Click here to Skip to main content
15,749,279 members
Articles / Programming Languages / Javascript
Tip/Trick
Posted 14 Mar 2023

Stats

7.8K views
3 bookmarked

How to Place Mozilla Firefox Browser under Lockdown

Rate me:
Please Sign up or sign in to vote.
5.00/5 (7 votes)
29 Mar 2023CPOL15 min read
Use policies.json file to force Firefox to respect your preferences.
Mozilla Firefox is used only by a band of die-hard enthusiasts. Are you one of them? In this article, you can learn how to overcome the most frustrating and annoying non-features in the browser.

Introduction

Firefox used to be a great browser with RSS support and a very extensive add-on ecosystem. For unexplained reasons, Mozilla removed features that were considered fundamental to the browser's success. It not only removed features but also added useless ones. With every new release, it broke existing features and disabled all installed add-ons. It seemed to be on a crusade to frustrate and alienate its user base. Now, the Google Chrome invasion is almost complete. Firefox is used only by a band of die-hard enthusiasts. Are you one of them? In this article, you can learn how to overcome the most frustrating and annoying non-features in the browser.

Background

Firefox is not dead yet? No, there still are users who are faithful to Mozilla's original promise to take back the web. Mozilla may have lost sight of that goal but we have not. Microsoft Internet Explorer has gone to RIP. Opera and Edge have become Chrome clones. Firefox is the only other browser that has a non-Chrome HTML-rendering engine. However, in other aspects, Mozilla is making Firefox more and more dependent on the Google universe. In this article, I document how you can avoid that while continuing to use Firefox. I know it is a losing battle, but for now…

about:config Changes are Not Effective

Around the same time that Chrome was mopping up the browser market share, Firefox started annoying its users by disabling add-ons and breaking/disappearing functionality with every newly released version. Some users would modify the browser's internal settings in the about:config page to make Firefox function like it used to. For example, you could disable automatic updates by changing the app.update.enabled setting to false. Eventually, Mozilla wizened up to these tricks and made the changes ineffective.

policies.json is the New Alternative

In many corporate computer networks, end-user software applications are installed and controlled by system administrators. Application settings are also controlled by the administrators. Most end-users or desktop users are given minimal privileges. They cannot install software on their own. They may not even be able to customize the software.

To enable administrators with the ability to control Firefox installations, Mozilla has created support for a global configuration file named policies.json. This file is usually installed in a privileged location such as /etc/firefox/policies/policies.json. Someone with desktop-user privileges will not be able to modify this file. In Windows, the official guide says, you need to place the json file in a new folder named 'distribution' (create it) where the firefox.exe is located.

While Firefox may ignore your changes to about:config settings, but it will honour directives in the policies.json file. If you are the administrator of your computer, you can lock down Firefox and make it behave in the way that you want it to. You need to create a customized version of this policies.json file in the /etc/firefox/policies directory. Firefox will then think that you are in a corporate environment and be tricked into implementing the setting changes.

Image 1

When a policies.json file exists, Firefox preferences will become limited by it.

The policies.json file is written like the value of a JavaScript variable (with a JSON structure).

JavaScript
{	"policies": {
		"blah": "blah",
		"blah blah": 1,
		"blah blah blah": false
	}
}

The settings that you can use in the policies.json file are described at
https://github.com/mozilla/policy-templates/.

The customized policies.json file that I use is as follows:

