So, depending on the radio button checked above, unnecessary preferences are disabled in the list
of all the available user preferences below. There you may decide to include (check) or
else exclude (uncheck) specific preferences. Do remember that by using this script you only
choose which user_pref("[pref name]", [value]); lines are to be included in the user.js file! If a
box is unchecked, the user_pref is not included and will have no effect on the preference
whatsoever, i.e. the old pref in the prefs.js file will hold. Naturally, only an included
user_pref can alter a pref.
Generating the script code by pressing the left button below the 100 preferences, without
fine-tuning them, is believed to result in the best balance of security/privacy and functionality for your
program. The checked preferences in principle enhance security/privacy. By checking
unchecked user preferences, you might reduce functionality or security, so be particular when
fine-tuning.
APPLICATION INDEPENDENT — SECURITY AND PRIVACY CONCERNS
The preferences that are checked by default are important for security and privacy reasons. By checking
more user preferences your program would be even more secure, but possibly lose some useful
functionality. If you are using a somewhat older program, there might be precious security related
preferences in the grey areas just below.
PREFERENCES FOR DATED PROGRAMS
A great source of inspiration for the reconfigurations of security related preferences was the
recommendations by NSA, a security body giving advice about network environments. Cp. its Guide
to Securing Netscape 7.
These preferences will be useful when applied to applications that are no longer being developed,
e.g. Firefox 1.5, Seamonkey 1.0, Thunderbird 1.5.
Source roots: The preferences referred to in this section are found on the branch 1.8.0 in the project’s
source tree.
1-9 Disable SSL2 and weak SSL3/TLS encryptions
Secure the 1.8.0 branch (and earlier), where weaker encryptions were allowed. For more information, see
bug 236933.
user_pref("security.enable_ssl2", );
user_pref("security.ssl3.rsa_fips_des_sha", );
user_pref("security.ssl3.rsa_des_sha", );
user_pref("security.ssl3.rsa_1024_rc4_56_sha", );
user_pref("security.ssl3.rsa_1024_des_cbc_sha", );
user_pref("security.ssl3.rsa_rc4_40_md5", );
user_pref("security.ssl3.rsa_rc2_40_md5", );
user_pref("security.ssl3.dhe_rsa_des_sha", );
user_pref("security.ssl3.dhe_dss_des_sha", );
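The override rule from the introduction (an included user_pref replaces the value in prefs.js, an excluded one leaves it alone) can be checked against the nine preferences above. This is an added example, not part of the generator script; the sample file contents are constructed, and false is assumed to be the disabling value since the values on this page did not survive.

```python
import re

# One user_pref("name", value); line as written in prefs.js or user.js.
# Lines commented out with // or # do not match; /* */ blocks are not handled.
PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;', re.MULTILINE)

# The nine preference names listed under "1-9" on this page.
WEAK_TLS_PREFS = [
    "security.enable_ssl2",
    "security.ssl3.rsa_fips_des_sha",
    "security.ssl3.rsa_des_sha",
    "security.ssl3.rsa_1024_rc4_56_sha",
    "security.ssl3.rsa_1024_des_cbc_sha",
    "security.ssl3.rsa_rc4_40_md5",
    "security.ssl3.rsa_rc2_40_md5",
    "security.ssl3.dhe_rsa_des_sha",
    "security.ssl3.dhe_dss_des_sha",
]

# Constructed sample files, not taken from a real profile.
SAMPLE_PREFS_JS = '''# Mozilla User Preferences
user_pref("security.enable_ssl2", true);
user_pref("security.ssl3.rsa_des_sha", true);
user_pref("browser.startup.homepage", "about:blank");
'''
SAMPLE_USER_JS = '''// user.js generated with only two of the nine boxes checked
user_pref("security.enable_ssl2", false);
user_pref("security.ssl3.rsa_rc4_40_md5", false);
// user_pref("security.ssl3.rsa_des_sha", false);
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref line; a later line wins."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]   # escapes are left as written
        else:
            prefs[name] = int(raw)
    return prefs

def effective_prefs(prefs_js, user_js):
    """user.js entries override prefs.js; anything user.js omits keeps its old value."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    return merged

def audit_weak_tls(effective):
    """Return (name, state) for each 1-9 pref that is not explicitly false."""
    findings = []
    for name in WEAK_TLS_PREFS:
        value = effective.get(name)
        if value is not False:
            state = "unset, application default applies" if value is None else f"set to {value!r}"
            findings.append((name, state))
    return findings
```

With the constructed samples, the audit reports seven of the nine names: security.ssl3.rsa_des_sha is still true from prefs.js because its user.js line is commented out, and six others are unset.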
10 Client certificate selection
Ask every time for the selection of a security certificate to present to web sites that require one.
user_pref("security.default_personal_cert", );
11 Prevent JavaScript from monkeying with window focus, etc
Do not allow web sites to raise or lower existing windows.
This preference is unchecked by default. Cp. comment #5 in bug 307407 for the
setting’s status on the old branch.
user_pref("dom.disable_window_flip", );
PREFERENCES FOR SENIOR PROGRAMS
These preferences will be useful both when applied to dated applications as above, and on mature
applications soon to be replaced by newer versions, e.g. Firefox 2, Seamonkey 1.1,
Thunderbird 2.
Source roots: The preferences referred to in this section are found on the branch 1.8(.1) in the project’s
source tree.
12 Validation
Use OCSP to validate only certificates that specify an OCSP service URL. Change the value
to 2 only if you apply a particular signing certificate authority and URL to query for
OCSP certificate validation.
user_pref("security.OCSP.enabled", [1 | 2]);
13 No Security Alert
Do not alert when loading a page that supports encryption. This is the new default setting.
user_pref("security.warn_entering_secure", );
14-15 Storing personal information
Do not save form data, and use encryption when storing sensitive data. Note that wallet
preferences are becoming obsolete in newer applications.
user_pref("wallet.captureForms", );
user_pref("wallet.crypto", );
16-17 Do not give scripts control over popup windows
Popup windows (created by scripts) should not hide the location bar, or have a fixed size. See bug 337344 for caveats about
the first setting.
user_pref("dom.disable_window_open_feature.location", );
user_pref("dom.disable_window_open_feature.resizable", );
18 Phishing protection by a third-party provider
Firefox 3 does away with this particular preference (which is off by default) for having a
third-party provider consulted to determine whether a site is phishy. If, however, you are using
Firefox 2, you might want to activate the feature.
user_pref("browser.safebrowsing.remoteLookups", );
PREFERENCES FOR ALL CURRENT APPLICATIONS
These preferences will have an effect on current applications, including but not limited to Firefox
3, Thunderbird 3, and Seamonkey 2. Most preferences will work on senior and dated
programs as well.
Source roots: The preferences referred to in this section are most often found in the all.js or
security-prefs.js files in the project’s source tree.
19-22 Warning alert messages
Warn when browsing secure/normal pages. The dialogue will let you disable each warning until the next
time you start the browser. The warnings when leaving a secure page, and submitting over an insecure
connection are unchecked by default. For pros and cons about these warnings, see bug 341472.
user_pref("security.warn_entering_weak", );
user_pref("security.warn_leaving_secure", );
user_pref("security.warn_viewing_mixed", );
user_pref("security.warn_submit_insecure", );
23 Require validation
Require that the OCSP service is available, otherwise treat the certificate as not valid. This
preference (not applying to 1.8.x branches) is unchecked by default.
See bug 110161 to learn about this preference and related settings.
user_pref("security.OCSP.require", );
24-27 Passwords
Checking the first preference would disable the Password manager. If enabled though, do not
automatically fill sign-in forms with known usernames and passwords; instead, act as though there are
multiple username/password pairs remembered for the form (fill password after username has been
manually typed).
Ask for master password (if enabled) every 30 minutes by default. You could change the interval by
entering any number of minutes in user preference no 27. Change the value of user preference no 26 to
1 if the application should ask for the password every time it’s needed.
user_pref("signon.rememberSignons", );
user_pref("signon.autofillForms", );
user_pref("security.ask_for_password", [1 | 2]);
user_pref("security.password_lifetime", );
28 Disable Java™
The preference for disabling Java is unchecked by default.
user_pref("security.enable_java", );
29 No prefetching of Next page
The user preference will disable all link prefetching.
user_pref("network.prefetch-next", );
30-33 Cookies
As a suggestion, allow cookies based on permissions per site. These user preferences are unchecked by
default. See bug 324397 for a reasoning about the best preference application default, now resolved
as "Allow All Cookies", i.e. option value 0.
The option values available for user preference no 30 mean:
1 Allow cookies from originating server only
2 Disable all cookies
user_pref("network.cookie.cookieBehavior", [1 | 2]);
The application default for preference no 31 is "Accept cookies normally", i.e. option
value 0, and the others mean:
1 Ask once for cookie per site; check user preference no 32 to avoid an excess of prompts
2 Accept for current session only
3 Accept for any number of days set in user preference no 33 (90 by default)
user_pref("network.cookie.lifetimePolicy", [1 | 2 | 3]);
user_pref("network.cookie.alwaysAcceptSessionCookies", );
user_pref("network.cookie.lifetime.days", );
34-35 Sending referer headers
Do not send referers. The referer preferences are unchecked by default. With the first preference,
change the value to 1 if, rather than denying referers altogether, link clicks (but not
images) should result in the sending of the referer. See bugs 1582 and 141641 for caveats about
disabling sending of referer headers.
Checking user preference no 35 would inhibit sending of HTTPS referers to other HTTPS sites.
user_pref("network.http.sendRefererHeader", [0 | 1]);
user_pref("network.http.sendSecureXSiteReferrer", );
36-43 JavaScript and popup windows restrictions
Do not allow JavaScript in mail. Scripts should not be able to hide or change the status bar or the
context menu. By checking the first preference JavaScript would be disabled altogether.
user_pref("javascript.enabled", );
user_pref("javascript.allow.mailnews", );
user_pref("dom.disable_window_status_change", );
user_pref("dom.event.contextmenu.enabled", );
Popup windows (created by scripts) should not be impossible to minimize.
user_pref("dom.disable_window_open_feature.minimizable", );
Block popup windows not created as a result of a mouse click. The value 2 of user
preference no 43 allows whitelisted sites to open popups. To disable popups for all sites,
change the value to 3.
user_pref("dom.disable_open_during_load", );
user_pref("dom.disable_open_click_delay", );
user_pref("privacy.popups.disable_from_plugins", [2 | 3]);
44-46 Automatic updates
The application should automatically check to see if there is an updated version of itself, but should
prompt before downloading major releases. Having one of the first two preferences checked would
disable automatic updates.
user_pref("app.update.enabled", );
user_pref("app.update.auto", );
user_pref("app.update.mode", );
The user preferences so far were security or privacy related, and when not seriously tending to reduce
functionality, checked by default. The user preferences below depend more on a matter of taste, and
normally they are not checked. Only if the application default has changed in newer versions, or if the
preference has an obvious security/privacy benefit, is it checked by default.
PROGRAM SPECIFIC — ANTI ANNOYANCES
The preference changes in the framed area are there to smooth things a bit by getting rid of possible
annoyances in popular browsers. They will have effect in the browser component in application suites like
SeaMonkey, and in stand-alone browsers, e.g. Firefox and its derivatives.
The preferences will control behaviour of the browser component, but note that some functionality might
be dependent on preferences referred to in a previous section.
PREFERENCES APPLYING TO BOTH FIREFOX® AND SEAMONKEY® (OR BROWSERS BASED ON THOSE)
Source roots: The preferences referred to in this section are most often found in the
browser-prefs.js and firefox.js files in the project’s source tree.
47-50 Filling in and Location Bar features
Do not fill in form data automatically (checked by default). On the other hand, apply automatic
filling in of the address in the location bar.
user_pref("browser.formfill.enable", );
user_pref("browser.urlbar.autoFill", );
Do not select the text when clicking in the location bar (select it by triple-click instead).
user_pref("browser.urlbar.clickSelectsAll", );
user_pref("browser.urlbar.clickAtEndSelects", );
51-52 Controlling the tabs
Do not hide the tab bar when only one tab is open.
user_pref("browser.tabs.autoHide", );
Prevent tabs opened by other applications from receiving focus.
user_pref("browser.tabs.loadDivertedInBackground", );
53 Inline spellchecking
Disable (option value 0) automatic inline spellchecking for text entry controls such as textarea
in HTML, or make it also available for single line controls (option value 2).
user_pref("layout.spellcheckDefault", [0 | 2]);
54 Use font scaling
Revert to old text size zoom behaviour (rather than zooming everything on the page). See bug 401322 for more
information.
user_pref("browser.zoom.full", );
DEAL WITH FIREFOX® PECULIARITIES
These preferences are targeted at Firefox 3 but will have an effect in all browsers based
on Firefox.
Source roots: Firefox 3 specific preferences are found in the firefox.js file in
the project’s source tree.
55 Control the display of domain in the identity box for SSL connections
Firefox 3 includes extra UI to convey information about a site using SSL to encrypt
communications. Option value 1 will show the effective top-level domain along with the
second-level domain (e.g., mozilla.org) emphasized to the left of the URL in the Location Bar. Use
option value 2 to show the full domain (e.g., bugzilla.mozilla.org). This user
preference is checked by default.
user_pref("browser.identity.ssl_domain_display", [1 | 2]);
56 Always show the toolbars and tab strip in fullscreen mode
In fullscreen mode, toolbars and the tab strip may be hidden at the top of the screen and only shown
on mouseover. This preference will keep them in sight, and is checked by default.
user_pref("browser.fullscreen.autohide", );
57-61 Controlling the tabs
Return to Fx 1.5 defaults. Only show the tab’s close
button at the end of the tabstrip (user preference no 57) and give focus to the adjacent tab on
closing a tab (user preference no 58).
user_pref("browser.tabs.closeButtons", );
user_pref("browser.tabs.selectOwnerOnClose", );
Prevent tabs opened with an item from the bookmarks list from receiving focus.
user_pref("browser.tabs.loadBookmarksInBackground", );
Have search bar results always open in a new tab.
user_pref("browser.search.openintab", );
Append a group of tabs instead of replacing the existing tabs.
user_pref("browser.tabs.loadFolderAndReplace", );
62 Download directory
Choose every time where downloads get put.
user_pref("browser.download.useDownloadDir", );
63 Page reloading
Disable automatic reload of web pages by the HTML META refresh tag.
user_pref("accessibility.blockautorefresh", );
64 Export bookmarks as HTML at shutdown
Firefox 3 uses JSON as the format to store bookmark backups by default. With this preference
you switch back to using bookmarks.html instead. Cp. bug 384370.
user_pref("browser.bookmarks.autoExportHTML", );
65 Do not restore the session after a crash
This user preference is for disabling the session restore utility after a crash, and is checked by
default. See the issues list for the relevance of this preference.
user_pref("browser.sessionstore.resume_from_crash", );
DEAL WITH SEAMONKEY® PECULIARITIES
These preferences will have an effect in SeaMonkey and browsers based on it.
Source roots: SeaMonkey specific preferences are found in the browser-prefs.js file
in the project’s source tree.
66-69 Controlling the tabs
Append a group of tabs instead of replacing the existing tabs.
user_pref("browser.tabs.loadGroup", );
Open links from external programs, targeted links and unspecified window.open calls in
tabs (instead of new windows).
user_pref("browser.link.open_external", );
user_pref("browser.link.open_newwindow", );
user_pref("browser.link.open_newwindow.restriction", );
70-71 Location bar behaviour
Turn off location bar popups.
user_pref("browser.urlbar.showPopup", );
user_pref("browser.urlbar.showSearch", );
72 The sidebar
Do not automatically open the search sidebar when doing a search.
user_pref("browser.search.opensidebarsearchpanel", );
73 Enhance JavaScript functionality
Allow JavaScript to move and resize existing windows. This user preference will
give web sites the power to arrange your browser windows, for better or worse. Note: Checking this will nullify preference no 36.
user_pref("dom.disable_window_move_resize", );
74-75 Tooltip previews and menu icons
Disable the tooltip preview of a tab’s contents. Cp. bug 315207.
user_pref("browser.tabs.tooltippreview.enable", );
Load site icons/favicons when displaying bookmarks in menus, but only if they have already been
cached. Changing the number to 2 would make the browser always load and show the icons
in menus. (The default behaviour is to never show, i.e. option value 0.)
user_pref("browser.chrome.load_toolbar_icons", [1 | 2]);
MAIL & NEWSGROUPS
The preference changes in this section are here to control mail management, addressbooks and newsgroups.
Note that some functionality might be dependent on preferences referred to in a previous section.
These preferences will have effect in the mail and newsgroups component in application suites like
SeaMonkey, and in stand-alone e-mail clients, e.g. Thunderbird and
its derivatives. Corrections of old behaviour and security/privacy related preferences are checked by
default.
Source roots: E-mail specific preferences are found in the mailnews.js file in the project’s source
tree.
76 Keeping threaded view
In an application from the 1.8 branch, any click on a column header other than the thread column will
unthread the view. To keep threaded view on (like in TB3/SM2) this preference should be
false (and it is checked by default).
user_pref("mailnews.thread_pane_column_unthreads", );
77-80 Return receipts
Never send a return receipt if addressee is not in "To" or "CC", and ask me in other cases. By
checking the first preference return receipts would become disabled altogether, nullifying the effect
of the others (which are checked by default).
The option values available for these preferences mean:
0 Never send
1 Always send
2 Ask me
3 Deny the request (only report.other)
user_pref("mail.mdn.report.enabled", );
user_pref("mail.mdn.report.not_in_to_cc", );
user_pref("mail.mdn.report.outside_domain", [0 | 2]);
user_pref("mail.mdn.report.other", [1 | 2 | 3]);
81-82 Collecting addresses
Add e-mail addresses to the Collected addressbook (not to muddle the Personal
addressbook). By also checking the first preference, address collecting (for outgoing messages)
would be disabled altogether.
user_pref("mail.collect_email_address_outgoing", );
user_pref("mail.collect_addressbook", );
83-84 Format=flowed prefs and RFC 2646
Read messages using old style wrapping. By also checking preference no 84 composed messages would be
prevented from being transmitted with format=flowed. See Format=Flowed
Mini-FAQ about this feature.
user_pref("mailnews.display.disable_format_flowed_support", );
user_pref("mailnews.send_plaintext_flowed", );
85 Duplicate messages
Mark duplicate messages as read. See bug 9413 for information. The alternative values (numbers) mean:
1 Delete dupes
2 Move dupes to trash
3 Mark dupes as read
user_pref("mail.server.default.dup_action", [1 | 2 | 3]);
86-87 Mail list appearance
Do not remember the last selected message or auto-scroll to a new message.
user_pref("mailnews.remember_selected_message", );
user_pref("mailnews.scroll_to_new_message", );
88-90 Regular compacting of folders
Compact folders when it will save over a certain amount of kilobytes, by default 100 kB. Do change
the number to any threshold.
user_pref("mail.prompt_purge_threshhold", );
user_pref("mail.purge_threshhold", );
In recent builds the client will show a confirmation alert when starting automatic compacting of
folders. Check the preference if you do not want this alert and you also checked no 88
above.
user_pref("mail.purge.ask", );
DEAL WITH THUNDERBIRD™ PECULIARITIES
The preferences in the framed area will have an effect in Thunderbird and e-mail clients
based on it.
Source roots: Thunderbird specific preferences are found in the all-thunderbird.js
file in the project’s source tree.
MISCELLANEOUS
The remaining application independent preferences we need to deal with are diverse annoyances found here
and there and they might or might not have an effect on your software. No preferences (except the last
one) are checked by default.
100 Show the world
Add a note to the user agent string. Do observe that this user preference is always included.
user_pref("general.useragent.extra.user_js", );