Frequently Asked Questions

This FAQ documents version 6.8 of the settings. Make sure to always upgrade to the latest version of the browser. If your question is not answered here, you can try to get answers in our Gitter / Matrix room, or on r/LibreWolf and c/LibreWolf.

Alternatively, you could check the parts in the Firefox documentation that could be relevant:

Security and Privacy:

How often do you update LibreWolf?

LibreWolf is always based on the latest version of Firefox. Updates usually come within three days from each upstream stable release, at times even the same day. Unless problems arise, we always try to release often and in a timely manner.

It should however be noted that LibreWolf does not have auto-update capabilities, and therefore it relies on package managers or users to apply them.

Can I use LibreWolf with Tor?

Please don't.

The Tor Browser is specifically designed to reduce fingerprintability and to work on Tor. Using LibreWolf or any other browser would make you stand out and it is not recommended.

Why do you disable Google Safe Browsing?

We disable Safe Browsing as we consider it a censorship concern, and we would rather not let Google control another aspect of the internet. With that being said, Safe Browsing is still a good security tool and Mozilla's implementation is privacy respecting: for this reason those who are interested in the extra security, and in particular less technical users, can and should safely enable it.

Despite the above concerns, we are open to re-evaluating and recommending Safe Browsing with the right defaults. Unfortunately, to be fully functional, Safe Browsing requires to include a developer key at build time: this means that a Google account becomes a hard requirement for anyone building from source. This also means that LibreWolf cannot provide a fully functional Safe Browsing experience at the moment.

More details are available at this link.

Do you recommend using any extensions?

Yes, in fact we include uBlockOrigin in the browser. We also have a few suggestions that you can look at.

However, as a general rule, you shouldn't install too many add-ons. Each add-on is a new potential source of security vulnerabilities and may make you stand out.

What are some tips on a more hardened setup?

To improve your privacy we suggest enabling letterboxing, in order to prevent your real window size from being fingerprinted. This can be especially useful if you resize your window.

It's also possible to further limit the behavior of cross-origin referers, although it's worth noting that this might cause breakage.

Should I allow canvas access? How do I do it?

Please be mindful when allowing canvas access as it is a very strong fingerprinting vector; however, if you are already logged into a website you shouldn't stress too much about giving it canvas access because they already know who you are.

Canvas can be handled on a per-site basis thank to RFP. You will be prompted for access next to the URL bar, so look for the icon there.

Why is the built-in password manager disabled?

We believe you should use a password manager that is better for your security and comfort, please consider some of the options in our recommended addons.

Does LibreWolf use HTTPS-Only mode?

Yes, and you won't need any extension for that. HTTP can still be allowed for certain sites.

Does LibreWolf make any outgoing connections?

Yes, but they aren't in any way privacy invading and they were carefully evaluated. Specifically they are needed to fetch and update the blocking lists used by uBO, Tracking Protection and certificate revocation, which we considered more important than disabling all outgoing connections, especially ones that are harmless. LibreWolf also makes an occasional connection to check wether you have received push notifications from websites you have subscribed to.

With that being said, LibreWolf is still commited to removing all privacy invading connections, and to keep all connections to the bare minimum required to maximize and balance privacy and security.

What is Enhanced Tracking Protection?

In LibreWolf we decided to enable Enhanced Tracking Protection, as it plays nicely with uBO and it can block some extra scripts. Additionally, when set to strict it includes dFPI, SmartBlock, enhanced cookie cleaning, stricter referrer policies and URL query stripping. For this reason, we always suggest the default strict mode, and when using it please do not enable FPI, as it interferes with the more recent dFPI.

Finally, there's no point in changing from strict to any other mode, as strict mode doesn't usually cause any kind of breakage, and changing to custom mode to block cookies will come at the expense of disabling partitioning: not worth it, so we decided to hide the UI that allows users to change this setting. You can instead whitelist specific websites from the urlbar. More details are available at this link.

Tracking Protection requires some occasional outgoing connections, in order to fetch its blocking lists: these connections are harmless for privacy, and TP has a flawless track record in this regard. A particular important connection is the one that TP makes on first launch, as without it the feature cannot effectively work. If you want, you can block these outgoing connections by using the following overrides:

defaultPref("browser.safebrowsing.provider.mozilla.updateURL", "");
defaultPref("browser.safebrowsing.provider.mozilla.gethashURL", "");

As stated above, and despite what you see in the Settings UI, blocking these connections will cause TP to stop working, as it won't be able to use the lists that allow it to block known tracking, cryptomining and fingerprinting scripts.

