Extensions
Surviving the XULocalypse
Configuration
1. Keybindings
Remaining work
History
Remaining issues
Alternative browsers

TL;DR: I use Firefox, for technical and political reasons. This page documents my config and why.

I run the "Quantum" version (57+) as it's a huge performance improvement, even on older machines. Some plugins fell by the wayside but I was able to find replacement for most of what I need. I installed it from the upstream tarballs on some machine, but I also tried using Snap which also works generally well. I documented that procedure in the Debian wiki. For machines running under buster or later, the quantum version is available as a Debian package (now ESR too!) so those hacks are not necessary.

Extensions

This section documents the Firefox add-ons I am using, testing, or have used in the past.

Installed

I have those extensions installed and use them very frequently:

browserpass-ce (debian package, source) - super fast access to my passwords. use some magic mumble-jumble message passing thing which feels a bit creepy. possible alternative: passff, no Debian package, 872773.
Cookie AutoDelete (no Debian package, 908285, source) - clear long-term identities for all sites except a few, too bad it does not sync with uBlock/uMatrix (issue 43)
Livemarks (no deb, source) or Awesome RSS (no deb, source) - replace the Live bookmarks removal
uBlock Origin (debian package, source) - making the web sane again
URL to QR Code - (no debian package, source) after removing another alternative that was proprietary spyware (!! see below), I found about 6 different alternatives (this one and 1, 2, 3, 4, 5 - what is wrong with you people??) This is the most popular, reviews are mostly positive, seems to be working offline, has a free license, and source is available. Super simple too.
Wallabager (no debian package, source) - to YOLO a bunch of links in a pile outside my web browser that I can read offline thanks to Wallabako

Ideally, all of those should be packaged for Debian.

In testing

I am testing those and they might make it to the top list once I'm happy:

Auto Tab Discard (no deb, source), like the old, dead Great Suspender. I was specifically looking for a feature to suspend ("discard") a specific time taking up too much CPU (but not close it). all tabs helper can also do this and manage tabs as well, but seems to overlap with the tab menu, Auto Tab Discard is also recommended. I previously used Snooze tabs (no deb, source) for this as well.
Clean URLs (no deb, source) - remove garbage in URLs
Display anchors (no deb, source)
Firefox Multi-account containers (no deb, source) - kind of useful to separate work/private stuff and generally keep cross-site surveillance under control. I was also using "Container Tab Groups" (AKA "TabArray") but this had data loss issues. That extension was very useful to "hide a container", but the builtin extension also provides that feature, just with a bunch more clicks.
- builtin: extension button -> click ">" on the right container -> "Hide this container"
- tabarray: right-click on tab and "hide this container" See Hide/Show container more accessible (#755), Show only this container option (#1662), and Some options are hard to access from the container list (#2089). Containers are rendered mostly irrelevant by the "first party isolation" features shipped with Firefox 87 (also known as total cookie protection), my primary use case for those containers is to have tab groups (e.g. "work", "play") that i can hide easily. Containers are not actually required for that, although I do like the "temporary container" feature to test sites.. Mozilla is working on native tab groups (alpha available with browser.tabs.groups.enabled in nightly as of 2024-11-01, but lacking lots of UX), which might make all of this moot as well. Also tested sideberry (overkill, no support for hiding tabs) and simple tab groups (all but simple, not as usable as tabarray)
Greasemonkey (no deb, source) - mostly for this one hack for Nextcloud Calendar to show UTC times alongside local
Link hints (no deb, source) - nice and simple alternative to full-scale keyboard driven interface like tridactyl, see the keybindings section below
Popup window (no deb, source) - open the link in a pop-up, useful to have an "app-like" window for a website (I use this for videoconferencing in a second tab)

Those should probably not be packaged in Debian until they make it to the top list.

Might use again

Those were in testing for a while, then installed, but then I got tired of them...

