The 100 User Preferences Script, version 1.1

This script applies to browsers and mail programs or other programs using the Gecko® rendering engine from the Mozilla® open source project. Applications built upon the Mozilla/Gecko code-base range over the widely acknowledged core products - particularly Firefox® and Thunderbird™ - and a lot of other applications more or less well-known.

MOZILLA and FIREFOX are registered trademarks of the Mozilla Foundation. THUNDERBIRD is a trademark of the Mozilla Foundation.

Reconfigure your Gecko application by a user.js file

The configuration of Gecko applications is to a great extent ruled by pref settings in the prefs.js file. That file is handled internally by the program. The preferences therein are dependent on and will be over-ridden by user_pref settings in the user.js file. That file is not part of the program by default and must therefore be created by the admin or the end-user. Here is the place and now is the time to create this file ;-)

The user.js file itself is a simple ascii-text file and can be created and edited by use of any text editor. The User Preferences Script fills the file with the necessary reconfiguration commands: the at most 100 user preferences - i.e. preferences settings, which will give you as an admin or end-user power control over the browser and/or mail program.

The groups of user preferences to include

100 preferences to configure a program?! Is it really necessary? Definitely not. Begin optimising by making a general selection among the user preferences available with this script.

¬ Automatic: Selection of user preferences based on .
¬ Browser: Include the general user preferences and those specific for Firefox (suitable for Fx, but also for any stand-alone browser embedding Gecko®).
¬ Mail: Include the general user preferences and those specific for Thunderbird (suitable for TB, but also for any e-mail client embedding Gecko®).
¬ Suite: Include the general user preferences and those specific for SeaMonkey (suitable for SM, but also for any application suite embedding Gecko®).
¬ Other: Only include the general user preferences (suitable for all other applications embedding Gecko®).
¬ All: Include all groups of user preferences. Lets you trim each individual preference.

Fine-tuning the specific user preferences to include

So, depending on the radio button checked above, unnecessary preferences are disabled in the list of all the available user preferences below. There you may decide to include (check) or else exclude (uncheck) specific preferences. Do remember that you by the use of this script will only choose which user_pref("[pref name]", [value]); to be included in the user.js file! If a box is unchecked, the user_pref is not included and will have no effect on the preference whatsoever, i.e. the old pref in the prefs.js file will hold. Naturally only an included user_pref can alter a pref.

Generating the script code by pressing the left button below the 100 preferences without fine-tuning them, is believed to result in the best weighing of security/privacy and functionality for your program. The checked preferences are in principle enhancing security/privacy. By checking unchecked user preferences, you might reduce functionality or security, so be particular when fine-tuning.

 

The preferences that are checked by default are important for security and privacy reasons. By checking more user preferences your program would be even more secure, but possibly lose some useful functionality. If you are using a program that are no longer being developed, e.g. Firefox 1.5, SeaMonkey 1.0, Thunderbird 1.5 you should be better off with version 1.0 of the 100 User Preferences Script.

GENERAL PREFERENCES

These preferences will have an effect on applications built on the Gecko 1.8.1 code-base, including but not limited to Firefox 2, Thunderbird 2, and SeaMonkey 1.1, and the great majority also apply to older and newer programs alike.

Source roots: The preferences refered to in this section are usually found in the all.js or security-prefs.js files on the 1.8 branch in the project’s source tree.

1 Client certificate selection

Enforce the asking every time for the selection of a security certificate to present to web sites that require one. By the resolution of bug 431819 a compromise was reached concerning the requirement of the application’s prompting in this regard. To keep it always asking, check this preference, which is unchecked by default (since the result might be an annoying series of prompts).

  1. user_pref("security.remember_cert_checkbox_default_setting", );

2-3 Validation

Use OCSP to validate only certificates that specify an OCSP service URL. Change the value to 2 only if you apply a particular signing certificate authority and URL to query for OCSP certificate validation.

  1. user_pref("security.OCSP.enabled", );

Require that the OCSP service is available, otherwise treat the certificate as not valid. This preference – not applying to the 1.8 branch – is unchecked by default. For more information, see bug 110161.

  1. user_pref("security.OCSP.require", );

4-8 Warning alert messages

Warn when browsing secure/normal pages. The dialogue will let you disable each warning until the next time you start the browser. The warnings when leaving a secure page, and submitting over an insecure connection are unchecked by default. For pros and cons about these warnings, see bug 341472.

  1. user_pref("security.warn_entering_weak", );
  2. user_pref("security.warn_leaving_secure", );
  3. user_pref("security.warn_viewing_mixed", );
  4. user_pref("security.warn_submit_insecure", );

Do not alert when loading a page that supports encryption. This is the default setting on the trunk as well.

