misc (#1040)

* misc - cleanup of old release notation in comments: e.g. if it's not applicable to ESR78+ - same with default version info - simplify and save bytes on section 4700 - update 4500 header - and unify the message about using extensions as counterproductive - letterboxing - provide info on stepped ranged (and drop crap about FF67) - don't judge users who dislike seeing margins (I don't like them either, but I force my window to exact dimensions and stay there) - screenshots uploading was disabled in FF67+ : [67 release notes](https://www.mozilla.org/en-US/firefox/67.0/releasenotes/) - the pref is still there (default false) but so far I'm 99% sure this pref now does anything - I will add it to the scatchpad script if this change sticks * simplify 4500 RFP, see #1041 * update removed script * tidy readme, see #1045 - also put readme before releases * RIP FX Site Compat * clean out RFP Alts info: the information is redundant: it's already in the readme
2025-11-03 23:35:26 +01:00 · 2020-10-21 00:58:20 +13:00
parent f591a8adf8
commit 0adfddd1e2
2 changed files with 110 additions and 150 deletions
--- a/scratchpad-scripts/arkenfox-clear-removed.js
+++ b/scratchpad-scripts/arkenfox-clear-removed.js
@@ -1,7 +1,7 @@
 /***
 This will reset the preferences that have been removed completely from the arkenfox user.js.
- Last updated: 2-Oct-2020
+ Last updated: 18-Oct-2020
 For instructions see:
 https://github.com/arkenfox/user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@@ -225,6 +225,10 @@
    'browser.urlbar.usepreloadedtopurls.enabled',
    /* 80 */
    'dom.IntersectionObserver.enabled',
    /* 82-beta */
    'extensions.screenshots.upload-disabled',
    'security.ssl3.dhe_rsa_aes_128_sha',
    'security.ssl3.dhe_rsa_aes_256_sha',
    /* reset parrot: check your open about:config after running the script */
    '_user.js.parrot'
  ]
--- a/user.js
+++ b/user.js
@@ -5,40 +5,34 @@
 * url: https://github.com/arkenfox/user.js
 * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
 * releases: These are end-of-stable-life-cycle legacy archives.
            *Always* use the master branch user.js for a current up-to-date version
       url: https://github.com/arkenfox/user.js/releases
 * README:
-  0. Consider using Tor Browser if it meets your needs or fits your threat model better
+  1. Consider using Tor Browser if it meets your needs or fits your threat model better
       * https://www.torproject.org/about/torusers.html.en
-  1. READ the full README
+  2. Required reading: Overview, Backing Up, Implementing, and Maintenance entries
-     * https://github.com/arkenfox/user.js/blob/master/README.md
+       * https://github.com/arkenfox/user.js/wiki
-  2. READ this
+  3. If you skipped step 2, return to step 2
-     * https://github.com/arkenfox/user.js/wiki/1.3-Implementation
+  4. Make changes
-  3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
+       * There are often trade-offs and conflicts between security vs privacy vs anti-fingerprinting
-     * Real time binary checks with Google services are disabled (0412)
+         and these need to be balanced against functionality & convenience & breakage
-     * You will still get prompts to update Firefox, but auto-installing them is disabled (0302a)
+       * Some site breakage and unintended consequences will happen. Everyone's experience will differ
-     * Some user data is erased on close (section 2800). Change this to suit your needs
+         e.g. some user data is erased on close (section 2800), change this to suit your needs
-     * EACH RELEASE check:
+       * While not 100% definitive, search for "[SETUP" tags
-         - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
+       * Take the wiki link in step 2 and read the Troubleshooting entry
-                  or enable them as an alternative to RFP (or some of them for ESR users)
+  5. Some tag info
         - 9999s: reset deprecated prefs in about:config or enable the relevant section for ESR
     * Site breakage WILL happen
         - There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting
           and these need to be balanced against Functionality & Convenience & Breakage
     * You will need to make changes, and to troubleshoot at times (choose wisely, there is always a trade-off).
