# Isolation and Hardening of the Firefox Browser on macOS

## Objectives

- Physically isolate web browsing activity
- Configure Firefox for optimal privacy

## Procedure

1. Install the latest version of UTM for virtual machine management (UTM uses QEMU as its backend): https://mac.getutm.app/
   - 1.1. Disable clipboard sharing
   - 1.2. Do not enable folder sharing
2. Create the lightest possible Linux virtual machine
3. Install the latest version of the Firefox browser: https://www.firefox.com
4. Harden the Firefox browser configuration
   - 4.1. Initial settings
     - a. Enhanced Tracking Protection (ETP): go to Settings > Privacy & Security and set tracking protection to Strict.
     - b. History: in the same section, set history to "Never remember history" or enable automatic clearing on exit.
     - c. Telemetry data: immediately uncheck all options under "Firefox Data Collection and Use".
   - 4.2. Install extensions
     - a. uBlock Origin (uBO): essential.
     - b. Privacy Badger: developed by the EFF; it learns to block invisible and unlisted trackers.
     - c. Firefox Multi-Account Containers: allows you to isolate websites so they cannot track your activity across other sites.
   - 4.3. Hardening with about:config

     Type about:config in the address bar and accept the warning.
     - a. Disable Pocket (proprietary service):
       - "extensions.pocket.enabled = false"
     - b. Disable prediction/prefetching (these features speed up loading by downloading likely links, but reveal your browsing intentions):
       - "network.prefetch-next = false"
       - "network.dns.disablePrefetch = true"
       - "browser.urlbar.speculativeConnect.enabled = false"
     - c. Referrer control (prevents websites from knowing where you came from):
       - "network.http.sendRefererHeader = 0"
   - 4.4. Reduce fingerprinting
     - a. Enable the strongest anti-fingerprinting feature:
       - "privacy.resistFingerprinting = true"
     - b. Disable WebGL (WebGL can be used for advanced fingerprinting):
       - "webgl.disabled = true"
   - 4.5. Complete removal of telemetry
     - a. Even if telemetry is disabled in the settings, some internal mechanisms require explicit deactivation via about:config:
       - "toolkit.telemetry.enabled = false"
       - "toolkit.telemetry.server": leave empty or set to a non-functional local value.
       - "browser.ping-centre.telemetry = false"
       - "datareporting.healthreport.uploadEnabled = false"
       - "app.shield.optoutstudies.enabled = false"
   - 4.6. Network security and DNS
     - a. Go to Settings > Privacy & Security and choose Maximum Protection in the DNS over HTTPS section.
     - b. Enter your DNS provider: avoid default options (such as Cloudflare) and prefer an alternative like Quad9 (https://quad9.net).
5. Option: use a newly cloned VM for each sensitive browsing session to maintain a disposable virtual machine environment.

## History

Created: 2026.01.02
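
To confirm that the about:config values from sections 4.3 to 4.5 of the procedure were actually applied in the VM's Firefox profile, the following added example (not part of the original procedure) parses the text of a profile's prefs.js and reports every baseline preference that is unpinned or set differently. The sample input is constructed, and "toolkit.telemetry.server" is left out because the procedure gives no single value for it.

```python
import re

# Baseline copied from sections 4.3 to 4.5 of the procedure.
BASELINE = {
    "extensions.pocket.enabled": False, "network.prefetch-next": False,
    "network.dns.disablePrefetch": True, "browser.urlbar.speculativeConnect.enabled": False,
    "network.http.sendRefererHeader": 0, "privacy.resistFingerprinting": True,
    "webgl.disabled": True, "toolkit.telemetry.enabled": False,
    "browser.ping-centre.telemetry": False, "datareporting.healthreport.uploadEnabled": False,
    "app.shield.optoutstudies.enabled": False,
}
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
UNSET = "<not pinned>"  # absent from the file: Firefox's built-in default applies

def parse_prefs(text):
    """Parse user_pref("name", value); lines (prefs.js / user.js syntax)."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(text):
    """Return {pref: (expected, found)} for baseline prefs that are unset or differ."""
    prefs = parse_prefs(text)
    findings = {}
    for name, want in BASELINE.items():
        got = prefs.get(name, UNSET)
        # Compare the type too: in Python False == 0, but a bool pref is not an int pref.
        if type(got) is not type(want) or got != want:
            findings[name] = (want, got)
    return findings

SAMPLE = '''// constructed prefs.js excerpt, not taken from a real profile
user_pref("extensions.pocket.enabled", false);
user_pref("network.prefetch-next", true);
user_pref("network.http.sendRefererHeader", false);
user_pref("privacy.resistFingerprinting", true);
user_pref("webgl.disabled", true);
'''

if __name__ == "__main__":
    for name, (want, got) in audit(SAMPLE).items():
        print(f"{name}: expected {want!r}, found {got!r}")
```

A preference reported as `<not pinned>` is not necessarily wrong, since prefs.js only records values that differ from the built-in default; it means the value was never set explicitly and should be checked in about:config.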