Remove legacy prefs and add new prefs #107
any1here/settings:master into master although it is commented out, privacy.spoof_english is an integer now ; 0=prompt, 1=disabled, 2=enabled.
ref: https://github.com/arkenfox/user.js/blob/140.1/user.js#L839-L844
@degausser wrote in #107 (comment):
although it is commented out,
privacy.spoof_englishis an integer now ; 0=prompt, 1=disabled, 2=enabled.ref: https://github.com/arkenfox/user.js/blob/140.1/user.js#L839-L844
javascript.use_us_english_locale got replaced by privacy.spoof_english in 119, and it's an integer now instead of a boolean.
Seems like I am not able to read anymore 😄
i assume you'd want to do deeper changes in a separate, more involved pr, but a few quick surface level ones that could be tacked on here:
- updated doh comment does use->doesn't use
browser.urlbar.suggest.mdn->trueis already default, and actually disabled with the featureGate pref anyways
Why was browser.urlbar.suggest.mdn set to true anyways?
Since the featureGate prefs are gonna be removed someday, wouldn't it be better to remove them now and just use the prefs directly?
Or was there something that when the featureGate gets set to false, it also removes some UI parts?
why
a lot of changes (or lack thereof) in librewolf.cfg later on were not well communicated, at best reactive, sometimes straight up arbitrary decisions, i'd suspect with lacking understanding too. if git blame doesn't provide answers, it's probably better to just not ask anymore. in this case, i think it was a misunderstanding of wanting the mdn suggestions (the pref used to be upstream false), but not realizing the relation to the featureGate prefs, (and to browser.urlbar.quicksuggest.enabled->false).
featureGate prefs removal
take care to at least keep those pinging home as false; otherwise imho celenity's approach in phoenix is the way to go, default/truthy featureGates, but browser.urlbar.suggest.*->false; users enable what they want via ui in about:preferences#search. but not my call.
removed UI parts?
afaik option for mdn suggestions wasn't (and still isn't?) exposed in about:preferences#search
It is probably better to use Phoenix as a base at this point and make changes from there, since it is in much better shape than what is currently being used for LibreWolf.
Investing time in finding what to change and arriving at the same result as Celenity is just a waste, and we could mutually benefit from each other.
Phoenix as a base and make changes from there
I fully agree, but (LibreWolf) maintainer consensus has to be reached. If successful, that would indeed also supersede this PR.
@degausser
Since I have no other way of messaging you, I might as well use this PR for your input.
What is your opinion on JIT? I would disable most of it like Phoenix does and keep only the necessary minimum to use WebAssembly. But I'm not sure if this is too extreme a default for the LibreWolf userbase. According to Microsoft, most users do not notice a difference when JIT is off.
Would you agree with the RFPTargets Phoenix uses?
Keep in mind I don't pretend to have qualified knowledge to voice "correct" opinions on browser behavior, just a persons' viewpoint.
JIT and wasm
The CVEs are undeniable; however JIT-less JS (without baseline, ion) is noticeably slow, at least on old(-ish) hardware (Haswell)[1]. uBO for example parses lists longer at startup, and its ui sometimes freezes. It also causes the 'not responding' banner on heavy-js web apps[2]. I keep js JIT and plain wasm enabled[3], but wasm-ion disabled.
RFPTargets
I really hate to agree with Thorin here, but the everlong granular overrides list based on user reports, is less than ideal. It's overly verbose, can cause performance problems (long prefs.js lines) and requires maintenance[4]. I don't bother with +AllTargets and overrides, and run stock FPP. It is what it is; upstream work continues, but only TB always was a reasonably safe bet re: fingerprinting.
As a sidenote, running "Mozilla replacement" infra (e.g. rehosting ETP/SafeBrowsing lists; also uBlock assets) should be discouraged. "Only user-initiated connections" people are usually dismissed as uninformed, but in terms of resilience, they do have a point.
Regardless of how you decide (in terms of major settings changes):
- community messaging (website, reddit/mastodon propaganda) has to clearly (front and center) state the guarantees and shortcomings of the browser either way, even if alienating a part of the userbase. Anything else is unfair to next wave of people coming after the next inevitable Mozilla fsckup. You can't both please the PG crowd, and have DRM working on Spotify. Phoenixed Firefox is not a mainline Firefox drop-in replacement; Mullvad is not a clearnet TorBrowser.
- overrides functionality should be treated as sacred (has to work no-hassle OOTB and be supported, so no opinionated non-telemetry lockPrefs).
[1] personal experience; dunno about those nice MS graphs
[2] which, coincidentally, I suspected was a possibility cause of user error with issue2810 along the lines of 'I no longer remember that I flipped it for ~privacy reasons'
[3] they say adoption is coming (...)