Why isn't First Party Isolate enabled by default?

FPI is not enabled by default as we use dFPI, and the two do not work well together. dFPI is a newer implementation and it causes less breakage, plus it is included by default when using Tracking Protection in strict mode.

Please also notice that dFPI makes containers and containers extensions redudant, unless you want to protect your privacy when visiting the same website multiple times, during the same browsing sessions.

Why can't I use always-on private browsing?

We have decided to hide that option as it doesn't provide any benefit over the default cleaning mechanism of LibreWolf. Instead it introduces many regressions, as it doesn't respect cookie exceptions and installed addons, while also being fingerprintable.

Can LibreWolf protect my public IP address?

No. If you care about protecting your IP address, you should use a VPN or even better use the Tor Browser.

How do I disable IPv6?

Instead of disabling IPv6 in the browser, we recommend enabling the IPv6 privacy extension at the OS level. macOS and Windows users are already covered, but some Linux distros do not enable it by default.

Usability

What are the most common downsides of RFP (Resist Fingerprinting)?

It is possible that users will experience breakage because of RFP: usually this is caused by canvas access, which can be relaxed on a per-site basis.

Other common problems brought by RFP include:

  • spoofed timezone.
  • forced light theme.
  • smaller and fixed window size on startup.
  • suppressed keyboard modifier events using alt-keys.

There's no real workaround for these annoyances as they are intended to protect your privacy. Tweaking them using extensions or preferences significantly impacts the effectiveness of RFP, both for the users themselves, and the rest of the userbase: modifications create a subset of users who stand out and reduce the number of RFP users who look the same, making it worse for everyone.

For this very reason we suggest against modifying any metric involved in RFP, as even a single change could make it useless. We also suggest users to get used to RFP and stick with it as much as possible: it is a very powerful tool that gets improvements as the result of the Tor Uplift Project, and it will surely benefit your privacy in a major way.

If you don't like the downsides of RFP, or you are not concerned about fingerprinting, you can disable RFP in the LibreWolf settings, or in your overrides.

In that case consider using an extension like CanvasBlocker to retain at least a minimum amount of fingerprinting protection.

Why am I seeing striped images?

If you see striped images in your browser, that's most likely caused by the fact that the website needs canvas access to display them properly. Check out how to allow it.

What should I do if video conferencing is not working?

Videoconferencing platforms may require one or more of the following features:

Why is Session Restore not working?

Session restore will not work unless you preserve your browsing history. However, LibreWolf deletes history on shutdown by default. If you want to use session restore, set your browser to not delete history, via settings or overrides.

How do I stay logged into specific websites?

Add an exception at Settings > Privacy & Security > Cookies and Site Data > Manage Exceptions. Make sure you add a website to the exceptions before you login, both http and https versions of the domain. If you want to stay logged into www.example.com enter example.com and click on "Allow": you should then see the two versions listed, and you can go ahead and save the changes.

Why is LibreWolf forcing light theme?

This is one of the privacy measure that come with RFP (Resist Fingerprinting). Our stance is that if you care about fingerprinting protection you should never alter RFP behavior in any way.

If you still want the dark theme for web content, check whether your favourite websites allow to set it manually.

How do I enable search suggestions?

If you use a privacy respecting search engine go to Settings > Search > Search Suggestions, and enable search suggestions.

How do I add a search engine?

LibreWolf provides a selection of privacy respecting search engines, but you can add more by following this guide.

Please note that some search engines, most notably Google, do not comply with the OpenSearch standard so you will not be able to add them the usual way. In that case, you can also check The Mycroft Project for an alternative source of search engine plugins.

How do I allow autoplay of media?

Autoplay can be controlled on a per-site basis from your urlbar.

How do I enable push notifications?

Push notifications require to set a per-site exception, just like with cookies.

How do I enable DRM?

We disable DRM by default, as we consider it a limitation to user freedom. Take a moment to read about it before you go ahead and enable it.

DRM support can be enabled from Settings > General > Digital Right Management (DRM) Content. Additionally, a pop-up and an icon in your URL bar will show up when a website is trying to use DRM.

Can I safely change language in the browser?

Yes, you can normally apply language packs from the settings. To protect your privacy, LibreWolf will make you appear to websites as a en-US user.

