Take care not to reload this page accidentally while working with it: a reload resets the adjusted
form values to their defaults.
Depending on the radio button checked above, settings that do not apply to your program are disabled
in the list of all available user preferences below. There you may decide to include (check) or
exclude (uncheck) specific preferences. Remember that this script only chooses which
user_pref("[pref name]", [value]);
lines are written to the user.js file. If a box is unchecked, the user_pref line is not included and
has no effect on that preference whatsoever: the old value in the prefs.js file continues to hold.
Only an included user_pref can alter a pref. Bear the converse in mind as well: user.js is re-read at
every start-up, so a pref it contains is forced back to that value each time, and changing it in the
program's preferences dialogue will not stick until the line is removed from user.js again.
Generating the script code by pressing the left button below the 100 preferences, without
fine-tuning them, is believed to give the best balance between security/privacy and functionality
for your program. The preferences checked by default in principle enhance security/privacy. Checking
user_pref's that are unchecked by default may reduce functionality or security, so be careful when
fine-tuning.
SECURE IT — APPLICATION INDEPENDENT PREFERENCES
Most preferences are checked by default. They matter for security and privacy, especially if you are
using a somewhat older program. Checking more user_pref's makes your program more locked down, at
the cost of some functionality.
A major source of inspiration for the reconfiguration of security-related preferences was the
recommendations of the NSA, a security body that publishes configuration guidance for network
environments. Cp. its Guide to Securing Netscape 7.
SECURE OLDER APPLICATIONS
These preferences affect older applications, i.e. those built from a branch up to and including
1.8.0.
LXR roots: The settings referred to in this section are found in the security-prefs.js, all.js,
browser-prefs.js, mailnews.js, all-thunderbird.js or firefox.js files in the source for the
project's 1.8.0 branch.
1-9 Disable SSL2 and weak SSL3/TLS cipher suites
Secure the Gecko 1.7 and 1.8.0 branches, where weak cipher suites were still enabled. SSL 2.0 has
protocol-level flaws (its handshake is not integrity-protected, so a man in the middle can force the
weakest suite both sides support), and the 40-bit and 56-bit export suites and the single-DES suites
below use keys short enough to be brute-forced. For more information, see bug 236933.
user_pref("security.enable_ssl2", false);
user_pref("security.ssl3.rsa_fips_des_sha", false);
user_pref("security.ssl3.rsa_des_sha", false);
user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
user_pref("security.ssl3.rsa_1024_des_cbc_sha", false);
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("security.ssl3.rsa_rc2_40_md5", false);
user_pref("security.ssl3.dhe_rsa_des_sha", false);
user_pref("security.ssl3.dhe_dss_des_sha", false);
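The following Node.js script is an added example; it is not code from this page or from the generator script the page describes. It models what the introduction explains (user.js is read after prefs.js at start-up, so only the user_pref lines you include override stored values, and an unchecked box produces no line at all) and then checks that all nine SSL2/weak-cipher prefs listed above end up false, treating a pref that is merely absent as still enabled. The pref names are the ones on this page; the prefs.js contents and the checkbox selection are constructed sample input, and quoting string values with JSON.stringify is this example's own choice.

```javascript
// Added example, not part of the original page or its generator script.
// Models (1) how user.js overlays prefs.js at start-up and (2) an audit of
// the nine SSL2/weak-cipher prefs, which are only effective when present
// AND false. All sample inputs below are constructed, not captured.

// Prefs 1-9 from the page; each must be false to switch the suite off.
const WEAK_TLS_PREFS = [
  "security.enable_ssl2",
  "security.ssl3.rsa_fips_des_sha",
  "security.ssl3.rsa_des_sha",
  "security.ssl3.rsa_1024_rc4_56_sha",
  "security.ssl3.rsa_1024_des_cbc_sha",
  "security.ssl3.rsa_rc4_40_md5",
  "security.ssl3.rsa_rc2_40_md5",
  "security.ssl3.dhe_rsa_des_sha",
  "security.ssl3.dhe_dss_des_sha",
];

// Serialise one pref as a user_pref() line. Strings are JSON-quoted so an
// embedded quote or backslash cannot turn a value into extra JavaScript.
function formatUserPref(name, value) {
  if (typeof value === "boolean" || Number.isInteger(value)) {
    return `user_pref(${JSON.stringify(name)}, ${value});`;
  }
  if (typeof value === "string") {
    return `user_pref(${JSON.stringify(name)}, ${JSON.stringify(value)});`;
  }
  throw new TypeError(`unsupported value for ${name}`);
}

// Emit a user.js from a {name: value} selection. An unchecked box is
// modelled as the value undefined and produces no line at all.
function generateUserJs(selection) {
  const lines = [];
  for (const [name, value] of Object.entries(selection)) {
    if (value !== undefined) lines.push(formatUserPref(name, value));
  }
  return lines.join("\n") + "\n";
}

// Parse user_pref("name", value); lines from prefs.js or user.js.
// Booleans, integers and double-quoted strings are supported; blank lines
// and // comments are skipped; anything else is rejected rather than guessed.
const PREF_LINE =
  /^\s*user_pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;\s*$/;

function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const trimmed = line.trim();
    if (trimmed === "" || trimmed.startsWith("//")) continue;
    const m = PREF_LINE.exec(line);
    if (!m) throw new SyntaxError(`unparseable pref line: ${line}`);
    const name = JSON.parse(`"${m[1]}"`);
    const raw = m[2];
    let value;
    if (raw === "true" || raw === "false") value = raw === "true";
    else if (raw.startsWith('"')) value = JSON.parse(raw);
    else value = Number.parseInt(raw, 10);
    prefs.set(name, value);
  }
  return prefs;
}

// Effective prefs after start-up: user.js entries overwrite prefs.js entries,
// and a pref absent from user.js keeps whatever prefs.js held.
function effectivePrefs(prefsJs, userJs) {
  const merged = parsePrefs(prefsJs);
  for (const [name, value] of parsePrefs(userJs)) merged.set(name, value);
  return merged;
}

// Return the weak-TLS prefs that are still enabled or simply unset.
function auditWeakTls(prefs) {
  return WEAK_TLS_PREFS.filter((name) => prefs.get(name) !== false);
}

// Constructed sample: a prefs.js where SSL2 and one export suite are still on.
const SAMPLE_PREFS_JS = [
  'user_pref("security.enable_ssl2", true);',
  'user_pref("security.ssl3.rsa_rc4_40_md5", true);',
  'user_pref("browser.startup.homepage", "about:blank");',
].join("\n");

// Constructed sample selection: three boxes checked, one left unchecked.
const SAMPLE_SELECTION = {
  "security.enable_ssl2": false,
  "security.ssl3.rsa_rc4_40_md5": false,
  "security.ssl3.rsa_des_sha": undefined,
  "general.useragent.extra.user_js": 'user.js "hardened"',
};

function demo() {
  const userJs = generateUserJs(SAMPLE_SELECTION);
  const prefs = effectivePrefs(SAMPLE_PREFS_JS, userJs);
  return { userJs, prefs, stillWeak: auditWeakTls(prefs) };
}

const result = demo();
console.log(result.userJs);
console.log("weak TLS prefs still not disabled:", result.stillWeak.join(", "));
```

Run it with `node` and compare the audit output with the generated user.js: the two checked suites are reported as disabled, the unchecked one and the six that were never mentioned are listed as still weak, and the homepage value from prefs.js survives untouched, which is exactly the "old pref holds" behaviour the introduction describes.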
10-11 Privacy controls for handling remote content in mail
Disable plug-ins for mail and do not display remote images in messages. Fetching a remote image
tells the sender's server that the message was opened, which lets spammers confirm that the address
is live.
user_pref("mailnews.message_display.allow.plugins", false);
user_pref("mailnews.message_display.disable_remote_image", true);
GENERAL CONCERNS
These preferences affect current applications (first and foremost those built from the 1.8 branch).
LXR roots: The settings referred to in this section are found in the all.js, all-thunderbird.js or
security-prefs.js files in the source for the project's 1.8 branch.
12 Validation
Use OCSP to validate only certificates that specify an OCSP service URL. Change the value to 2
only if you want every certificate checked against one particular OCSP responder whose URL and
signing certificate authority you configure yourself.
user_pref("security.OCSP.enabled", 1);
13 Client certificate selection
Ask every time which personal certificate to present to web sites that require one, rather than
letting the browser pick one silently (which would identify you to any site that asks for a client
certificate).
user_pref("security.default_personal_cert", "Ask Every Time");
14-18 Warning alert messages
Do not alert when loading a page that supports encryption, but warn in the other cases. The dialogue
lets you disable each warning until the next time you start the browser. The warnings when leaving a
secure page and when submitting over an insecure connection are unchecked by default. For the pros
and cons of these warnings, see bug 341472.
user_pref("security.warn_entering_secure", false);
user_pref("security.warn_entering_weak", true);
user_pref("security.warn_leaving_secure", true);
user_pref("security.warn_viewing_mixed", true);
user_pref("security.warn_submit_insecure", true);
19-21 Storing personal information and passwords
Do not save passwords or form data, and use encryption when storing sensitive data. Checking the
first setting disables the Password Manager altogether. (The wallet.* prefs belong to the form
manager of the Mozilla Suite/SeaMonkey; Firefox has no wallet component and ignores them.)
user_pref("signon.rememberSignons", false);
user_pref("wallet.captureForms", false);
user_pref("wallet.crypto", true);
22-23 Master password timeout
Ask for the master password (if one is set) again every 30 minutes by default. You can change the
interval by entering any number of minutes in user_pref no 23. Change the first setting's value to
1 if the application should ask for the password every time it is needed.
user_pref("security.ask_for_password", 2);
user_pref("security.password_lifetime", 30);
24 Disable Java ™
The preference for disabling Java is unchecked by default.
user_pref("security.enable_java", false);
25-26 Cache settings
user_pref no 25 disables all link prefetching (fetching links a page marks for prefetching before you
click them, which tells those hosts what you are reading), and no 26 disables caching altogether;
the latter is unchecked by default.
user_pref("network.prefetch-next", false);
user_pref("network.http.use-cache", false);
27-30 Cookies
Make sure cookies are disabled for mail, and otherwise allow cookies based on per-site permissions.
See bug 366611 about the removal of support for P3P settings.
The values available for user_pref no 28 mean:
0 Enable all cookies (default)
1 Allow cookies from the originating server only (blocks third-party cookies)
2 Disable all cookies
The values available for user_pref no 29 mean:
0 Accept cookies normally
1 Ask once per site whether to accept its cookies (keep user_pref no 30 checked to avoid an excess
of prompts)
2 Accept for the current session only
3 Accept for 90 days (or any number of days set in the program preferences)
user_pref("network.cookie.disableCookieForMailNews", true);
user_pref("network.cookie.cookieBehavior", [value]);
user_pref("network.cookie.lifetimePolicy", [value]);
user_pref("network.cookie.alwaysAcceptSessionCookies", true);
31-32 Sending referer headers
Do not send referers. Both referer settings are unchecked by default. In the first preference,
change the value to 1 if, rather than suppressing referers altogether, link clicks (but not embedded
images and other sub-requests) should still send the referer. Be aware that some sites use the
referer as a (weak) check against cross-site request forgery and reject form submissions that arrive
without one; see bugs 1582 and 141641 for caveats about disabling referer headers.
Checking user_pref no 32 stops HTTPS pages from sending a referer to other HTTPS sites (a referer
from an HTTPS page is never sent to a plain HTTP site in any case).
user_pref("network.http.sendRefererHeader", 0);
user_pref("network.http.sendSecureXSiteReferrer", false);
33-44 JavaScript and popup windows restrictions
Do not allow JavaScript in mail. Scripts should not be able to hide or change the status bar or the
context menu. Checking the first setting disables JavaScript altogether.
user_pref("javascript.enabled", false);
user_pref("javascript.allow.mailnews", false);
user_pref("dom.disable_window_status_change", true);
user_pref("dom.event.contextmenu.enabled", false);
Popup windows (created by scripts) should not be able to hide the status bar or the location bar, or
to have a fixed size or appearance; a window without a location bar can pass itself off as a site it
is not. user_pref no 38 is unchecked by default, cp. bug 337344.
user_pref("dom.disable_window_open_feature.status", true);
user_pref("dom.disable_window_open_feature.location", true);
user_pref("dom.disable_window_open_feature.resizable", true);
user_pref("dom.disable_window_open_feature.minimizable", true);
Block popup windows not created as a result of a mouse click. user_pref no 42 is the number of
milliseconds after a click during which a script may still open a popup. The value 2 of user_pref
no 43 allows whitelisted sites to open popups; to disable popups for all sites, change the value to
3.
user_pref("dom.disable_open_during_load", true);
user_pref("dom.disable_open_click_delay", [value]);
user_pref("privacy.popups.disable_from_plugins", 2);
Allow JavaScript to move and resize existing windows. This user_pref is unchecked by default.
user_pref("dom.disable_window_move_resize", false);
45-46 Blinking and tipping off
The first setting disables tooltips and the second puts an end to blinking text. Both are unchecked
by default.
user_pref("browser.chrome.toolbar_tips", false);
user_pref("browser.blink_allowed", false);
47-48 Automatic updates
The application should automatically check whether an updated version of itself is available, but
should prompt before downloading major releases. Changing the first setting to false disables
automatic updates; since updates are how security fixes reach the program, leave it at true unless
updates are handled some other way.
user_pref("app.update.auto", true);
user_pref("app.update.mode", 1);
MODIFY PREFERENCES IN THE BROWSER COMPONENT
These preferences affect the browser. Note that some functionality may depend on settings referred
to in a previous section.
LXR roots: The settings referred to in this section are found in the all.js or browser-prefs.js
files in the source for the project's 1.8 branch.
49 When starting a download
Show a download progress window, or, by changing the value to 0, open the Download Manager.
user_pref("browser.downloadmanager.behavior", 1);
50 Filling in forms
Disable automatic form filling from the saved form history.
user_pref("browser.formfill.enable", false);
51-56 Window tabs
All tab behaviour user_pref's are unchecked by default.
Do not hide the tab bar when only one tab is open. The second setting appends a group of tabs
instead of replacing the existing tabs.
user_pref("browser.tabs.autoHide", false);
user_pref("browser.tabs.loadGroup", 1);
Prevent tabs opened by other applications from receiving focus.
user_pref("browser.tabs.loadDivertedInBackground", true);
Open links from external programs, targeted links and window.open calls that specify no window
features in tabs (instead of new windows).
user_pref("browser.link.open_external", 3);
user_pref("browser.link.open_newwindow", 3);
user_pref("browser.link.open_newwindow.restriction", 2);
57-58 Internet keywords
Enable Internet keywords and disable domain guessing; the user_pref for the latter is unchecked by
default. Domain guessing sends a mistyped host name to a host the browser guesses (with www. and
.com added), which need not belong to whoever you meant. See a mozilla.org ® document for
information about the implementation of this feature.
If user_pref no 58 is unchecked, the current settings of your program decide whether keywords are
enabled.
user_pref("browser.fixup.alternate.enabled", false);
user_pref("keyword.enabled", true);
59 Disable inline spellchecking
Disable automatic inline spellchecking for text entry controls such as textarea in HTML. This
user_pref is unchecked by default.
user_pref("layout.spellcheckDefault", 0);
60-64 Location bar behaviour
Turn off confusing location bar popups. If you also check user_pref no 62, autofilling of the
address replaces the popups.
user_pref("browser.urlbar.showPopup", false);
user_pref("browser.urlbar.showSearch", false);
user_pref("browser.urlbar.autoFill", true);
Do not select the whole text unintentionally when clicking in the location bar (select it by
triple-click instead).
user_pref("browser.urlbar.clickSelectsAll", false);
user_pref("browser.urlbar.clickAtEndSelects", false);
65 The sidebar
Do not automatically open the search sidebar when doing a search. This user_pref is unchecked by
default.
user_pref("browser.search.opensidebarsearchpanel", false);
66-67 Tooltip previews and menu icons
Disable the tooltip preview of a tab's contents. Cp. bug 315207. This user_pref is unchecked by
default.
user_pref("browser.tabs.tooltippreview.enable", false);
Load site icons/favicons when displaying bookmarks in menus, but only if they are already cached.
Changing the number to 2 makes the browser always load and show the icons in menus, which contacts
every bookmarked site as soon as the menu opens. This user_pref is unchecked by default.
user_pref("browser.chrome.load_toolbar_icons", 1);
MODIFY PREFERENCES IN THE EMAIL COMPONENT
These preferences affect mail management, address books and newsgroups. Note that some functionality
may depend on settings referred to in a previous section.
LXR roots: The settings referred to in this section are found in the mailnews.js file in the source
for the project's 1.8 branch.
68-71 Return receipts
Never send a return receipt if the addressee is not in "To" or "Cc", and ask in the other cases.
Checking the first setting disables return receipts altogether. Like a remote image, an automatic
receipt confirms to the sender that the address is read.
The values available for user_pref no 70 and 71 mean:
0 Never send
1 Always send
2 Ask me
user_pref("mail.mdn.report.enabled", false);
user_pref("mail.mdn.report.not_in_to_cc", 0);
user_pref("mail.mdn.report.outside_domain", 2);
user_pref("mail.mdn.report.other", 2);
72-73 Collecting addresses
Add email addresses to the Collected Addresses book (so as not to clutter the Personal Address
Book). Checking the first setting disables address collecting (for outgoing messages) altogether.
user_pref("mail.collect_email_address_outgoing", false);
user_pref("mail.collect_addressbook", "moz-abmdbdirectory://history.mab");
74-75 Format=flowed prefs and RFC 2646
Read messages using old-style wrapping. Checking the first preference prevents composed messages from
being transmitted with format=flowed. See the Format=Flowed Mini-FAQ about this feature. Both
user_pref's are unchecked by default.
user_pref("mailnews.send_plaintext_flowed", false);
user_pref("mailnews.display.disable_format_flowed_support", true);
76 Duplicate messages
Mark duplicate messages as read. See bug 9413 for information. This user_pref is unchecked by
default. The alternative values (numbers) mean:
1 Delete duplicates
2 Move duplicates to Trash
3 Mark duplicates as read
user_pref("mail.server.default.dup_action", 3);
77-78 Mail list appearance
Do not remember the last selected message or auto-scroll to a new message. Both user_pref's are
unchecked by default.
user_pref("mailnews.remember_selected_message", false);
user_pref("mailnews.scroll_to_new_message", false);
79-80 Regular compacting of folders
Compact folders when doing so will save more than a certain number of kilobytes, 100 kB by default;
change the number to any threshold you like (the pref names really are spelt "threshhold"). Both
user_pref's are unchecked by default.
user_pref("mail.prompt_purge_threshhold", true);
user_pref("mail.purge_threshhold", 100);
81 Phishing detection for link clicks
The default is to keep phishing detection enabled, i.e. to analyse URLs in mail messages for scams,
but you can turn it off by changing the setting to false.
user_pref("mail.phishing.detection.enabled", true);
OPTIMIZE IT — APPLICATION SPECIFIC PREFERENCES
The applications reconfigured with the preceding user preferences may be considered secure by
default. The preference changes in this part are there to smooth things a bit by removing potential
annoyances. Some of them may actually make the software less secure, but those appear unchecked in
the list.
DEAL WITH FIREFOX ® ANNOYANCES
These preferences affect Firefox 2 and its derivatives such as Netscape Navigator 9.
LXR roots: Firefox-specific settings are found in the firefox.js file in the source for the
project's 1.8 branch.
82 Do not restore the session after a crash
This user_pref for disabling session restore after a crash is unchecked by default. See the issues
list for the relevance of this preference.
user_pref("browser.sessionstore.resume_from_crash", false);
83-84 Phishing protection
Firefox 2 incorporates the Google Safe Browsing extension to detect phishy web sites and warn users
about them. The default is to keep the protection activated, but you can turn it off by changing the
first setting to false. user_pref no 84 makes the browser ask the third-party provider about each
site to determine whether it is phishy, instead of checking against a locally downloaded list; that
sends the address of every page you visit to the provider, which is why it is unchecked by default.
user_pref("browser.safebrowsing.enabled", true);
user_pref("browser.safebrowsing.remoteLookups", true);
85-89 Controlling the tabs
All user_pref's about tab control are unchecked by default, since their inclusion is purely a matter
of taste.
Return to the Fx 1.5 defaults: only show one close button at the end of the tab strip (user_pref no
85) and give focus to the adjacent tab, rather than the tab that opened it, when closing a tab
(user_pref no 86).
user_pref("browser.tabs.closeButtons", 3);
user_pref("browser.tabs.selectOwnerOnClose", false);
Prevent tabs opened from an item in the bookmarks list from receiving focus.
user_pref("browser.tabs.loadBookmarksInBackground", true);
Have search bar results always open in a new tab.
user_pref("browser.search.openintab", true);
Append a group of tabs instead of replacing the existing tabs.
user_pref("browser.tabs.loadFolderAndReplace", false);
90 Download directory
Ask every time where downloads should be saved.
user_pref("browser.download.useDownloadDir", false);
DEAL WITH THUNDERBIRD ™ ANNOYANCES
These preferences will have an effect on Thunderbird 2 and later, and its derivatives.
LXR roots: Thunderbird specific settings are found in the mailnews.js or
all-thunderbird.js file in the source for the project’s trunk .
DEAL WITH BLEEDING EDGE APPLICATIONS
These preferences will have an effect on particularly recent applications, i.e. those
built from branch 1.9 or from the trunk.
LXR roots: Gecko 1.9 specific settings are found in the all.js ,
browser-prefs.js or firefox.js files in the source for the project’s
trunk .
MISCELLANEOUS
The remaining application-independent preferences we need to deal with are diverse annoyances found
here and there, and they may or may not have an effect on your software. Only security-related
preferences are checked by default.
100 Show the world
Add a note to the user agent string. Note that this user_pref is always included. Whatever you put
here is sent to every web server you contact and, since few other people will use the same note,
makes your browser easy to recognise across sites; keep it short or leave it empty.
user_pref("general.useragent.extra.user_js", "[value]");