13 KiB
If you need browser extensions, try the Privacy Guides page.
Chromium flags
These can generally be found from about:flags on
Chromium based browsers, for Vivaldi explicit
vivaldi://flags is required and it also has
chrome://settings for the usual Chromium settings.
#enable-quic- enabled#enable-force-dark- enabled with increased text constract#force-color-profile- sRGB#trust-tokens- enabled
Vendor-prefixed
These likely also exist, but just without the vendor-
part when searhcing.
#edge-automatic-https- enabled#edge-autoplay-user-setting-block-option#edge-tab-groups- enabled#edge-tab-groups-auto-create- enabled#edge-tab-groups-collapse-freezing- enabled
Firefox about:config
privacy.firstparty.isolatetotruefor preventing domains from accessing each other’s data.browser.newtabpage.activity-stream.showSponsored&browser.newtabpage.activity-stream.showSponsoredtofalseto stop sponsored links.dom.security.https_only_modetotrueto force HTTPS and not need HTTPS Everywheresecurity.certerrors.mitm.auto_enable_enterprise_rootstofalsein order to not trust system CA store in case of enterprise MITMsecurity.OCSP.requiretotruein order to not allow OCSP soft fail. This may be a bit paranoid, but only the paranoid survive.- (
privacy.resistFingerprinting.letterboxing=trueso letterboxing is used to hide real browser size. Tor Browser support) - (On Linux
widget.content.gtk-theme-override(a string that has to be created by user) toAdwaita:lightso text boxes in dark themes become readable, thank you Dovydas Venckus image.animation_modetooncein order to have gifs play once and then stop everywhere (noneto never have them play).geo.provider.network.urltohttps://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%in order to send nearby WiFi networks to Mozilla instead of Google. See also MLS Software.network.IDN_show_punycodetotruein order to see punycode instead of UTF-8 in case of spoofing attempt. However makes reading non-ASCII domains painful. E.g. Cyrillic alphabetreader.parse-on-load.force-enabledtotruein order to allow reader use to be used on ~all websites and devices (regardless of low RAM?)- (
toolkit.telemetry.serverto empty in order to not send telemetry (which may be blocked by filtering DNS providers such as AdGuard or NextDNS resulting high amount of failing queries))
Future note: network.dns.blockDotOnion;false
?
DNS over HTTPS
network.trr.bootstrapAddressDNS server to use for resolving the DoH name, e.g.149.112.112.112(Resolver 2 of Quad9)network.trr.modedepends, 2 to prefer DoH, but fallback to system resolver (or 3 to enforce DoH without fallback). If there is system encrypted DNS, just take 5 to at least benefit from the system DNS cache.- DoH is required by Firefox ESNI support which encrypts SNI which would still leak which sites you visit. Another bug about ESNI + Android DoT
- I have ended up to recommending 2 as otherwise the DoH server going
down stops DNS from working on your Firefox entirely, which may be more
of a problem than unencrypted SNI as not everyone supports it.
- since then I have decided that 5 is the best option, because otherwise it goes past my Unbound setup. I hope Mozilla/Firefox will fix the two bugs linked above, so I don’t have to choose between DNS under my control vs encrypted SNI.
- Are you using a VPN? Do they provide a DoH server? If yes, maybe the answer is 5 for eSNI?
network.trr.early-AAAAtrueto hopefully prefer IPv6network.trr.urifor the actual resolver address, e.g.https://dns.quad9.net/dns-queryorhttps://149.112.112.112/dns-query(removes the need fornetwork.trr.bootstrapAddressand allowsnetwork.trr.mode3?) or Privacy Guides list of Encrypted DNS Resolvers
Some notes: * You can confirm TRR working by visiting
about:networking#dns where you should be seeing DNS cache
of Firefox and a lot of TRR: true. * Quad9 became my
preferred resolver through anxiety about other options being small (and
possibly more likely to go down) or commercial while Quad9 is non-profit
organization and 2019-03-20 apparently the default fallback resolver of
dnscrypt-proxy (at least in Debian). * Quad9 while having filtering of
malicious domains should be easy to figure out as the problem if
something doesn’t work on my computers as due to the previously
mentioned bug I am mainly using it on Firefox. * While
investingating how Android 9 Private DNS works, I also wrote a DNS
provider comparsion here
SSDs
This information is from Arch Wiki on Firefox tweaks
browser.cache.disk.enabletofalseto only cache to RAM.- (
browser.cache.memory.enabletotruewhich should be default) browser.sessionstore.intervalto600000in order to only store open session every ten minutes (instead of 15 seconds) in case of crashes.- alternatively
browser.sessionstore.resume_from_crashtofalseto not store the session data for crash recovery at all. I think this may be the more healthy option with all the information flood and dozens of tabs.
- alternatively
Why?
Every object loaded (html page, jpeg image, css stylesheet, gif banner) is saved in the Firefox cache for future use without the need to download it again. It is estimated that only a fraction of these objects will be reused, usually about 30%. This because of very short object expiration time, updates or simply user behavior (loading new pages instead of returning to the ones already visited). The Firefox cache is divided into memory and disk cache and the latter results in frequent disk writes: newly loaded objects are written to memory and older objects are removed.
Firefox stores the current session status (opened urls, cookies, history and form data) to the disk on a regular basis. It is used to recover a previous session in case of crash. The default setting is to save the session every 15 seconds, resulting in frequent disk access.
and this is the reason why Firefox is at times accused of killing SSDs.
Changelog: GitHub.com commits | gitea.blesmrt.net commits