Dark Background and Light Text (no deb, source) - Mozilla also recommends Midnight Lizard for Android which I couldn't figure out how to disable by default (and only enable on some sites). I also tested dark reader, which seem a bit overkill. Nowadays I just use browser.in-content.dark-mode, see below.
GhostText (no debian package, #910289, source)- "It's all text" replacement, allowed me to edit text areas with my favorite text editor (Emacs), worried about security implications
LibRedirect (no deb, source) - redirect big platforms to proxied alternatives, i particularly like the Medium.com alternative, https://scribe.rip - stopped using because alternatives are too flaky
Minimal (homepage) - removes autoplay, search suggestions and all sorts of junks from many websites (alternatives: shutup for comments, uBlock origin dynamic rules, e.g. those rules) - replaced by uBlock cosmetic rules
Open in Browser (no deb, source) - reopen the file in the browser instead of downloading - not really used that much
redirector (no deb, homepage, source) - mainly to redirect to old.reddit.com, really (alternative just for reddit
Switch container (no deb, source) - fixes one of the issues with multi-account containers (ie. moving tab to another container)
Temporary containers - not sure that works so well... installed it and then never used it so i uninstalled it.
View Page Archive & Cache (no deb, source) - load page in one or many page archives. No "save" button unfortunately, but is good enough for my purposes. The Archiver (no deb, source) is another option that does the reverse: save only, no view. -- not really used that much

Previously used

I once used those but eventually removed them for various reasons. Some are unsupported, non-free software, inconvenient, too hard to use or simply irrelevant.

adblock plus - now selling ads! replaced with ublock
Addons compatibility reporter - useless since Firefox 57 / Quantum, as incompatible extensions are just disabled
Debian buttons didn't work for me as it requires buttons, so I made a simple bookmarks folder instead
firebug - somewhat built-in
it's all text! (debian package, source) - now obsolete and replaced by GhostText (see above)
password hasher - has security issues - completely removed any password management from my browser, see 2017-03-02-password-hashers for a further review of password hashers.
Privacy Badger, tested as a replacement for the more aggressive uMatrix. Issues: doesn't allow blanket configuration (e.g. block cookies by default) and difficult to make mass configuration. Very hard to edit the list of domains, sometimes clicking on a domain would scroll back up. Doesn't block any Google cookies when I visit their sites, which is a no-no for me.
QR Code Image Generator (no debian package, no source??) - to send links to my phone. removed because no source code is available, is not free software, and seems to not actually be working offline, so URL contents are shared with an online service.
Sea containers - another GUI for containers. installed it and then never used it so i uninstalled it.
Smart HTTPS (no deb, source) - some use HTTPS everywhere but I found that one works too and doesn't require sites to be added to a list. nowadays, https URLs match http URLs quite well: long gone are the days where wikipedia had a special "secure" URL... HE does have a "Block all unencrypted requests" setting, but it does exactly that: it breaks plaintext sites completely. See issue #7936 and issue #16488 for details. Nowadays, I just don't need any extension: I enable HTTPS-only mode (AKA dom.security.https_only_mode). The EFF even deprecated HTTPS everywhere because of this.
translations (no deb, source) - native LLM translation, now available natively through browser.translations.enable, now default. models also available
U2F Support, is now unnecessary as it is builtin, starting with FF 57 (see issue #59). the upstream issue was #1065729
uMatrix (debian package, source) - abandoned upstream, replaced by uBlock origin's advanced mode and dynamic filtering, see this migration script, and Cookie Autodelete. Cookie Autodelete is actually somewhat nicer than uMatrix because it accepts cookies everywhere, but only for a while, so you need a much shorter whitelist (basically only the sites which you really want a long-term identity on, whereas you had to unblock cookies from a lot more sites just to get things to work at all in uMatrix)
Wayback machine (no deb, source?) - i also have bookmarklets, but this could work better! Unfortunately, it doesn't work with other archival sites like archive.is or Google's cache. It also tries to be too smart about broken sites: it will try to show the archive.org version when it "thinks" the website is down, but it often fails to notice when a site is down or think it's down when it isn't. Replaced with [View Page Archive & Cache][].
webdevelopper toolbar - not exactly builtin, but builtins are good enough now
yslow - now more or less built-in
zotero is in a bad shape in Debian. The "XUL" extension is gone from Zotero 5.0, and the 4.0 extension will stop working because upstream will drop support in 2018. Debian is scrambling to package the newer version that is only standalone (#871502). Right now I'm using the ~~standalone binary from upstream~~ flatpak but I'm looking at alternatives, see bookmarks for that more general problem.

