Firefox
Firefox Preferences
Overview
Firefox stores user preferences in prefs.js, a JavaScript file within each profile directory that contains user_pref() function calls. An optional user.js file can override preferences on every browser startup. These files control nearly every aspect of Firefox behaviour: privacy settings, security policies, network configuration, search engine defaults, UI customisation, and content blocking.
Preferences are forensically relevant because they reveal the user's security posture, privacy choices, network configuration (including proxy settings), and whether anti-forensic measures have been applied (such as disabling history, clearing data on exit, or disabling telemetry).
File Locations
| File | Path | Description |
|---|---|---|
| User preferences | ~/Library/Application Support/Firefox/Profiles/{profile}/prefs.js | Active preference store (auto-generated) |
| User overrides | ~/Library/Application Support/Firefox/Profiles/{profile}/user.js | Manual preference overrides (optional, user-created) |
prefs.js vs user.js
| Aspect | prefs.js | user.js |
|---|---|---|
| Created by | Firefox automatically | User manually |
| Updated by | Firefox on preference changes | User edits only |
| Applied when | Always loaded on startup | Applied after prefs.js, overrides values |
| Reset on startup | No -- persists user changes | Yes -- reapplied every startup |
| Forensic significance | Current state of all modified preferences | Deliberate, persistent configuration choices |
The presence of a user.js file is notable because it indicates intentional configuration hardening. Files like those generated by arkenfox/user.js (formerly ghacks-user.js) dramatically alter Firefox's privacy and security behaviour.
File Format
Both files use the same JavaScript format:
// prefs.js example
user_pref("browser.startup.homepage", "https://example.com");
user_pref("browser.startup.page", 3);
user_pref("privacy.donottrackheader.enabled", true);
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "proxy.corp.example.com");
user_pref("network.proxy.http_port", 8080);
Each line is a user_pref("key", value) call where:
- The key is a dot-separated preference path.
- The value is a JavaScript literal: string, integer, or boolean.
Comments beginning with // or /* */ may be present but are stripped by Firefox on write.
Key Fields for Analysis
Privacy and Anti-Forensics Settings
| Preference | Default | Forensic Significance |
|---|---|---|
privacy.sanitize.sanitizeOnShutdown | false | If true, data is cleared on exit |
privacy.clearOnShutdown.history | false | History cleared on shutdown |
privacy.clearOnShutdown.cookies | false | Cookies cleared on shutdown |
privacy.clearOnShutdown.cache | false | Cache cleared on shutdown |
privacy.clearOnShutdown.formdata | false | Form history cleared on shutdown |
privacy.clearOnShutdown.sessions | false | Session data cleared on shutdown |
privacy.clearOnShutdown.downloads | false | Download history cleared on shutdown |
places.history.enabled | true | If false, browsing history is disabled entirely |
browser.formfill.enable | true | If false, form autofill is disabled |
signon.rememberSignons | true | If false, password saving is disabled |
privacy.donottrackheader.enabled | false | Sends Do Not Track header |
browser.privatebrowsing.autostart | false | If true, always starts in private browsing |
Network and Proxy Settings
| Preference | Description |
|---|---|
network.proxy.type | 0=direct, 1=manual, 2=PAC, 4=WPAD, 5=system |
network.proxy.http | HTTP proxy hostname |
network.proxy.http_port | HTTP proxy port |
network.proxy.ssl | HTTPS proxy hostname |
network.proxy.ssl_port | HTTPS proxy port |
network.proxy.socks | SOCKS proxy hostname |
network.proxy.socks_port | SOCKS proxy port |
network.proxy.socks_version | SOCKS version (4 or 5) |
network.proxy.autoconfig_url | PAC (Proxy Auto-Config) URL |
network.proxy.no_proxies_on | Proxy bypass list |
network.trr.mode | DNS over HTTPS mode (0=off, 2=first, 3=only, 5=off-by-choice) |
network.trr.uri | DNS over HTTPS resolver URL |
Security Settings
| Preference | Description |
|---|---|
security.tls.version.min | Minimum TLS version (1=1.0, 2=1.1, 3=1.2, 4=1.3) |
security.tls.version.max | Maximum TLS version |
security.OCSP.enabled | Certificate revocation checking (0=off, 1=on, 2=strict) |
security.cert_pinning.enforcement_level | Certificate pinning enforcement |
dom.security.https_only_mode | HTTPS-Only mode enabled |
security.sandbox.content.level | Content process sandbox level |
Content and Tracking Protection
| Preference | Description |
|---|---|
browser.contentblocking.category | standard, strict, or custom |
privacy.trackingprotection.enabled | Enhanced Tracking Protection for normal windows |
privacy.trackingprotection.socialtracking.enabled | Social media tracker blocking |
privacy.trackingprotection.cryptomining.enabled | Cryptominer blocking |
privacy.trackingprotection.fingerprinting.enabled | Fingerprinting protection |
privacy.resistFingerprinting | Advanced fingerprinting resistance (reduces uniqueness) |
Search and Homepage
| Preference | Description |
|---|---|
browser.startup.homepage | Homepage URL(s) |
browser.startup.page | Startup behaviour: 0=blank, 1=homepage, 3=restore session |
browser.search.defaultenginename | Default search engine name |
keyword.URL | Address bar search URL |
Telemetry and Reporting
| Preference | Description |
|---|---|
datareporting.healthreport.uploadEnabled | Telemetry data upload |
toolkit.telemetry.enabled | Telemetry collection |
app.shield.optoutstudies.enabled | Mozilla Shield studies participation |
browser.crashReports.unsubmittedCheck.autoSubmit2 | Auto-submit crash reports |
Timestamps
prefs.js does not contain timestamps within its content. However, the file's filesystem modification time reflects when preferences were last changed. The macfor collector records OriginalModTime from the file metadata.
