The 100 Security and Anti Annoyances Preferences Reconfiguration Script, version 0.5

This script applies to browsers, mail programs and other programs that use the Gecko rendering engine from the Mozilla® open source project. Applications built upon the Mozilla/Gecko code base range from the widely known core products – particularly Firefox® and Thunderbird™ – to many other applications, more or less well known.

MOZILLA and FIREFOX are registered trademarks of the Mozilla Foundation. THUNDERBIRD is a trademark of the Mozilla Foundation.

Reconfigure your Gecko application by a user.js file

The configuration of Gecko applications is to a great extent governed by pref settings in the prefs.js file. That file is handled internally by the program. The settings therein are overridden by user_pref settings in the user.js file. That file is not part of the program by default and must therefore be created by the admin or the end-user. Here is the place and now is the time to create this file ;-)

The user.js file itself is a simple ASCII text file and can be created and edited with any text editor. The Reconfiguration Script is used to fill the file with the necessary (re-)configuration commands: at most 100 user_pref’s, i.e. preference settings, which will give you, as an admin or end-user, control over the browser and/or mail program.

What groups of preferences reconfigurations to include

100 settings to reconfigure a program?! Is it really necessary? Definitely not. Begin optimising by making a general selection among the user_pref’s available with this script.

Take care to not accidentally reload this page while working with it, since a reload would cause the adjusted form values to be reset to the default values.

Include all the user_pref’s (but comment out those unchecked) (SeaMonkey, NS 7)
[1] Only include the user_pref’s for enhanced network security and privacy concerns
[2] Only include the user_pref’s for the browser component (Firefox, NS 8)
[3] Only include the security and privacy related user_pref’s for the browser component
[4] Only include the security and privacy related user_pref’s and those for the email component (Thunderbird)

Which individual settings to include – Fine-tuning 1-100

Depending on the radio button checked above, unnecessary settings are struck out in the list of all available user_pref’s below. There you may include or exclude (comment out) individual commands. Remember that with this script you only choose which user_pref("[pref name]", [value]); lines take effect in the user.js file. If a box is unchecked, the user_pref is commented out and has no effect on the preference, i.e. the old pref in the prefs.js file is left unaffected. You would need to edit prefs.js to remove an unwanted preference. Also, you cannot edit the values of the preferences directly here. (For instance, if it says false, you could change it to true only after the user.js code is generated – though why you would want to do that :-\ )

ENHANCED NETWORK SECURITY

LXR roots: The security settings are to be found in the security-prefs.js file in the project’s source code.

All settings in this section are in line with recommendations by NSA, a security body giving advice for network environments. Cp. its Guide to Securing Netscape.

1 Validation

Use OCSP to validate only certificates that specify an OCSP service URL.

  1. user_pref("security.OCSP.enabled", 1);

2 Client certificate selection

Ask every time for the selection of a security certificate to present to web sites that require one.

  2. user_pref("security.default_personal_cert", "Ask Every Time");

3-15 Disable SSL2 and weak SSL3/TLS encryptions

Update to the stricter settings on the trunk. For more information, see bug 236933.

  3. user_pref("security.enable_ssl2", false);
  4. user_pref("security.ssl3.rsa_fips_des_sha", false);
  5. user_pref("security.ssl3.rsa_des_sha", false);
  6. user_pref("security.ssl3.rsa_1024_rc4_56_sha", false);
  7. user_pref("security.ssl3.rsa_1024_des_cbc_sha", false);
  8. user_pref("security.ssl3.rsa_rc4_40_md5", false);
  9. user_pref("security.ssl3.rsa_rc2_40_md5", false);
  10. user_pref("security.ssl3.ecdhe_ecdsa_null_sha", false);
  11. user_pref("security.ssl3.ecdhe_rsa_null_sha", false);
  12. user_pref("security.ssl3.ecdh_ecdsa_null_sha", false);
  13. user_pref("security.ssl3.ecdh_rsa_null_sha", false);
  14. user_pref("security.ssl3.dhe_rsa_des_sha", false);
  15. user_pref("security.ssl3.dhe_dss_des_sha", false);

16-20 Warning alert messages

Do not alert when loading a page that supports encryption, but warn in other cases. The dialogue will let you disable each warning until the next time you start the browser. The warning when submitting over an insecure connection is unchecked by default.

  16. user_pref("security.warn_entering_secure", false);
  17. user_pref("security.warn_entering_weak", true);
  18. user_pref("security.warn_leaving_secure", true);
  19. user_pref("security.warn_viewing_mixed", true);
  20. user_pref("security.warn_submit_insecure", true);

21-22 Master password timeout

Ask for master password (if enabled) every 30 minutes by default. Checking the second setting would make the interval 15 minutes.

  21. user_pref("security.ask_for_password", 2);
  22. user_pref("security.password_lifetime", 15);

GENERAL PRIVACY CONCERNS

LXR roots: General settings are most often to be found in the all.js file in the project’s source code.

23-34 Storing sensitive information, passwords and cookies

Do not save form data or secure pages, and use encryption when storing sensitive data. Checking the first setting would even disable the Password manager.

user_pref no 28, which disables the session restore utility after a crash, is unchecked by default. See the issues list for the relevance of this preference.

  23. user_pref("signon.rememberSignons", false);
  24. user_pref("wallet.captureForms", false);
  25. user_pref("wallet.crypto", true);
  26. user_pref("browser.cache.disk_cache_ssl", false);
  27. user_pref("browser.formfill.enable", false);
  28. user_pref("browser.sessionstore.resume_from_crash", false);

Disable cookies for mail, and otherwise allow cookies based on either the high level of the Privacy settings (P3P) or per-site permissions. See bug 225287 for information on developers’ recent views about cookies.

user_pref no 33, which makes the browser ask once per site about the setting of cookies, is unchecked by default.

  29. user_pref("network.cookie.disableCookieForMailNews", true);
  30. user_pref("network.cookie.cookieBehavior", 3);
  31. user_pref("network.cookie.p3p", "frfradaa");
  32. user_pref("network.cookie.p3plevel", 2);
  33. user_pref("network.cookie.lifetimePolicy", 1);
  34. user_pref("network.cookie.alwaysAcceptSessionCookies", true);

35 No spying – ignore the ping attribute

What is the ping attribute?

  35. user_pref("browser.send_pings", false);

36-39 Stay updated

The application should automatically check to see if there is an updated version of itself, but should prompt before downloading.

  36. user_pref("update_notifications.enabled", true);
  37. user_pref("app.update.enabled", true);
  38. user_pref("app.update.auto", true);
  39. user_pref("app.update.mode", 2);

40-50 JavaScript restrictions

Do not allow JavaScript in mail. Scripts should not be able to hide or change the status bar or the context menu. Checking the first setting would disable JavaScript in general.

  40. user_pref("javascript.enabled", false);
  41. user_pref("javascript.allow.mailnews", false);
  42. user_pref("dom.disable_window_status_change", true);
  43. user_pref("dom.event.contextmenu.enabled", false);

Popup windows (created by scripts) should not hide the status bar or the location bar, or have a fixed size.

  44. user_pref("dom.disable_window_open_feature.status", true);
  45. user_pref("dom.disable_window_open_feature.location", true);
  46. user_pref("dom.disable_window_open_feature.resizable", true);
  47. user_pref("dom.disable_window_open_feature.minimizable", true);

Block popup windows not created as a result of a mouse click.

  48. user_pref("dom.disable_open_during_load", true);
  49. user_pref("dom.disable_open_click_delay", 1000);
  50. user_pref("privacy.popups.disable_from_plugins", 2);

51-52 Phishing protection

Firefox 2 incorporates the Google Safe Browsing extension to detect and warn users of phishy web sites. These user_pref’s are unchecked by default. By checking both of them a third-party provider would be consulted to determine whether a site is phishy.

  51. user_pref("browser.safebrowsing.enabled", true);
  52. user_pref("browser.safebrowsing.remoteLookups", true);

PRIVACY CONCERNS AND THE EMAIL COMPONENT

LXR roots: Email component specific settings are to be found in the mailnews.js file in the project’s source code.

53 Enable phishing detection for link clicks

  53. user_pref("mail.phishing.detection.enabled", true);

54 Disable plug-ins for mail

  54. user_pref("mailnews.message_display.allow.plugins", false);

55-56 Remote images

Spammers send (often invisible) images to verify valid email addresses. Do not display remote images in messages, unless the sender is on a whitelist. Checking the first setting would disable remote images regardless of any whitelist.

  55. user_pref("mailnews.message_display.disable_remote_images.useWhitelist", false);
  56. user_pref("mailnews.message_display.disable_remote_image", true);

57-58 Return receipts

Never send a return receipt if the addressee is not in "To" or "Cc". Checking the first setting would disable return receipts altogether.

  57. user_pref("mail.mdn.report.enabled", false);
  58. user_pref("mail.mdn.report.not_in_to_cc", 0);

59-60 Collecting addresses

Add email addresses to the Collected addressbook (not to muddle the Personal addressbook). Checking the first setting would disable address collecting (for outgoing messages).

  59. user_pref("mail.collect_email_address_outgoing", false);
  60. user_pref("mail.collect_addressbook","moz-abmdbdirectory://history.mab");

ANTI ANNOYANCES MEASURES — UNCHECK THOSE NOT MATCHING YOUR PERSONAL TASTE

CONTROL OVER THE BROWSER COMPONENT (e.g. Firefox®)

LXR roots: Browser component or Firefox specific settings are to be found in the browser-prefs.js or the firefox.js files in the project’s source code.

61-65 Bar popups

Turn off (annoying) bar popups and do not change the number of bars (rows). user_pref no 63 will substitute autofill for popups, but it is unchecked by default. No 64 is also unchecked, since it would hide a security warning.

  61. user_pref("browser.urlbar.showPopup", false);
  62. user_pref("browser.urlbar.showSearch", false);
  63. user_pref("browser.urlbar.autoFill", true);
  64. user_pref("privacy.popups.showBrowserMessage", false);
  65. user_pref("browser.tabs.autoHide", false);

66 The sidebar

Do not automatically open the search sidebar when doing a search.

  66. user_pref("browser.search.opensidebarsearchpanel", false);

67-76 Controlling the window tabs

Open links from external programs, targeted links and unspecified window.open calls into tabs (instead of windows). No 70, which will give focus to the adjacent tab on closing a tab (old default), is unchecked by default.

  67. user_pref("browser.link.open_external", 3);
  68. user_pref("browser.link.open_newwindow", 3);
  69. user_pref("browser.link.open_newwindow.restriction", 2);
  70. user_pref("browser.tabs.selectOwnerOnClose", false);

Only show the tab close button at the end of the tabstrip (old default).

  71. user_pref("browser.tabs.closeButtons", 3);

Prevent tabs opened by other applications from receiving focus. This user_pref is unchecked by default.

  72. user_pref("browser.tabs.loadDivertedInBackground", true);

Append tabs (rather than replace the existing ones).

  73. user_pref("browser.tabs.loadGroup", 0);
  74. user_pref("browser.tabs.loadFolderAndReplace", false);
  75. user_pref("browser.search.openintab", true);
  76. user_pref("browser.tabs.opentabfor.urlbar", true);

77-78 Location bar selection

Do not select the text when clicking in the location bar (select it by triple-click instead).

  77. user_pref("browser.urlbar.clickSelectsAll", false);
  78. user_pref("browser.urlbar.clickAtEndSelects", false);

79-80 Internet keywords

Enable Internet keywords and disable domain guessing. See a mozilla.org® document for information about the implementation of this feature.

  79. user_pref("browser.fixup.alternate.enabled", false);
  80. user_pref("keyword.enabled", true);

81-83 Tooltips and icons

Disable the tooltip preview of a tab’s contents. Cp bug 315207. Checking the first setting would disable tooltips altogether.

  81. user_pref("browser.chrome.toolbar_tips", false);
  82. user_pref("browser.tabs.tooltippreview.enable", false);

Load site icons/favicons when displaying bookmarks in menus, but only if they have already been cached.

  83. user_pref("browser.chrome.load_toolbar_icons", 1);

84-85 Download manager

Show a download progress window (used in older applications). Choose where downloads get put (used in newer applications).

  84. user_pref("browser.downloadmanager.behavior", 1);
  85. user_pref("browser.download.useDownloadDir", false);

86 Disable inline spellchecking

Disable automatic inline spellchecking (used in newer applications) for text entry controls such as textarea in HTML.

  86. user_pref("layout.spellcheckDefault", 0);

CONTROL OVER THE EMAIL COMPONENT (e.g. Thunderbird™)

LXR roots: Thunderbird specific settings are to be found in the all-thunderbird.js file in the project’s source code.

87-90 Format=flowed prefs and RFC 2646

Read messages using old-style wrapping and structured text. See Format=Flowed Mini-FAQ about the implementation of this feature.

  87. user_pref("mailnews.send_plaintext_flowed", true);
  88. user_pref("mailnews.display.disable_format_flowed_support", true);
  89. user_pref("mail.display_struct", true);
  90. user_pref("mail.send_struct", false);

91 Duplicate messages

Move duplicate messages to trash. See bug 9413 for more information.

  91. user_pref("mail.server.default.dup_action", 2);

92-93 Mail list appearance

Do not remember the last selected message or auto-scroll to a new message.

  92. user_pref("mailnews.remember_selected_message", false);
  93. user_pref("mailnews.scroll_to_new_message", false);

94-95 Regular compacting of folders

Compact folders when it will save over 9 MB.

  94. user_pref("mail.prompt_purge_threshhold", true);
  95. user_pref("mail.purge_threshhold", 9000);

MISCELLANEOUS

96 Font size

For readability on screen, font size should not be smaller than this.

  96. user_pref("font.minimum-size.x-western", 11);

97 Let Windows OS have memory if the application is minimized

Allow the application to release memory for the benefit of other programs. See bug 76831 for more information. This user_pref is unchecked by default.

  97. user_pref("config.trim_on_minimize", true);

98 Put an end to blinking text

This user_pref is unchecked by default.

  98. user_pref("browser.blink_allowed", false);

99 Preferences window

Changes to preferences should (if possible) become active immediately.

  99. user_pref("browser.preferences.instantApply", true);

100 Show the world

Add a note to the user agent string. Do observe that this user_pref is always included.

  100. user_pref("general.useragent.extra.user_js","reconfigured by user.js v0.5");

Time to get the content to copy/paste


After generating the code, press the Select it button, copy the code and paste it into an empty file. Save the file as user.js to the same directory/folder as the prefs.js file. To locate prefs.js you would need to locate the profile folder on the disk. Guides for that purpose exist for Firefox users and Thunderbird users and there are also more general instructions.

Well, you’re done :-) Restart the browser or the email program and prefs.js will incorporate the new or changed settings from the user.js, and the program adjusts itself accordingly.
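To check the result after the restart, the added example below (not part of this page's generator script) parses prefs.js and user.js, applies the override rule described under "Fine-tuning" (an active user_pref wins, a commented-out one leaves the old prefs.js value in place) and reports which of the weak SSL prefs from list 3-15 are still not false. The function names and the two sample files are constructed for illustration, and the parser assumes one pref call per line.

```javascript
// Added example: audit the effective values of the weak-SSL prefs (3-15).
// Assumption: one pref("name", value); or user_pref(...) call per line.
const PREF_RE = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*(?:\/\/.*)?$/;

// Parse the active pref lines of a prefs.js / user.js text into a Map.
function parsePrefs(text) {
  const prefs = new Map();
  for (const line of text.split(/\r?\n/)) {
    const m = PREF_RE.exec(line);      // lines starting with // or # never match
    if (!m) continue;
    try { prefs.set(m[1], JSON.parse(m[2])); } catch { /* not bool/int/string */ }
  }
  return prefs;
}

// user.js entries override prefs.js; every other pref keeps its old value.
function effectivePrefs(prefsJs, userJs) {
  return new Map([...parsePrefs(prefsJs), ...parsePrefs(userJs)]);
}

// Pref names copied from this page's list 3-15; each is expected to be false.
const WEAK_SSL = ["enable_ssl2", "ssl3.rsa_fips_des_sha", "ssl3.rsa_des_sha",
  "ssl3.rsa_1024_rc4_56_sha", "ssl3.rsa_1024_des_cbc_sha", "ssl3.rsa_rc4_40_md5",
  "ssl3.rsa_rc2_40_md5", "ssl3.ecdhe_ecdsa_null_sha", "ssl3.ecdhe_rsa_null_sha",
  "ssl3.ecdh_ecdsa_null_sha", "ssl3.ecdh_rsa_null_sha", "ssl3.dhe_rsa_des_sha",
  "ssl3.dhe_dss_des_sha"].map((n) => "security." + n);

// Report every listed pref that is not explicitly false. A pref missing from
// both files falls back to the built-in default, which this check cannot see,
// so it is reported as well.
function auditWeakSsl(effective) {
  return WEAK_SSL.filter((name) => effective.get(name) !== false);
}

// Constructed sample input: an old prefs.js, and a generated user.js in which
// one box (rsa_rc4_40_md5) was left unchecked and is therefore commented out.
const SAMPLE_PREFS_JS = `# Mozilla User Preferences
user_pref("security.enable_ssl2", true);
user_pref("security.ssl3.rsa_rc4_40_md5", true);
user_pref("browser.startup.homepage", "about:blank");`;
const SAMPLE_USER_JS = WEAK_SSL.map((n) =>
  (n.endsWith("rsa_rc4_40_md5") ? "// " : "") + `user_pref("${n}", false);`).join("\n");

function demo() {
  return auditWeakSsl(effectivePrefs(SAMPLE_PREFS_JS, SAMPLE_USER_JS));
}
console.log(demo()); // lists the pref whose old prefs.js value survived
```

An empty result means every pref in list 3-15 is explicitly false in the merged configuration.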

© 2006-11-21 lars.pm <mailto:larspeemm@netscape.net>