expected since you base it on AF & PG)

However, there is a bit of a GIANT flaw in your recommended steps

  • at the 2.22 mark you recommend users change to "Never remember history"

This makes your browser start in Private Window Browsing mode. This is not good.

  • first: your site exceptions for not deleting cookies and site data will not work
    • you went to all the trouble of showing that and even how to manage exceptions
    • PB mode sanitizes in full regardless of any settings - that's the whole purpose of PB mode
  • second, extensions by default are not enabled in PB mode
    • there goes your uBlock Origin, by default - yikes
  • third: nitpick: it removes the ability to use "new private window" as a separate isolated self-sanitizing one off
    • note PB sanitizing happens when all PB mode windows are closed, hence it's useless if you start in PB mode
  • fourth: nitpick: PB mode already uses ETP Strict so that would be redundant (sorry, but I like to pad my lists to look important)
  • edit: fifth: PB mode (for now) doesn't utilize indexedDB or service workers and will lead to more site breakage

So ... can you edit the video? I would really like to link to it in arkenfox to help unify the messaging

Regards
Pants
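As an added example (not arkenfox's own code and not from the video), here is a small Python checker that parses `user_pref(...)` lines from a user.js and flags `browser.privatebrowsing.autostart` set to true, which is the pref the "Never remember history" setting turns on, reporting the consequences listed in the post above. The sample user.js is constructed for the demonstration.

```python
import re

# Matches one Firefox pref line: user_pref("name", value);
# Values are a quoted string, an integer, or true/false.
_PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(".*?"|-?\d+|true|false)\s*\)\s*;'
)

# Consequences of starting in Private Browsing mode, as listed in the thread above.
PB_AUTOSTART_EFFECTS = [
    "cookie/site-data exceptions are ignored: PB mode sanitizes everything on close",
    "extensions (e.g. uBlock Origin) are not enabled in PB mode by default",
    "'New Private Window' no longer gives a separate one-off session",
    "ETP Strict is already forced in PB mode, so setting it is redundant",
    "indexedDB and service workers are unavailable, causing more site breakage",
    "Multi-Account Containers do not work (PB mode is itself a reserved container)",
]


def parse_user_js(text):
    """Return {pref_name: value} from user.js text, skipping comments and junk."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)
        if not m:  # comment lines ("//", "/*") and blank lines never match
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            value = raw == "true"
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value  # a later line wins, as in Firefox (appended overrides win)
    return prefs


def check_private_browsing_autostart(prefs):
    """Return the list of problems if the profile is set to start in PB mode, else []."""
    if prefs.get("browser.privatebrowsing.autostart") is True:
        return PB_AUTOSTART_EFFECTS
    return []


# Constructed sample: a user.js that copied the video's "Never remember history" advice.
SAMPLE_USER_JS = """\
/* custom overrides (constructed example) */
user_pref("privacy.sanitize.sanitizeOnShutdown", true); // delete on close
user_pref("browser.privatebrowsing.autostart", true);   // "Never remember history"
// user_pref("browser.privatebrowsing.autostart", false); commented out, so ignored
"""

if __name__ == "__main__":
    for problem in check_private_browsing_autostart(parse_user_js(SAMPLE_USER_JS)):
        print("WARNING:", problem)
```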

@henry-fisher
Member

Hey there, been traveling and just got back. Thanks so much for the insight, definitely want to make sure it's updated accordingly.

I'll get this modified and re-uploaded as soon as I can. Will update this issue once it's done.

Thanks again for the fixes!

@k3tan172

If your browser starts in private browsing mode by default, I think it also means firefox containers do not work.

@Thorin-Oakenpants
Author

If your browser starts in private browsing mode by default, I think it also means firefox containers do not work.

Yes. That's a sixth point. PB mode is actually a reserved container id. First Party (and dynamic first party) isolation is keying by a different metric and works with containers and in PB mode ... but PB mode is an actual container as far as keying goes

@Yolakalemowa

@Thorin-Oakenpants Hi Thorin..

A while ago I suggested someone create a basic video guide on how to install and manage AF user.js (including update and overrides). Even though your wiki is super useful I think maybe if @henryistaken and PG make that video it would invite many many more people to use it and make it more accessible to the general public!

Something to consider...

@henry-fisher
Member

@Thorin-Oakenpants Very open to working on a user.js guide under your oversight if you wanted something like @Yolakalemowa is suggesting. Feel free to contact at support@techlore.tech and we can get something going for you.

@henry-fisher
Member

Okay everyone, I just rendered a v2 that is set to go live tomorrow. Here is a list of all the changes that were made:

  • Removed the "Never remember history" recommendation at ~2:22 in the first video for the issues listed at the top of this thread from @Thorin-Oakenpants
  • Added a disclaimer that Fission may already be enabled for some people, but users should still double-check if it has been enabled. (Some users left comments that Fission was already enabled for them) (~3:47)
  • Added a disclaimer that we're planning on making an in-depth uBO tutorial so people know how to use it (~4:17)
  • Added an additional disclaimer for CanvasBlocker to encourage users to do their own research before deciding to use it (~4:29)
  • Added a disclaimer that uBO also replaces NoScript, which was a common question in the comments (~4:43)
  • Added a disclaimer at least mentioning the existence of LibreWolf (~6:37)

All timestamp estimates above are for v2, not for v1. Because of the removal of bullet 1, v2 is about ~2 seconds shorter, so feel free to add 2 seconds to all timestamps above to see where they take place in v1, or just wait for v2 to go live. I'll update this issue tomorrow with the new video link once it's live. Thanks everyone for the insight!

@Thorin-Oakenpants
Author

Thorin-Oakenpants commented Feb 22, 2022

I'm open to the basics with some strong disclaimers in the middle.

e.g. "IF you have decided to use arkenfox .. more advanced and most don't need it ... " (show to Arkenfox or not, and this current video) .. then

  • step one : you will have to read the wiki: this is a complementary video
  • step two
    • put prefsCleaner, user.js, updater in a temp folder
    • create a user-overrides.js
    • THIS BIT IS PERSONAL: add overrides, read the wiki page on common overrides and RFP
      • repeat: read the wiki pages
      • henry example: I use a privacy respecting search engine so I will override 0801
  • step three
    • find your profile, or create a new profile
      • if you plan on doing this to your existing profile then run the cleanup script (cleanup script is full of crap people shouldn't be using)
    • add the four files
    • run updater to append your overrides
    • profit
  • step four
    • once a month, check for a new changelog, run the updater, run prefsCleaner

Something like that where it's an instructional video on the before/after (90% of content) and barely touches on the actual overrides and instead gives a "warning" that you need to read and decide these things on your own

@Thorin-Oakenpants
Author

Some users left comments that Fission was already enabled for them

FYI: fission was rolled out via experiments over three/four releases to 100%. Those who disabled experiments didn't get that .. UNTIL .. v97 where it was enabled by default for all

@henry-fisher
Member

New video (v2) is live here: https://youtu.be/F7-bW2y6lcI
Old video delisted but still accessible via this link: https://youtu.be/9t6jImyvnQk

All the listed changes from my earlier comment:

Okay everyone, I just rendered a v2 that is set to go live tomorrow. Here is a list of all the changes that were made:

  • Removed the "Never remember history" recommendation at ~2:22 in the first video for the issues listed at the top of this thread from @Thorin-Oakenpants
  • Added a disclaimer that Fission may already be enabled for some people, but users should still double-check if it has been enabled. (Some users left comments that Fission was already enabled for them) (~3:47)
  • Added a disclaimer that we're planning on making an in-depth uBO tutorial so people know how to use it (~4:17)
  • Added an additional disclaimer for CanvasBlocker to encourage users to do their own research before deciding to use it (~4:29)
  • Added a disclaimer that uBO also replaces NoScript, which was a common question in the comments (~4:43)
  • Added a disclaimer at least mentioning the existence of LibreWolf (~6:37)

All timestamp estimates above are for v2, not for v1. Because of the removal of bullet 1, v2 is about ~2 seconds shorter, so feel free to add 2 seconds to all timestamps above to see where they take place in v1, or just wait for v2 to go live. I'll update this issue tomorrow with the new video link once it's live. Thanks everyone for the insight!

@henry-fisher
Member

I'm open to the basics with some strong disclaimers in the middle.

e.g. "IF you have decided to use arkenfox .. more advanced and most don't need it ... " (show to Arkenfox or not, and this current video) .. then

  • step one : you will have to read the wiki: this is a complementary video
  • step two
    • put prefsCleaner, user.js, updater in a temp folder
    • create a user-overrides.js
    • THIS BIT IS PERSONAL: add overrides, read the wiki page on common overrides and RFP
      • repeat: read the wiki pages
      • henry example: I use a privacy respecting search engine so I will override 0801
  • step three
    • find your profile, or create a new profile
      • if you plan on doing this to your existing profile then run the cleanup script (cleanup script is full of crap people shouldn't be using)
    • add the four files
    • run updater to append your overrides
    • profit
  • step four
    • once a month, check for a new changelog, run the updater, run prefsCleaner

Something like that where it's an instructional video on the before/after (90% of content) and barely touches on the actual overrides and instead gives a "warning" that you need to read and decide these things on your own

Okay great. We have a pretty packed schedule this/next month, but will do our best to send something over as soon as possible.

@Thorin-Oakenpants
Author

Thorin-Oakenpants commented Feb 23, 2022

^ I'm in no hurry whatsoever ... the longer you leave it the more I can get done elsewhere :) - edit: for the other vid idea, not the edited one which I will point to in the wiki shortly tomorrow

@Thorin-Oakenpants
Author

from YT comments

When I add an Exception to Cookies & Site Data, it never works. For example, I'll add YouTube, but I will still have to login every single time I reopen my browser... why?

read the f*&$##ng wiki -> https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]#-keep-logins - the example is even for youtube

this is why I just close these questions as invalid all the time now. I have given up on humanity being able to read

emphasis and eyes added

🟪 KEEP LOGINS

  • We delete all cookies and site data on close
    • There is no need to change any prefs - to keep some cookies and logins, just add site exceptions: either
      • Ctrl+I > Permissions > Cookies > Allow
      • ☰ Settings > Privacy & Security > Cookies & Site Data > Manage Exceptions
    • 👀 For cross-domain logins, add exceptions for both sites 👀
      • 👀 e.g. https://www.youtube.com (site) + https://accounts.google.com (single sign on) 👀

@henry-fisher
Member

henry-fisher commented Feb 23, 2022

read the f*&$##ng wiki -> https://github.com/arkenfox/user.js/wiki/3.2-Overrides-[Common]#-keep-logins - the example is even for youtube

this is why I just close these questions as invalid all the time now. I have given up on humanity being able to read

Welcome to 1/2 my job... Don't blame you at all for closing those, it's exhausting!

@Thorin-Oakenpants
Author

done - if you want to track any additional video like an AF user.js one, then I'm sure you can do that elsewhere or in a new issue :)

@henry-fisher
Member

Super awesome! Feel free to ping us if anything becomes outdated and we will do our best to push out some form of an update. As for the AF user.js, will be doing our best to fit it in as soon as we can.

@Thorin-Oakenpants
Author

As for the AF user.js, will be doing our best to fit it in as soon as we can.

management 101 - you chase me, not the other way round :) if you have q's or whatever, before you publish, gimme a heads up for a review first - and then when it's polished/acceptable I can add a link to it like the last one

thanks for the mad vid production and "speed talking and going fast so old people can't follow" :)
