v122 (#1764)

- remove group root/wheel check

README.md

@@ -7,7 +7,7 @@ A `user.js` is a configuration file that can control Firefox settings - for a mo
 
 The `arkenfox user.js` is a **template** which aims to provide as much privacy and enhanced security as possible, and to reduce tracking and fingerprinting as much as possible - while minimizing any loss of functionality and breakage (but it will happen).
 
-Everyone, experts included, should at least read the [wiki](https://github.com/arkenfox/user.js/wiki), as it contains important information regarding a few `user.js` settings.
+Everyone, experts included, should at least read the [wiki](https://github.com/arkenfox/user.js/wiki), as it contains important information regarding a few `user.js` settings. There is also an [interactive current release](https://arkenfox.github.io/gui/), thanks to [icpantsparti2](https://github.com/icpantsparti2).
 
 Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://2019.www.torproject.org/about/torusers.html) calls for it, or for accessing hidden services.
 

prefsCleaner.bat

@@ -3,17 +3,19 @@ TITLE prefs.js cleaner
 
 REM ### prefs.js cleaner for Windows
 REM ## author: @claustromaniac
-REM ## version: 2.5
+REM ## version: 2.7
 
 CD /D "%~dp0"
 
+IF /I "%~1"=="-unattended" (SET _ua=1)
+
 :begin
 ECHO:
 ECHO:
 ECHO                 ########################################
 ECHO                 ####  prefs.js cleaner for Windows  ####
 ECHO                 ####        by claustromaniac       ####
-ECHO                 ####              v2.5              ####
+ECHO                 ####              v2.7              ####
 ECHO                 ########################################
 ECHO:
 CALL :message "This script should be run from your Firefox profile directory."
@@ -22,18 +24,20 @@ CALL :message "This will allow inactive preferences to be reset to their default
 ECHO   This Firefox profile shouldn't be in use during the process.
 CALL :message ""
 TIMEOUT 1 /nobreak >nul
-CHOICE /C SHE /N /M "Start [S] Help [H] Exit [E]"
+
-CLS
+IF NOT DEFINED _ua (
-IF ERRORLEVEL 3 (EXIT /B)
+	CHOICE /C SHE /N /M "Start [S] Help [H] Exit [E]"
-IF ERRORLEVEL 2 (GOTO :showhelp)
+	CLS
+	IF ERRORLEVEL 3 (EXIT /B)
+	IF ERRORLEVEL 2 (GOTO :showhelp)
+)
 IF NOT EXIST "user.js" (CALL :abort "user.js not found in the current directory." 30)
 IF NOT EXIST "prefs.js" (CALL :abort "prefs.js not found in the current directory." 30)
 CALL :strlenCheck
 CALL :FFcheck
 
 CALL :message "Backing up prefs.js..."
-FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET ldt=%%j
+FOR /F "delims=" %%# IN ('powershell get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%#
-SET ldt=%ldt:~0,8%_%ldt:~8,6%
 COPY /B /V /Y prefs.js "prefs-backup-%ldt%.js"
 
 CALL :message "Cleaning prefs.js..."

prefsCleaner.sh

@@ -2,33 +2,54 @@
 
 ## prefs.js cleaner for Linux/Mac
 ## author: @claustromaniac
-## version: 1.5
+## version: 2.1
 
 ## special thanks to @overdodactyl and @earthlng for a few snippets that I stol..*cough* borrowed from the updater.sh
 
-currdir=$(pwd)
+## DON'T GO HIGHER THAN VERSION x.9 !! ( because of ASCII comparison in update_prefsCleaner() )
+
+readonly CURRDIR=$(pwd)
 
 ## get the full path of this script (readlink for Linux, greadlink for Mac with coreutils installed)
-sfp=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
+SCRIPT_FILE=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
 
 ## fallback for Macs without coreutils
-if [ -z "$sfp" ]; then sfp=${BASH_SOURCE[0]}; fi
+[ -z "$SCRIPT_FILE" ] && SCRIPT_FILE=${BASH_SOURCE[0]}
 