  1. user_pref("security.warn_entering_secure", );

9-10 The Master Password

Ask for the master password (if enabled) every 30 minutes by default. You could change the interval by entering any number of minutes in the second user preference. Change the value of the first user preference to 1 if the application should ask for the password every time it’s needed.

  1. user_pref("security.ask_for_password", );
  2. user_pref("security.password_lifetime", );

11 Disable Java

The preference for disabling Java is unchecked by default.

  1. user_pref("security.enable_java", );

12-13 No cache and no prefetching of Next page

The first user preference (which is unchecked by default) would disable the caching of HTTP documents and the second user preference disables all link prefetching.

  1. user_pref("network.http.use-cache", );
  2. user_pref("network.prefetch-next", );

14-15 Sending referer headers

Do not send referer headers. With the first preference, change the value to 1 if rather than denying referers altogether, link clicks (but not images) should result in the sending of the referer. Checking the second user preference would inhibit sending of HTTPS referers to other HTTPS sites. See bugs 1582 and 141641 for caveats about disabling sending of referer headers. These preferences are unchecked by default.

  1. user_pref("network.http.sendRefererHeader", );
  2. user_pref("network.http.sendSecureXSiteReferrer", );

16-19 Cookies

There are different views on the matter, so these user preferences are unchecked by default. See bug 324397 for a reasoning about the best preference for the application default, now resolved as "Allow All Cookies", i.e. option value 0.

The option values available for the first user preference mean:

1 Allow cookies from originating server only
2 Disable all cookies
  1. user_pref("network.cookie.cookieBehavior", );

The application default for preference no 17 is "Accept cookies normally", i.e. option value 0, and the others mean:

1 Ask once for cookie per site - check user preference no 18 to avoid an excess of prompts
2 Accept for current session only
3 Accept for any number of days set in user preference no 19 (90 by default)
  1. user_pref("network.cookie.lifetimePolicy", );
  2. user_pref("network.cookie.alwaysAcceptSessionCookies", );
  3. user_pref("network.cookie.lifetime.days", );

20-29 JavaScript and popup windows restrictions

The preference for disabling JavaScript is unchecked by default.

  1. user_pref("javascript.enabled", );

Scripts should not be able to hide or change the status bar or the context menu.

  1. user_pref("dom.disable_window_status_change", );
  2. user_pref("dom.event.contextmenu.enabled", );

Popup windows (created by scripts) should not hide the location bar, have a fixed size, or be impossible to minimize or close. See bug 337344 for caveats about the first setting (which is unchecked by default).

  1. user_pref("dom.disable_window_open_feature.location", );
  2. user_pref("dom.disable_window_open_feature.resizable", );
  3. user_pref("dom.disable_window_open_feature.minimizable", );
  4. user_pref("dom.disable_window_open_feature.close", );

Block popup windows not created as a result of a mouse click. The value 2 of user preference no 29 allows whitelisted sites to open popups. To disable popups for all sites, change the value to 3.

  1. user_pref("dom.disable_open_during_load", );
  2. user_pref("dom.disable_open_click_delay", );
  3. user_pref("privacy.popups.disable_from_plugins", );

The user preferences so far were security or privacy related, and when not seriously tending to reduce functionality, checked by default. The user preferences below more depends on a matter of taste, and normally they are not checked. Only if the application default has changed in newer versions, or if the preference has an obvious security/privacy benefit it is checked by default.

GENERAL PREFERENCES FOR BROWSERS

These preferences will control behaviour of the browser component, but note that some functionality might be dependent on preferences refered to in the previous section.

Source roots: The preferences refered to in this section are usually found in the all.js or else the browser-prefs.js and firefox.js files on the 1.8 branch in the project’s source tree.

30-32 Location Bar features

Disable domain guessing and enable Internet keywords. See a mozilla.org® document for information about the implementation of this feature.

  1. user_pref("browser.fixup.alternate.enabled", );
  2. user_pref("keyword.enabled", );

Apply automatic filling in of the address in the location bar.

  1. user_pref("browser.urlbar.autoFill", );

33-36 Controlling the tabs

Do not hide the tab bar when only one tab is open.

  1. user_pref("browser.tabs.autoHide", );

Open link in a new tab (instead of a new window) when middle-clicked.

  1. user_pref("browser.tabs.opentabfor.middleclick", );

Prevent tabs opened from links or by other applications from receiving focus.