       While not 100% definitive, search for "[SETUP". If required, add each pref to your overrides section at
       default values (or comment them out and reset them in about:config). Here are the main ones:
       [SETUP-SECURITY] it's one item, read it
            [SETUP-WEB] can cause some websites to break
-         [SETUP-CHROME] changes how Firefox itself behaves (i.e. NOT directly website related)
+         [SETUP-CHROME] changes how Firefox itself behaves (i.e. not directly website related)
           [SETUP-PERF] may impact performance
-         [SETUP-HARDEN] maybe you should consider using the Tor Browser
+              [WARNING] used sparingly, heed them
-     * [WARNING] tags are extra special and used sparingly, so heed them
+
-  4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)
+* RELEASES
-  5. KEEP UP TO DATE: https://github.com/arkenfox/user.js/wiki#small_orange_diamond-maintenance
+
  * Archive: https://github.com/arkenfox/user.js/releases
  * Use the correct release that matches your Firefox version
  * Each release
    - run the prefsCleaner or reset deprecated prefs (9999s) and prefs made redundant by RFP (4600s)
    - re-enable section 4600 if you don't use RFP
 * INDEX:
@@ -68,7 +62,7 @@
  4000: FPI (FIRST PARTY ISOLATION)
  4500: RFP (RESIST FINGERPRINTING)
  4600: RFP ALTERNATIVES
-  4700: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING)
+  4700: RFP ALTERNATIVES (USER AGENT SPOOFING)
  5000: PERSONAL
  9999: DEPRECATED / REMOVED / LEGACY / RENAMED
@@ -340,10 +334,8 @@ user_pref("extensions.systemAddon.update.url", ""); // [FF44+]
 /* 0506: disable PingCentre telemetry (used in several System Add-ons) [FF57+]
 * Currently blocked by 'datareporting.healthreport.uploadEnabled' (see 0340) ***/
 user_pref("browser.ping-centre.telemetry", false);
-/* 0515: disable Screenshots
+/* 0515: disable Screenshots ***/
 * alternatively in FF60+, disable uploading to the Screenshots server ***/
   // user_pref("extensions.screenshots.disabled", true); // [FF55+]
   // user_pref("extensions.screenshots.upload-disabled", true); // [FF60+]
 /* 0517: disable Form Autofill
 * [NOTE] Stored data is NOT secure (uses a JSON file)
 * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
@@ -365,7 +357,7 @@ user_pref("network.prefetch-next", false);
 /* 0602: disable DNS prefetching
 * [1] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
 user_pref("network.dns.disablePrefetch", true);
-user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true FF70+]
+user_pref("network.dns.disablePrefetchFromHTTPS", true); // [DEFAULT: true]
 /* 0603: disable predictor / prefetching ***/
 user_pref("network.predictor.enabled", false);
 user_pref("network.predictor.enable-prefetch", false); // [FF48+]
@@ -417,8 +409,7 @@ user_pref("network.http.altsvc.oe", false);
 * as a remote Tor node will handle the DNS request
 * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
 user_pref("network.proxy.socks_remote_dns", true);
-/* 0708: disable FTP [FF60+]
+/* 0708: disable FTP [FF60+] ***/
 * [1] https://www.fxsitecompat.dev/en-CA/docs/2020/ftp-support-will-be-removed/ ***/
   // user_pref("network.ftp.enabled", false);
 /* 0709: disable using UNC (Uniform Naming Convention) paths [FF61+]
 * [SETUP-CHROME] Can break extensions for profiles on network shares
@@ -546,8 +537,7 @@ user_pref("signon.formlessCapture.enabled", false);
 * hardens against potential credentials phishing
 * 0=don't allow sub-resources to open HTTP authentication credentials dialogs
 * 1=don't allow cross-origin sub-resources to open HTTP authentication credentials dialogs
- * 2=allow sub-resources to open HTTP authentication credentials dialogs (default)
+ * 2=allow sub-resources to open HTTP authentication credentials dialogs (default) ***/
 * [1] https://www.fxsitecompat.com/en-CA/docs/2015/http-auth-dialog-can-no-longer-be-triggered-by-cross-origin-resources/ ***/
 user_pref("network.auth.subresource-http-auth-allow", 1);
 /*** [SECTION 1000]: CACHE / SESSION (RE)STORE / FAVICONS
@@ -648,7 +638,7 @@ user_pref("security.ssl.require_safe_negotiation", true);
 * [STATS] Firefox telemetry (June 2020) shows only 0.16% of SSL handshakes use 1.0 or 1.1
 * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint.