-## change directory to the Firefox profile directory
+
-cd "$(dirname "${sfp}")"
+AUTOUPDATE=true
+QUICKSTART=false
+
+## download method priority: curl -> wget
+DOWNLOAD_METHOD=''
+if command -v curl >/dev/null; then
+	DOWNLOAD_METHOD='curl --max-redirs 3 -so'
+elif command -v wget >/dev/null; then
+	DOWNLOAD_METHOD='wget --max-redirect 3 --quiet -O'
+else
+	AUTOUPDATE=false
+	echo -e "No curl or wget detected.\nAutomatic self-update disabled!"
+fi
 
 fQuit() {
 	## change directory back to the original working directory
-	cd "${currdir}"
+	cd "${CURRDIR}"
 	[ "$1" -eq 0 ] && echo -e "\n$2" || echo -e "\n$2" >&2
 	exit $1
 }
 
 fUsage() {
-	echo -e "\nUsage: $0 [-s]"
+	echo -e "\nUsage: $0 [-ds]"
 	echo -e "
 Optional Arguments:
-    -s           Start immediately"
+    -s           Start immediately
+    -d           Don't auto-update prefsCleaner.sh"
+}
+
+download_file() { # expects URL as argument ($1)
+  declare -r tf=$(mktemp)
+
+  $DOWNLOAD_METHOD "${tf}" "$1" &>/dev/null && echo "$tf" || echo '' # return the temp-filename or empty string on error
 }
 
 fFF_check() {
@@ -40,6 +61,24 @@ fFF_check() {
 	done
 }
 
+## returns the version number of a prefsCleaner.sh file
+get_prefsCleaner_version() {
+	echo "$(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$1")"
+}
+
+## updates the prefsCleaner.sh file based on the latest public version
+update_prefsCleaner() {
+	declare -r tmpfile="$(download_file 'https://raw.githubusercontent.com/arkenfox/user.js/master/prefsCleaner.sh')"
+	[ -z "$tmpfile" ] && echo -e "Error! Could not download prefsCleaner.sh" && return 1 # check if download failed
+
+	[[ $(get_prefsCleaner_version "$SCRIPT_FILE") == $(get_prefsCleaner_version "$tmpfile") ]] && return 0
+
+	mv "$tmpfile" "$SCRIPT_FILE"
+	chmod u+x "$SCRIPT_FILE"
+	"$SCRIPT_FILE" "$@" -d
+	exit 0
+}
+
 fClean() {
 	# the magic happens here
 	prefs="@@"
@@ -78,19 +117,47 @@ fStart() {
 	fQuit 0 "All done!"
 }
 
+
+while getopts "sd" opt; do
+	case $opt in
+		s)
+			QUICKSTART=true
+			;;
+		d)
+			AUTOUPDATE=false
+			;;
+	esac
+done
+
+## change directory to the Firefox profile directory
+cd "$(dirname "${SCRIPT_FILE}")"
+
+# Check if running as root and if any files have the owner as root/wheel.
+if [ "${EUID:-"$(id -u)"}" -eq 0 ]; then
+	fQuit 1 "You shouldn't run this with elevated privileges (such as with doas/sudo)."
+elif [ -n "$(find ./ -user 0)" ]; then
+	printf 'It looks like this script was previously run with elevated privileges,
+you will need to change ownership of the following files to your user:\n'
+	find . -user 0
+	fQuit 1
+fi
+
+[ "$AUTOUPDATE" = true ] && update_prefsCleaner "$@"
+
 echo -e "\n\n"
 echo "                   ╔══════════════════════════╗"
 echo "                   ║     prefs.js cleaner     ║"
 echo "                   ║    by claustromaniac     ║"
-echo "                   ║           v1.5           ║"
+echo "                   ║           v2.1           ║"
 echo "                   ╚══════════════════════════╝"
 echo -e "\nThis script should be run from your Firefox profile directory.\n"
 echo "It will remove any entries from prefs.js that also exist in user.js."
 echo "This will allow inactive preferences to be reset to their default values."
 echo -e "\nThis Firefox profile shouldn't be in use during the process.\n"
-echo -e "\nIn order to proceed, select a command below by entering its corresponding number.\n"
 