Surviving the XULocalypse

I wasn't very affected by the "XULocalypse", or the removal of older "XUL" extensions from Firefox 60. My biggest blocker was it's all text! and I quickly found a replacement. Others have had more trouble, however, here are some references:

pabs
clint
Alternatives database, incomplete
Another database, more complete, but probably not exhaustive either
Discussion on Mozilla forum
Mozilla "find a replacement" documentation, pretty useless

And here are the replacements I have found:

DOM Inspector: now builtin
it's all text!: GhostText, Firefox recommends withExEditor but that requires running a separate process to launch the editor, while GhostText implements this through editor plugins instead.
u2f support addon: now builtin
uBlock origin: ported
uMatrix: ported
Wallabager: ported
web developer: ported
vimperator: see the keybindings section below

Those are the extensions I was using for which no replacement exists:

alternative trust models, like Monkeysphere. as pabs documented, those are simply not supported ~~yet~~ and might never be, which means Certificate Patrol, Perspectives, Monkeysphere and Communism are all incompatible with Firefox 57 and later
tab management. Plugins that would regroup or hide tabs have had difficulty switching over. For example, vertical tabs has been ported, but can't turn off the normal tab strip. Mozilla maintains a list of tab organizers that might answer your needs and I'm testing the Multi-account containers stuff for now. When there are too many tabs, Firefox automatically adds a drop-down on the right of the tab list as well, which happens when browser.tabs.tabMinWidth gets triggered. So turning that up counter-intuitively enables the drop-down even if there not that many tabs, at the cost of showing less tabs at once. I set it to 100, the default being 76.
profile switching extensions, like profilist, is apparently not supported by the new API.
standalone applications like Zotero: they released a new version (5) that switches to a "connector" model where there is only a "standalone" program and plugins in the web browser to talk to it. Unfortunately, Zotero is still a XUL application and uses an old, unsupported Firefox version as a runtime:
```
 $ ./zotero-bin --version
 Mozilla Firefox 52.7.4
```

In my experience, if your upstream is still active, chances are the extension was ported, provided there are APIs for the feature. The new "webext" interface has the advantage of being almost directly compatible with Chrome extensions, which makes it easier to maintain a plugin across browsers but there are, as we can see, some limitations in the newer APIs.

For users that can't afford to switch over the the newer extensions, there are already two forks of Firefox created in direct response to the removal of XUL/XPCOM from Firefox 57:

It is unclear, however, whether those browsers will be sustainable in the long term.

Configuration

I have set the following configuration options, in a user.js file that I version-control into git:

browser.tabs.loadDivertedInBackground (ref): true (fixes an issue where focus would change to the firefox window (and workspace!) when clicking links in other apps
browser.search.defaultenginename: searx.me (default search engine)
browser.startup.page (ref): 3 (startup with previous session)
browser.tabs.tabMinWidth (ref): ensure tab titles are readable and trigger the vertical dropdown earlier
network.cookie.cookieBehavior (ref): 1 (no third-party cookies)
browser.in-content.dark-mode: true (prefer dark CSS, see this discussion, new in FF 67), also set ui.systemUsesDarkTheme to 1. see this doc, also set "theme" to be "dark", flipping to "automatic" when i need "light"
privacy.resistFingerprinting: true (helps with fingerprinting, but breaks dark mode, see also this TB bug)
fixing the scroll bars:
- widget.gtk.overlay-scrollbars.enabled: false (don't overlay the scrollbars, make it take their own space)
- widget.non-native-theme.scrollbar.style: 4 ("windows 10" scrollbar style, which is a big, chunky, square-ish scrollbar)
- the actual width can be tweaked with widget.non-native-theme.scrollbar.size.override, I set it to 10
- a better approach might be to tweak the GTK theme instead...
  
