Firefox Profilemaker (ffprofile.com)
142 points by KubikPixel on Dec 18, 2021 | 50 comments


I like it design wise, but like a lot of these "de-clutter" tools it defaults to disabling security features without warning and will break some sites while making most sites slower. Plus it ironically installs a bunch of browser addons.

So if you hit next, next, next you'll lose: Google Safebrowsing (security), malware scan (security), DNS over HTTPS (security and sometimes functionality), Automatic Browser Updates, access to content that requires Widevine, all third-party cookies-based authentication, anything that relies on referers, anything that relies on IndexDB, anything that relies on extended session info, anything that uses WebGL or WebRTC or WebAudio, et al.

As I said, I like the design, but the current defaults get 0/10 from me. Simply awful. If you use the default profile here your browsing experience will be objectively worse and less secure.


It's making trade-offs, and differently than the Mozilla defaults. Google Safebrowsing reduces privacy (not because of the content, but because it says "hi Google, I'm running Firefox at this IP address"), DNS over HTTPS happily sends all your DNS queries to Cloudflare (and since we're arguing over functionality, breaks some split-horizon DNS), Widevine is blatantly anti-user, third-party cookies are a privacy problem, referers are a privacy problem, ... oh, actually the rest of your list from there is all privacy issues.

Anyways, the people who made this would say that Mozilla's current defaults get 0/10 from them and are simply awful, and that using them means your browsing experience will be objectively worse and less private.


Quite. My FF looks a lot like what this provides. I refuse to use Widevine and explicitly disable it and DRM on principle, and I want websites to know that this is something that is perfectly legitimate to do -- unlike Chrome where they've removed the ability to turn it off without deleting the horrible library itself.

I understand that some might hate this choice. Mozilla defaults to their preferences. These defaults are pleasingly made for people like me.


I'd rather Cloudflare get my DNS queries than a broken network middlebox.


And I'd like my local pihole equivalent to get them. Most defaults fail for someone.


What is your pihole equivalent/alternative?


So pihole is just some nice tooling around dnsmasq to feed it a bunch of domains to block, but if you don't care about that you can just have a script download a hosts file and load it into plain dnsmasq (or whatever DNS server you like; with dnsmasq use `addn-hosts=/etc/hosts.d`). Bonus: lots of routers already use dnsmasq, so you literally stick that line in the config file and populate the hosts file(s) and bam, free adblock.
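
An added example, not part of the thread or any commenter's script: a downloaded hosts file is trusted input to the resolver, so before it goes into the `addn-hosts` directory mentioned above it can be filtered so that it is only able to block names, never point them at another address. The function names, paths and sample entries are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: filter a downloaded hosts-format blocklist before dnsmasq
# reads it from the addn-hosts directory. All names here are hypothetical.

# sanitize_hosts: stdin = raw hosts file, stdout = safe blocking entries only.
sanitize_hosts() {
    tr -d '\r' | awk '
    BEGIN {
        lab = "[a-z0-9_]([a-z0-9_-]*[a-z0-9_])?"        # one DNS label
        re  = "^(" lab "\\.)+[a-z][a-z0-9-]*[a-z0-9]$"  # labels, then a TLD
    }
    {
        sub(/#.*/, "")                       # strip comments
        if (NF < 2) next                     # blank or malformed line
        # Keep sink addresses only, so the list can block but never redirect.
        if ($1 != "0.0.0.0" && $1 != "127.0.0.1" && $1 != "::" && $1 != "::1") next
        for (i = 2; i <= NF; i++) {
            h = tolower($i)
            if (h ~ /^localhost\./ || length(h) > 253 || h !~ re) continue
            if (!seen[h]++) print "0.0.0.0", h   # normalise and de-duplicate
        }
    }'
}

# install_blocklist SRC DEST: sanitize SRC, then atomically replace DEST.
# An empty result is refused so a bad download cannot wipe the active list.
install_blocklist() {
    src=$1; dest=$2
    tmp=$(mktemp "${dest}.XXXXXX") || return 1
    if sanitize_hosts < "$src" > "$tmp" && [ -s "$tmp" ]; then
        chmod 644 "$tmp" && mv "$tmp" "$dest"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed sample input (not a real blocklist).
sample_list() {
    cat <<'EOF'
# constructed blocklist sample
127.0.0.1 localhost
0.0.0.0 ads.example.com   # inline comment
127.0.0.1 Tracker.Example.NET
203.0.113.7 bank.example.org
0.0.0.0 ads.example.com
0.0.0.0 bad_host;rm.example
0.0.0.0 0.0.0.0
EOF
}

sample_list | sanitize_hosts
```

dnsmasq re-reads its hosts files when it receives SIGHUP, so a reload after `install_blocklist` is enough to pick up the new list.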


Wow, thanks! I had no idea this type of thing was possible these days. I was about to ask how you'd make that hosts file but found this in my router admin panel: 'Remote Console enables SSH access into the router from a WAN connection using the modems WAN IP address.'

I do have a pihole set up and I like the web interface for it, but I look forward to playing around with this for fun.


In fairness, this is way less feature rich - no statistics, no GUI, no "temporarily disable" button, but yeah for plain DNS adblock it works:)

> Remote Console enables SSH access into the router from a WAN connection using the modems WAN IP address

That sounds like it allows SSH from the public internet; I would try SSHing to its private IP with that off. YMMV.


I just shared that because that's how I learned I could SSH into my router at all. I'll be very careful around this stuff.


Good show:) Have fun!


These days? If anything, these methods are increasingly mitigated by new functionality from your friendly global technology giant such as dns-over-https.


And on the other hand one of the biggest annoyances of the web - autoplaying videos - is enabled by default! Clearly shows that you cannot please everyone with your defaults, no matter how hard you try.


Afaik the way autoplay works is that if it is on, it does only autoplay videos without sound. This can be useful for looping video backgrounds, memes and such. If they want audio too, autoplay does not work (not even if you try to manually trigger it via js).

In my eyes (browser-configurable) autoplay without sound is an acceptable use case. Autoplay with sound is not.


Autoplay with sound is a perfectly legitimate use case, but I agree with the status quo that it should not be allowed by default.

In general, the "not an acceptable use case" argument is almost always a harmful distraction - it angers people with legitimate use cases and that in turn gives fuel to those supporting it only for their own harmful use-cases. Call it what it is - a useful feature that happens to be commonly abused.

s/autoplay/cookies/g, etc.


I thought about this a lot, but did not find a single case where I would like to have a website suddenly play audio without me specifically clicking "play" or "unmute" somewhere.


- media sites like YouTube (some people prefer that when they click on a new video, it actually starts playing)
- notification sounds
- playlists of any sort (music or video)

Most of this can be worked around by prompting the user on load and then never reloading the page (SPA fetch-and-replace pattern), but even big sites screw this up (like YouTube, where the memory usage increases with every "fake reload").

Again, I wouldn't want just any site to do this unexpectedly, but the ones where I want those features should be able to do it.


I would have agreed with that until news sites started popping videos into view as soon as you start reading their news articles. Since that became a way too common thing, I don't care enough for the other valid use cases anymore and right away disable any sort of autoplay. :(


Yeah this is why we can't have nice things.

And why I run two adblockers. If you give them a finger they'll take the hand


Yeah that is shit, but they could also pop blinking text in your face — should we now ban text for that reason?


The <blink> tag is now legacy for reasons.


For tools like this, I'm a big fan of Shutup10's design: Nothing is changed by default. Settings are sorted by risk. It's one click to apply "recommended" settings. It's simple and beautiful.

https://www.oo-software.com/en/shutup10


Most of these defaults are what I have mine set to. I wouldn't say it's "simply awful", just different priorities. Having a tool like this allows the choice to be made in the first place, versus installing a browser and not being able to pick these without exploring.


It also explains the risks of most options pretty candidly.

The takeaway from this wizard is that Firefox has a fuckton of not-very-privacy-friendly stuff.

Why does Firefox support Beacons, which have zero user benefit and only exist to track users?

Why is the battery API still present, when it's been known for years that it is used for fingerprinting and tracking?

Why is Punycode allowed when it's known to be used for phishing?

Why is a hidden DRM extension from Google allowed to download arbitrary code? (Mmmmm, tasty tasty sponsorship dollars!)

"User privacy" doesn't actually seem to be much of a priority for Firefox these days.

Gotta pay for that skyrocketing CEO pay somehow...


Terrible defaults, as discussed below. Also I kind of dislike the fact telemetry is disabled by default: you’re making all these non-default changes to Firefox, then you’re actively disabling the feature that tells Mozilla you value these non-default features, or any crash reports relating to them?

I get it, wide-ranging telemetry is bad. But it seems like it actively hurts Mozilla to do this.


This is for the privacy focused. Telemetry is not.


This is great but it's also enormously depressing that there is such a massive amount of crap you have to do to have a reasonably private/secure/frictionless web browser these days.


This is great although some of the add-ons they suggest are either redundant or no longer supported like uMatrix. Since it's also now an option in Firefox settings you no longer need HTTPS Everywhere and Privacy Badger is useless if you have uBlock Origin. Also if you use Resist Fingerprinting, Canvas Blocker will just mess with your ability to blend in the crowd, effectively making your browser more unique than it should be.


I'm wondering about the security implications of this default referrer setting to "Spoof referer (send the same url)" (step "Privacy", third item from the top).

Wouldn't that then bypass all CSRF checks, where the site checks if the referer is correct, because your browser is overriding and always setting it to the expected origin?


So does this let me actually use the "multiple profiles" Firefox feature? I was always so confused by Firefox having "profiles" but apparently no interface for using or switching among them.


I use multiple profiles for NSFW stuff.

I just go to about:profiles, and click on Launch profile in new browser.

I can use incognito mode, but this way I don't have to login, and keeps browsing history.


If you're on a Mac, and you want something slightly easier than having to drop down to a command shell to add the necessary flags, you can have Automator bundle a script as an app that you can then put in your dock. Here's the script I use:

https://gist.github.com/ilikepi/9d2e17e0d3b3efd6fc0584f46f09...

Note that, when run for the first time, it will request permission to talk to a couple system services. You can remove that stuff pretty easily though. You can also launch a shell script from Automator, which would have been easier but then I would not have had a chance to play with AppleScript...


Use `firefox -ProfileManager --no-remote` to get the profile selection dialog on startup.


Launch firefox with the -p flag and you'll have a profile interface.


Nit: the preferred abbreviation is Fx or fx, instead of ff. See FAQ 8 on https://website-archive.mozilla.org/www.mozilla.org/firefox_...


No one can decide the preferred usage but the public. Through these two decades I hardly ever saw the Fx abbreviation in use.


This is the first time I saw "Fx".


I've always called it FF since before 2005


That FAQ is from 2005, is it still the preferred abbreviation in 2021?


This is nice.

I do wish it included:

user_pref("toolkit.cosmeticAnimations.enabled", false);

And I'm annoyed that you can't disable showing the tab bar when there's only one tab any more.

And if there were a pref to disable auto selecting the entire URL when clicking the URL bar, I'd be so happy. Makes editing a URL so painful.


Wizard is cool, but would love if this also included the GUI/about:config option to make this change.


Exactly what I was thinking. I would love this if it was just a list of options that you may consider changing.


Very interesting, I have been looking for a tool like this for a while. Probably it would be possible to combine this with something like home manager to manage the Firefox config along the rest of user settings from a single place.


You can also enforce most of these settings in all profiles with a policy: https://github.com/mozilla/policy-templates


One past thread:

Firefox Profilemaker - https://news.ycombinator.com/item?id=18589555 - Dec 2018 (87 comments)


Sadly the site is nearly unusable on Firefox mobile


Is there an alternative to this that can be run locally?


It's open source (https://github.com/allo-/firefox-profilemaker). It's python based so you could run the app and serve the page locally, if that's what you want.


I was thinking something built into Firefox itself or a local desktop app rather than a website.


wow... .lovely!!!

I will never stop using this!