-[ "$1" == '-s' ] && fStart
+[ "$QUICKSTART" = true ] && fStart
+
+echo -e "\nIn order to proceed, select a command below by entering its corresponding number.\n"
 
 select option in Start Help Exit; do
 	case $option in
@@ -114,3 +181,5 @@ select option in Start Help Exit; do
 			;;
 	esac
 done
+
+fQuit 0

scratchpad-scripts/arkenfox-cleanup.js

@@ -1,9 +1,12 @@
 /***
-  This will reset the preferences that have been
+  This will reset the preferences that since FF91 have been
   - removed from the arkenfox user.js
   - deprecated by Mozilla but listed in the arkenfox user.js in the past
 
-  Last updated: 19-November-2022
+  There is an archived version at https://github.com/arkenfox/user.js/issues/123
+  if you want the full list since jesus
+
+  Last updated: 2-November-2023
 
   Instructions:
   - [optional] close Firefox and backup your profile
@@ -32,8 +35,22 @@
 
   const aPREFS = [
     /* DEPRECATED */
-    /* 103+ */
+    /* 116-128 */
+    'dom.webnotifications.serviceworker.enabled', // 117
+    'javascript.use_us_english_locale', // 119
+    'layout.css.font-visibility.private', // 118
+    'layout.css.font-visibility.resistFingerprinting', // 116
+    'layout.css.font-visibility.standard', // 118
+    'layout.css.font-visibility.trackingprotection', // 118
+    'network.dns.skipTRR-when-parental-control-enabled', // 119
+    'permissions.delegation.enabled', // 118
+    'security.family_safety.mode', // 117
+    /* 103-115 */
+    'browser.cache.offline.enable', // 115
+    'extensions.formautofill.heuristics.enabled', // 114
     'network.cookie.lifetimePolicy', // 103 [technically removed in 104]
+    'privacy.clearsitedata.cache.enabled', // 114
+    'privacy.resistFingerprinting.testGranularityMask', // 114
     'security.pki.sha1_enforcement_level', // 103
     /* 92-102 */
     'browser.urlbar.suggest.quicksuggest', // 95
@@ -48,199 +65,26 @@
     'security.csp.enable', // 99
     'security.password_lifetime', // 102
     'security.ssl3.rsa_des_ede3_sha', // 93
-    /* 79-91 */
-    'browser.cache.offline.storage.enable',
-    'browser.download.hide_plugins_without_extensions',
-    'browser.library.activity-stream.enabled',
-    'browser.search.geoSpecificDefaults',
-    'browser.search.geoSpecificDefaults.url',
-    'dom.ipc.plugins.flash.subprocess.crashreporter.enabled',
-    'dom.ipc.plugins.reportCrashURL',
-    'dom.w3c_pointer_events.enabled',
-    'intl.charset.fallback.override',
-    'network.ftp.enabled',
-    'plugin.state.flash',
-    'security.mixed_content.block_object_subrequest',
-    'security.ssl.errorReporting.automatic',
-    'security.ssl.errorReporting.enabled',
-    'security.ssl.errorReporting.url',
-    /* 69-78 */
-    'browser.newtabpage.activity-stream.telemetry.ping.endpoint',
-    'browser.tabs.remote.allowLinkedWebInFileUriProcess',
-    'browser.urlbar.oneOffSearches',
-    'devtools.webide.autoinstallADBExtension',
-    'devtools.webide.enabled',
-    'dom.indexedDB.enabled',
-    'extensions.blocklist.url',
-    'geo.wifi.logging.enabled',
-    'geo.wifi.uri',
-    'gfx.downloadable_fonts.woff2.enabled',