  I ended up doing apt install breeze-gtk-theme which looks a bit better in other GTK apps, but somehow Firefox doesn't pick that up argh. I still set the following to have other GTK apps behave:
```
gsettings set org.gnome.desktop.interface gtk-theme Breeze-Dark
gsettings set org.gnome.desktop.interface color-scheme prefer-dark
gsettings set org.gnome.desktop.interface icon-theme Breeze-Dark
gsettings set org.gnome.desktop.interface icon-theme Breeze-Dark
gsettings set org.gnome.desktop.interface gtk-key-theme "Emacs"
gsettings set org.gnome.desktop.interface font-name "Noto Sans 11"
gsettings set org.gnome.desktop.interface document-font-name "Noto Sans 11"
gsettings set org.gnome.desktop.interface monospace-font-name "Fira Mono 11" 
```
  Useful hack:
```
gsettings list-recursively org.gnome.desktop.interface | grep -i font
```
  Source: https://wiki.archlinux.org/title/GTK
middlemouse.contentLoadURL (ref): false (got used to chromium not doing that, and it seems too risky: passwords can leak in DNS too easily if you miss the field)
U2F configuration:
- security.webauth.u2f - enable U2F token support, to use 2FA with the Yubikey and other 2FA tokens
- security.webauth.webauthn - enable WebAuthN support, not sure what that's for but it sounds promising
browser.urlbar.trimURLs: false. show protocol regardless of URL
dom.security.https_only_mode: true - only access HTTPS websites, click-through for bypass.

I also set privacy parameters following this user.js config which, incidentally, is injected in temporary profiles started with this firefox-tmp script I use to replace chromium --temp-profile. This is part of the effort to sanitize default Firefox behavior in Debian.

I also override certain site's stylesheets in my ~/.mozilla/firefox/*/chrome/userContent.css CSS file. For example, this restricts the width of pages in the Debian wiki:

/* limit paragraph width to ease reading, and center */
@-moz-document domain(wiki.debian.org) {
    div#content { max-width: 60em !important; margin: auto !important; }
}
@-moz-document domain(lwn.net) {
    div.ArticleText { max-width: 60em !important; margin: auto !important; }
}

The syntax of this file is basically undocumented. Its location and basic usage is documented in MozillaZine but not much further.

I add some search engines that are misconfigured from Mycroft and import my set of Debian bookmarks for quick access to Debian resources.

More similar projects:

arkenfox/user.js: "Firefox privacy, security and anti-tracking: a comprehensive user.js template for configuration and hardening"
SebastianSimon/firefox-omni-tweaks: "A script that disables the clickSelectsAll behavior of Firefox, and more."
Firefox Privacy Guide for Dummies!: actually pretty complete and not at all "for dummies"
Mullvad Browser: Tor Browser without Tor, has a good list of tweaks

Keybindings

I use the default keybindings in Firefox, but try to bind some extensions by hand. I have also meddled with using the web browser without the mouse.

I was originally using vimperator for a while, until the XULocalypse anyway...

Since then, quite a few vimperator alternatives have popped up. tridactyl is possibly the most prominent one. tridactyl has some annoyances, like C-f being bound to "page down" although that can be disabled with :unbind <C-f>.

vimium-ff (vimium) and vim-vixen are also working alternatives right now, although the vimperator folks say they lack some features, I couldn't figure out which. Vimium has the major problem of not entering the "edit mode" (where keybindings are not effective) in text areas, or at least in Etherpad.