  1. user_pref("browser.tabs.loadInBackground", );
  2. user_pref("browser.tabs.loadDivertedInBackground", );

37-38 Blinking and tipping off

The first preference disables tooltips and the second puts an end to blinking text.

  1. user_pref("browser.chrome.toolbar_tips", );
  2. user_pref("browser.blink_allowed", );

39 Inline spellchecking

Disable - option value 0 - automatic inline spellchecking for text entry controls such as textarea in HTML, or make it also available for single line controls - option value 2.

  1. user_pref("layout.spellcheckDefault", );

The preferences changes in the framed area are there to smooth things a bit by getting rid of possible annoyances in popular browsers. They will have effect in the browser component in application suites like SeaMonkey, and in stand-alone browsers, e.g. Firefox and its derivatives.

PROGRAM SPECIFIC PREFERENCES ‣ FIREFOX®

These preferences will have an effect in Firefox and all browsers based on it. If nothing else is stated each preference is valid in the latest release.

Source roots: Firefox specific preferences are found in the firefox.js file in the project’s source tree.

40 Control the display of domain in the identity box for SSL connections

Firefox 3 includes extra UI to convey information about a site using SSL to encrypt communications. Option value 1 will show the effective top-level domain along with the second-level domain (e.g., mozilla.org) emphasized to the left of the URL in the Location Bar. Use option value 2 to show the full domain (e.g., bugzilla.mozilla.org). This user preference is checked by default.

  1. user_pref("browser.identity.ssl_domain_display", );

41 Always show the toolbars and tab strip in fullscreen mode

In fullscreen mode, toolbars and the tab strip may be hidden at the top of the screen and only shown on mouseover. This preference will keep them in sight, and is checked by default.

  1. user_pref("browser.fullscreen.autohide", );

42-46 Controlling the tabs

Return to Fx 1.5 defaults. Only show the tab’s close button at the end of the tabstrip (user preference no 42) and give focus to the adjacent tab on closing a tab (user preference no 43).

  1. user_pref("browser.tabs.closeButtons", );
  2. user_pref("browser.tabs.selectOwnerOnClose", );

Prevent tabs opened with an item from the bookmarks list from receiving focus.

  1. user_pref("browser.tabs.loadBookmarksInBackground", );

Have search bar results always open in a new tab.

  1. user_pref("browser.search.openintab", );

Append a group of tabs instead of replacing the existing tabs.

  1. user_pref("browser.tabs.loadFolderAndReplace", );

47-48 Download directory

Keep the desktop clean by downloading to the last folder specified for a download, i.e. value 2, or to the downloads folder, i.e. value 1. Alternatively, check the second user preference to choose every time where downloads get put.

  1. user_pref("browser.download.folderList", );
  2. user_pref("browser.download.useDownloadDir", );

49 Page reloading

Disable automatic reload of web pages done by the HTML META refresh tag. This user preference is checked by default.

  1. user_pref("accessibility.blockautorefresh", );

50 Export bookmarks as HTML at shutdown

Firefox 3 uses JSON as the format to store bookmark backups by default. By this preference you switch back to using bookmarks.html instead. Cp. bug 384370.

  1. user_pref("browser.bookmarks.autoExportHTML", );

51 Do not restore the session after a crash

This user preference is for disabling the session restore utility after a crash. See the issues list for Fx 2 for the relevance of this preference.

  1. user_pref("browser.sessionstore.resume_from_crash", );

52 Phishing protection by a third-party provider

Firefox 3 does away with this particular preference to make a third-party provider being consulted to determine whether a site is phishy. If, however, you are using Firefox 2, you might want to activate the feature.

  1. user_pref("browser.safebrowsing.remoteLookups", );

53 Do not prefill forms with passwords

If Password manager is enabled, do not automatically fill sign-in forms with known usernames and passwords; instead, act as though there are multiple usernames/password pairs remembered for the form (fill password after username has been manually typed). This preference is for Firefox 2 only, but is checked by default.

  1. user_pref("signon.prefillForms", );

PROGRAM SPECIFIC PREFERENCES ‣ SEAMONKEY®

These preferences will have an effect in SeaMonkey and browsers based on it. If nothing else is stated each preference is valid in the latest release.

Source roots: SeaMonkey specific preferences are found in the browser-prefs.js file in the project’s source tree.

54-56 Location bar behaviour

Turn off location bar popups.

  1. user_pref("browser.urlbar.showPopup", );
  2. user_pref("browser.urlbar.showSearch", );

Do not select the text when clicking past it in the location bar.

  1. user_pref("browser.urlbar.clickAtEndSelects", );

57-60 Controlling the tabs

Append a group of tabs instead of replacing the existing tabs.