-    'media.autoplay.allow-muted',
-    'media.autoplay.enabled.user-gestures-needed',
-    'offline-apps.allow_by_default',
-    'plugins.click_to_play',
-    'privacy.userContext.longPressBehavior',
-    'toolkit.cosmeticAnimations.enabled',
-    'toolkit.telemetry.hybridContent.enabled',
-    'webgl.disable-extensions',
-    /* 61-68 */
-    'app.update.enabled',
-    'browser.aboutHomeSnippets.updateUrl',
-    'browser.chrome.errorReporter.enabled',
-    'browser.chrome.errorReporter.submitUrl',
-    'browser.chrome.favicons',
-    'browser.ctrlTab.previews',
-    'browser.fixup.hide_user_pass',
-    'browser.newtabpage.activity-stream.asrouter.userprefs.cfr',
-    'browser.newtabpage.activity-stream.disableSnippets',
-    'browser.onboarding.enabled',
-    'browser.search.countryCode',
-    'browser.urlbar.autocomplete.enabled',
-    'devtools.webide.adbAddonURL',
-    'devtools.webide.autoinstallADBHelper',
-    'dom.event.highrestimestamp.enabled',
-    'experiments.activeExperiment',
-    'experiments.enabled',
-    'experiments.manifest.uri',
-    'experiments.supported',
-    'lightweightThemes.update.enabled',
-    'media.autoplay.enabled',
-    'network.allow-experiments',
-    'network.cookie.lifetime.days',
-    'network.jar.block-remote-files',
-    'network.jar.open-unsafe-types',
-    'plugin.state.java',
-    'security.csp.enable_violation_events',
-    'security.csp.experimentalEnabled',
-    'shield.savant.enabled',
-    /* 60 or earlier */
-    'browser.bookmarks.showRecentlyBookmarked',
-    'browser.casting.enabled',
-    'browser.crashReports.unsubmittedCheck.autoSubmit',
-    'browser.formautofill.enabled',
-    'browser.formfill.saveHttpsForms',
-    'browser.fullscreen.animate',
-    'browser.history.allowPopState',
-    'browser.history.allowPushState',
-    'browser.history.allowReplaceState',
-    'browser.newtabpage.activity-stream.enabled',
-    'browser.newtabpage.directory.ping',
-    'browser.newtabpage.directory.source',
-    'browser.newtabpage.enhanced',
-    'browser.newtabpage.introShown',
-    'browser.pocket.api',
-    'browser.pocket.enabled',
-    'browser.pocket.oAuthConsumerKey',
-    'browser.pocket.site',
-    'browser.polaris.enabled',
-    'browser.safebrowsing.appRepURL',
-    'browser.safebrowsing.enabled',
-    'browser.safebrowsing.gethashURL',
-    'browser.safebrowsing.malware.reportURL',
-    'browser.safebrowsing.provider.google.appRepURL',
-    'browser.safebrowsing.reportErrorURL',
-    'browser.safebrowsing.reportGenericURL',
-    'browser.safebrowsing.reportMalwareErrorURL',
-    'browser.safebrowsing.reportMalwareMistakeURL',
-    'browser.safebrowsing.reportMalwareURL',
-    'browser.safebrowsing.reportPhishMistakeURL',
-    'browser.safebrowsing.reportURL',
-    'browser.safebrowsing.updateURL',
-    'browser.search.showOneOffButtons',
-    'browser.selfsupport.enabled',
-    'browser.selfsupport.url',
-    'browser.sessionstore.privacy_level_deferred',
-    'browser.tabs.animate',
-    'browser.trackingprotection.gethashURL',
-    'browser.trackingprotection.updateURL',
-    'browser.urlbar.unifiedcomplete',