SurfingKeys is another vim-like extension.

pentadactyl is the father to all of those, but seems to have disappeared off the internet. vimfx also did not survive the XULocalypse.

There's also lighter versions like link hints and key jump.

Krabby, another of those implementations, has an interesting list of alternatives. Krabby itself is marked as inactive in Qutebrowser's list of alternatives, it hasn't had a commit since 2021 at the time of writing (April 2023).

Other dead alternatives include:

salsa key, without vi-like keybindings, GitHub repository archived in 2022-11-07

Remaining work

My Firefox configuration is not fully automated yet. The user.js hacks above only go so far. For example, the search engine override doesn't seem to work anymore. Similarly, it is not possible to populate the following:

search engines
bookmarks
extensions

Bookmarks and search engines seems to be hackable through a distribution file (and a different one on mobile??), but I haven't figured out how that works just yet. It also seems extensions are going to become harder since Mozilla decided to stop sideloading for some obscure reason...

I miss the times where bookmarks where just that HTML file sitting in the profile directory...

History

I have been a long time user of the "Mozilla" family of web browsers. My first web browser (apart from lynx) was probably the venerable Netscape Navigator, which was eventually opened source into what was then called Pheonix and then Firefox. I eventually abandoned Firefox because of stability and features: an HTML5 video site would crash firefox, and when I tried it in Chromium, it worked, so I gave on up on Firefox then.

But now (Jan 2017) I have switched back to Firefox, mostly because of privacy reasons. There are multiple privacy issues in Chromium (which is supposed to be the unbranded version of the Google Chrome browser). Some infamous privacy intrusions were fixed, but others werent: bug Debian bug #792580 (phones home to DoubleClick and Google Analytics) was filed in 2015 and I confirmed it in 2016, and it's still not fixed. I have also found troubling the site engagement profile that Chromium builds on you (which carries over into the Incognito mode). I also had concerns that Chromium would keep history indefinitely, but it looks like it actually keeps it for 90 days. Firefox is now actually worst than Chromium in that regard as it keeps a dynamic number of pages instead of a configurable delay. I also had problems with Chromium not opening tabs when it's lacking focus (Debian bug #848930), a new regression that was really annoying as I visit a lot of websites... There's the ungoogled-chromium project which attempts to correct all of those issues, but that is yet another browser, and it's not packaged in Debian, so not really an option for me right now.

So long story short, I use firefox now. It's nice to root for the underdog anyways.

Remaining issues

My remaining concerns with Firefox, right now, are:

it's slower than Chromium: Firefox starts in about 2 seconds here whereas Chromium starts in less than a second (on curie, i3-6100U 4x2.3Ghz, 16GB of ram, on my laptop, it's even worst: about 7-8 seconds for Firefox and < 2 seconds for Chromium). since i usually have the browser already started, that's kind of okay. This is fixed in Firefox 57: it's super fast, startup time seems even faster than Chromium.
history retention settings are unclear - FF computes a number that "will not affect performance" but that may mean a number that is just huge. For example, it keeps 162 751 pages here, keeping pages well over 6 months. There are extensions to fix this like Expire history by days and History cleaner

Alternative browsers

Even though writing a browser is hard these days, quite a few people have tried to tackle this. Here are some interesting alternatives here:

Tor Browser: basically a fork of Firefox with (mandatory) Tor support baked in, alongside lots of strong privacy patches, includes No Script by default
Qutebrowser: keyboard-driven, Python and Qt5, QtWebEngine-based, some support for adblock
Luakit: "micro-browser framework", extensible with Lua, C, WebKit2, GTK+
vimb: vim-like, C, WebKit2, GTK

Dead browsers:

uzbl (2018)

Created 2017-01-18 11:20. Edited 2024-11-01 22:53.