 * [1] https://www.ssllabs.com/ssl-pulse/ ***/
-   // user_pref("security.tls.version.min", 3); // [DEFAULT: 3 FF78+]
+   // user_pref("security.tls.version.min", 3); // [DEFAULT: 3]
   // user_pref("security.tls.version.max", 4);
 /* 1203: enforce TLS 1.0 and 1.1 downgrades as session only */
 user_pref("security.tls.version.enable-deprecated", false);
@@ -753,10 +743,6 @@ user_pref("security.mixed_content.block_object_subrequest", true);
 * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
 * [3] https://www-archive.mozilla.org/projects/security/pki/nss/ssl/fips-ssl-ciphersuites.html ***/
   // user_pref("security.ssl3.rsa_des_ede3_sha", false);
 /* 1263: disable DHE (Diffie-Hellman Key Exchange)
 * [1] https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH ***/
   // user_pref("security.ssl3.dhe_rsa_aes_128_sha", false); // [DEFAULT: false FF78+]
   // user_pref("security.ssl3.dhe_rsa_aes_256_sha", false); // [DEFAULT: false FF78+]
 /* 1264: disable the remaining non-modern cipher suites as of FF78 (in order of preferred by FF) ***/
   // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
   // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
@@ -783,7 +769,7 @@ user_pref("browser.ssl_override_behavior", 1);
 * [TEST] https://expired.badssl.com/ ***/
 user_pref("browser.xul.error_pages.expert_bad_cert", true);
 /* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/
-   // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true FF70+]
+   // user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true]
 user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
 /*** [SECTION 1400]: FONTS ***/
@@ -819,9 +805,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
            harden it a bit: set XOriginPolicy (1603) to 1 (as per the settings below)
       harden it a bit more: set XOriginPolicy (1603) to 2 (and optionally 1604 to 1 or 2), expect breakage
     ---
-     If you want any REAL control over referers and breakage, then use an extension. Either:
+     If you want any REAL control over referers and breakage, then use an extension
              uMatrix: limited by scope, all requests are spoofed or not-spoofed
       Smart Referrer: granular with source<->destination, whitelists
     ---
                    full URI: https://example.com:8888/foo/bar.html?id=1234
       scheme+host+port+path: https://example.com:8888/foo/bar.html
@@ -981,9 +965,6 @@ user_pref("dom.popup_allowed_events", "click dblclick");
     including service and shared workers. Shared workers can be utilized by multiple scripts and
     communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
     [NOTE] uMatrix 1.2.0+ allows a per-scope control for workers (2301-deprecated) and service workers (2302)
              #Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0
     [1]    Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API
     [2]         Worker: https://developer.mozilla.org/docs/Web/API/Worker
     [3] Service Worker: https://developer.mozilla.org/docs/Web/API/Service_Worker_API
@@ -1065,7 +1046,6 @@ user_pref("javascript.options.asmjs", false);
   // user_pref("javascript.options.baselinejit", false);
   // user_pref("javascript.options.jit_trustedprincipals", true); // [FF75+] [HIDDEN PREF]
 /* 2422: disable WebAssembly [FF52+] [SETUP-PERF]
 * [NOTE] In FF71+ this no longer affects extensions (1576254)
 * [1] https://developer.mozilla.org/docs/WebAssembly ***/
 user_pref("javascript.options.wasm", false);
 /* 2429: enable (limited but sufficient) window.opener protection [FF65+]
@@ -1250,14 +1230,13 @@ user_pref("security.dialog_enable_delay", 700);
 user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
 /* 2701: disable 3rd-party cookies and site-data [SETUP-WEB]
 * 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
- * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+)
+ * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (default)
 * [NOTE] You can set exceptions under site permissions or use an extension
 * [NOTE] Enforcing category to custom ensures ETP related prefs are always honored
 * [SETTING] Privacy & Security>Enhanced Tracking Protection>Custom>Cookies ***/
 user_pref("network.cookie.cookieBehavior", 1);
 user_pref("browser.contentblocking.category", "custom");
-/* 2702: set third-party cookies (i.e ALL) (if enabled, see 2701) to session-only
+/* 2702: set third-party cookies (if enabled, see 2701) to session-only
   and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
   [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
   .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
 * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/ ***/
@@ -1388,72 +1367,67 @@ user_pref("privacy.firstparty.isolate", true);
 user_pref("privacy.partition.network_state", true);
 /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
-   This master switch will be used for a wide range of items, many of which will
+   RFP covers a wide range of ongoing fingerprinting solutions.
