The Ultimate Firefox Privacy & Security Guide [about:config]
I recently came across a website listing adjustments to Firefox's about:config settings. These are supposedly done to help make the browser more secure. Modifications to browser.safebrowsing.phishing.enabled,and after, are what I'm most curious about - mostly since the name Google is attached.
Others: - dom.event.clipboardevents.enabled [copy and paste tracking] - network.http.sendRefererHeader [hyperlink tracking]
Website for reference: https://proprivacy.com/privacy-service/guides/firefox-privacy-security-guide
I understand a lot can change within a year, but before breaking something, I wanted to ask if changing any of the above settings, particularly those having to do with Google, will cause damage to the browser itself. -thx
Chosen solution
browser.safebrowsing.phishing.enabled
This preference allows Firefox to block sites listed as sketchy in Google's SafeBrowsing database. I'm pretty sure that Firefox's background lookups in this database are done with a different cookie, so they are not directly associated with your Google browsing session (if any). Please see the following article: How does built-in Phishing and Malware Protection work?
dom.event.clipboardevents.enabled
Sites with more complicated script-driven forms may break if you disable their ability to detect pasting into the form (for example, Facebook and YouTube comments). This can lead to doubled or undeletable text. If you disable this preference, try not to paste into forms to avoid causing problems.
network.http.sendRefererHeader
Some sites require proof that you requested an image from their own site and not somewhere else, so turning off the header may prevent viewing some content. If your goal is to limit cross-site leakage of information about where you clicked a link or requested an image, you could experiment with another preference instead and perhaps experience less problems:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
(2) In the search box in the page, type or paste network.http.referer.XOriginPolicy and pause while the list is filtered
(3) To modify the policy, double-click the preference to display an editing field, and change the value to either 1 or 2 as desired, then press Enter or click the blue check mark button to save the change.
Policy choices:
- 0 => Follow default behavior [DEFAULT]
- 1 => Omit referring URL if base domains do not match
www.example.com to www.example.com SEND
www.example.com to mail.example.com SEND
www.example.com to www.othersite.com do NOT send
- 2 => Omit referring URL if host names do not match -- may cause more breakage
www.example.com to www.example.com SEND
www.example.com to mail.example.com do NOT SEND
www.example.com to www.othersite.com do NOT send
All Replies (4)
It is best to avoid making changes to prefs like suggested in that article and in other articles and leave them at their default to avoid inexplicable behavior. The default values are chosen to balance between security and not breaking websites. Even making changes in Settings (Options/Preferences) can cause issues, but you can find them easily and you do not need to dig on about:config and try to remember what changes you made. The warning (general.warnOnAboutConfig) you get when you open about:config is there for a reason.
Chosen Solution
browser.safebrowsing.phishing.enabled
This preference allows Firefox to block sites listed as sketchy in Google's SafeBrowsing database. I'm pretty sure that Firefox's background lookups in this database are done with a different cookie, so they are not directly associated with your Google browsing session (if any). Please see the following article: How does built-in Phishing and Malware Protection work?
dom.event.clipboardevents.enabled
Sites with more complicated script-driven forms may break if you disable their ability to detect pasting into the form (for example, Facebook and YouTube comments). This can lead to doubled or undeletable text. If you disable this preference, try not to paste into forms to avoid causing problems.
network.http.sendRefererHeader
Some sites require proof that you requested an image from their own site and not somewhere else, so turning off the header may prevent viewing some content. If your goal is to limit cross-site leakage of information about where you clicked a link or requested an image, you could experiment with another preference instead and perhaps experience less problems:
(1) In a new tab, type or paste about:config in the address bar and press Enter/Return. Click the button accepting the risk.
(2) In the search box in the page, type or paste network.http.referer.XOriginPolicy and pause while the list is filtered
(3) To modify the policy, double-click the preference to display an editing field, and change the value to either 1 or 2 as desired, then press Enter or click the blue check mark button to save the change.
Policy choices:
- 0 => Follow default behavior [DEFAULT]
- 1 => Omit referring URL if base domains do not match
www.example.com to www.example.com SEND
www.example.com to mail.example.com SEND
www.example.com to www.othersite.com do NOT send
- 2 => Omit referring URL if host names do not match -- may cause more breakage
www.example.com to www.example.com SEND
www.example.com to mail.example.com do NOT SEND
www.example.com to www.othersite.com do NOT send
@jscher - Such a detailed response, thank you for the time spent. I had a look at the article and did get some peace of mind when reading this part:
What information is sent to Mozilla or its partners when Phishing and Malware Protection are enabled? There are two times when Firefox will communicate with Mozilla’s partners.. The first is during the regular updates to the lists of reporting phishing and malware sites. No information about you or the sites you visit is communicated during list updates. The second is in the event that you encounter a reported phishing or malware site. This request does not include the complete address of the visited site, it only contains partial information derived from the address.
Despite the fact that Google is somehow connected, I now believe the trade off for being protected is more important. Reflecting back on the topic - it seems the idea of 'tracking', and all its associations, can lead to a bit of paranoia. In view of this, after having read the details you pointed out, I believe now that tracking isn't a serious concept in itself, and more geared towards the safekeeping of all. Thanks for providing that knowledge.
Modified
Btw, love your 'Google Hit Hider' extension