JavaScript
{
  "policies": {
    "Cookies": {
      "ExpireAtSessionEnd": true,
      "Behavior": "reject-foreign",
      "BehaviorPrivateBrowsing": "reject-foreign"
    },
    "DisableAppUpdate": true,
    "DisableBuiltinPDFViewer": true,
    "DisableFeedbackCommands": true,
    "DisableFirefoxAccounts": true,
    "DisableFirefoxStudies": true,
    "FirefoxHome": {
      "Search": false,
      "TopSites": false,
      "Highlights": false,
      "Pocket": false,
      "Snippets": false,
      "Locked": true
    },
    "DisablePocket": true,
    "DisableTelemetry": true,
    "DisplayMenuBar": "always",
    "DisableProfileRefresh": false,
    "DNSOverHTTPS": {
      "Enabled":  false
    },
    "DontCheckDefaultBrowser": true,
    "FirefoxHome": {
      "Search": false,
      "TopSites": false,
      "SponsoredTopSites": false,
      "Highlights": false,
      "Pocket": false,
      "SponsoredPocket": false,
      "Snippets": false,
      "Locked": false
    },
    "Homepage": {
      "URL": "about:blank",
      "StartPage": "none",
      "Locked": true
    },
    "ManualAppUpdateOnly": true,
    "NetworkPrediction": false,
    "NewTabPage": false,
    "NoDefaultBookmarks": true,
    "OverrideFirstRunPage": "",
    "OverridePostUpdatePage": "",
    "PDFjs": { "Enabled": false },
    "Permissions": {
      "Camera": { "BlockNewRequests": true, "Locked": true },
      "Microphone": { "BlockNewRequests": true, "Locked": true },
      "Location": { "BlockNewRequests": true, "Locked": true },
      "Notifications": { "BlockNewRequests": true, "Locked": true },
      "VirtualReality": { "BlockNewRequests": true, "Locked": true },
      "Autoplay": { "Default": "block-audio-video", "Locked": true }
    },
    "Preferences": {
      "browser.safebrowsing.phishing.enabled": {
        "Value": false,
        "Status": "locked"
      },
      "browser.safebrowsing.malware.enabled": {
        "Value": false,
        "Status": "locked"
      },
      "browser.search.suggest.enabled": {
        "Value": false,
        "Status": "locked"
      },
      "browser.sessionstore.resume_from_crash": {
        "Value": false,
        "Status": "locked"
      },
      "browser.tabs.closeWindowWithLastTab": {
        "Value": false,
        "Status": "locked"
      },    
      "dom.event.clipboardevents.enabled": {
        "Value": false,
        "Status": "locked"
      },
      "dom.event.contextmenu.enabled": {
        "Value": false,
        "Status": "locked"
      },
      "extensions.htmlaboutaddons.recommendations.enabled": {
        "Value": false,
        "Status": "locked"
      },
      "media.mediasource.enabled": {
        "Value": false,
        "Status": "locked"
      }
    },
    "SanitizeOnShutdown": {
      "Cache": true,
      "Cookies": true,
      "Downloads": true,
      "FormData": true,
      "History": true,
      "Sessions": true,
      "SiteSettings": true,
      "OfflineApps": true,
      "Locked": false
    },
    "SearchBar": "separate",
    "SearchSuggestEnabled": false,
    "StartDownloadsInTempDirectory": false,
    "UserMessaging": { 
      "WhatsNew": false, 
      "ExtensionRecommendations": false, 
      "FeatureRecommendations": false, 
      "UrlbarInterventions": false,
      "SkipOnboarding": false,
      "MoreFromMozilla": false
    }
  }
}

Let us examine the settings in this file:

  • Cookies: Cookies is a small unique text file that a browser creates for a website that you visit. The browser stores this file in your profile directory. It allows access to this file only to that specific website. The cookie can exist even after you close the browser. When you visit the site again, the browser will let the site read the contents of its cookie. Websites typically store your login details or your site preferences in their cookies. Cookies are not a problem if they were created by a site that you visited. When cookies are created by an advertising company like Google or Facebook, they can track your browsing habits across several websites. How does this happen? The sites that you visit are likely to run ads from Google, Facebook and other advertising companies. These ads create their cookies — third-party cookies. That is, a third-party cookie is a cookie that was not created by the site you visited. It was created by a third-party site when it ran an ad on the site you visited. It serves no purpose other than to track you.

    You can block third-party cookies without losing any functionality. To be even more safe, you can make Firefox clear all cookies when you close the browser. You may have to login again when you visit a secure site but for that, you can use the browser's built-in password manager. Firefox allows you to save your usernames and passwords and will also autofill the login fields. Thus, the cookies functionality is required only for the session when you are logged in, not afterwards.