[4] also stuff like extensions.quarantinedDomains.list btw
I am wondering a bit if a JIT is as big of a problem as people describe it since the process is likely heavily sandboxed. 🤔
@sertonix https://www.cve.org/CVERecord/SearchResults?query=Firefox+JIT
i'm just gonna ask, do you still prefer the current vaguely arkenfox-based status quo, over
Phoenix as a base and make changes from there
?
In case this proves useful, these are my personal changes from phoenix v2025.12.23.1 (to maybe ease some of the work needed).
- probably should be changed,
- if kept unchanged, would change current LibreWolf defaults,
- opinionated; take what you want.
1. removed / modified
// platforms unsupported by librewolf
--[ANDROID-ONLY]
--[MAIL-ONLY]
// librewolf has its own branding
--app.support.vendor
--browser.phoenix*
--distribution.about
--librewolf.*
// celenity.dev redirects
browser.geolocation.warning.infoURL->""
extensions.webcompat-reporter.newIssueEndpoint->""
media.decoder-doctor.new-issue-endpoint->""
ui.new-webcompat-reporter.new-report-endpoint->""
// reenable native messaging and fix for proton; you can't disable the inbuilt password manager, and then not have KeepassXC, or ProtonPass work ootb
--webextensions.native-messaging
extensions.webextensions.base-content-security-policy.v3->"script-src 'self' 'wasm-unsafe-eval'; upgrade-insecure-requests;"
// cloudflare turnstile gets intermittently stuck with this
--accessibility.blockautorefresh
--network.http.prompt-temp-redirect
// breaks YouTube embeds with error 153
--network.http.referer.defaultPolicy.trackers*
// breaks urlbar bookmarks search (issue 218, not fixed in release yet)
--places.frecency.unvisitedBookmarkBonus
// broken ui on linux
--privacy.ui.status_card
// auto-deny (2), instead of default prompt (0), breaks some legitimate website functionality (filecrypt); there is also the BlockLAN uBO list
--permissions.default.localhost
// stock FPP
--privacy.fingerprintingProtection.*verrides
--layout.css.prefers-color-scheme.content-override // don't force light mode
// reenable JIT; also JIT-less hard(er) Anubis takes like 20+ seconds...
--javascript.options.baselinejit
--javascript.options.ion
// hardcoded to DuckDuckGo, doesn't really matter
--browser.urlbar.placeholderName*
// this draws a hovering hand cursor over clickable links only after the whole page has loaded (there is no "hand with spinner" cursor, at least on Windows); bad concession
--browser.spin_cursor_while_busy
// no reason to disable extended taskbar shortcut menu on Windows
--browser.taskbar.lists*
// maybe don't hardcode _any_ default state, or modify to suit LibreWolf
--browser.toolbarbuttons.introduced.sidebar-button
--browser.uiCustomization.state
--sidebar.backupState
// no quarantined domains for extensions
extensions.quarantinedDomains.enabled->false
extensions.quarantinedDomains.list->""
--extensions.quarantineIgnoredByUser.*
// default mozilla remote settings and extension update intervals; keeping stuff updated is important, but hourly pings are excessive
--update.*.interval
--services.settings.poll_interval
// reenable alt key to show menu
--ui.key.menuAccessKeyFocuses
// reenable animated webpage loading thumbnail, instead of an hourglass
--ui.prefersReducedMotion
2. preferred current librewolf prefs
// ai
browser.ml.enable->false
extensions.ui.mlmodel.hidden->true
// doh off by default
network.trr.mode->5
// browser data sanitization
--privacy.c.*cookies // LibreWolf currently wipes cookies
privacy.clearOnShutdown_v2.historyFormDataAndDownloads->false
privacy.clearOnShutdown_v2.browsingHistoryAndDownloads->false
places.history.enabled->false
// safebrowsing ; no sb > proxied sb > stock sb
browser.safebrowsing.blockedURIs.enabled->false
browser.safebrowsing.downloads.enabled->false
browser.safebrowsing.downloads.remote.block*->false
browser.safebrowsing.downloads.remote.url->""
browser.safebrowsing.malware.enabled->false
browser.safebrowsing.phishing.enabled->false
browser.safebrowsing.provider.google.*advisoryName // no IronFox branding
browser.safebrowsing.provider.google.*URL->"" // updateURL, getHashURL ; now also v5
// don't use system geo for location
geo.provider.use_corelocation->false // mac
geo.provider.use_geoclue->false // linux
// disabled firefox accounts; [!] this however also disables the new profiles manager ui, same urlbar icon
identity.fxaccounts.enabled->false
// don't update system addons; historically used for telemetry (toolkit.coverage -> now dormant); originally from arkenfox
extensions.systemAddon.update.enabled->false
extensions.systemAddon.update.url->""