-   **override** existing prefs from FF55+, often providing a **better** solution
+   It is an all-or-nothing buy in: you cannot pick and choose what parts you want
-   IMPORTANT: As existing prefs become redundant, and some of them WILL interfere
+   [WARNING] Do NOT use extensions to alter RFP protected metrics
-   with how RFP works, they will be moved to section 4600 and made inactive
+   [WARNING] Do NOT use prefs in section 4600 with RFP as they can interfere
- ** 418986 - limit window.screen & CSS media queries leaking identifiable info (FF41+)
+ FF41+
-      [NOTE] Info only: To set a size, open a XUL (chrome) page (such as about:config) which is at
+    418986 - limit window.screen & CSS media queries leaking identifiable info
      100% zoom, hit Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run.
      Test your window size, do some math, resize to allow for all the non inner window elements
      [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
- ** 1281949 - spoof screen orientation (FF50+)
+ FF50+
- ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
+   1281949 - spoof screen orientation
-      FF53: Fixes GetSupportedNames in nsMimeTypeArray and nsPluginArray (1324044)
+   1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
- ** 1330890 - spoof timezone as UTC 0 (FF55+)
+ FF55+
-      FF58: Date.toLocaleFormat deprecated (818634)
+   1330890 - spoof timezone as UTC 0
-      FF60: Date.toLocaleDateString and Intl.DateTimeFormat fixed (1409973)
+   1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601)
- ** 1360039 - spoof navigator.hardwareConcurrency as 2 (see 4601) (FF55+)
+   1217238 - reduce precision of time exposed by javascript
-      This spoof *shouldn't* affect core chrome/Firefox performance
+ FF56+
- ** 1217238 - reduce precision of time exposed by javascript (FF55+)
+   1369303 - spoof/disable performance API (see 4602, 4603)
- ** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+)
+   1333651 - spoof User Agent & Navigator API (see section 4700)
- ** 1333651 & 1383495 & 1396468 - spoof User Agent & Navigator API (see section 4700) (FF56+)
+      JS: FF78+ the version is spoofed as 78, and the OS as Windows 10, OS 10.15, Android 9, or Linux
-      FF56: Version: rounded down to the nearest multiple of 10
+      HTTP Headers: spoofed as Windows or Android
-      FF57: Version: match current ESR (1393283, 1418672, 1418162, 1511763)
+   1369319 - disable device sensor API (see 4604)
-      FF59: OS: Windows, OSX, Android, or Linux (to reduce breakage) (1404608)
+   1369357 - disable site specific zoom (see 4605)
-      FF66: OS: HTTP Headers reduced to Windows or Android (1509829)
+   1337161 - hide gamepads from content (see 4606)
-      FF68: OS: updated to Windows 10, OS 10.14, and Android 8.1 (1511434)
+   1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607)
-      FF78: OS: updated to OS 10.15 and Android 9.0 (1635011)
+   1333641 - reduce fingerprinting in WebSpeech API (see 4608)
- ** 1369319 - disable device sensor API (see 4604) (FF56+)
+ FF57+
- ** 1369357 - disable site specific zoom (see 4605) (FF56+)
+   1369309 - spoof media statistics (see 4610)
- ** 1337161 - hide gamepads from content (see 4606) (FF56+)
+   1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611)
- ** 1372072 - spoof network information API as "unknown" when dom.netinfo.enabled = true (see 4607) (FF56+)
+   1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12)
- ** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+)
+   1382545 - reduce fingerprinting in Animation API
- ** 1372069 & 1403813 & 1441295 - block geolocation requests (same as denying a site permission) (see 0201, 0202) (FF56-62)
+   1354633 - limit MediaError.message to a whitelist
- ** 1369309 - spoof media statistics (see 4610) (FF57+)
+   1382533 - enable fingerprinting resistance for Presentation API
 ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+)
 ** 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+)
 ** 1382545 - reduce fingerprinting in Animation API (FF57+)
 ** 1354633 - limit MediaError.message to a whitelist (FF57+)
 ** 1382533 - enable fingerprinting resistance for Presentation API (FF57+)
      This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
- **  967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction (FF58+)
+ FF58+
-      FF59: Added to site permissions panel (1413780) Only prompt when triggered by user input (1376865)
+    967895 - spoof canvas and enable site permission prompt before allowing canvas data extraction
- ** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+)
+ FF59+
   1372073 - spoof/block fingerprinting in MediaDevices API
      Spoof: enumerate devices reports one "Internal Camera" and one "Internal Microphone" if
             media.navigator.enabled is true (see 2505 which we chose to keep disabled)
      Block: suppresses the ondevicechange event (see 4612)
- ** 1039069 - warn when language prefs are set to non en-US (see 0210, 0211) (FF59+)
+   1039069 - warn when language prefs are set to non en-US (see 0210, 0211)
- ** 1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events (FF59+)
+   1222285 & 1433592 - spoof keyboard events and suppress keyboard modifier events
      Spoofing mimics the content language of the document. Currently it only supports en-US.