    • ExpireAtSessionEnd: Set this option to true to make Firefox clear the cookies when you close the browser.
    • Behavior: Set this to reject-foreign to block third-party cookies.
    • BehaviorPrivateBrowsing: Set this to reject-foreign to block third-party cookies in private-browsing tabs and windows.
  • DisableAppUpdate: Set this to true. Unlike in old versions, Firefox updates on its own and breaks a lot of add-ons and features with every new release. By changing the setting to false, you can decide when to update Firefox. Will you not be attacked by hackers who exploit bugs and zero-day vulnerabilities? No. You are suffering from a mild delusion about browser updates. Your browser is sitting on a stack of unfixed bugs and zero-day vulnerabilities that is as long as the distance between Earth and the Moon. Browser makers fix only those bugs that they think are urgent and whatever catches their whim or fancy.

    What you should do is create two Firefox installations and two Firefox profiles. You should update the first installation regularly and the second one rarely. Place your add-ons in the second and use it only for casual browsing such as reading news or consuming RSS feeds. Use the first one for financial transactions or sites that require you to log in. No, you do not have to log in to your Google account to perform your search or watch a video. Ignore popups telling you how jolly it is to log in and be tracked. Do not let anyone insult your intelligence.

    • Create a casual-browsing profile for the old browser. Give the profile a name such as 'ole'.
      /opt/firefox-old/firefox --ProfileManager
    • Create a desktop launcher (shortcut) with this command so that you can run the rarely updated Firefox installation with the casual-browsing profile ('ole').
      /opt/firefox-old/firefox -P ole
    • Create a secure-browsing profile for the new browser. Give the profile a name such as 'nuovo'.
      /opt/firefox-new/firefox --ProfileManager
    • Create a launcher with this command so that you can run the regularly updated Firefox installation with the secure-browsing profile ('nuovo').
      /opt/firefox-new/firefox -P nuovo
      Do not install any add-ons in this profile. Every add-on that you install is another set of eyes on your most precious data.

    The /opt directory belongs to root. If you extract Firefox download file to your home directory and then copy it to /opt, then the Firefox directory will have your user permissions. That would mean Firefox will be able to update itself when you run it. Set root permissions on these Firefox installation directories.

    sudo chown -R root /opt/firefox*

    These Firefoxes will run from the read-only /opt directory but will be able to create their profile directories in your home directory — the writeable ~/.mozilla directory.

    Remember that you must first create the policies.json in its proper location and then create the installations and profiles.