Can I set a default download directory?

As a security measure, LibreWolf asks for user interaction after each download. You can change that in Settings > General > Files and Applications > Downloads > Save files to..

Can I use Firefox Sync with LibreWolf? Is it safe to do so?

Yes, you can enable it in your the LibreWolf specific UI or in your overrides. There aren't significant downsides as Firefox Sync encrypts your data locally before transmitting it to the server. Additionally, you can self-host the old version of the server if you really don't want to use Mozilla's, and there's work being done to have the new version equally easy to self-host. Find out more about the technical details of Sync's implementation here and here.

When using Sync across multiple installations you might want to disable settings synchronization to avoid unintentional changes.

I'm getting the "SSL_ERROR_UNSAFE_NEGOTIATION" error. What can I do?

The server you are trying to reach does not support RFC 5746 and is potentially vulnerable to MiTM attacks. You can bypass this warning by flipping security.ssl.require_safe_negotiation to false in about:config, but we do not recommend adding this to your overrides as it is a bad default.

I'm getting "SEC_ERROR_OCSP_SERVER_ERROR". What can I do?

We enable OCSP in hard-fail mode, meaning that if the revocation status of a certificate cannot be verified because the CA cannot be reached, then it will be treated as broken. While this improves security, it could also decreases usability as OCSP servers tend to be down often.

If you're experiencing this error:

  • OCSP servers tend to get blocked by host files and blocking lists by mistake, so check your firewall and blocking lists first.
  • OCSP is not compatible with most proxy and vpn extensions, so that's also something to consider.

If instead a server is actually down, you can consider disabling hard-fail mode in the LibreWolf settings, or using overrides.

Linux specific questions:

The solution is also described in this issue.

When setting LibreWolf as a handler to open links with, in some circumstances, environment variables parsed during "regular" launch are not parsed / applied when opening LibreWolf as a handler (XDG MIME handling) when using Wayland. Librewolf then either gets launched without opening the link or by giving an error ('Librewolf is already running').

This can be fixed by placing a modified .desktop file in ~/.local/share/applications/.

It's easiest to just copy the existing .desktop file (for native packages /usr/share/applications/librewolf.desktop, for Flatpak ~/.local/share/flatpak/exports/share/applications/io.gitlab.librewolf-community.desktop) to ~/.local/share/applications/ and edit the Exec lines:

Flatpak
# io.gitlab.librewolf-community.desktop
Exec=/usr/bin/flatpak run --env=GDK_BACKEND=wayland --branch=stable --arch=x86_64 --command=librewolf --file-forwarding io.gitlab.librewolf-community @@u %u @@
Exec=/usr/bin/flatpak run --env=GDK_BACKEND=wayland --branch=stable --arch=x86_64 --command=librewolf --file-forwarding io.gitlab.librewolf-community @@u %u @@
Exec=/usr/bin/flatpak run --env=GDK_BACKEND=wayland --branch=stable --arch=x86_64 --command=librewolf --file-forwarding io.gitlab.librewolf-community --private-window @@u %u @@
Exec=/usr/bin/flatpak run --env=GDK_BACKEND=wayland --branch=stable --arch=x86_64 --command=librewolf --file-forwarding io.gitlab.librewolf-community --ProfileManager @@u %u @@

For Flatpak, this might also be possible by using flatpak override --user --env=GDK_BACKEND=wayland io.gitlab.librewolf-community, but this is not yet tested.

Native Linux Package
# librewolf.desktop

Exec=env GDK_BACKEND=wayland MOZ_ENABLE_WAYLAND=1 /usr/lib/librewolf/librewolf %u
Exec=env GDK_BACKEND=wayland MOZ_ENABLE_WAYLAND=1 /usr/lib/librewolf/librewolf --new-window %u
Exec=env GDK_BACKEND=wayland MOZ_ENABLE_WAYLAND=1 /usr/lib/librewolf/librewolf --private-window %u

How do I get native messaging to work?

To get native messaging to work, for example for the Plasma Integration, create two symlinks by running these commands:

ln -s ~/.mozilla/native-messaging-hosts ~/.librewolf/native-messaging-hosts

sudo ln -s /usr/lib/mozilla/native-messaging-hosts /usr/lib/librewolf/native-messaging-hosts

How can I get Tridactyl's native messaging to work when I install Librewolf with Flatpak?