Analysis Notes
Detecting Anti-Forensic Configuration
A user who has enabled privacy.sanitize.sanitizeOnShutdown with associated privacy.clearOnShutdown.* flags set to true is actively destroying forensic evidence on browser close. Check:
- Is
privacy.sanitize.sanitizeOnShutdowntrue? - Which
privacy.clearOnShutdown.*categories are enabled? - Is
browser.privatebrowsing.autostarttrue? (Permanent private browsing) - Is
places.history.enabledfalse? (History completely disabled)
Identifying Privacy Hardening Tools
The presence of extensive privacy-related overrides, especially in a user.js file, often indicates use of a hardening template:
- arkenfox/user.js: Comprehensive privacy hardening. Look for characteristic preferences like
privacy.resistFingerprinting = true, extensivenetwork.cookie.*modifications, andgeo.enabled = false. - LibreWolf defaults: Similar to arkenfox but applied via default preferences.
- Tor Browser settings: Extreme privacy configuration (unlikely in standard Firefox).
Proxy and Network Analysis
Proxy settings reveal network routing:
- Manual proxy (
network.proxy.type = 1): Checknetwork.proxy.httpandnetwork.proxy.socksfor the proxy endpoint. - PAC file (
network.proxy.type = 2): Thenetwork.proxy.autoconfig_urlmay point to an enterprise PAC file. - SOCKS proxy with DNS via SOCKS (
network.proxy.socks_remote_dns = true): May indicate Tor or SSH tunnel usage. - DNS over HTTPS (
network.trr.mode = 2 or 3): DNS queries are encrypted, bypassing local DNS monitoring.
Session Restore Behaviour
The browser.startup.page preference determines what happens on startup:
| Value | Behaviour |
|---|---|
| 0 | Blank page |
| 1 | Homepage |
| 3 | Restore previous session |
A value of 3 means the session files in sessionstore-backups/ will be loaded on startup, and session cookies will persist across browser restarts.
Parsing prefs.js
prefs.js is parseable with a simple regex or line-by-line extraction:
Pattern: user_pref\("([^"]+)",\s*(.+)\);
Group 1: preference key
Group 2: preference value (string, integer, or boolean)
Note: The macfor collector currently collects prefs.js as a raw file without structured parsing. Examiners can parse the file manually or with scripting tools.
Version Differences
| Version | Change |
|---|---|
| Firefox 70+ | browser.contentblocking.category replaces older tracking protection prefs |
| Firefox 83+ | HTTPS-Only mode available via dom.security.https_only_mode |
| Firefox 85+ | Network partitioning preferences added |
| Firefox 86+ | Total Cookie Protection preferences |
| Firefox 91+ | HTTPS-Only mode refinements |
| Firefox 114+ | DNS over HTTPS preferences expanded |
The prefs.js format itself has been unchanged for decades. New preferences are added with each Firefox release, but the syntax remains the same.
Tool Support
| Tool | Capability |
|---|---|
| macfor | Raw prefs.js file collection (Pro module) |
| Text editor | Direct inspection -- prefs.js is human-readable |
| grep/awk | Pattern-based extraction of specific preferences |
| Firefox about:config | Live preference inspection (on running Firefox) |
| AXIOM | Automated Firefox preference extraction |