  • DisableBuiltinPDFViewer: When you click on a PDF document link, the document opens like a web page and disappears when you close the browser! Set this option to true if you want the document saved to the hard disk and then opened in Evince or whichever PDF reader you have installed.
  • DisableFirefoxStudies: Set this option to true. No amount of 'studying' seems to be helping Mozilla. I would not have written this article if it did. Unless you are a beta tester, Firefox does not have to study anything.
  • FirefoxHome:
    • Search: Set this option to false. The search URL has some tracking information. You also do not want to notify Google every time you start your browsing.
    • TopSites: Set this option to false. If the browser is listing your top sites, then that means Firefox is monitoring your browser activity.
    • Highlights: Same ole… same ole.
    • Pocket: Set this option to false. Requires you to create an account with Mozilla so they can track you better.
    • Snippets: Ditto.
    • Locked: Set this option to true. To prevent yourself from mistakenly changing any of the settings.
  • DisableFirefoxAccounts: Set this option to true. Do not create any Firefox accounts. Mozilla says it does not have money to develop the Thunderbird email client but they have money for creating accounts for millions of users? They have fired Firefox developers while also diverting resources on partisan obsessions such as THE FIGHT TO FIGHT FAKE NEWS! They seem to have misplaced priorities. Do not indulge them.
  • DisablePocket: 🙄 ⇑ 🙄 ⇑ 🙄 ⇑
  • DisableFirefoxStudies: Ye, beta tester! Not one? Set this option to true.
  • DisableTelemetry: ⇑ 🙄 ⇑ 🙄 ⇑ 🙄
  • DisplayMenuBar: Firefox developers stole this ‘innovation’ from Chrome. Options means decisions. Decisions means thinking. Chrome users do not think. Google thinks for them. If you are the scary type that thinks, YOU EVIL (WO)MAN, set this option to true. I dare ya!
  • DNSOverHTTPS: Set Enabled to false because this is an excuse to send data to Cloudflare (a.k.a. Amazon). What? You do not trust your ISP? Who is paranoid now?
  • DontCheckDefaultBrowser: Set this option to true. If you are running multiple browsers or profiles, YOU should manually set the default browser.
  • Homepage:
    • URL: Set this to an empty string. No home page means faster startups.
    • Locked: Set this option to true. Don't let a browser update to mess with these settings.
    • StartPage: Set this to none. No distractions. No tracking. No delays.
  • ManualAppUpdateOnly: Set this option to true to prevent Firefox from checking or downloading updates.
  • NetworkPrediction: Set this option to false to prevent Firefox from making unnecessary queries.
  • NoDefaultBookmarks: Set this option to true. Less clutter.
  • OverrideFirstRunPage: Set this to an empty string. First thing that it does after installation is phone home. 😉
  • OverridePostUpdatePage: Set this to an empty string. We are not going to the doctor so no need to send us a bill.
  • PDFjs: How many avtars does it have? Set Enabled to false.
  • Permissions: Browsers can now access your microphone and web camera. The latter has an indicator that lights up when it is being accessed. The microphone has nothing. Block everything, unless you need to do teleconferencing. If you are not recording anything, put some black tape on the web cam. In your computer's audio configuration settings, enable only the output devices. That will disable the microphone (an input device) at the OS level.
    • Camera: Set BlockNewRequests and Locked to true.
    • Microphone: Ditto.
    • Location: Ditto.
    • Notifications: Ditto.
    • VirtualReality: Ditto.
    • Autoplay: Prevent videos in unopened tabs from playing automatically. If you open multiple tabs, the videos can lock up your bandwidth and also kill your browser/tab process. Set Default to block-audio-video and Locked to true.
  • Preferences: These are about:config settings that you could automatically set from this json file.
    • browser.safebrowsing.*.enabled: Set these options to false. No need to verify every requested domain or file with Google for a malware check. Do not visit bad sites and do not click on bad downloads. You are on your own now.
    • browser.sessionstore.resume_from_crash: Set this option to false. You do not want a banking website to reload after a crash.
    • browser.tabs.closeWindowWithLastTab: I wonder if Chrome kills itself when you close the last tab. I bet it stays on till kingdom come. Firefox just uses any excuse to quit on you. Mozilla wants no one using Firefox. What if you wanted to open new tabs from a clean slate? Set this option to false.
    • dom.event.clipboardevents.enabled: This setting is useful on sites that let you copy URLs or some other important text with just a click instead of a Ctrl+C on a text selection. Some other sites take this opportunity to add unwanted text such as their site name and URL into the copied text. Set this option to false if you get annoyed by the spammers.
    • dom.event.contextmenu.enabled: Some sites, such as those run by Indian banks, block the right-click menu. Set this option to true if you want the menu.
    • browser.search.suggest.enabled: Just as you do not want search engines from tracking your searches, you should not know what others have been searching. It can get very disgusting, particularly with Google. Set this option to false.
    • media.mediasource.enabled: Even though I now have high-speed Internet, I cannot reliably stream videos. My video player box hangs in the middle of things. Instead of getting annoyed, I just go to a video channel, mass-download all interesting videos and then see them offline. I have a Greasemonkey script for this. This script does not work if this setting is set to true. There are add-ons that can download mediasource videos too but I prefer to do my own thing.
  • NewTabPage: No, you do not need that. What you need is about:blank. Set this option to false.
  • SanitizeOnShutdown: Make Firefox to automatically delete cookies, cache files, downloads list, history log, sessions and offline app data (an extended version of cookies) when it is closed.
  • SearchBar: Set this option to separate. Otherwise, you will end up searching everything with just one search engine.
  • SearchSuggestEnabled: Search engines store everything you search, even your corrections. Set this option to false.
  • UserMessaging: You be the judge. You decide. Do not outsource your decision-making to marketers. Set WhatsNew, ExtensionRecommendations, FeatureRecommendations, UrlbarInterventions, SkipOnboarding, MoreFromMozilla to false.

