/firefox-debloat

Stop Firefox leaking data about you

MIT LicenseMIT

This list aims to block core Firefox features which actively leak data to third-party services (as opposed to attempts of sites to track you or otherwise passively collect information). As it isn't always easy to draw a strict line, the most critical passive data faucets like WebRTC are also mentioned.

We are not breaking the browsing experience, so you won't find things like spoofing referrers and canvas properties here.

To change the settings open about:config.

Leaks the browsing history to Google. Note that disabling Safe Browsing exposes you to a risk of not being stopped from visiting malicious or phishing sites.

browser.safebrowsing.enabled = false
browser.safebrowsing.downloads.enabled = false
browser.safebrowsing.malware.enabled = false

Firefox stats collecting

Stability and performance reports.

datareporting.healthreport.service.enabled = false
datareporting.healthreport.uploadEnabled = false

Usage statistics.

toolkit.telemetry.unified = false
toolkit.telemetry.enabled = false

A binary plugin (closed-source) is shipped with Firefox since v38. It enables playback of encrypted media and lets you use e.g. Netflix without Microsoft Silverlight. To completely remove the plugin you would have to install an EME-free build of Firefox.

media.eme.enabled = false
media.gmp-eme-adobe.enabled = false

Firefox connects to third-party (Telefonica) servers without asking for permission.

loop.enabled = false

A third-party service for managing a reading list of articles.

browser.pocket.enabled = false

Search suggestions

Everything you type in the search box is sent to the search engine. Suggestions based on local history will still work.

browser.search.suggest.enabled = false

Leaks the real IP when using VPN/TOR. Description and demo.

media.peerconnection.enabled = false

Instead of completely disabling WebRTC you could also make it connect over the default route only using:

media.peerconnection.ice.default_address_only = true
geo.enabled = false

Adobe Flash

plugin.state.flash = 0

Important changes

0.1 - initial commit

0.2 - removed mention of Reader mode (it doesn't leak data*) and added browser.safebrowsing.remoteLookups (it is confirmed to stop leaking data to Google while keeping Safe Browsing on*).

0.3 - browser.safebrowsing.remoteLookups turned out to do nothing after all. Actually, it was removed. Requests to the Google Safe Search API are not made often, so at first I thought they were gone.

0.4 - removed mention of Tracking Protection, because while blocking trackers, it "uses the same API as Google Safe Browsing". I would recommend using uBlock for this purpose instead.

0.5 - added toolkit.telemetry.unified, Adobe Flash and media.peerconnection.ice.default_address_only.

* tested using Fiddler


Pull requests are welcome.


Discussion of HN