· Docs · Digital Sovereignty

Firefox: Arkenfox + Container Setup

Targeted threat model: corporations, ISPs, state-level actors. Assumes Firefox as primary browser, Brave as fallback.

Contents
01

Arkenfox user.js setup

Arkenfox is a maintained user.js file that overrides Firefox's defaults at the config level — no extension required. It covers fingerprint resistance, telemetry, network leaks, and history handling that extensions can't touch.

What it does that uBlock Origin can't: disables WebGL fingerprinting, canvas API, AudioContext, font enumeration, window sizing leaks, and Firefox's own telemetry and studies. These are browser-engine features — no extension has the scope to block them.

Step 1 — Locate your Firefox profile

01
Open Firefox and navigate to about:profilesFind your active profile — it will say "This is the profile in use"
02
Click Open Folder next to "Root Directory"On macOS: ~/Library/Application Support/Firefox/Profiles/xxxxxxxx.default
03
Note this path — you'll put arkenfox files here

Step 2 — Download arkenfox

terminal 
# Navigate to your profile directory
cd ~/Library/Application\ Support/Firefox/Profiles/YOURPROFILE

# Download user.js and the updater script
curl -O https://raw.githubusercontent.com/arkenfox/user.js/master/user.js
curl -O https://raw.githubusercontent.com/arkenfox/user.js/master/updater.sh

# Make updater executable
chmod +x updater.sh

Step 3 — Create your overrides file

Never edit user.js directly — it gets overwritten on updates. Instead, create user-overrides.js in the same directory with your personal tweaks:

user-overrides.js — tuned for your setup 
/* ---- Arkenfox overrides — tuned for your threat model ---- */

/* Keep search suggestions off (you use SearXNG locally) */
user_pref("browser.search.suggest.enabled", false);
user_pref("browser.urlbar.suggest.searches", false);

/* Point default search to your local SearXNG instance */
/* Set this manually in Firefox settings after setup */

/* Re-enable smooth scrolling (arkenfox disables it) */
user_pref("general.smoothScroll", true);

/* Allow custom fonts — arkenfox blocks them; re-enable if sites break */
user_pref("browser.display.use_document_fonts", 1);

/* Keep containers enabled — arkenfox doesn't touch this but explicit is better */
user_pref("privacy.userContext.enabled", true);
user_pref("privacy.userContext.ui.enabled", true);

/* WebRTC: disable to prevent IP leaks over VPN */
user_pref("media.peerconnection.enabled", false);

/* Disable pocket — not needed */
user_pref("extensions.pocket.enabled", false);

/* letterboxing: enabled — rounds window dimensions to reduce fingerprint */
user_pref("privacy.resistFingerprinting.letterboxing", true);

/* Disable Firefox telemetry and studies explicitly */
user_pref("datareporting.healthreport.uploadEnabled", false);
user_pref("app.shield.optoutstudies.enabled", false);
user_pref("browser.discovery.enabled", false);

Step 4 — Apply and update

01
Run ./updater.sh — this merges user.js + user-overrides.jsSay yes when asked if you want to run the cleaner script
02
Restart Firefox completely
03
Verify at about:config — search resistFingerprinting — should be true
04
Run ./updater.sh again after every Firefox major updateAdd a calendar reminder — arkenfox releases align with Firefox ESR cycles
Sites that will break: Anything relying on canvas (some CAPTCHAs), WebGL (3D maps, games), and some legacy SSO flows. Use Brave as the fallback for these — don't whitelist them in Firefox.
02

uBlock Origin in medium mode

Easy mode blocks cosmetic ads. Medium mode blocks all third-party scripts and frames by default — you whitelist selectively. This is the biggest single tracking reduction available without breaking your browsing model entirely.

Expected friction: ~10–15 sites will break the first time you visit. You'll click the uBlock icon and allow specific domains. After a week you'll rarely need to touch it.