      Modifier events suppressed are SHIFT and both ALT keys. Chrome is not affected.
-      FF60: Fix keydown/keyup events (1438795)
+ FF60-67
- ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
+   1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
- ** 1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+)
+   1459089 - disable OS locale in HTTP Accept-Language headers (ANDROID) (FF62+)
- ** 1479239 - return "no-preference" with prefers-reduced-motion (see 4614) (FF63+)
+   1479239 - return "no-preference" with prefers-reduced-motion (see 4614) (FF63+)
- ** 1363508 - spoof/suppress Pointer Events (see 4615) (FF64+)
+   1363508 - spoof/suppress Pointer Events (see 4615) (FF64+)
      FF65: pointerEvent.pointerid (1492766)
- ** 1485266 - disable exposure of system colors to CSS or canvas (see 4616) (FF67+)
+   1485266 - disable exposure of system colors to CSS or canvas (see 4616) (FF67+)
- ** 1407366 - enable inner window letterboxing (see 4504) (FF67+)
+   1407366 - enable inner window letterboxing (see 4504) (FF67+)
- ** 1494034 - return "light" with prefers-color-scheme (see 4617) (FF67+)
+   1494034 - return "light" with prefers-color-scheme (see 4617) (FF67+)
-      [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme
+ FF68-77
- ** 1564422 - spoof audioContext outputLatency (FF70+)
+   1564422 - spoof audioContext outputLatency (FF70+)
- ** 1595823 - spoof audioContext sampleRate (FF72+)
+   1595823 - spoof audioContext sampleRate (FF72+)
- ** 1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+)
+   1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74+)
- ** 1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+)
+ FF78+
- ** 1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+)
+   1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78+)
   1653987 - limit font visibility to bundled and "Base Fonts" (see 4618) (non-ANDROID) (FF80+)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting [FF41+]
@@ -1470,22 +1444,22 @@ user_pref("privacy.resistFingerprinting", true);
   // user_pref("privacy.window.maxInnerWidth", 1000);
   // user_pref("privacy.window.maxInnerHeight", 1000);
 /* 4503: disable mozAddonManager Web API [FF57+]
- * [NOTE] As a side-effect in FF57-59 this allowed extensions to work on AMO. In FF60+ you also need
+ * [NOTE] To allow extensions to work on AMO, you also need 2662
 * to sanitize or clear extensions.webextensions.restrictedDomains (see 2662) to keep that side-effect
 * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
 user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
 /* 4504: enable RFP letterboxing [FF67+]
- * Dynamically resizes the inner window (FF67; 200w x100h: FF68+; stepped ranges) by applying letterboxing,
+ * Dynamically resizes the inner window by applying margins in stepped ranges, see [2]
- * using dimensions which waste the least content area, If you use the dimension pref, then it will only apply
+ * If you use the dimension pref, then it will only apply those resolutions. The format is
- * those resolutions. The format is "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900")
+ * "width1xheight1, width2xheight2, ..." (e.g. "800x600, 1000x1000, 1600x900")
- * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but you're
+ * [SETUP-WEB] This does NOT require RFP (see 4501) **for now**, so if you're not using 4501, or you are but
- * not taking anti-fingerprinting seriously and a little visual change upsets you, then feel free to flip this pref
+ * dislike margins being applied, then flip this pref, keeping in mind that it is effectively fingerprintable
 * [WARNING] The dimension pref is only meant for testing, and we recommend you DO NOT USE it
- * [1] https://bugzilla.mozilla.org/1407366 ***/
+ * [1] https://bugzilla.mozilla.org/1407366
 * [2] https://hg.mozilla.org/mozilla-central/rev/6d2d7856e468#l2.32 ***/
 user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
   // user_pref("privacy.resistFingerprinting.letterboxing.dimensions", ""); // [HIDDEN PREF]
