This project aims to fix privacy and security issues related to firefox without losing performance or forking the project. It uses local-settings.js, mozilla.cfg and policies.json.
Librefox uses gHacks settings, additional privacy and performance settings, and a cleaned bundle of firefox (updater, crashreporter and integrated addons that don't respect privacy are removed) to provide :
- Performance
- Security
- Privacy
Official builds with librefox
(Project was renamed to librefox on v2)
- Privafox-1.8-Firefox-Linux-63.0.3.tar.bz2 - 51.8 MB - SHA1 : 321152189184ca9e2b3500a0aa5c5c47aff5999f
- Privafox-1.8-Firefox-Windows-63.0.3.zip - 60.3 MB - SHA1 : 4dba7913435d5517f4e10f7b55aa395e5088b143
- Privafox-1.8-Firefox-Mac-63.0.3.dmg - 60.5 MB - SHA1 : e693b9141098456a419ed7fb71f4b8c42001cde9
Beta/alpha releases (soon)
- Librefox-2.0B-Firefox-Linux-63.0.3.tar.bz2 - 51.8 MB - SHA1 : 321152189184ca9e2b3500a0aa5c5c47aff5999f
- Librefox-2.0B-Firefox-Windows-63.0.3.zip - 60.3 MB - SHA1 : 4dba7913435d5517f4e10f7b55aa395e5088b143
- Librefox-2.0B-Firefox-Mac-63.0.3.dmg - 60.5 MB - SHA1 : e693b9141098456a419ed7fb71f4b8c42001cde9
Librefox addons are not bundled and need to be installed manually
- Librefox Dark Theme : Dark theme
- Librefox HTTP Watcher : Change the url bar color on http sites
- Librefox Reload Button : Add a reload button to url bar
Recommended addons are not bundled and need to be installed manually
- Cookie Master : Block all cookies and only allow authorised sites
- First Party Isolation : Enable/Disable FPI with a button
- User Agent Platform Spoofer : Invert UserAgent OS Linux/Windows/Mac
- Browser Plugs Privacy Firewall : Sets of settings to prevent fingerprinting and security issues
- uBlock Origin + IDCAC List + Nano-Defender List : Block web advertisement and tracking
uBlock : Additional filters are available at https://filterlists.com/ (don't overload it, to avoid performance loss)
Browser Plugs Privacy Firewall : Keep settings light to make privacy.resistFingerprinting efficient, because too much customization leads to uniqueness and thus easy fingerprinting.
- Privacy / Fingerprint / Fake values for getClientRects
- Privacy / Fingerprint / Randomize Canvas Fingerprint
- Privacy / Fingerprint / 100% Randomize ALL Fingerprint Hash
- Firewall / Experimental / Block SVG getBBox and getComputedTextLength
- Privacy / Font / Randomize
- Privacy / Font / Enable protection for font and glyph fingerprinting
- Updated gHacks settings
- Enforcing/Defaulting Settings (Cannot/Can be changed within firefox)
- "IJWY To Shut Up" settings (details)
- Limit internet access for extensions (test-feature)
- Performances aware settings
- Disabling telemetry
- Disabling call ...
The code of the recommended extensions has been reviewed for potential unwanted behaviour... reviewed versions are available under the extensions directory
Description :
This is an experimental test feature and it is disabled by default !!! A new section Extensions Manager is added to manage addons globally (and addon networking in the subsection Extensions Firewalling). Firewalling the network for addons is doable, but it requires considerable additional work in Librefox to make it usable through a button or on a per-addon basis (this may or may not be added in a future version, it could also be abandoned as it is a test feature). Currently you can block a list of domains or block the whole network for all the extensions.
Quickly Enable It :
To enable the feature and block the network for all the extensions, open mozilla.cfg, search for Enable-Firewall-Feature-In-The-Next-Line and remove the // in the next line.
The Settings :
Available native network restriction settings for addons :
- Restricted domains list : extensions.webextensions.restrictedDomains
  This is a list of restricted domains that is used to block some hosts for all the extensions. Firefox uses this setting to block extensions from accessing mozilla's domains/sites; by default in Librefox this setting is set to allow extensions to access all the web. (You can edit that list to match your needs or to block a specific domain. Note that the domain name has to be exact: for instance facebook.com will only block facebook.com, not mobile.facebook.com.)
- Content security policy : extensions.webextensions.base-content-security-policy and extensions.webextensions.default-content-security-policy
  The latter setting can be redefined/changed within an extension, so it is not effective for firewalling. CSP settings are used in firefox as an added layer of security that helps to detect and mitigate certain types of attacks, including Cross Site Scripting (XSS) and data injection attacks. These attacks are used for everything from data theft to site defacement to distribution of malware. In short, CSP settings block and allow certain domains under certain circumstances and thus can be used to firewall the extensions (see the CSP documentation, its source code and implementation).
Wiki - Blocking a domain :
Edit the restricted domains setting as follows on the about:config page :
- Restricted Domains Setting : extensions.webextensions.restrictedDomains
  Value : ExactDomains1,ExactDomains2,ExactDomains3 etc.
Wiki - Blocking the network :
Note that this will block network access for all the extensions, and a lot of extensions need to be connected to work. In the current version of Librefox you can block the network for all the extensions or allow it for all of them; a future version may provide additional features like a "per addon" setting (by default Librefox allows networking for extensions).
To block or allow network access for the extensions, change the following settings according to your needs in about:config :
- Block : CSP Setting : extensions.webextensions.base-content-security-policy
  Value : default-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; object-src 'self' moz-extension: blob: filesystem:;
- Allow : CSP Setting : extensions.webextensions.base-content-security-policy
  Value : default (right click and reset)
Wiki - More infos :
Check debug-check-todo.log for additional information about future versions and research on the subject. Also check the CSP documentation, its source code and implementation.
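The firewall toggle and the two settings described in this section, as an added example (not Librefox's own code): it checks whether the line after the marker in a mozilla.cfg fragment is active, then applies standard CSP fallback rules to the page's block value and exact-host matching to restrictedDomains. The layout of the sample fragment, the extension origin and the function names are assumptions, and source matching is simplified.

```javascript
// Constructed sample: only the marker text, the pref name and the CSP value come
// from the page; the exact layout of the lines in mozilla.cfg is an assumption.
const MARKER = 'Enable-Firewall-Feature-In-The-Next-Line';
const PREF = 'extensions.webextensions.base-content-security-policy';
const BLOCK_CSP =
  "default-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; " +
  "script-src 'self' moz-extension: blob: filesystem: 'unsafe-eval' 'unsafe-inline'; " +
  "object-src 'self' moz-extension: blob: filesystem:;";
const sampleCfg = (enabled) => [
  `// ${MARKER}`,
  `${enabled ? '' : '//'}lockPref("${PREF}", "${BLOCK_CSP}");`,
].join('\n');

// Return the locked base CSP if the line after the marker is uncommented, else null.
function firewallPolicy(cfgText) {
  const lines = cfgText.split(/\r?\n/);
  const i = lines.findIndex((l) => l.includes(MARKER));
  if (i < 0 || i + 1 >= lines.length) return null;
  const m = lines[i + 1].trim()
    .match(/^lockPref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;?$/);
  return m && m[1] === PREF ? m[2] : null;
}

// Split a CSP string into a Map of directive name -> source list.
function parseCsp(csp) {
  const directives = new Map();
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = (name || '').toLowerCase();
    if (key && !directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Simplified source matching: 'self', scheme sources and host sources with an
// optional scheme and "*." prefix. Ports, paths and other forms never match here.
function sourceAllows(source, url, selfOrigin) {
  if (source === "'self'") return `${url.protocol}//${url.host}` === selfOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline' etc. never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return url.protocol === source.toLowerCase();
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)$/i);
  if (!m) return false;
  if (m[1] && `${m[1].toLowerCase()}:` !== url.protocol) return false;
  const host = m[3].toLowerCase();
  return m[2] ? url.hostname.endsWith(`.${host}`) : url.hostname === host;
}

// fetch/XHR/WebSocket targets are checked against connect-src, which falls back
// to default-src. With neither directive present, CSP does not limit connections.
function connectAllowed(csp, target, selfOrigin) {
  const directives = parseCsp(csp);
  const sources = directives.get('connect-src') || directives.get('default-src');
  if (!sources) return true;
  const url = new URL(target);
  return sources.some((s) => sourceAllows(s, url, selfOrigin));
}

// restrictedDomains entries are compared with the exact host name, as the page notes.
function isRestrictedDomain(prefValue, host) {
  return prefValue.split(',').map((d) => d.trim().toLowerCase()).filter(Boolean)
    .includes(host.toLowerCase());
}

const active = firewallPolicy(sampleCfg(true));
console.log('remote connect allowed:',
  connectAllowed(active, 'https://example.com/api', 'moz-extension://constructed-id'));
```

The block value works as a firewall because it adds a default-src that lists no remote host; a policy with only script-src and object-src leaves connections unrestricted.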
This is a set of settings that aims to remove all the server links embedded in firefox and other calling-home functions, in order to block unneeded connections. The objective is zero unauthorized connections (ping/telemetry/mozilla/google...).
Available in the releases page
- Copy mozilla.cfg to /firefox-install-dir/
- Copy local-settings.js to /firefox-install-dir/defaults/pref/
- Copy policies.json to /firefox-install-dir/distribution/
- If the destination directories do not exist, create them
- Set up the rest of the settings as you wish in about:preferences
- Delete the following files
firefox/browser/features/[email protected]
firefox/browser/features/[email protected]
firefox/browser/features/[email protected]
firefox/browser/features/[email protected]
firefox/browser/features/[email protected]
firefox/update-settings.ini
firefox/updater.ini
firefox/updater
firefox/crashreporter.ini
firefox/crashreporter
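A check for the manual steps above, as an added example (not part of the Librefox project): given a file listing of the install directory, it reports which of the three configuration files are missing and which updater or crash reporter files are still present, and lists what remains under browser/features for manual comparison with the delete list. The function names and the sample listing are constructed for illustration.

```javascript
// Paths are relative to the install directory (firefox/ on Linux, core/ on Windows).
const REQUIRED = [
  'mozilla.cfg',
  'defaults/pref/local-settings.js',
  'distribution/policies.json',
];
// Files the page says to delete, with the Windows .exe names it lists as well.
const MUST_BE_GONE = [
  'update-settings.ini', 'updater.ini', 'updater', 'updater.exe',
  'crashreporter.ini', 'crashreporter', 'crashreporter.exe',
];

// Normalise one listing line: forward slashes, no "./", no root folder prefix,
// no trailing slash (tar prints directories with one).
function normalise(line, root) {
  let p = line.trim().replace(/\\/g, '/').replace(/^\.\//, '');
  if (root && p.startsWith(`${root}/`)) p = p.slice(root.length + 1);
  return p.replace(/\/$/, '');
}

// listing: one path per line, e.g. the output of `tar -tjf bundle.tar.bz2`
// or `find firefox`. root: top-level folder name to strip from each path.
function auditBundle(listing, root) {
  const paths = new Set(
    listing.split(/\r?\n/).map((l) => normalise(l, root)).filter(Boolean));
  return {
    missing: REQUIRED.filter((p) => !paths.has(p)),
    leftover: MUST_BE_GONE.filter((p) => paths.has(p)),
    // Bundled add-ons still present; compare these by hand with the delete list.
    features: [...paths].filter((p) => /^browser\/features\/[^/]+\.xpi$/.test(p)).sort(),
  };
}

// True when every config file is in place and no updater/crashreporter file remains.
function isApplied(report) {
  return report.missing.length === 0 && report.leftover.length === 0;
}

// Constructed listing of a half-finished bundle; the .xpi name is a placeholder.
const SAMPLE_LISTING = [
  'firefox/',
  'firefox/firefox',
  'firefox/mozilla.cfg',
  'firefox/defaults/pref/local-settings.js',
  'firefox/updater',
  'firefox/updater.ini',
  'firefox/browser/features/placeholder-feature.xpi',
  'firefox/browser/omni.ja',
].join('\n');

const report = auditBundle(SAMPLE_LISTING, 'firefox');
console.log(isApplied(report) ? 'applied' : 'incomplete', report);
```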
Just edit mozilla.cfg, save and restart firefox
Firefox 60 and privacy.resistFingerprinting are relatively new; give them some time to be more widely used and thus less fingerprintable. If you are using another site to analyse your browser, make sure to read and understand what the test is about.
- SSLLabs
- AmiUnique
- BrowserLeaks
- BrowserPlugs
- FingerPrintJS2
- Third-Party-Cookies
- Testing-Notifications
- Browser-Storage-Abuser
- Service-Workers-Push-Test
Performance tests can be done with LVP Octane. It needs to be run alone, with other applications closed and no other activity but the benchmark; it is also recommended to launch it several times and take an average.
Author : Intika - intikadev (at) gmail.com
Donation : Paypal : intikadev (at) gmail.com
Based on : User.js, PrivaConf and Ghacks-user.js big thanks to all of them
Objectives for future versions of librefox (this may change) :
- Develop an all-in-one Librefox addon to rule them all ? (Normal & Tor Version… this would simplify Librefox)
- Develop an easy to use firewall system for extensions (button/hosts/allow/deny/per-addon)
- Update checker extension (feature in the full extension ?)
- Advert for the project to reach more users ?
Todo for future versions of librefox (this may change) :
- Improve hd-video playback performances
- Testing compatibility on those sites and adjust the related settings.
- Review un-reviewed addons code (dont-track-me-google/decentraleyes/canvasblocker/temporary-containers/switch-container/smart-referer)
// ==============================
// Index mozilla.cfg .......... :
// ==============================
//
// -----------------------------------------------------------------------
// Section : User settings // Bench Diff : +0 / 5000
// Section : Defaulting Settings // Bench Diff : ??? / 5000
// -------------------------------------------
// Section : Controversial // Bench Diff : +0 / 5000
// Section : Firefox Fingerprint // Bench Diff : +0 / 5000
// Section : Locale/Time // Bench Diff : +0 / 5000
// Section : Ghacks-user Selection // Bench Diff : +100 / 5000
// Section : Extensions Manager // Bench Diff : ??? / 5000
// Section : IJWY To Shut Up // Bench Diff : ??? / 5000
// Section : Microsoft Windows // Bench Diff : ??? / 5000
// Section : Firefox ESR60.x // Bench Diff : ??? / 5000
// -------------------------------------------
// Section : Security 1/3 // Bench Diff : +0 / 5000
// Section : Security 2/3 // Bench Diff : +0 / 5000
// Section : Security 3/3 (Cipher) // Bench Diff : +0 / 5000
// -------------------------------------------
// Section : Performances 1/5 // Bench Diff : +650 / 5000
// Section : Performances 2/5 // Bench Diff : -800 / 5000
// Section : Performances 3/5 // Bench Diff : -1720 / 5000
// Section : Performances 4/5 // Bench Diff : -200 / 5000
// Section : Performances 5/5 // Bench Diff : -50 / 5000
// -------------------------------------------
// Section : General Settings 1/3 // Bench Diff : +100 / 5000
// Section : General Settings 2/3 // Bench Diff : +0 / 5000
// Section : General Settings 3/3 // Bench Diff : -40 / 5000
// -------------------------------------------
// Section : Disabled - ON/OFF // Bench Diff : ??? / 5000
// Section : Disabled - Deprecated Active // Bench Diff : ??? / 5000
// Section : Disabled - Deprecated Inactive // Bench Diff : +0 / 5000
// -----------------------------------------------------------------------
// ==============================
// Index local-settings.js .... :
// ==============================
//
// -----------------------------------------------------------------------
// Section : General Settings // Bench Diff : ++ / 5000
// -----------------------------------------------------------------------
Using different web services without cookies is impossible, and cookie settings in a browser are very important when it comes to privacy. In Librefox the settings are locked to avoid unwanted changes to such an important setting, but they can easily be changed in mozilla.cfg under User Settings : Cookies settings
Firefox now integrates a tracking protection feature (based on disconnect.me). It is a light content-blocking list, and the list cannot be edited. This feature is disabled in Librefox; it's recommended to use uBlock instead. This feature is disabled :
- Until it evolves and integrates at least list editing
- Because double filtering (this + uBlock) is not good for performance.
You can however easily enable this feature in mozilla.cfg under User Settings : Track Protection (just comment the active lines with // or remove the section).
If you want to compare changes over updates, or if you already have a user.js/mozilla.cfg/policies.json, consider using Compare-UserJS, an amazing tool to compare user.js files and output the diffs in a detailed breakdown, developed by gHack's very own resident cat, claustromaniac 🐱
Usage : If not on windows, install PowerShell, then for example pwsh Compare-UserJS.ps1 mozilla.cfg user.js
(Warning: PowerShell sometimes connects to MS)
Local-settings.js : Defaulting firefox settings
Mozilla.cfg : Locking firefox settings for security, privacy & to prevent settings changes
Policies.json : policies.json is cross-platform compatible, making it the preferred method for enterprise environments that have workstations running various operating systems (the settings available with policies.json are limited right now because this is a new feature of firefox)
Bench diff : The impact on the performance of firefox, which can be a gain or a loss: +100/5000 stands for a 2% performance gain and -1500/5000 stands for -30% (a performance loss)
lockPref : A locked preference cannot be changed in firefox or by extensions; it can only be changed here
Section : Description of the settings section separated by ">>>..."
Defaulting VS Enforcing : Default setting values are changed in local-settings.js and enforced settings are changed in mozilla.cfg; defaulted settings can be changed by the user in the browser, while enforced settings are locked and cannot be changed within the browser.
Librefox provides a classic dark theme extension (Librefox Dark Theme) but also a purified version of ShadowFox, available under the dark-theme directory. To install it, just copy the directory chrome to your firefox profile directory and restart firefox; this will extend the dark theme to internal pages like the settings pages.
Restart Button :
One simple solution is to bookmark about:restartrequired or about:profiles ... when a restart is needed, open that page and click "normal restart". You can even go further and add the bookmark links to your icons bar and rename the link to an empty text (you will then have a direct icon to about:profiles and a 2-click restart)
Alternative Dark Theme :
Linux Fix Text Colors :
On linux, when using a dark desktop theme, firefox could display white text over a white background or black text on a black input on some sites or addons. This is fixed in Librefox with lockPref("ui.use_standins_for_native_colors", true);.
If ui.use_standins_for_native_colors is not enough to fix everything, you can fix this issue with an additional solution by using the following values in about:config (you need to have the Adwaita theme installed), more details (note that this is not needed with the default Librefox settings as it is already fixed)
widget.content.allow-gtk-dark-theme;false
widget.chrome.allow-gtk-dark-theme;false
widget.content.gtk-theme-override;Adwaita:light
Other privacy addons :
- NoHTTP : Block http traffic and/or redirect it to https (Excellent replacement for the unrecommended https-everywhere)
- Google-Container : Open all google sites on a container
- Facebook-Container : Open all facebook sites on a container
- Request-Blocker : Host style blocking sites
- Decentraleyes : Makes a lot of web resources available locally to improve privacy
- Dont-Track-Me-Google : Cleaning google search result links
- Canvas-Blocker : Prevent some fingerprinting techniques (This should not be used with browser plugs addon as it provide similar features)
- Cookie-Quick-Manager : View and edit cookies
- Mozilla-Multi-Account-Containers : Manage containers and assign sites to specific container
- Switch-Containers : Switching container for the current tab easily
- Temporary-Containers : Maximizing and automating container potential
- Smart-Referer : Manage referer with a button (Send referers only when staying on the same domain.)
Other useful addons :
- Dormancy : Unload tab after a certain time, useful for performances when opening a lot of tabs
- Add Custom Search Engine : Customize your search engine
- ProxySwitcheroo : Applying proxy settings in a click
- UndoCloseTabButton : Reopen last closed tab
- Advanced Github Notifier : Github notifications
- Shortkeys : Add custom shortkeys
- Tabboo : Session manager
Librefox Addons For ESR And Tor :
- Librefox HTTP Watcher ESR - Tor MoD : Change the url bar color on http and onion sites (to green/red)
- Librefox NoHTTP - Tor MoD : Block http traffic and/or redirect it to https (Excellent replacement for the unrecommended https-everywhere)
Same as the gHacks recommendations, we do not recommend connecting over Tor on Librefox. Use the Tor Browser if your threat model calls for it, or for accessing hidden services (that said, tor settings have been enabled in v2 for users torifying/proxifying their whole connection).
Tor compatibility may change.
Digital rights management (DRM) is enforced off by default (this is needed for netflix and similar); you can enable it with the following instructions :
- Open mozilla.cfg
- Under the section Section : User Settings
- Comment the active lines with // under the subsection User Settings : DRM/CDM - Main
- Comment the active lines with // under the subsection User Settings : DRM/CDM - Widevine
- Restart firefox then open about:preferences and enable Play DRM... under the general section
- Firefox will download Widevine and enable it (under the about:addons plugins section); you can force the download by clicking Check for updates under the tools button
For ESR users : if you opt for Librefox HTTP Watcher you need to use this version : Librefox HTTP Watcher ESR - Tor MoD
Librefox is applied to a built version of firefox; you can build it yourself or use the version provided by mozilla
Linux :
- Extract firefox-63.0.3.tar.bz2
- git clone https://github.com/intika/Librefox-Firefox.git
- Copy mozilla.cfg to firefox/
- Copy local-settings.js to firefox/defaults/pref/
- Create a folder firefox/distribution/
- Copy policies.json to firefox/distribution/
- Delete the following files and then compress the package (tar.bz2)
firefox/browser/features/[email protected]
firefox/browser/features/[email protected]
firefox/browser/features/[email protected]
firefox/browser/features/[email protected]
firefox/browser/features/[email protected]
firefox/update-settings.ini
firefox/updater.ini
firefox/updater
firefox/crashreporter.ini
firefox/crashreporter
Windows :
- Extract Firefox Setup 63.0.3.exe (Can be done by launching it, files are extracted to %tmp%)
- git clone https://github.com/intika/Librefox-Firefox.git
- Copy mozilla.cfg to core/
- Copy local-settings.js to core/defaults/pref/
- Create a folder core/distribution/
- Copy policies.json to core/distribution/
- Delete the following files and then compress the package (zip)
core/browser/features/[email protected]
core/browser/features/[email protected]
core/browser/features/[email protected]
core/browser/features/[email protected]
core/browser/features/[email protected]
core/update-settings.ini
core/updater.ini
core/updater.exe
core/crashreporter.ini
core/crashreporter.exe
Mac :
- Requires a mac
- Decompress Firefox 63.0.3.dmg with tools like (hdiutils/dropdmg/disk-utilities/ultraiso/transmac)
- git clone https://github.com/intika/Librefox-Firefox.git
- Rename the decompressed Firefox-63.0.3.dmg to Librefox-Firefox-63.0.3.dmg
- Mount Librefox-Firefox-63.0.3.dmg
- Replace Firefox/Firefox.app/.background/background.png with the one from this git
- Remove the directory Firefox/Firefox.app/Contents/_CodeSignature
- Remove the directory Firefox/Firefox.app/Contents/MacOS/plugin-container.app/Contents/_CodeSignature (this one does not seem to be required)
- Run codesign --remove-signature Firefox.app (This basically removes the signature from Firefox/Firefox.app/Contents/MacOS/firefox)
- Remove the directory Firefox/Firefox.app/Contents/MacOS/crashreporter.app/
- Remove the directory Firefox/Firefox.app/Contents/MacOS/updater.app/
- Remove Firefox/Firefox.app/Contents/Library/LaunchServices/org.mozilla.updater
- Remove Firefox/Firefox.app/Contents/Resources/browser/features/[email protected]
- Remove Firefox/Firefox.app/Contents/Resources/browser/features/[email protected]
- Remove Firefox/Firefox.app/Contents/Resources/browser/features/[email protected]
- Remove Firefox/Firefox.app/Contents/Resources/browser/features/[email protected]
- Remove Firefox/Firefox.app/Contents/Resources/browser/features/[email protected]
- Remove Firefox/Firefox.app/Contents/Resources/update-settings.ini
- Remove Firefox/Firefox.app/Contents/Resources/updater.ini
- Copy mozilla.cfg to Firefox/Firefox.app/Contents/Resources/
- Copy local-settings.js to Firefox/Firefox.app/Contents/Resources/defaults/pref/
- Create a folder Firefox/Firefox.app/Contents/Resources/distribution/
- Copy policies.json to Firefox/Firefox.app/Contents/Resources/distribution/
- Unmount the dmg file
- Compress it with tools like (hdiutils/dropdmg/disk-utilities/ultraiso/transmac)