To get Tridactyl's native feature to work Tridactyl's install script needs to look into Librewolf's app data directory and be allowed to read the user's RC file.

Execute the following:

curl \
	https://gitlab.com/librewolf-community/browser/common/-/raw/master/helpers/tridactyl-install.sh \
	> /tmp/tridactyl-install.sh
sed -i \
	's/\.librewolf/\.var\/app\/io\.gitlab\.librewolf-community\/\.librewolf/g' \
	/tmp/tridactyl-install.sh
chmod +x /tmp/tridactyl-install.sh
/tmp/tridactyl-install.sh

# If installed onto the system, rather than the user, then remove `--user`
flatpak --user override io.gitlab.librewolf-community --filesystem="${XDG_CONFIG_HOME:-~/.config}"/tridactyl
flatpak --user override io.gitlab.librewolf-community --filesystem="${XDG_DATA_HOME:-~/.local/share}"/tridactyl

I get the APT error "Certificate verification failed"

If you get an error message that looks something like this

Err:5 https://deb.librewolf.net uma Release
  Certificate verification failed: The certificate is NOT trusted. The certificate chain uses expired certificate.  Could not handshake: Error in the certificate verification. [IP: 116.203.248.82 443]
Reading package lists... Done
E: The repository 'http://deb.librewolf.net uma Release' does not have a Release file.
N: Updating from such a repository can't be done securely, and is therefore disabled by default.
N: See apt-secure(8) manpage for repository creation and user configuration details.

You can try to fix it by running

sudo apt install ca-certificates

macOS specific questions:

How do I install LibreWolf on macOS?

As explained in the install section you can either build from source following the build guide, install using a disk image from the releases or install using HomeBrew.

How do I build LibreWolf on macOS?

You can build from source following the build guide.

How do I update LibreWolf on macOS?

To update the browser on macOS you need to grab the latest .app and drag it into your Applications directory, or if you installed using HomeBrew you can do it as you would for every other cask.

Is LibreWolf available via Homebrew?

LibreWolf is available as a cask, so you can install entering brew install --cask librewolf.

Does LibreWolf work on M1 machines?

Yes, we provide native builds for both Intel and ARM based machines. If you own a M1 powered MacBook the relative builds are refered to as aarch64, they are cross-compiled and we did not test them before release. Please consider that the build time on M1 is relatively low, so building from source is probably worth it in any case.

Why is LibreWolf marked as broken?

It is possible that M1 users see their recently downloaded LibreWolf flagged as broken or unsafe by the OS.

This happens because we do not notarize the macOS version of the browser: we don't have a paid Apple Developer license and we don't want to support this signing mechanism that is put behind a paywall without providing significant gains.

Here you can find a proposed fix, and the relative discussion. Alternatively, you can remove the quarantine attribute directly from brew:

brew install librewolf --no-quarantine

How do I get native messaging to work?

You need to add the following symbolic link:

ln -s ~/Library/Application\ Support/Mozilla/NativeMessagingHosts ~/Library/Application\ Support/LibreWolf/NativeMessagingHosts

This is necessary to get KeePassXC-Browser extension to work.

General questions

Why don't you accept donations?

We don't want to deal with the administration required to properly handle donations. If we don't need funding, we won't risk becoming dependent on it. And also: no donations means no expectations. This means that people working on LibreWolf are free to move on to other projects whenever they want.

Do you have any contribution guidelines?

Before opening a new issue we require that you read the FAQ in full and that you check out the settings page. We also ask you to look for existing issues that address your problem, before opening redundant ones. When opening a new issue make sure you follow the template if it exists, and after you did we ask you to contribute to it, by providing the needed details. When these simple rules are not respected, issues might be closed by maintainers.

Suggestions, improvements and contributions to LibreWolf are appreciated in the form of merge requests, or alternatively well documented issues. We suggest interested contributors to join us on Matrix.

I have a problem. Where do I open a new issue?

Once you have read the contribution guidelines and you are sure you want to open a new issue, follow these rules:

  • if the problem is OS-specific, use one of the relative repos;
  • if the problem is related to the behavior of the browser on web pages, use the settings repo;
  • if you have a general feature suggestion, use the source repo;
  • if you want to ask about a platform which isn't supported yet or you want to help with a new build, use the bsys5 repo;
  • if you have a suggestion about docs or regarding the website, use the website repo.

Will you provide an Android version of LibreWolf?

At the moment nobody is working on it, and it is not something we have considered investing time in.