ESR-only policies.json Options

Some policies.json options are only supported in Firefox ESR (Extended Support Release) versions. These versions are much less frequently updated than ordinary Firefox versions. The ability to automatically add new search engines and remove built-in search engines is available only in Firefox ESR. (Mozilla has stopped support for OpenSearch search engine add-ons.) I use these additional options in my policies.json file.

JavaScript
"SearchEngines": {
  "PreventInstalls": false,
  "Add": [
    { "Name": "Bing",
      "URLTemplate": "https://www.bing.com/search?q={searchTerms}",
      "Method": "GET",
      "IconURL": "https://www.bing.com/favicon.ico",
      "Alias": "bi",
      "Description": "Bing search engine"
    },
    { "Name": "DuckDuckGo HTML",
      "URLTemplate": "https://html.duckduckgo.com/html/",
      "Method": "POST",
      "IconURL": "https://duckduckgo.com/favicon.ico",
      "Alias": "dh",
      "Description": "DuckDuckGo HTML search engine",
      "PostData":"q={searchTerms}"
    },
    { "Name": "DuckDuckGo Plain",
      "URLTemplate": "https://duckduckgo.com/?q={searchTerms}",
      "Method": "GET",
      "IconURL": "https://duckduckgo.com/favicon.ico",
      "Alias": "dd",
      "Description": "DuckDuckGo ordinary search engine"
    },
    { "Name": "Amazon",
      "URLTemplate": "https://www.amazon.com/s?k={searchTerms}",
      "Method": "GET",
      "IconURL": "https://www.amazon.com/favicon.ico",
      "Alias": "am",
      "Description": "Amazon product search"
    },
    { "Name": "Amazon India",
      "URLTemplate": "https://www.amazon.in/s?k={searchTerms}",
      "Method": "GET",
      "IconURL": "https://www.amazon.com/favicon.ico",
      "Alias": "ai",
      "Description": "Amazon India product search"
    },
    { "Name": "Internet Archive",
      "URLTemplate": "https://web.archive.org/web/*/{searchTerms}",
      "Method": "GET",
      "IconURL": "https://archive.org/favicon.ico",
      "Alias": "ia",
      "Description": "Web archive search"
    },
    { "Name": "Google",
      "URLTemplate": "https://www.google.com/search?q={searchTerms}",
      "Method": "GET",
      "IconURL": "https://www.google.com/favicon.ico",
      "Alias": "o",
      "Description": "Google search"
    },
    { "Name": "Google Images",
      "URLTemplate": "https://www.google.com/search?tbm=isch&q={searchTerms}",
      "Method": "GET",
      "IconURL": "https://www.google.com/favicon.ico",
      "Alias": "oi",
      "Description": "Google image search"
    },
    { "Name": "Google News (USA)",
      "URLTemplate": "https://www.google.com/search?hl=en-US&gl=US&tbm=nws&tbs=sbd:1&q={searchTerms}",
      "Method": "GET",
      "IconURL": "https://ssl.gstatic.com/gnews/logo/google_news_192.png",
      "Alias": "on",
      "Description": "Google news search"
    },
    { "Name": "IMDB",
      "URLTemplate": "https://www.imdb.com/find?q={searchTerms}",
      "Method": "GET",
      "IconURL": "https://www.imdb.com/favicon.ico",
      "Alias": "im",
      "Description": "Internet Movie Database search"
    },
    { "Name": "Youtube",
      "URLTemplate": "https://www.youtube.com/results?search_query={searchTerms}&sp=CAI%253D",
      "Method": "GET",
      "IconURL": "https://www.youtube.com/favicon.ico",
      "Alias": "yt",
      "Description": "Youtube search"
    }
  ]
},

If you want to take advantage of these additional options, then go to https://ftp.mozilla.org/pub/firefox/releases/ and download a Firefox version marked as ESR for your OS.

Youtube.com's search by default uses the filter ‘by relevancy’. By this, they refer to usually irrelevant videos (published by traditional media) that have been artificially boosted to the top. The custom search engine added by this policies.json uses the ‘by upload date’ filter. This will bring in most recent results by independent Youtubers. If you do the same search from the search box in the Youtube web page, the results will automatically revert to Youtube ‘by relevancy’ filter.