Enabling medium mode

01
Open uBlock Origin dashboard → Filter lists tab
02
Go to My rules tab and add these two rules:This is what activates medium mode
uBlock Origin — My rules 
# Block all third-party scripts by default
* * 3p-script block
# Block all third-party frames by default
* * 3p-frame block

Recommended filter lists

List Purpose Priority
uBlock filters (default) Core ad/tracker blocking must
EasyList Ad network coverage must
EasyPrivacy Tracker network coverage must
uBlock – Annoyances Cookie banners, overlays recommended
Peter Lowe's list Ad servers + tracking recommended
AdGuard Tracking Protection Supplements EasyPrivacy recommended
Privacy Badger Redundant — you have uBO remove
03

Firefox container structure

The goal is identity isolation — each container has a separate cookie jar, session store, and indexedDB. Sites in different containers cannot correlate your activity even if they share trackers. Install Firefox Multi-Account Containers + Container Tabs extensions, then build this structure:

PERSONAL
Proton Mail, Proton Pass, personal services tied to your real identity
proton.me protonmail.com protonvpn.com your custom domain
→ Never open social or shopping here
SOCIAL
All social platforms — fully isolated from everything else. Assume everything here is surveilled.
twitter.com instagram.com facebook.com linkedin.com
→ No real browsing, no logins to other services
RESEARCH
Sensitive browsing, activism, digital rights work. No persistent logins. Clear on close.
no logins SearXNG archive.org tor-adjacent
→ For high-sensitivity: use Tor Browser instead
SHOPPING
E-commerce, delivery, price tracking. Isolated so purchase history can't be correlated with browsing.
amazon e-commerce delivery apps
→ Use alias email addresses here
WORK / DEV
Development tools, GitHub, professional services, documentation. Clean separation from personal.
github.com dev tools docs CI/CD
→ Work identity stays here only
FINANCE
Banking, investments, crypto. Completely isolated — never mix with shopping or social.
banking brokerage crypto tax
→ Never open unsolicited links here
THROWAWAY
One-off logins, link previews, untrusted sites, anything you don't want touching other containers.
temp signups unknown links trials
→ Clear cookies after every session
MEDIA
Streaming services — isolated so viewing habits can't be correlated with identity or research containers.
netflix youtube spotify streaming
→ Never open links from here in other containers
Automation tip: Use the "Always open in this container" feature — right-click any container → Manage → assign domains. After setup, proton.me always opens in PERSONAL, twitter.com always in SOCIAL. Zero manual switching.
The single most effective habit: Never open an unfamiliar link directly in your current container. Right-click → Open in Container → Throwaway for any link you didn't explicitly navigate to yourself. This one habit closes more correlation vectors than most technical controls — a tracker embedded in a link can tie your RESEARCH identity to your PERSONAL one if you open it in the wrong container.
High-sensitivity research: The RESEARCH container reduces correlation but doesn't anonymise you at the network level. Your WireGuard tunnel helps, but for genuinely sensitive work (activism, digital rights) use Tor Browser as a separate application — not a container, not Brave, not a VPN-over-Firefox setup.
04

Brave cleanup

Keep Brave as your fallback for sites that break under hardened Firefox. But strip the features that reintroduce telemetry:

01
Disable Brave Rewards — Settings → Brave Rewards → toggle offThe BAT/ad replacement system phones home to Brave's ad servers
02
Disable Brave News — New Tab → hide feedFetches content from Brave's CDN, tied to your install ID
03
Disable Brave Wallet — Settings → Web3 → Default wallet → NoneUnless you actively use it — otherwise it's unnecessary attack surface
04
Set Shields to Aggressive — brave://settings/shieldsBrave's fingerprint resistance is genuinely good — let it do its job
05
Search engine → set to your local SearXNG instancebrave://settings/search → add custom search engine with your Pi's SearXNG URL
05

Final checklist

Arkenfox user.js installed and user-overrides.js applied
uBlock Origin in medium mode with recommended filter lists
Privacy Badger removed
8 containers created with domain assignments automated (Personal, Social, Research, Shopping, Work/Dev, Finance, Throwaway, Media)
Habit set: unfamiliar links always opened in Throwaway container via right-click → Open in Container
Firefox Sync disabled or using throwaway Mozilla account
SearXNG set as default search in both Firefox and Brave
Brave: Rewards, News, Wallet disabled — Shields on Aggressive
Tor Browser installed separately for high-sensitivity research
WebRTC disabled via user-overrides.js — verify at browserleaks.com/webrtc
Fingerprint test at coveryourtracks.eff.org — should show "strong protection"
Run arkenfox updater.sh after every Firefox major version update — add a calendar reminder
kasunben · created · updated
#digital-sovereignty #firefox #privacy