-    'browser.usedOnWindows10.introURL',
-    'camera.control.autofocus_moving_callback.enabled',
-    'camera.control.face_detection.enabled',
-    'datareporting.healthreport.about.reportUrl',
-    'datareporting.healthreport.about.reportUrlUnified',
-    'datareporting.healthreport.documentServerURI',
-    'datareporting.healthreport.service.enabled',
-    'datareporting.policy.dataSubmissionEnabled.v2',
-    'devtools.webide.autoinstallFxdtAdapters',
-    'dom.archivereader.enabled',
-    'dom.beforeAfterKeyboardEvent.enabled',
-    'dom.disable_image_src_set',
-    'dom.disable_window_open_feature.scrollbars',
-    'dom.disable_window_status_change',
-    'dom.enable_user_timing',
-    'dom.flyweb.enabled',
-    'dom.idle-observers-api.enabled',
-    'dom.keyboardevent.code.enabled',
-    'dom.network.enabled',
-    'dom.push.udp.wakeupEnabled',
-    'dom.telephony.enabled',
-    'dom.vr.oculus050.enabled',
-    'dom.workers.enabled',
-    'dom.workers.sharedWorkers.enabled',
-    'extensions.formautofill.experimental',
-    'extensions.screenshots.system-disabled',
-    'extensions.shield-recipe-client.api_url',
-    'extensions.shield-recipe-client.enabled',
-    'full-screen-api.approval-required',
-    'general.useragent.locale',
-    'geo.security.allowinsecure',
-    'intl.locale.matchOS',
-    'loop.enabled',
-    'loop.facebook.appId',
-    'loop.facebook.enabled',
-    'loop.facebook.fallbackUrl',
-    'loop.facebook.shareUrl',
-    'loop.feedback.formURL',
-    'loop.feedback.manualFormURL',
-    'loop.logDomains',
-    'loop.server',
-    'media.block-play-until-visible',
-    'media.eme.apiVisible',
-    'media.eme.chromium-api.enabled',
-    'media.getusermedia.screensharing.allow_on_old_platforms',
-    'media.getusermedia.screensharing.allowed_domains',
-    'media.gmp-eme-adobe.autoupdate',
-    'media.gmp-eme-adobe.enabled',
-    'media.gmp-eme-adobe.visible',
-    'network.http.referer.userControlPolicy',
-    'network.http.sendSecureXSiteReferrer',
-    'network.http.spdy.enabled.http2draft',
-    'network.http.spdy.enabled.v3-1',
-    'network.websocket.enabled',
-    'pageThumbs.enabled',
-    'pfs.datasource.url',
-    'plugin.scan.Acrobat',
-    'plugin.scan.Quicktime',
-    'plugin.scan.WindowsMediaPlayer',
-    'plugins.enumerable_names',
-    'plugins.update.notifyUser',
-    'plugins.update.url',
-    'privacy.clearOnShutdown.passwords',
-    'privacy.donottrackheader.value',
-    'security.mixed_content.send_hsts_priming',
-    'security.mixed_content.use_hsts',
-    'security.ssl3.ecdhe_ecdsa_rc4_128_sha',
-    'security.ssl3.ecdhe_rsa_rc4_128_sha',
-    'security.ssl3.rsa_rc4_128_md5',
-    'security.ssl3.rsa_rc4_128_sha',
-    'security.tls.insecure_fallback_hosts.use_static_list',
-    'security.tls.unrestricted_rc4_fallback',
-    'security.xpconnect.plugin.unrestricted',
-    'social.directories',
-    'social.enabled',
-    'social.remote-install.enabled',
-    'social.share.activationPanelEnabled',
-    'social.shareDirectory',
-    'social.toast-notifications.enabled',
-    'social.whitelist',
-    'toolkit.telemetry.unifiedIsOptIn',
 
