Features

This list is not exhaustive…

NOTE: IronFox uses configs from Phoenix to harden and configure Gecko’s preferences. This page focuses on IronFox-specific changes; Phoenix changes that are major or overlap with ours may be covered, but not all of them are. For more information on Phoenix’s features, please see the documentation here.

⚠️ BEFORE PROCEEDING: Please see our Limitations page to better understand what IronFox can and cannot protect against.

Privacy

  • Blocks websites from accessing geolocation by default
  • Clears browsing history on exit by default
  • Clears cache on exit by default
  • Clears download history on exit by default
  • Clears open tabs on exit by default
  • Disables autofill/autocompletion of URLs by default
  • Disables disk cache by default, and adds a toggle to control it, located at IronFox -> IronFox settings -> Privacy -> Enable disk cache in settings
  • Disables disk cache for secure webpages by default, and adds a toggle to control it, located at IronFox -> IronFox settings -> Privacy -> Enable disk cache for secure webpages in settings
  • Disables network connectivity monitoring, and removes the ACCESS_NETWORK_STATE permission
  • Disables search suggestions by default
  • Disables trending search suggestions by default
  • Enables disk remnant avoidance at build-time
  • Enables DNS over HTTPS (DoH) with Max Protection (without fallback) by default, via Quad9
  • Enables Firefox’s built-in Cookie Banner Reduction by default, and exposes the toggle to enable/disable it for private browsing, located at Privacy and security -> Cookie Banner Blocker in private browsing in settings
  • Enables Global Privacy Control by default, and hides the UI to prevent users from easily/unnecessarily making themselves more fingerprintable
  • Enables proxy bypass protection at build-time
  • Enables Strict Enhanced Tracking Protection (ETP Strict)
  • Includes a default, local set of homepage wallpapers, instead of downloading them from a server remotely
  • Installs uBlock Origin by default, and configures it to provide stronger protection out of the box
  • Prevents the browser from fetching favicons for homepage shortcuts/pins on launch, without prior user interaction
  • Stubs the Beacon API (navigator.sendBeacon)

Fingerprinting

To combat fingerprinting, IronFox enables Mozilla’s Suspected Fingerprinters Protection (FPP). However, IronFox modifies the set of protections (targets) covered by FPP to match Resist Fingerprinting (RFP), with the following changes:

  • We allow first-party canvas data extraction, due to prompts unfortunately not being supported on Android (Third parties are still blocked from extracting canvas data, and canvas data is still randomized when extracted)
  • We do not unconditionally spoof CSS prefers-color-scheme, to allow users to enable Dark mode if desired (though we still enable light mode by default, see below)
  • We allow display of content over 60FPS

IronFox additionally:

  • Includes bundled fonts at build-time, to improve compatibility, and to help provide users with a baseline/common set of fonts
  • Prevents fingerprinting based on whether Firefox’s internal PDF viewer (PDF.js) is enabled or disabled
  • Sets the preferred website appearance (CSS prefers-color-scheme) to light mode by default, and adds an option to configure it independently of the browser’s theme (Like Firefox on Desktop), located at IronFox -> IronFox settings -> Preferred website appearance in settings
  • Spoofs the preferred locale for websites to English (en-US) by default, and adds a toggle to enable/disable it, located at IronFox -> IronFox settings -> Privacy -> Request English versions of webpages in settings