// less download ui interaction, not that important
browser.download.alwaysOpenPanel->false
3. personal preference, not in either
// enabled creation of text fragment links in context menu
dom.text_fragments.create_text_fragment.enabled->true
// disabled push
dom.push.connection.enabled->false
dom.push.enabled->false
dom.push.userAgentID->""
// disabled newtabpage and stories
browser.newtabpage.activity-stream.discoverystream.enabled->false
browser.newtabpage.activity-stream.feeds.system.topsites->false
browser.newtabpage.activity-stream.feeds.topsites->false
browser.newtabpage.activity-stream.showSearch->false
browser.newtabpage.activity-stream.testing.shouldInitializeFeeds->false
browser.newtabpage.disableNewTabAsAddon->true
browser.newtabpage.enabled->false
browser.urlbar.suggest.topsites->false
// blank startup page
browser.startup.page->0
startup.homepage->"about:blank"
startup.homepage.*url->"about:blank"
// more to force english websites, than to guard against fingerprinting
privacy.spoof_english->2
intl.accept_languages->"en-US, en"
// signons are disabled so no password generation; don't fetch breach alerts / vulnerable passwords lists
signon.generation.enabled->false
signon.management.page.breach-alerts.enabled->false
signon.management.page.vulnerable-passwords.enabled->false
// hardened WebRTC; `specialized-configs/extended-unified.cfg#L73-L85` -> doesn't break for me, but probably not ready as defaults
media.peerconnection.ice.default_address_only->true
media.peerconnection.ice.no_host->true
media.peerconnection.ice.relay_only->true
// ui
browser.urlbar.autoFill->true // with phoenix, fills base urls from bookmarks, openpages only
browser.urlbar.scotchBonnet.enableOverride->false // old searchengines ui
browser.urlbar.suggest.importantDates->false
browser.translations.automaticallyPopup->false
devtools.theme->"dark"
devtools.toolbox.host->"window"
devtools.webconsole.input.editor->true // old devtools console
media.videocontrols.picture-in-picture.video-toggle.has-used->true
widget.gtk.overlay-scrollbars.enabled->false // auto-hiding scrollbars on linux suck
// misc
accessibility.typeaheadfind.flashBar->0
accessibility.typeaheadfind.prefillwithselection->false
ui.textHighlightBackground->"#0c75de" // eiffel 65
browser.bookmarks.max_backups->0 // phoenix by default dumps plaintext bookmarks.html to profile dir anyways
browser.tabs.groups.enabled->false // no tab groups
browser.tabs.loadDivertedInBackground->true // links opened in unfocused new tab by default
browser.tabs.selectOwnerOnClose->false // forced right-to-left tab closing order
dom.disable_beforeunload->true
dom.event.contextmenu.enabled->false // force context menu; or shift + righclick
@degausser I removed all the defaults and other prefs that don't affect us. It ends up being about 1.2k prefs in total.
To comment on some of the points raised by @degausser:
// platforms unsupported by librewolf
--[ANDROID-ONLY]
--[MAIL-ONLY]
Phoenix doesn't contain any [MAIL-ONLY] prefs - prefs specific to Thunderbird are covered in Dove instead (So, if you do come across any Thunderbird-specific prefs in Phoenix, please LMK - because it isn't intended).
// breaks YouTube embeds with error 153
--network.http.referer.defaultPolicy.trackers*
Fixed for next release, per discussion at celenity/Phoenix#228.
// breaks urlbar bookmarks search (issue 218, not fixed in release yet)
--places.frecency.unvisitedBookmarkBonus
FYI: This is fixed as of the latest release (2026年01月21日.1).
// broken ui on linux
--privacy.ui.status_card
Phoenix already doesn't set privacy.ui.status_card for Linux, due to the broken UI.
// doh off by default
network.trr.mode->5
IMO, if LibreWolf really wants to disable DoH by default for whatever reason, network.trr.mode should be set to 0 instead. My understanding is that 5 disables DoH completely, while 0 will still use DoH if it's configured on the OS level.
// safebrowsing ; no sb > proxied sb > stock sb
browser.safebrowsing.blockedURIs.enabled->false
browser.safebrowsing.downloads.enabled->false
browser.safebrowsing.downloads.remote.block*->false
browser.safebrowsing.downloads.remote.url->""
browser.safebrowsing.malware.enabled->false
browser.safebrowsing.phishing.enabled->false
browser.safebrowsing.provider.google.*advisoryName // no IronFox branding
browser.safebrowsing.provider.google.*URL->"" // updateURL, getHashURL ; now also v5
IMO the only prefs that need to be set here are browser.safebrowsing.malware.enabled and browser.safebrowsing.phishing.enabled - the rest are unnecessary to disable Safe Browsing and just make it more difficult for users to re-enable it if desired.
