Take care to not accidentally reload this page while working with it, since a reload would cause the
adjusted form values to be reset to the default values.
So, depending on the radio button checked above, unnecessary preferences are disabled in the list
of all the available user preferences below. There you may decide to include (check) or else
exclude (uncheck) specific preferences. Remember that with this script you only choose which
user_pref("[pref name]", [value]);
lines are included in the user.js file! If a box is unchecked, the user_pref is not included and
has no effect on the preference whatsoever, i.e. the old pref in the prefs.js file holds. Naturally
only an included user_pref can alter a pref.
Generating the script code by pressing the left button below the 100 preferences, without
fine-tuning them, is believed to give the best balance of security/privacy against functionality for
your program. The checked preferences in principle enhance security/privacy. By checking unchecked
user preferences you might reduce functionality or security, so be particular when fine-tuning.
APPLICATION INDEPENDENT — SECURITY AND PRIVACY CONCERNS
The preferences that are checked by default are important for security and privacy reasons. By checking
more user preferences your program would be even more secure, but possibly lose some useful
functionality. If you are using a somewhat older program, there might be precious security related
preferences in the grey area just below.
SLIGHTLY DATED APPLICATIONS
A great source of inspiration for the reconfiguration of security related preferences was the
recommendations by NSA, a security body giving advice about network environments. Cp. its Guide to
Securing Netscape 7.
These preferences will have an effect on applications built from old branches, e.g.
Mozilla 1.7, Firefox 1.5, Seamonkey 1.0, Netscape 8.
LXR roots: The preferences referred to in this section are found in the branches 1.7 or 1.8.0 in the
project’s source tree.
1-9 Disable SSL2 and weak SSL3/TLS encryptions
Secure the Gecko 1.7 and 1.8.0 branches, where weaker encryptions were allowed. For more information,
see bug 236933.
user_pref("security.enable_ssl2", );
user_pref("security.ssl3.rsa_fips_des_sha", );
user_pref("security.ssl3.rsa_des_sha", );
user_pref("security.ssl3.rsa_1024_rc4_56_sha", );
user_pref("security.ssl3.rsa_1024_des_cbc_sha", );
user_pref("security.ssl3.rsa_rc4_40_md5", );
user_pref("security.ssl3.rsa_rc2_40_md5", );
user_pref("security.ssl3.dhe_rsa_des_sha", );
user_pref("security.ssl3.dhe_dss_des_sha", );
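The two points made so far, that only an included user_pref line overrides what prefs.js holds, and that the cipher and OCSP preferences of sections 1-11 are the ones worth checking first, can be verified on a profile with a small script. The following is an added example, not the generator's own code: it parses constructed prefs.js and user.js samples, computes which value is actually in effect for each pref, audits the result against a recommended map inferred from the section texts above (the map and the sample files are assumptions of the example), and serialises the missing lines back in user.js form.

```python
import re

# Constructed sample profile files for this demo (not taken from a real profile).
# prefs.js holds what the application last saved; user.js holds the overrides a
# generator like the one described above would emit.
PREFS_JS = """\
# Mozilla User Preferences
user_pref("security.enable_ssl2", true);
user_pref("security.ssl3.rsa_rc4_40_md5", true);
user_pref("security.ssl3.rsa_rc2_40_md5", true);
user_pref("security.OCSP.enabled", 0);
user_pref("network.http.sendRefererHeader", 2);
user_pref("general.useragent.extra.user_js", "old note");
"""

USER_JS = """\
// Generated user.js: only the included lines override prefs.js.
user_pref("security.enable_ssl2", false);
user_pref("security.ssl3.rsa_rc4_40_md5", false);
user_pref("security.OCSP.enabled", 1);
user_pref("security.OCSP.require", true);
"""

# One user_pref line: a double-quoted name, a JS literal, then ");".
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\s*\);\s*$')


def parse_value(raw):
    """Turn the JS literal text into a Python bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return re.sub(r"\\(.)", r"\1", raw[1:-1])  # undo \" and \\ escapes
    try:
        return int(raw)
    except ValueError:
        return raw  # anything unexpected is kept as its raw text


def parse_prefs(text):
    """Collect user_pref() calls; comment and blank lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = parse_value(m.group(2))
    return prefs


def effective_prefs(prefs_js, user_js):
    """user.js is read after prefs.js, so its entries win; a pref it omits
    keeps the prefs.js value, exactly as an unchecked box leaves it."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged


# Recommended values for preferences 1-11, inferred from the section texts
# above ("disable" -> false, OCSP enabled -> 1, require -> true). This map is
# an assumption of the example, not data from the generator.
RECOMMENDED = {
    "security.enable_ssl2": False,
    "security.ssl3.rsa_fips_des_sha": False,
    "security.ssl3.rsa_des_sha": False,
    "security.ssl3.rsa_1024_rc4_56_sha": False,
    "security.ssl3.rsa_1024_des_cbc_sha": False,
    "security.ssl3.rsa_rc4_40_md5": False,
    "security.ssl3.rsa_rc2_40_md5": False,
    "security.ssl3.dhe_rsa_des_sha": False,
    "security.ssl3.dhe_dss_des_sha": False,
    "security.OCSP.enabled": 1,
    "security.OCSP.require": True,
}


def audit(effective):
    """(name, actual, recommended) for each recommended pref not in effect.
    actual is None when neither file sets it: the compiled-in default applies."""
    return [(name, effective.get(name), want)
            for name, want in RECOMMENDED.items()
            if effective.get(name) != want]


def format_value(value):
    """Render a value as the JS literal user.js expects (bool before int,
    because True is also an int in Python)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    return '"' + str(value).replace("\\", "\\\\").replace('"', '\\"') + '"'


def emit_user_js(selected):
    """Serialise only the selected prefs as user_pref("[pref name]", [value]); lines."""
    return "".join(f'user_pref("{name}", {format_value(value)});\n'
                   for name, value in sorted(selected.items()))


if __name__ == "__main__":
    eff = effective_prefs(PREFS_JS, USER_JS)
    for name, have, want in audit(eff):
        print(f"{name}: in effect {have!r}, recommended {want!r}")
    # A user.js fragment that would close every gap the audit found.
    print(emit_user_js({name: want for name, _, want in audit(eff)}))
```

Run against the samples, the audit reports the RC2 cipher that prefs.js still enables (user.js did not override it) and the six cipher prefs neither file mentions, which is the situation the text warns about: an unchecked box is not a "false", it is silence, and silence leaves the old value in force.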
ALL CURRENT APPLICATIONS
These preferences will have an effect on current applications, including but not limited to Firefox
2, Thunderbird 2, Seamonkey 1.1, Netscape 9. They will work on older programs as well.
LXR roots: The preferences referred to in this section are most often found in the all.js or
security-prefs.js files in the project’s source tree.
10-11 Validation
Use OCSP to validate only certificates that specify an OCSP service URL. Change the value to 2 only
if you apply a particular signing certificate authority and URL to query for OCSP certificate
verification/validation. By checking user preference no 11, the certificate would be treated as
invalid when an OCSP server connection fails. (That preference is currently implemented in trunk
builds only.) Cp. bug 110161 to learn about recent changes concerning these preferences.
user_pref("security.OCSP.enabled", 1 | 2);
user_pref("security.OCSP.require", );
12 Client certificate selection
Ask every time for the selection of a security certificate to present to web sites that require one.
user_pref("security.default_personal_cert", );
13-17 Warning alert messages
Do not alert when loading a page that supports encryption.
user_pref("security.warn_entering_secure", );
Warn when browsing secure/normal pages. The dialogue will let you disable each warning until the next
time you start the browser. The warnings when leaving a secure page, and submitting over an insecure
connection, are unchecked by default. For pros and cons about these warnings, see bug 341472.
user_pref("security.warn_entering_weak", );
user_pref("security.warn_leaving_secure", );
user_pref("security.warn_viewing_mixed", );
user_pref("security.warn_submit_insecure", );
18-20 Storing personal information
Do not fill in automatically or save form data, and use encryption when storing sensitive data.
user_pref("browser.formfill.enable", );
user_pref("wallet.captureForms", );
user_pref("wallet.crypto", );
21-23 Passwords
Ask for master password (if enabled) every 30 minutes. You could change the interval by entering any
number of minutes in user preference no 23. Checking the first preference would disable the Password
manager. Change the value of user preference no 22 to 1 if the application should ask for the
password every time it’s needed.
user_pref("signon.rememberSignons", );
user_pref("security.ask_for_password", 1 | 2);
user_pref("security.password_lifetime", );
24 Disable Java ™
The preference for disabling Java is unchecked by default.
user_pref("security.enable_java", );
25-26 Cache preferences
The user preference no 25 will disable all link prefetching and no 26 all caching, the latter being
unchecked by default.
user_pref("network.prefetch-next", );
user_pref("network.http.use-cache", );
27-31 Cookies
Make sure cookies are disabled for mail and else allow cookies based on permissions per site. Except
for the first, these user preferences are unchecked by default, because there is ongoing discussion
about what the best options are. See bug 324397 for the reasoning about the program preference default, and see bug 366611 about the removal
of support for P3P settings.
user_pref("network.cookie.disableCookieForMailNews", );
user_pref("network.cookie.cookieBehavior", 0 | 1 | 2);
The numbers available for user preference no 28 above mean:
0 Enable all cookies (default)
1 Allow cookies from originating server only
2 Disable all cookies
The numbers available for user preference no 29 below mean:
0 Accept cookies normally
1 Ask once for cookie per site — check user preference no 30 to avoid an excess of prompts
2 Accept for current session only
3 Accept for any number of days set in user preference no 31 (90 by default)
user_pref("network.cookie.lifetimePolicy", 0 | 1 | 2 | 3);
user_pref("network.cookie.alwaysAcceptSessionCookies", );
user_pref("network.cookie.lifetime.days", );
32-33 Sending referer headers
Do not send referers. The referer preferences are unchecked by default. With the first preference,
change the value to 1 if, rather than denying referers altogether, link clicks (but not images)
should result in the sending of the referer. See bugs 1582 and 141641 for caveats about disabling
the sending of referer headers.
Checking user preference no 33 would inhibit sending of HTTPS referers to other HTTPS sites.
user_pref("network.http.sendRefererHeader", 0 | 1);
user_pref("network.http.sendSecureXSiteReferrer", );
34-43 JavaScript and popup windows restrictions
Do not allow javascript in mail. Scripts should not be able to hide or change the status bar or the
context menu. By checking the first preference, javascript would be disabled altogether.
user_pref("javascript.enabled", );
user_pref("javascript.allow.mailnews", );
user_pref("dom.disable_window_status_change", );
user_pref("dom.event.contextmenu.enabled", );
Popup windows (created by scripts) should not hide the location bar or have a fixed size or appearance.
The first user preference (forcing the location bar to be shown) is unchecked by default,
cp. bug 337344.
user_pref("dom.disable_window_open_feature.location", );
user_pref("dom.disable_window_open_feature.resizable", );
user_pref("dom.disable_window_open_feature.minimizable", );
Block popup windows not created as a result of a mouse click. The value 2 of user preference no 43
allows whitelisted sites to open popups. To disable popups for all sites, change the value to 3.
user_pref("dom.disable_open_during_load", );
user_pref("dom.disable_open_click_delay", );
user_pref("privacy.popups.disable_from_plugins", 2 | 3);
44-45 Automatic updates
The application should automatically check to see if there is an updated version of itself, but should
prompt before downloading major releases. Changing the first preference to false would disable
automatic updates.
user_pref("app.update.auto", true | false);
user_pref("app.update.mode", );
46 Don’t ping
No spying – ignore the ping attribute. (This preference is currently implemented in trunk builds
only.)
user_pref("browser.send_pings", );
MODIFY THE BROWSER COMPONENT’S PREFERENCES
These preferences will have effect in the browser component in application suites like
SeaMonkey, and in stand-alone browsers, e.g. Firefox and its derivatives. They are normally not
security related, so all user preferences in this section are unchecked by default.
LXR roots: The preferences referred to in this section are most often found in the browser-prefs.js
and firefox.js files, or in the all.js file in the project’s source tree.
APPLICATION SPECIFIC — ANTI ANNOYANCES
The preference changes in the framed area are there to smooth things a bit by getting rid of possible
annoyances in popular browsers. The changes would not normally jeopardise security; where they might,
it is pointed out.
The preferences will control behaviour of the browser component. Note that some functionality might be
dependent on preferences referred to in a previous section.
DEAL WITH FIREFOX ® PECULIARITIES
These preferences will have an effect in Firefox and its derivatives like Netscape Navigator 9. All
user preferences in this section are unchecked by default.
LXR roots: Firefox specific preferences are found in the firefox.js file in the project’s source tree.
52 Do not restore the session after a crash
This user preference is for disabling the session restore utility after a crash. See the issues list
for the relevance of this preference.
user_pref("browser.sessionstore.resume_from_crash", );
53-54 Phishing protection
Firefox 2 incorporates the Google Safe Browsing extension to detect and warn users of phishy web
sites. The recommended setting is to keep the protection activated, but you could turn it off by
changing the first preference to false. User preference no 54 makes a third-party provider be
consulted to determine whether a site is phishy.
user_pref("browser.safebrowsing.enabled", true | false);
user_pref("browser.safebrowsing.remoteLookups", );
55-59 Controlling the tabs
Return to Fx 1.5 defaults. Only show the tab’s close button at the end of the tabstrip (user
preference no 55) and give focus to the adjacent tab on closing a tab (user preference no 56).
user_pref("browser.tabs.closeButtons", );
user_pref("browser.tabs.selectOwnerOnClose", );
Prevent tabs opened with an item from the bookmarks list from receiving focus.
user_pref("browser.tabs.loadBookmarksInBackground", );
Have search bar results always open in a new tab.
user_pref("browser.search.openintab", );
Append a group of tabs instead of replacing the existing tabs.
user_pref("browser.tabs.loadFolderAndReplace", );
60 Download directory
Choose every time where downloads get put.
user_pref("browser.download.useDownloadDir", );
DEAL WITH SEAMONKEY ® PECULIARITIES
These preferences will have an effect in SeaMonkey and its derivatives. All user preferences in this
section are unchecked by default.
LXR roots: SeaMonkey specific preferences are found in the browser-prefs.js file in the project’s
source tree.
61 Enhance JavaScript functionality
Allow JavaScript to move and resize existing windows. This user preference might be considered a
loosening of security.
user_pref("dom.disable_window_move_resize", );
62-64 Open links in tabs
Open links from external programs, targeted links and unspecified window.open calls in tabs (instead
of new windows).
user_pref("browser.link.open_external", );
user_pref("browser.link.open_newwindow", );
user_pref("browser.link.open_newwindow.restriction", );
65-68 Location bar behaviour
Turn off confusing location bar popups.
user_pref("browser.urlbar.showPopup", );
user_pref("browser.urlbar.showSearch", );
Do not unintentionally select the text when clicking in the location bar (but select it by
triple-click instead).
user_pref("browser.urlbar.clickSelectsAll", );
user_pref("browser.urlbar.clickAtEndSelects", );
69 The sidebar
Do not automatically open the search sidebar when doing a search.
user_pref("browser.search.opensidebarsearchpanel", );
70-71 Tooltip previews and menu icons
Disable the tooltip preview of a tab’s contents. Cp. bug 315207.
user_pref("browser.tabs.tooltippreview.enable", );
Load site icons/favicons when displaying bookmarks in menus, but only if they have already been
cached. Changing the number to 0 would make the browser never load and show the icons in menus.
user_pref("browser.chrome.load_toolbar_icons", 0 | 1);
MAIL & NEWSGROUPS
The preference changes in this section are here to control mail management, addressbooks and newsgroups.
Note that some functionality might be dependent on preferences referred to in a previous section.
These preferences will have effect in the mail and newsgroups component in application suites like
SeaMonkey, and in stand-alone email clients, e.g. Thunderbird and its derivatives. Only privacy
related preferences are checked by default.
LXR roots: Mail specific preferences are found in the mailnews.js or all-thunderbird.js files in the
project’s source tree.
72-73 Privacy controls for handling remote content in mail
Disable plug-ins for mail and do not display remote images in messages. Loading remote images can
confirm to spammers that an email address is valid and read.
user_pref("mailnews.message_display.allow.plugins", );
user_pref("mailnews.message_display.disable_remote_image", );
74-77 Return receipts
Never send a return receipt if the addressee is not in "To" or "Cc", and ask me in other cases. By
checking the first preference, return receipts would become disabled altogether.
The numbers available for user preferences no 76 and 77 mean:
0 Never send
1 Always send
2 Ask me
user_pref("mail.mdn.report.enabled", );
user_pref("mail.mdn.report.not_in_to_cc", );
user_pref("mail.mdn.report.outside_domain", 0 | 2);
user_pref("mail.mdn.report.other", 1 | 2);
78-79 Collecting addresses
Add email addresses to the Collected addressbook (not to muddle the Personal addressbook). By
checking the first preference, address collecting (for outgoing messages) would be disabled
altogether.
user_pref("mail.collect_email_address_outgoing", );
user_pref("mail.collect_addressbook", );
80-81 Format=flowed prefs and RFC 2646
Read messages using old style wrapping. By checking the first preference, composed messages would be
prevented from being transmitted with format=flowed. See the Format=Flowed Mini-FAQ about this
feature. Both user preferences are unchecked by default.
user_pref("mailnews.send_plaintext_flowed", );
user_pref("mailnews.display.disable_format_flowed_support", );
82 Duplicate messages
Mark duplicate messages as read. See bug 9413 for information. This user preference is unchecked by
default. The alternative values (numbers) mean:
1 Delete dupes
2 Move dupes to trash
3 Mark dupes as read
user_pref("mail.server.default.dup_action", 1 | 2 | 3);
83-84 Mail list appearance
Do not remember the last selected message or auto-scroll to a new message. Both user preferences are
unchecked by default.
user_pref("mailnews.remember_selected_message", );
user_pref("mailnews.scroll_to_new_message", );
85-87 Regular compacting of folders
Compact folders when it will save over a certain amount of kilobytes, by default 100 kB. Change the
number to any threshold you like. Both user preferences are unchecked by default. (The pref names
below really are spelled "threshhold".)
user_pref("mail.prompt_purge_threshhold", );
user_pref("mail.purge_threshhold", );
Make the client show a confirmation alert when starting automatic compacting of folders. This user
preference is unchecked by default (and is currently implemented in trunk builds only).
user_pref("mail.purge.ask", );
88 Phishing detection for link clicks
The recommended setting is to keep phishing detection enabled, i.e. analyze URLs in mail messages for
scams, but you could turn it off by changing the preference to false.
user_pref("mail.phishing.detection.enabled", true | false);
89 No preview text
Disable preview text in mail alerts and folder tooltips. This user preference is unchecked by default.
user_pref("mail.showPreviewText", );
MISCELLANEOUS
The remaining application independent preferences we need to deal with are diverse annoyances found
here and there; they might or might not have an effect on your software. No preferences (except the
last one) are checked by default.
90-91 Blinking and tipping off
The first preference disables tooltips and the second puts an end to blinking text. Both are unchecked
by default.
user_pref("browser.chrome.toolbar_tips", );
user_pref("browser.blink_allowed", );
92-93 Internet keywords
Disable domain guessing and enable Internet keywords. These user preferences are unchecked by
default. See a mozilla.org ® document for information about the implementation of this feature.
user_pref("browser.fixup.alternate.enabled", );
user_pref("keyword.enabled", );
94 Page reloading
Disable automatic reload of web pages by the HTML META refresh tag.
user_pref("accessibility.blockautorefresh", );
95-98 Fonts
For readability on screen, fonts should not have serifs and font size should not be less than the
pixels you state (for instance 10 px). These user preferences are unchecked by default.
user_pref("font.default.x-unicode", );
user_pref("font.default.x-western", );
user_pref("font.minimum-size.x-unicode", );
user_pref("font.minimum-size.x-western", );
99 Let Windows OS have memory if the application is minimized
Allow the application to release memory for the benefit of other programs. See bug 76831 for more
information. This user preference is unchecked by default.
user_pref("config.trim_on_minimize", );
100 Show the world
Add a note to the user agent string. Do observe that this user preference is always included.
user_pref("general.useragent.extra.user_js", );