HOSTS File

Having a 'blocking' hosts file is the most effective way to reduce the environmental footprint of your browsing activity. JavaScript from social media sites and advertising are the #1 reason for the slowness of the web pages. When you use a blocking hosts files, the content delivery domains of these sites are pointed back to the IP 0.0.0.0. Your browser just abandons those requests.

I use a hosts file from this project:

DNS

Do not set the DNS servers in your modem configuration to 8.8.8.8 or 8.8.4.4 (both from Google) or 1.1.1.1 (from Cloudflare ~ Amazon). Instead, use the DNS provided by your ISP or from other free DNS services such as Comodo (8.26.56.26 and 8.20.247.20) or OpenDNS (208.67.222.123 and 208.67.220.123). Spread your Internet footprint across several providers and make it thin out. Do note that these alternative DNS servers provide family-safe filtered results.

Chrome Alternatives

Sure, there are Chrome alternatives like Opera, Edge, Brave and Vivaldi. When Microsoft Edge made the switch to Chromium engine, they revealed that they had replaced several Google-related dependencies from the open-source code. It was quite a long list. (Microsoft reveals all the Google things it removed in its Chromium Edge browser; The Verge; 2019) Microsoft had their own proprietary replacements. How much did the other Chrome alternatives remove?

Summary

In my humble opinion:

  • Using Chrome or its clones may not be good for the World Wide Web.
  • Say NO to browser monoculture and use Firefox while you can.

You can also add-ons such as Greasemonkey and Stylus to run User CSS and JS and customize websites to your heart's liking. To maintain your anonymity, use an RSS reader to consume news. RSS readers are available as browser add-ons and independent desktop/mobile apps. Thunderbird mail client lets you browse RSS content just like email.

Notes

  • This article was originally published in the Open Source For You magazine in 2022. I have re-posted it on CodeProject in 2023.
  • This article has been sourced from my book Linux Command-Line Tips & Tricks. It is available for free in many ebook stores.

History

  • 14th March, 2023: Initial version
  • 29th March, 2023: Added ESR-only policies.json options

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Software Developer www.VSubhash.in
India India
V. Subhash is an invisible Indian writer, programmer and illustrator. In 2020, he wrote one of the biggest jokebooks of all time and then ended up with over two dozen mostly non-fiction books including Linux Command-Line Tips & Tricks, CommonMark Ready Reference, PC Hardware Explained, Cool Electronic Projects and How To Install Solar. His book Quick Start Guide to FFmpeg has been published by Apress/SpringerNature in 2023. He wrote, illustrated, designed and produced all of his books using only open-source software. Subhash has programmed in more than a dozen languages (as varied as assembly, Java and Javascript); published software for desktop (NetCheck), mobile (Subhash Browser & RSS Reader) and web (TweetsToRSS); and designed several websites. As of 2023, he is working on a portable Javascript-free CMS using plain-jane PHP and SQLite. Subhash also occasionally writes for Open Source For You magazine and CodeProject.com.

Comments and Discussions

 
QuestionThank You Pin
Pleby15-Mar-23 3:54
Pleby15-Mar-23 3:54 
AnswerRe: Thank You Pin
V. Subhash22-Mar-23 19:11
V. Subhash22-Mar-23 19:11 
I checked the description for LibreWolf. They seem to be doing the right thing. However, they are using the Ublock add-on. This is not needed if the user uses the HOSTS ad-blocking file. This blocks all ad+spam+social+gambling+smut sites at the OS level. All applications are blocked from accessing the included sites. For an out-of-the-box solution, the add-on perhaps is needed. Those who do not have access permission for the HOSTS file can use it.
--
http://www.vsubhash.com

GeneralRe: Thank You Pin
Pleby23-Mar-23 1:32
Pleby23-Mar-23 1:32 
GeneralRe: Thank You Pin
V. Subhash23-Mar-23 20:48
V. Subhash23-Mar-23 20:48 
QuestionOld Hand Here Pin
jgakenhe14-Mar-23 19:59
professionaljgakenhe14-Mar-23 19:59 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Praise Praise    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.