  1. user_pref("browser.tabs.loadGroup", );

Open links from external programs, targeted links and unspecified window.open calls in tabs instead of new windows (mimic Fx behaviour).

  1. user_pref("browser.link.open_external", );
  2. user_pref("browser.link.open_newwindow", );
  3. user_pref("browser.link.open_newwindow.restriction", );

61 The sidebar

Do not automatically open the search sidebar when doing a search.

  1. user_pref("browser.search.opensidebarsearchpanel", );

62-63 Tooltip previews and menu icons

Disable the tooltip preview of a tab’s contents. Cp. bug 315207.

  1. user_pref("browser.tabs.tooltippreview.enable", );

Load site icons/favicons when displaying bookmarks in menus, but only if they have already been cached. Changing the number to 2 would make the browser always load and show the icons in menus. (The default behaviour is to never show, i.e. option value 0.)

  1. user_pref("browser.chrome.load_toolbar_icons", );

MAIL & NEWSGROUPS

The preferences changes in this section are here to control mail management, addressbooks and newsgroups. Note that some functionality might be dependent on preferences refered to in a previous section.

GENERAL PREFERENCES FOR MAIL CLIENTS

These preferences will have effect in the mail and newsgroups component in application suites like SeaMonkey, and in stand-alone e-mail clients, e.g. Thunderbird and its derivatives. Corrections of old behaviour and security/privacy related preferences are checked by default.

Source roots: Mail & News specific preferences are usually found in the all.js or mailnews.js files on the 1.8 branch in the project’s source tree.

64-67 Security restrictions and Privacy concerns

Do not allow JavaScript, cookies, plugins or remote images in mail.

  1. user_pref("javascript.allow.mailnews", );
  2. user_pref("network.cookie.disableCookieForMailNews", );
  3. user_pref("mailnews.message_display.allow.plugins", );
  4. user_pref("mailnews.message_display.disable_remote_image", );

68-71 Return receipts

Never send a return receipt if addressee is not in "To" or "CC", and ask me in other cases. By checking the first preference return receipts would become disabled altogether, nullifying the effect of the others (which are checked by default).

The option values available for these preferences mean:

0 Never send
1 Always send
2 Ask me
3 Deny the request (only report.other)
  1. user_pref("mail.mdn.report.enabled", );
  2. user_pref("mail.mdn.report.not_in_to_cc", );
  3. user_pref("mail.mdn.report.outside_domain", );
  4. user_pref("mail.mdn.report.other", );

72-73 Collecting addresses

Add e-mail addresses to the Collected addressbook (not to muddle the Personal addressbook). By also checking the first preference, address collecting (for outgoing messages) would be disabled altogether.

  1. user_pref("mail.collect_email_address_outgoing", );
  2. user_pref("mail.collect_addressbook", );

74-77 Mail list appearance

Do not remember the last selected message or auto-scroll to a new message.

  1. user_pref("mailnews.remember_selected_message", );
  2. user_pref("mailnews.scroll_to_new_message", );

In an application from the 1.8 branch, any click on a column header other than the thread column will unthread the view. To keep threaded view on (like in TB3/SM2) this preference should be false (and it is checked by default).

  1. user_pref("mailnews.thread_pane_column_unthreads", );

Mark duplicat messages as read. See bug 9413 for information. The alternative values (numbers) mean:

1 Delete dupes
2 Move Dupes to trash
3 Mark Dupes as Read
  1. user_pref("mail.server.default.dup_action", );

78-79 Format=flowed prefs and RFC 2646

Read messages using old style wrapping. By also checking preference no 79 composed messages would be prevented from being transmitted with format=flowed. See Format=Flowed Mini-FAQ about this feature.

  1. user_pref("mailnews.display.disable_format_flowed_support", );
  2. user_pref("mailnews.send_plaintext_flowed", );

80-82 Regular compacting of folders

Compact folders when it will save over a certain amount of kilobytes, by default 100 kB. Do change the number to any threshhold.

  1. user_pref("mail.prompt_purge_threshhold", );
  2. user_pref("mail.purge_threshhold", );

In recent builds the client will show a confirmation alert when starting automatic compacting of folders. Check the preference if you do not want this alert and you also checked no 80 above.

  1. user_pref("mail.purge.ask", );

83 Do not check for new mail until the mail client is started

In recent SeaMonkey builds a check for new mail will be done, even when the Mail & Newsgroups component remains closed. Check this user preference to disable the feature.