Security

Enhancements

  • Adds an internal list to configure specific fingerprinting protections on a per-site basis, to reduce breakage and harden protection as needed (This, as well as Mozilla’s override list that serves a similar purpose, can be disabled if desired, by setting privacy.fingerprintingProtection.remoteOverrides.enabled to false in your about:config)
  • Adds an option to configure the behavior of cross-origin referers, located at IronFox -> IronFox settings -> Privacy -> Cross-origin referer policy in settings
  • Adds a toggle to enable/disable IPv6 network connectivity, located at IronFox -> IronFox settings -> Miscellaneous -> Enable IPv6 network connectivity in settings
  • Adds a toggle to enable/disable JavaScript, located at IronFox -> IronFox settings -> Privacy and security -> Enable JavaScript in settings
  • Adds a toggle to enable/disable Scalable Vector Graphics (SVG), located at IronFox -> IronFox settings -> Security -> Enable Scalable Vector Graphics (SVG) in settings
  • Adds a toggle to enable/disable the tab bar, located at General -> Customize -> Tab bar display in settings
  • Adds a toggle to enable/disable WebAssembly (WASM), located at IronFox -> IronFox settings -> Security -> Enable WebAssembly (WASM) in settings
  • Adds a toggle to enable/disable WebGL (1, 2) globally, located at IronFox -> IronFox settings -> Privacy and security -> Enable WebGL in settings
  • Adds a toggle to enable/disable WebRTC (1, 2) globally, located at IronFox -> IronFox settings -> Security -> Enable WebRTC in settings
  • Allows zoom on all websites, even if they try to block it, by default
  • Blocks media autoplay by default
  • Blocks web notifications by default
  • Disables the Collections banner/placeholder on the homepage by default
  • Disables the display of recent tabs (Jump back in) on the homepage by default
  • Disables the display of recently visited bookmarks on the homepage by default
  • Disables the display of recently visited websites on the homepage by default
  • Disables history search suggestions by default
  • Disables recent search suggestions by default
  • Enables about:config, and exposes it at about:about
  • Expands the list of built-in DNS over HTTPS (DoH) resolvers to include AdGuard, AdGuard (Unfiltered), Cloudflare (Malware Protection), DNS0, DNS0 (ZERO), DNS4EU (Ad Blocking), DNS4EU (Protective), DNS4EU (Unfiltered), Mullvad (Base), Mullvad (Unfiltered), Quad9, and Wikimedia
  • Exposes the secret setting to enable the composable toolbar
  • Exposes the secret setting to enable the homepage search bar
  • Exposes the secret setting to enable the menu redesign
  • Exposes the secret setting to enable the Unified Trust Panel
  • Exposes the secret setting to open the homepage as a new tab
  • Exposes the setting to enable shortcut suggestions, located at General -> Search -> Address bar -> Show shortcuts
  • Exposes the setting to lock private browsing tabs with biometrics, located at Privacy and security -> Private browsing -> Use screen lock to hide tabs in private browsing
  • Hides the Passwords drop-down menu item if the browser’s password manager is disabled
  • Hides the Sync and save data drop-down menu item if Firefox Sync isn’t signed in
  • Prevents Firefox from adding random recently visited sites to shortcuts/pins on the homepage
  • Prevents Firefox from hardcoding and resetting various preferences on start, to allow users to configure them from the about:config if desired
  • Removes privacy-invasive search engines (Baidu, Bing, Cốc Cốc, Ecosia, Google, Qwant, Reddit, Seznam, Yahoo, YouTube), and adds various privacy-respecting search engines (DuckDuckGo (HTML), DuckDuckGo (Lite), DuckDuckGo (No AI), Mojeek, Mullvad Leta (w/ Brave’s index), Mullvad Leta (w/ Google’s index), Startpage, and Startpage (EU)) by default, as well as the option to use no search engine at all
  • Removes the search widget onboarding page
  • Removes the unnecessary/unwanted Customize homepage button from the homepage
  • Sets the default search engine to DuckDuckGo

Misc

Mozilla

  • Adds support for installing add-ons without the privileged mozAddonManager API, and disables the mozAddonManager API by default, to allow uBlock Origin to run on addons.mozilla.org, to prevent exposing a list of the user’s installed add-ons to Mozilla, and to reduce attack surface (1, 2)
  • Disables contextual feature recommendations, and unwanted promotional content
  • Disables Contile (Sponsored tiles)
  • Disables crash reporting for Fenix (Firefox for Android) at build-time
  • Disables crash reporting for Gecko at build-time
  • Disables feedback surveys (Microsurveys)
  • Disables fetching featured collections/recommendations and extension icons from AMO (services.addons.mozilla.org)
  • Disables Firefox Suggest by default
  • Disables MARS (Mozilla Ad Routing Service)
  • Disables Mozilla’s GeoIP/Region Service
  • Disables nags encouraging users to interact with certain browser features
  • Disables Pocket integration
  • Disables prompts encouraging users to set the browser as the system default
  • Disables remote configuration of search engines from Mozilla
  • Disables telemetry and data collection for Fenix (Firefox for Android) at build-time
  • Disables telemetry and data collection for Gecko at build-time (1, 2)
  • Disables the “Sent from Firefox” footer/link sharing feature
  • Disables Studies and experimentation
  • Disables submission of crash reports to Mozilla
  • Disables submission of technical and interaction data to Mozilla
  • Removes the built-in Mozilla Android Components - Ads Telemetry and Mozilla Android Components - Search Telemetry browser extensions
  • Removes the Firefox Sync onboarding page
  • Removes Mozilla’s default pins/shortcuts from the homepage
  • Removes Mozilla’s URL referral parameters from the built-in DuckDuckGo and Wikipedia search engines
  • Removes the Web Compatibility Reporter
  • Prevents Fenix (Firefox for Android) from fetching/managing experiments with Nimbus
  • Prevents Gecko from fetching/managing experiments with Nimbus
  • Prevents Remote Settings from downloading collections that are not specified in preferences