Firefox Tweaks – An attempt to make Firefox suck less (github.com/dfkt)
69 points by rbcoffee on Aug 16, 2015 | 64 comments



Not a great attempt IMO.

The networking and UI things are a valiant effort. Mixing them with non-mainstream security concerns is a bad idea. You may feel that safe-browsing is tracking by the man, but advising newbies to turn it off is borderline irresponsible. Similar argument for ipv6 (wtf), error reporting (congrats: your bugs will never be fixed cause firefox doesn't know about them), and geolocation ("why doesn't google maps ever know where I am?").

If you apply these, some caveat emptor: when firefox upgrades it usually won't change these settings for you. So if firefox makes things awesome, you'll be left behind. You may want that, you may not. Personally, I'd advise against.



A critique and a follow-up. Better than almost everyone.


> caveat emptor: when firefox upgrades it usually won't change these settings for you

It's not so bad. You can sort prefs by user-defined, they're in bold, and each one has a reset-to-default option.

Also you can do a whole browser reset which preserves only passwords/bookmarks. Instructions: https://support.mozilla.org/en-US/kb/refresh-firefox-reset-a...

And firefox profiles might be handy for this too (from the command line add --ProfileManager or -P <profile name>).


Yes it is. Everything you've described, my two brothers can't do.


Well considering they don't browse HN or GitHub it's hard to see what the problem is.


You can put the settings in a user.js file that goes in your Firefox Profile folder. Example: https://github.com/j127/firefox-tweaks/blob/master/user.js


> Remove "(site) is now fullscreen" nag message and make it faster

For a list that wants to make the browser more secure, why do they want to remove the only line of defense against sites using fullscreen mode for phishing?

> Disable PDF reader

PDF.js has fewer security vulnerabilities than desktop PDF readers.

> Disable 'safe browsing' aka. Google tracking/logging

This seems like a really bad idea for most users.


> PDF.js has fewer security vulnerabilities than desktop PDF readers.

You can limit desktop readers with something like AppArmor (no network access, only allowed to read files, only allowed to open *.pdf files, etc). You can't (AFAIK) do that with PDF.js.


> only allowed to read files

You just let through the vulnerability in PDF.js.


No, you give it read-only access to the files it needs (e.g. /usr/) and then everywhere else like /home it can only open *.pdf.

Also, no networking.


AppArmor can't do a *.pdf restriction. Even if it could, you still let through access to every pdf on your system.

The point here is that the sandboxing needs to be watertight, or it's simply not effective. pdf.js runs in the JS sandbox, but here the file origin checking failed. Placing an OS-level sandbox around it doesn't help unless it is just as tight.


Uh, yes it can

    allow /**/*.pdf r,


Wow okay, didn't realize that (was still thinking in extended-attributes SELinux land).


> PDF.js has fewer security vulnerabilities than desktop PDF readers.

That's probably because there is one PDF.js and dozens of desktop PDF readers.

PDF.js sprouts CVEs at an alarming rate. It should be disabled until someone does a full-program security audit.


The only time I ever see the fullscreen message is when the screen has essentially already fullscreened itself in a case where I want it to. =/


The warning is a bit annoying, but without it attacks like this would be harder to spot: http://feross.org/html5-fullscreen-api-attack/ (it's just a proof-of-concept, no malicious payload)


Who are all these people who apparently run their browser maximized? Web pages generally get worse as the window gets wider. (Unless, of course, they control their own width, but that's its own obvious prompt to stop wasting all your screen space.)


Only with a rubbish, widescreen display are modern websites crap. Get a nice 4:3 or 5:4 display and everything looks good when maximised.


No, it would still have to be a small squarish display. Fixing the aspect ratio won't fix the problem that you have way more space than the website will take.


That seems like an entirely inadequate warning for an average user to spot phishing anyway.


Then you probably haven't visited a phishing site that uses this technique.


It says "suck less", not more secure. And this isn't something that most users would use.


Disabling IPv6?!

This is an... opinionated list. Wish there was more annotation around what those opinions were.


Don't know if it is still true. DNS lookup didn't work correctly when ipv6 was enabled.


W..what? I don't think this has been true for any Firefox version, ever. Certainly I'm using v6 right now. (Not on hn of course, it's v4 only)


It used to be an issue - in your local network, you had IPv6 automatically with Vista and newer (the same for Linux distributions). So your browser resolved AAAA records, tried to open a connection to the host, after a few seconds found out that it was going nowhere, resolved the A records, and the site worked.

So it became popular to manually disable IPv6 to speed up the browsing.


It was true for a Linux + Firefox combination a few versions ago. I had that issue.

Basically, the DNS lookup lasted like 4-5 times longer than it did while opening the same site in Chrome.


    BLOATWARE

    Disable 'Reader Mode':

Why? I use this every day to pull the text out of frustratingly-formatted sites.


It's the only UI change to firefox that I've come to appreciate.

I can't think of a single UI change since the introduction of Australis that hasn't caused me pain, frustration and forced me to spend considerable time and effort to look for workarounds or fixes. Since almost all of my UI interaction is muscle memory - changing, removing things and adding completely unwanted elements has been an unpleasant and grating experience for me and I come to dread every new feature introduced to firefox.

Reader is the only positive one for me. My eyesight isn't the best and the modern design trend for low contrast and small text makes many sites unreadable. Reader fixes that for me in a simple way, it's straightforward and doesn't have any unnecessary features.


Yeah, I like Reader Mode. It strips off all the fluff to make pages readable again.


One of the features I regularly use. Makes it easy to read and instantly removes most of the irritating .js stuffs that many sites add.


My guess is because of the Pocket integration.


Reader mode is a separate feature from the Pocket button.


Ugh, it has "disable webgl" because it's a "debatable" security concern? And disable ipv6? I hope people know what these settings are for before they apply these.


pdf.js is disabled, too, so no more easy opening PDFs in the browser if you apply these tweaks.


The type of person who is adding these settings probably wants this. That is, a web browser that does one thing very well: browse the web. The title of the repo is kind of misleading in that regard, since it makes it sound like something the average user might like.


Retitle "Project to make Firefox suck more"


No, this is definitely suckless: http://suckless.org/philosophy


The tweaks under appearance and bloatware are good, although I'd probably leave error reporting on (I'm on the nightly channel for a reason), as well as WebGL although it would be nice if it could be changed to "click-to-run" style launching. The rest of the tweaks seems fairly reasonable privacy-wise.


    browser.urlbar.trimURLs - false

Yay! This feature has annoyed me to no end.


Why is Reading mode even considered "bloatware"?


Well it was added recently, during the same time as things like pocket and hello are being added. A lot of people will never use it, so it's fair for them to put it in the same bloatware category. I use it a lot on mobile, not so much on desktop. I didn't want to disable it.

I'm not the biggest fan of hello in firefox, but I've gotten some light mileage out of it, so I guess I can't be too upset. Pocket though just really shouldn't be in the browser.


Reader mode was added in 2012-2013. Pocket and Hello were introduced in 2015.


Really? Did they just add the url icon then? I never noticed any of it before this year.


Reader mode was present in the Mobile version for a long time, its port to the desktop Firefox happened recently AFAIK.


Aight. Better late than never IMO.


Reading mode is one of my favorite things about firefox. Especially on mobile. I think it's a great feature.


Nice. That's a useful guide for writing an add-on to manage all those settings, some of which are documented only in very obscure places. Whether or not you turn them on or off is your business, but they need a user interface.


TBH I don't care if there's a user interface; what I want is to be able to store my browser's config in git along with the rest of my config. Every other program I use regularly is configured through sane dotfiles; if I check them out on a fresh OS install it's all like I want, except Firefox. I have to go through this insane song and dance of hunting down all my extensions and remembering obscure about:config settings every time.

In fact, it's a bit cringeworthy that this whole list is presented as a thing you're supposed to manually enter while using the about:config search.


> a thing you're supposed to manually enter

Doesn't everybody know about user.js? Keep that updated and store that in git. If that file is present in the .../Profiles/<whatever>.default then Firefox automatically uses it. And Firefox doesn't rewrite it, as opposed to prefs.js.

It's still a hassle, but it's far easier than manually entering things into about:config. Here are a few of the things currently in my user.js:

    user_pref("accessibility.blockautorefresh", true);
    user_pref("browser.preferences.inContent", false);
    user_pref("network.dns.disablePrefetch", true);
    user_pref("network.prefetch-next", false);
    user_pref("pdfjs.disabled", true);
    user_pref("plugins.hide_infobar_for_blocked_plugin", true);
    user_pref("plugins.notifyMissingFlash", false);
    user_pref("social.enabled", false);
    user_pref("social.remote-install.enabled", false);

I've got more in there but I'm too lazy to look all of them up to make sure they still apply to the current version of Firefox. The ones I pasted seemed relevant based on their name.


Sure, but you can't check the profile directory into git, and you can't know the path of the profile directory ahead of time to make a symlink either. The way they randomize the path makes it seem like they're going out of their way to make it automation-resistant.
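
Firefox records each profile's directory in profiles.ini, so a dotfiles setup can resolve the randomized path at install time and link a tracked user.js into it. This is an added example, not part of any comment in this thread or of the linked repositories; the function names are hypothetical and the Firefox root directory (for instance `~/.mozilla/firefox` on Linux) is an assumption passed in by the caller.

```python
import configparser
import re
from pathlib import Path

# Matches lines such as: user_pref("pdfjs.disabled", true);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def parse_user_js(text):
    """Return {pref: value} for every user_pref() line, for review or diffing."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m:
            raw = m.group(2)
            if raw in ("true", "false"):
                prefs[m.group(1)] = raw == "true"
            elif raw.startswith('"'):
                prefs[m.group(1)] = raw[1:-1]
            else:
                prefs[m.group(1)] = int(raw)
    return prefs

def profile_dirs(firefox_root):
    """Map profile name -> directory as recorded in <firefox_root>/profiles.ini.
    Assumption: firefox_root is the directory that holds profiles.ini."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.read(Path(firefox_root) / "profiles.ini")
    dirs = {}
    for name in ini.sections():
        if name.startswith("Profile"):  # skip [General] and other sections
            sec = ini[name]
            path = Path(sec["Path"])
            if sec.get("IsRelative", "1") == "1":
                path = Path(firefox_root) / path
            dirs[sec.get("Name", name)] = path
    return dirs

def link_user_js(firefox_root, repo_user_js):
    """Symlink the tracked user.js into each profile; never clobber a real file."""
    linked = []
    for path in profile_dirs(firefox_root).values():
        target = path / "user.js"
        if target.is_symlink():  # replace a link left by an earlier run
            target.unlink()
        if path.is_dir() and not target.exists():
            target.symlink_to(Path(repo_user_js).resolve())
            linked.append(target)
    return linked
```

Running `parse_user_js` over the tracked file before linking gives a reviewable list of every default being overridden, which is where a disabled protection would show up.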


When you have to do something like that to disable unwanted intrusive and commercial features in Firefox, you know that the Mozilla Foundation is not your friend.


There is a massive bias for change aversion in this list. Basically anything that Firefox has added in the last couple of years he doesn't like. Not advised.


Even though the changes aren't all great, many of them are definitely in the "why isn't this default?" category for me.

For ex webrtc should def. prompt instead of leaking by default, full screen animation is slow as fuck, pocket is adware, loop and safe-browsing should be turnable-off in the main prefs, social is adware, yada yada.


Is there any good reason to disable IPv6? I can't take the list seriously, without a proper explanation.


I agree that these are probably not good default settings, but just now I learned about pocket, hello, social, ...

Why are these not plugins in the first place, or manageable through the preferences dialog?


Disregarding the majority of rants here, I think it's a great list for everyone to just cherry-pick from for their own needs. It ain't all or nothing.


Yes... it inspired me to make my own version that only has what I need: https://github.com/j127/Better-Firefox


Why are you disabling IPv6?! It's faster than IPv4.


Yep, 50% faster.


Any feedback on which of these apply to Firefox mobile?


Step 1: Install Pale Moon. Step 2: Enjoy.


Depends on your RAM and CPU.