     /* REMOVED */
-    /* 103+ */
+    /* 116-128 */
+    'browser.fixup.alternate.enabled',
+    'browser.taskbar.previews.enable',
+    'browser.urlbar.dnsResolveSingleWordsAfterSearch',
+    'media.gmp-widevinecdm.enabled',
+    'network.protocol-handler.external.ms-windows-store',
+    'privacy.partition.always_partition_third_party_non_cookie_storage',
+    'privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage',
+    'privacy.partition.serviceWorkers',
+    /* 103-115 */
+    'beacon.enabled',
+    'browser.startup.blankWindow',
     'browser.newtab.preload',
     'browser.newtabpage.activity-stream.feeds.discoverystreamfeed',
     'browser.newtabpage.activity-stream.feeds.snippets',
+    'browser.region.network.url',
+    'browser.region.update.enabled',
+    'browser.search.region',
     'browser.ssl_override_behavior',
     'browser.tabs.warnOnClose',
     'devtools.chrome.enabled',
@@ -252,6 +96,7 @@
     'extensions.formautofill.available',
     'extensions.formautofill.creditCards.available',
     'extensions.formautofill.creditCards.supported',
+    'middlemouse.contentLoadURL',
     'network.http.altsvc.oe',
     /* 92-102 */
     'browser.urlbar.trimURLs',
@@ -266,224 +111,6 @@
     'privacy.firstparty.isolate.use_site',
     'privacy.window.name.update.enabled',
     'security.insecure_connection_text.enabled',
-    /* 79-91 */
-    'alerts.showFavicons',
-    'browser.newtabpage.activity-stream.asrouter.providers.snippets',
-    'browser.send_pings.require_same_host',
-    'browser.urlbar.usepreloadedtopurls.enabled',
-    'dom.allow_cut_copy',
-    'dom.battery.enabled',
-    'dom.IntersectionObserver.enabled',
-    'dom.storage.enabled',
-    'dom.vibrator.enabled',
-    'extensions.screenshots.upload-disabled',
-    'general.warnOnAboutConfig',
-    'gfx.direct2d.disabled',
-    'layers.acceleration.disabled',
-    'media.getusermedia.audiocapture.enabled',
-    'media.getusermedia.browser.enabled',
-    'media.getusermedia.screensharing.enabled',
-    'media.gmp-widevinecdm.visible',
-    'media.media-capabilities.enabled',
-    'network.http.redirection-limit',
-    'privacy.partition.network_state',
-    'security.insecure_connection_icon.enabled',
-    'security.mixed_content.block_active_content',
-    'security.ssl.enable_ocsp_stapling',
-    'security.ssl3.dhe_rsa_aes_128_sha',
-    'security.ssl3.dhe_rsa_aes_256_sha',
-    'webgl.min_capability_mode',
-    /* 69-78 */
-    'browser.cache.disk_cache_ssl',
-    'browser.search.geoip.url',
-    'browser.search.region',
-    'browser.sessionhistory.max_entries',
-    'dom.push.connection.enabled',
-    'dom.push.serverURL',
-    'extensions.getAddons.discovery.api_url',
-    'extensions.htmlaboutaddons.discover.enabled',
-    'extensions.webservice.discoverURL',
-    'intl.locale.requested',
-    'intl.regional_prefs.use_os_locales',
-    'media.block-autoplay-until-in-foreground',
-    'middlemouse.paste',
-    'plugin.sessionPermissionNow.intervalInMinutes',
-    'privacy.usercontext.about_newtab_segregation.enabled',
-    'security.insecure_connection_icon.pbmode.enabled',
-    'security.insecure_connection_text.pbmode.enabled',
-    'webgl.dxgl.enabled',
-    /* 61-68 */
-    'app.update.service.enabled',
-    'app.update.silent',
-    'app.update.staging.enabled',
-    'browser.cache.disk.capacity',
-    'browser.cache.disk.smart_size.enabled',
-    'browser.cache.disk.smart_size.first_run',
-    'browser.cache.offline.insecure.enable',
-    'browser.contentblocking.enabled',