// don't use system geo for location
geo.provider.use_corelocation->false // mac
geo.provider.use_geoclue->false // linux
Why? I'm interested to hear your rationale/thought process for these.
// disabled firefox accounts; [!] this however also disables the new profiles manager ui, same urlbar icon
identity.fxaccounts.enabled->false
I don't see a point here; Firefox Sync is E2EE, so not even Mozilla can access data synced - and it never actually syncs any data or makes network connections until the user goes out of their way to set it up.
// disabled push
dom.push.connection.enabled->false
dom.push.enabled->false
dom.push.enabled is unnecessary, and actually harms privacy by aiding fingerprinting. If you really want to disable Push for whatever reason, dom.push.connection.enabled and dom.push.userAgentID should take care of it.
// more to force english websites, than to guard against fingerprinting
privacy.spoof_english->2
intl.accept_languages->"en-US, en"
intl.accept_languages is unnecessary here (and actually caused issues when Phoenix set it in the past); privacy.spoof_english should cover it. I don't think it's a sane default though, due to the impact on usability for non-English speakers - but I do think LibreWolf should consider exposing it as a UI setting.
I'd like to stress that the original comment was separated to three blocks, (2.) is a matter of backwards compatibility / breaking changes, (3.) is just a personal preference.
(also the comment was written as of Phoenix v2025.12.23.1, as stated)
Phoenix already doesn't set privacy.ui.status_card for Linux, due to the broken UI.
As it currently stands, LibreWolf ships only one unified librewolf.cfg; which means the base for it has to be unified Phoenix and broken functionality has to be removed for all platforms (platform specific prefs are shipped to non-relevant platform as well, see e.g. geo prefs). More complex build scripts, or runtime os checks are the alternative, arguably not worth the effort.
DoH
Consensus here was 5. My understanding is that without disabled doh-rollout, 0 can be turned on based on the rollout criteria. Note that e.g. Phoenix disregards system os network settings in other places, like proxy != 5 (users can reenable it). IMO the default should be either a clear on (without fallback, so 3), or a clear off.
SafeBrowsing
getHashURLs and updateURLs !="" still fetch the lists; LibreWolf disabled SafeBrowsing historically (which I assume you had issues with in its current form too, hence the IronFox proxy), and the docs already include a way to reenable it, including setting those urls back (but should be amended with v5). most others are in-depth, and/or prevent fetching lists that are not needed.
hopefully v5 local lists arrive sooner than later (likely as just another ETP bucket), so we don't have to deal with any of this.
disabled system geo usage
Included in LibreWolf since forever, taken from arkenfox; arkenfox inclusion stems from this earthlng's comment, and Thorin's take ("service used should be handled only within the application"). Seems sound.
firefox accounts
I think the perceived separation of LibreWolf and Mozilla was (is?) of user importance. this is how the current docs address sync. self-hosting still has issues (see this nice writeup, as of 11/2025 for details); default is still the Mozilla server. From the article:
- Mozilla will get your email address. It needs to be a real email address that only you control, because they send login codes to it
- Your browser will periodically fetch auth tokens from Mozilla. This means Mozilla learns on a regular basis all the IP addresses you browse from, and can tie them to your email address
- Your syncserver will periodically fetch JWKS keys from Mozilla. This means Mozilla also knows your server's IP address too
push
just took this. if omiting dom.push.enabled->false still ensures that Mozilla's push services endpoint is not pinged, that's fine by me.
en-US
privacy.spoof_english and its predecessor afaik used to apply only to RFP, so explicit intl.accept_languages is to cover FPP; either way its a personal preference, same as WebRTC hardening.
Could we pleeeeeease keep discussions unrelated to this PR out of the comments for the PR?
Who ever has to review this now has the option to either ignore the comments completely, or spend an hour to filter out what actually addresses settings in the PR, and what is just comment noise.
@alyx161 wrote in #107 (comment):
Could we pleeeeeease keep discussions unrelated to this PR out of the comments for the PR? Who ever has to review this now has the option to either ignore the comments completely, or spend an hour to filter out what actually addresses settings in the PR, and what is just comment noise.
I take the blame because I started this with my comment of:
Since I have no other way of messaging you, I might as well use this PR for your input.
I made a separate issue for discussing using Phoenix as a base here librewolf/issues#2823
No due date set.
No dependencies set.
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?