 /* 4510: disable showing about:blank as soon as possible during startup [FF60+]
- * When default true (FF62+) this no longer masks the RFP chrome resizing activity
+ * When default true this no longer masks the RFP chrome resizing activity
 * [1] https://bugzilla.mozilla.org/1448423 ***/
 user_pref("browser.startup.blankWindow", false);
 /* 4520: disable chrome animations [FF77+] [RESTART]
@@ -1493,15 +1467,7 @@ user_pref("browser.startup.blankWindow", false);
 user_pref("ui.prefersReducedMotion", 1); // [HIDDEN PREF]
 /*** [SECTION 4600]: RFP ALTERNATIVES
-   * non-RFP users:
+     [WARNING] Do NOT use prefs in this section with RFP as they can interfere
       Enable the whole section (see the SETUP tag below)
   * RFP users:
       Make sure these are reset in about:config. They are redundant. In fact, some
       even cause RFP to not behave as you would expect and alter your fingerprint
   * ESR RFP users:
       Reset those *up to and including* your version. Add those *after* your version
       as active prefs in your overrides. This is assuming that the patch wasn't also
       backported to Firefox ESR. Backporting RFP patches to ESR is rare.
 ***/
 user_pref("_user.js.parrot", "4600 syntax error: the parrot's crossed the Jordan");
 /* [SETUP-non-RFP] Non-RFP users replace the * with a slash on this line to enable these
@@ -1600,32 +1566,22 @@ user_pref("layout.css.font-visibility.level", 1);
 // * * * /
 // ***/
-/*** [SECTION 4700]: RFP ALTERNATIVES (NAVIGATOR / USER AGENT (UA) SPOOFING)
+/*** [SECTION 4700]: RFP ALTERNATIVES (USER AGENT SPOOFING)
-     This is FYI ONLY. These prefs are INSUFFICIENT(a) on their own, you need
+     These prefs are insufficient and leak. Use RFP and **nothing else**
-     to use RFP (4500) or an extension, in which case they become POINTLESS.
+     - Many of the user agent components can be derived by other means. When those
-     (a) Many of the components that make up your UA can be derived by other means.
+       values differ, you provide more bits and raise entropy. Examples include
-         And when those values differ, you provide more bits and raise entropy.
+       workers, iframes, headers, tcp/ip attributes, feature detection, and many more
-         Examples of leaks include workers, navigator objects, date locale/formats,
+     - Web extensions also lack APIs to fully protect spoofing
         iframes, headers, tcp/ip attributes, feature detection, and **many** more.
     ALL values below intentionally left blank - use RFP, or get a vetted, tested
         extension and mimic RFP values to *lower* entropy, or randomize to *raise* it
 ***/
 user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow");
-/* 4701: navigator.userAgent ***/
+/* 4701: navigator DOM object overrides
-   // user_pref("general.useragent.override", ""); // [HIDDEN PREF]
+ * [WARNING] DO NOT USE ***/
 /* 4702: navigator.buildID
 * Revealed build time down to the second. In FF64+ it now returns a fixed timestamp
 * [1] https://bugzilla.mozilla.org/583181
 * [2] https://www.fxsitecompat.com/en-CA/docs/2018/navigator-buildid-now-returns-a-fixed-timestamp/ ***/
   // user_pref("general.buildID.override", ""); // [HIDDEN PREF]
 /* 4703: navigator.appName ***/
   // user_pref("general.appname.override", ""); // [HIDDEN PREF]
 /* 4704: navigator.appVersion ***/
   // user_pref("general.appversion.override", ""); // [HIDDEN PREF]
-/* 4705: navigator.platform ***/
+   // user_pref("general.buildID.override", ""); // [HIDDEN PREF]
   // user_pref("general.platform.override", ""); // [HIDDEN PREF]
 /* 4706: navigator.oscpu ***/
   // user_pref("general.oscpu.override", ""); // [HIDDEN PREF]
   // user_pref("general.platform.override", ""); // [HIDDEN PREF]
   // user_pref("general.useragent.override", ""); // [HIDDEN PREF]
 /*** [SECTION 5000]: PERSONAL
     Non-project related but useful. If any of these interest you, add them to your overrides ***/