-    'browser.laterrun.enabled',
-    'browser.offline-apps.notify',
-    'browser.rights.3.shown',
-    'browser.safebrowsing.blockedURIs.enabled',
-    'browser.safebrowsing.downloads.remote.block_dangerous',
-    'browser.safebrowsing.downloads.remote.block_dangerous_host',
-    'browser.safebrowsing.provider.google.gethashURL',
-    'browser.safebrowsing.provider.google.reportMalwareMistakeURL',
-    'browser.safebrowsing.provider.google.reportPhishMistakeURL',
-    'browser.safebrowsing.provider.google.reportURL',
-    'browser.safebrowsing.provider.google.updateURL',
-    'browser.safebrowsing.provider.google4.dataSharing.enabled',
-    'browser.safebrowsing.provider.google4.dataSharingURL',
-    'browser.safebrowsing.provider.google4.gethashURL',
-    'browser.safebrowsing.provider.google4.reportMalwareMistakeURL',
-    'browser.safebrowsing.provider.google4.reportPhishMistakeURL',
-    'browser.safebrowsing.provider.google4.reportURL',
-    'browser.safebrowsing.provider.google4.updateURL',
-    'browser.safebrowsing.provider.mozilla.gethashURL',
-    'browser.safebrowsing.provider.mozilla.updateURL',
-    'browser.safebrowsing.reportPhishURL',
-    'browser.sessionhistory.max_total_viewers',
-    'browser.sessionstore.max_windows_undo',
-    'browser.slowStartup.maxSamples',
-    'browser.slowStartup.notificationDisabled',
-    'browser.slowStartup.samples',
-    'browser.storageManager.enabled',
-    'browser.urlbar.autoFill.typed',
-    'browser.urlbar.filter.javascript',
-    'browser.urlbar.maxHistoricalSearchSuggestions',
-    'browser.urlbar.userMadeSearchSuggestionsChoice',
-    'canvas.capturestream.enabled',
-    'dom.allow_scripts_to_close_windows',
-    'dom.disable_window_flip',
-    'dom.forms.datetime',
-    'dom.imagecapture.enabled',
-    'dom.popup_maximum',
-    'extensions.webextensions.keepStorageOnUninstall',
-    'extensions.webextensions.keepUuidOnUninstall',
-    'font.blacklist.underline_offset',
-    'font.name.monospace.x-unicode',
-    'font.name.monospace.x-western',
-    'font.name.sans-serif.x-unicode',
-    'font.name.sans-serif.x-western',
-    'font.name.serif.x-unicode',
-    'font.name.serif.x-western',
-    'gfx.offscreencanvas.enabled',
-    'javascript.options.shared_memory',
-    'layout.css.font-loading-api.enabled',
-    'media.gmp-gmpopenh264.autoupdate',
-    'media.gmp-gmpopenh264.enabled',
-    'media.gmp-manager.updateEnabled',
-    'media.gmp-manager.url',
-    'media.gmp-manager.url.override',
-    'media.gmp-widevinecdm.autoupdate',
-    'media.gmp.trial-create.enabled',
-    'media.navigator.video.enabled',
-    'media.peerconnection.ice.tcp',
-    'media.peerconnection.identity.enabled',
-    'media.peerconnection.identity.timeout',
-    'media.peerconnection.turn.disable',
-    'media.peerconnection.use_document_iceservers',
-    'media.peerconnection.video.enabled',
-    'network.auth.subresource-img-cross-origin-http-auth-allow',
-    'network.cookie.leave-secure-alone',
-    'network.cookie.same-site.enabled',
-    'network.dnsCacheEntries',
-    'network.dnsCacheExpiration',
-    'network.http.fast-fallback-to-IPv4',
-    'network.proxy.autoconfig_url.include_path',
-    'offline-apps.quota.warn',
-    'pdfjs.enableWebGL',
-    'plugin.default.state',
-    'plugin.defaultXpi.state',
-    'plugin.scan.plid.all',
-    'privacy.trackingprotection.annotate_channels',
-    'privacy.trackingprotection.lower_network_priority',
-    'privacy.trackingprotection.pbmode.enabled',
-    'privacy.trackingprotection.ui.enabled',