  1. user_pref("mail.biff.on_new_window", );

PROGRAM SPECIFIC PREFERENCES ‣ THUNDERBIRD

The preferences in the framed area will have an effect in Thunderbird and e-mail clients based on it. If nothing else is stated each preference is valid in the latest release.

Source roots: Thunderbird specific preferences are found in the all-thunderbird.js file in the project’s source tree.

84-85 Phishing detection for link clicks

You could turn parts of phishing detection, i.e. analyzing of url’s in mail messages for scams, off in Thunderbird by setting two preferences to false. The first will make the client refrain from checking the matching of visible links with ip addresses, and the second will make it refrain from checking the matching of visible links with host names.

  1. user_pref("mail.phishing.detection.ipaddresses", );
    Note: The user preference above is somewhat jeopardising security.
  2. user_pref("mail.phishing.detection.mismatched_hosts", );
    Note: The user preference above is somewhat jeopardising security.

86 No preview text

Disable preview text in mail alerts and folder tooltips.

  1. user_pref("mail.showPreviewText", );

MISCELLANEOUS

The remaining user preferences we need to deal with are diverse annoyances found here and there and they might or might not have an effect on your software. Privacy related preferences are checked by default.

87-88 Zoom behaviour

Revert to old text size zoom behaviour (not zooming everything on the page). See bug 401322 for more information.

  1. user_pref("browser.zoom.full", );

Do not remember zooming on a per-site basis, instead the zoom level should be applied on the current tab only. Cp. bug 419609. This preference is for Firefox 3 only.

  1. user_pref("browser.zoom.siteSpecific", );

89-91 Handling personal information

Do not save form data, and use encryption when storing sensitive data. The wallet preferences apply to Thunderbird and Seamonkey.

  1. user_pref("wallet.captureForms", );
  2. user_pref("wallet.crypto", );

Do not fill in form data automatically. (This preference does not apply to SeaMonkey 1.)

  1. user_pref("browser.formfill.enable", );

92-93 The Password Manager

Checking the first preference would disable the Password manager.

If it is enabled though, do not automatically fill sign-in forms with known usernames and passwords; instead, act as though there are multiple usernames/password pairs remembered for the form (fill password after username has been manually typed). (This preference does not apply to the 1.8 branch.)

  1. user_pref("signon.rememberSignons", );
  2. user_pref("signon.autofillForms", );

94-95 Ease the handling of self-signed certificates

The first preference enables some extra UI on the SSL error page that makes it easier to accept an invalid certificate, and the second preference pre-fetches the certificate. See bug 427293 for more information. (These preferences don’t apply to the 1.8 branch.)

  1. user_pref("browser.xul.error_pages.expert_bad_cert", );
    Note: The user preference above is somewhat jeopardising security.
  2. user_pref("browser.ssl_override_behavior", );
    Note: The user preference above is somewhat jeopardising security.

96-97 Automatic updates

The application should automatically check to see if there is an updated version of itself, but should prompt before downloading major releases. Checking the first user preference would disable automatic updates.

  1. user_pref("app.update.auto", );
    Note: The user preference above is somewhat jeopardising security.
  2. user_pref("app.update.mode", );

98 Uncover the secret add-ons install button

Unhides the install button in the add-ons manager. See Uncover... for a blog entry about this feature.

  1. user_pref("extensions.hideInstallButton", );

99 Let Windows OS have memory if the application is minimized

Allow the application to release memory for the benefit of other programs. See bug 76831 for more information.

  1. user_pref("config.trim_on_minimize", );

100 Show the world

Add a note to the user agent string. Do observe that this user preference is always included.

  1. user_pref("general.useragent.extra.user_js", );

No. I’ll reset everything and start all over:

Time to get the content to copy/paste

Generate the user.js file by pressing the appropriate button below the text area. By Generate user.js (custom) a code according to the choices made in the form is generated. By Generate user.js (default) a code is generated containing general (excluding program specific) default values, i.e. regardless of your customisations. That code is aiming towards enhanced security and privacy without you losing important functionality.

Generating the contents for the user.js
| | | | |

After generating the code, press the Select it button, copy the code and paste it into an empty file. Save the file as user.js to the same directory/folder as the prefs.js file. To locate prefs.js you would need to locate the profile folder on the disk. Guides for that purpose exist for Firefox users and Thunderbird users and there are also more general instructions.

Well, you’re done :-) Restart the browser or the e-mail program and prefs.js will incorporate the new or changed preferences from the user.js file, and the program adjusts itself accordingly.

Version 1.0 | Version 0.9 | Version 0.8 | Version 0.7 | Version 0.6 | Version 0.5 |||| © mikaels.net · e-mail
valid-xhtml11 top of page