Wow, this is a great post. Thank you for taking the time to write this up. I've been using Firefox for a while now, but kept most settings fairly close to the defaults. I'm unhappy with many of their defaults, but hadn't been motivated to start tweaking stuff.
I'll note that disabling custom fonts breaks certain sites. I don't consider it a deal-breaker, but it's worth being aware. Many sites abuse fonts for icons. Developers, please consider using SVG icons instead.
Another comment mentioned how user.js disables WebGL and WebRTC. IMO, that and many other browser features should be disabled by default. If a site requires their functionality, I should be able to whitelist it. Safari used to let you conditionally enable WebGL access for only certain sites, showing a prompt when the functionality was accessed. It's a damn shame they removed the feature. I don't think most sites should have full access to all these browser APIs. Heck, all the storage APIs should probably be limited to the current session by default, with the option of requesting longer-term persistence for trusted services.
I'd really love it if we had an easy way to create fully isolated containers for each web service or group of web services, with varying tweaks in their security preferences.
Since we're already on the topic of configuring Firefox, I have a tangential question. Does anyone know how to configure Firefox to automatically save rar files? You usually receive the option to always save different file types, but the choice isn't available for rar files, so you always receive a download popup. It's quite annoying, and I have no idea why it happening. A cursory search didn't reveal any useful information on the matter. It's perplexing, because tar and zip files can be set to automatically save without any problem.
I hadn't seen uMatrix before, but it looks promising. Does anyone know of any user-friendly OS tools that lets you monitor and inspect requests? On macOS I used Little Snitch for a long time, but I'm trying to shift away from closed-source tools (no problem with paying, but I want to be able to compile it myself), especially for something so critical. Also, it doesn't let you inspect requests.
> Since we're already on the topic of configuring Firefox, I have a tangential question. Does anyone know how to configure Firefox to automatically save rar files? You usually receive the option to always save different file types, but the choice isn't available for rar files, so you always receive a download popup.
Maybe I'm missing something but for me, going to the Options tab, selecting General tab, then going to the Applications section and modifying the entry for RAR file in the list from 'Always Ask' to 'Save file' does the job.
Does it work for you?
For your second question, how about Wireshark? It's open source and does let you inspect the traffic.
There no RAR file entry in the list. It might be a macOS quirk, or it might somehow be caused by some sort of conflict with The Unarchiver. I'll probably play around with uninstalling it and trying other tools to see if that helps. Perhaps there's some sort of unexpected sandbox restriction with the default file handlers due to The Unarchiver having been installed from the App Store, or a bug with the app itself.
I just noticed that in the popup RAR files are identified as binary, while ZIP files are properly identified. Gonna have to dig into it a bit.
I've used Wireshark before, but most requests nowadays are using HTTPS. I vaguely recall at some point having tried to snoop on local HTTPS requests with Wireshark and ending up frustrated.
I'll note that disabling custom fonts breaks certain sites. I don't consider it a deal-breaker, but it's worth being aware. Many sites abuse fonts for icons. Developers, please consider using SVG icons instead.
Another comment mentioned how user.js disables WebGL and WebRTC. IMO, that and many other browser features should be disabled by default. If a site requires their functionality, I should be able to whitelist it. Safari used to let you conditionally enable WebGL access for only certain sites, showing a prompt when the functionality was accessed. It's a damn shame they removed the feature. I don't think most sites should have full access to all these browser APIs. Heck, all the storage APIs should probably be limited to the current session by default, with the option of requesting longer-term persistence for trusted services.
I'd really love it if we had an easy way to create fully isolated containers for each web service or group of web services, with varying tweaks in their security preferences.
Since we're already on the topic of configuring Firefox, I have a tangential question. Does anyone know how to configure Firefox to automatically save rar files? You usually receive the option to always save different file types, but the choice isn't available for rar files, so you always receive a download popup. It's quite annoying, and I have no idea why it happening. A cursory search didn't reveal any useful information on the matter. It's perplexing, because tar and zip files can be set to automatically save without any problem.
I hadn't seen uMatrix before, but it looks promising. Does anyone know of any user-friendly OS tools that lets you monitor and inspect requests? On macOS I used Little Snitch for a long time, but I'm trying to shift away from closed-source tools (no problem with paying, but I want to be able to compile it myself), especially for something so critical. Also, it doesn't let you inspect requests.