My Firefox Setup

Why I Use Firefox

I have used Firefox since the very beginning on Windows. I stuck with it even in the early 2010s, when it clearly lagged behind Chrome, because of a profound distaste for Chrome’s GUI and Google’s business practices. In my opinion, Firefox Quantum released in 2017, has addressed most of the performance gap between Chrome and Firefox. In many cases, Firefox feels even snappier than Chrome. I still use Chrome every day, but mostly as my “debugging” browser for web development, my “translator” and, very rarely, my “Flash player”.

On macOS, I have used Safari since the beginning. However, as of macOS 10.15, I was forced to switch to Firefox when Apple decided to disable the legacy JavaScript API for extensions. The new extension model involves installing an App from the App Store. The “container” App provides an XPC extension which runs inside the Safari browser. This is arguably more efficient than JavaScript extensions, but this choice makes it very difficult for developers to port existing extensions to Safari. The “container” app also provides a much greater attack surface than a mere JavaScript extension.

Content Blocking Extensions

The move to the new extension API in Safari killed support for my favorite extension: uBlock Origin.

For performance and security reasons, Apple decided to no longer let extensions intercept HTTP requests in Safari. Instead, extensions had to migrate to the newer content blocking API introduced in 2015, as part of iOS 9. This API requires extensions to provide a fixed list of blocking rules, identical for all sites. This is nowhere near as effective as uBlock Origin’s dynamic rules. However, the privacy advantage is undeniable, since extension no longer have access to the sensitive information that can be inferred from intercepting all HTTP requests.

This debate about content blocking extensions was recently revived by the upcoming transition to Manifest v3 for Google Chrome extensions. Google is pushing for a similar approach to Apple’s with their new declarativeWebRequest API. They also argue that their new API would be more efficient and safer. However, I am somewhat skeptical, since the old webRequest API will be kept as part of manifest v3 minus the ability to block requests. In other words, Google plans to cripple content blocking extensions like uBLock Origin but other extensions would still be able to spy on users by sniffing requests. The old webRequest blocking API will also be kept for their “Enterprise customers”, which I interpret as Google’s partial acknowledgement that their new API does… indeed… suck.

My Firefox Extensions

This is the list of my Firefox Extensions:

  • uBlock Origin. As previously mentioned, I ditched Safari in favor of Firefox because of this extension. It is the best and fastest ad blocker. It can also be configured to block any kind of content on the spot. Content blocking extensions not only make web pages render better and faster, but also more securely since legitimate ad networks have been tricked many times in the past into distributing malware.

  • HTTPS Everywhere. This extension ensures that you always use HTTPS for a site that support it, even though you may be following an HTTP link. It is becoming less of an issue, but still worth having.

  • Cookie AutoDelete. This extension can be configured to delete cookies and local storage data for all visited sites, except for a short list of exceptions. This is more aggressive than the built-in delete cookies when Firefox is closed option since the extension will activity attempt to delete cookies while Firefox is running. I would recommend turning off notifications, since this extension is a bit too proud of itself for deleting cookies.

  • I don’t care about cookies. This extension automatically discards the annoying EU Cookie Banners that seem to spread around the Internet like the plague. I really do not need know about your cookies, nor care, since they will soon be deleted (see above). The only downside of this extension is that it does occasionally break sites. When this occurs, disable the extension for the site, click on the banner, and move on.

  • Dark Reader. I use macOS built-in feature to automatically switch to dark mode at night. The problem is that many web pages do not implement dark mode and carry on using very light backgrounds. Dark Reader attempts to automatically switch the pages to have light text on dark background. It usually does a decent job and it can be tweaked for more challenging sites. The only downside is that it seems unable to detect sites that natively support dark mode via the prefers-color-scheme media query.

  • Firefox Multi-Account Containers. This extension creates boundaries for cookies and local storage data. It is conceptually similar to running different tabs in the browser under different user profiles. I use this extension to segment sites where I need to remember cookies. For personal use the obvious example is social media. I also use the extension to keep multiple Google Classroom accounts simultaneously opened, to track the progress of my children’s online learning. I also use dedicated containers for work.

  • Tampermonkey. This extension allows you to run a custom scripts to modify the appearance and functionality of any sites. I use it to improve some internal web applications we use at work. I also use it to make Google search results look the same as before. It is also trivial to remove ads from Google search results.

  • Instapaper. I use Instaper to quickly save interesting web pages I do not have the time to read right away. I can go back to them later in the evening and read them on my phone.

  • Lastpass is my password manager. It works and it is cross-platform. I am very convinced one needs to use a password manager, but there are many things in Lastpass that annoy me. I may change in the future.

Configuration Tweaks

I use the following configuration tweaks to improve privacy without resorting to a VPN:

  • Enable DNS over HTTPS (aka DoH). This feature is normally turned on by default, except if you live in the UK as it frustrates the government surveillance efforts (see Snoopers' Charter) and the “voluntary” porn filters run by ISPs. The UK Internet Service Providers Association has named Firefox an Internet Villain over the issue.

  • Turn on Encrypted SNI support (aka eSNI). This ensures that Firefox does not leak the name of the visited sites in the clear, when doing a TLS handshake. By default, over plain old SNI, the domain name is sent in plain text before the encrypted connection is established.

You can verify the state of DoH and eSNI using this convenient Test Page from Cloudflare.

Alternatively, if you live in the UK, you could also try to visit the top banned site which cannot effectively be blocked by ISPs when using DoH and eSNI. Since the site is hosted by CLoudFlare, IP blocking would result in massive over blocking of thousands of legitimate sites.

The Future is Uncertain

Unfortunately, it looks like my current set up is living on borrowed times. Mozilla laid off the majority of the Servo team last August, which begs the question about the future of the Firefox, since Servo backported a lot of their technologies to make Firefox Quantum possible. The Servo project on Github is now essentially dead. I am somewhat less worried about the Rust language itself, since it is now large and useful enough to survive on its on merits.

Instead, Mozilla seems to be focusing their energy on their VPN offer and their clone of Have I been pwned?. Obviously these services have a clear monetization strategy compared to a free web browser, but it’s hard to imagine how Mozilla intends to fulfill their self professed goal of providing a better Internet for People with these niche and unambitious projects. If the Firefox browser is unable to keep pace with its commercial competitors, it will fail to attract new users.

In any case, I may transition back to Safari on the Mac. The upcoming version of Safari will support manifest v2 JavaScript extensions as announced at WWDC. This appears to support webRequest, so a port of uBlock Origin may be theoretically possible.

Another alternative would be to consider using Brave, which is yet another Chromium based browser with a focus on privacy. However, the browser has made some controversial moves in the past.