-    'security.data_uri.block_toplevel_data_uri_navigations',
-    'security.insecure_field_warning.contextual.enabled',
-    'security.insecure_password.ui.enabled',
-    'security.tls.version.fallback-limit',
-    'services.blocklist.addons.collection',
-    'services.blocklist.gfx.collection',
-    'services.blocklist.onecrl.collection',
-    'services.blocklist.plugins.collection',
-    'services.blocklist.signing.enforced',
-    'services.blocklist.update_enabled',
-    'signon.autofillForms.http',
-    'signon.storeWhenAutocompleteOff',
-    'toolkit.telemetry.cachedClientID',
-    'urlclassifier.trackingTable',
-    'xpinstall.whitelist.required',
-    /* 60 or lower */
-    'browser.migrate.automigrate.enabled',
-    'browser.search.geoip.timeout',
-    'browser.search.reset.enabled',
-    'browser.search.reset.whitelist',
-    'browser.stopReloadAnimation.enabled',
-    'browser.tabs.insertRelatedAfterCurrent',
-    'browser.tabs.loadDivertedInBackground',
-    'browser.tabs.loadInBackground',
-    'browser.tabs.selectOwnerOnClose',
-    'browser.urlbar.clickSelectsAll',
-    'browser.urlbar.doubleClickSelectsAll',
-    'device.storage.enabled',
-    'dom.keyboardevent.dispatch_during_composition',
-    'dom.presentation.controller.enabled',
-    'dom.presentation.discoverable',
-    'dom.presentation.discovery.enabled',
-    'dom.presentation.enabled',
-    'dom.presentation.receiver.enabled',
-    'dom.presentation.session_transport.data_channel.enable',
-    'dom.vr.oculus.enabled',
-    'dom.vr.openvr.enabled',
-    'dom.vr.osvr.enabled',
-    'extensions.pocket.api',
-    'extensions.pocket.oAuthConsumerKey',
-    'extensions.pocket.site',
-    'general.useragent.compatMode.firefox',
-    'geo.wifi.xhr.timeout',
-    'gfx.layerscope.enabled',
-    'media.flac.enabled',
-    'media.mediasource.enabled',
-    'media.mediasource.mp4.enabled',
-    'media.mediasource.webm.audio.enabled',
-    'media.mediasource.webm.enabled',
-    'media.mp4.enabled',
-    'media.ogg.enabled',
-    'media.ogg.flac.enabled',
-    'media.opus.enabled',
-    'media.raw.enabled',
-    'media.wave.enabled',
-    'media.webm.enabled',
-    'media.webspeech.recognition.enable',
-    'media.wmf.amd.vp9.enabled',
-    'media.wmf.enabled',
-    'media.wmf.vp9.enabled',
-    'network.dns.blockDotOnion',
-    'network.stricttransportsecurity.preloadlist',
-    'security.block_script_with_wrong_mime',
-    'security.fileuri.strict_origin_policy',
-    'security.sri.enable',
-    'services.sync.enabled',
-    'ui.submenuDelay',
-    'webextensions.storage.sync.enabled',
-    'webextensions.storage.sync.serverURL',
-    //  excluding these e10 settings
-       // 'browser.tabs.remote.autostart',
-       // 'browser.tabs.remote.autostart.2',
-       // 'browser.tabs.remote.force-enable',
-       // 'browser.tabs.remote.separateFileUriProcess',
-       // 'extensions.e10sBlocksEnabling',
-       // 'extensions.webextensions.remote',
-       // 'dom.ipc.processCount',
-       // 'dom.ipc.shims.enabledWarnings',
-       // 'dom.ipc.processCount.extension',
-       // 'dom.ipc.processCount.file',
-       // 'security.sandbox.content.level',
-       // 'dom.ipc.plugins.sandbox-level.default',
-       // 'dom.ipc.plugins.sandbox-level.flash',
-       // 'security.sandbox.logging.enabled',
 
     /* IMPORTANT: last active pref must not have a trailing comma */ 
     /* reset parrot: check your open about:config after running the script */

updater.bat

@@ -3,10 +3,10 @@ TITLE arkenfox user.js updater
 
 REM ## arkenfox user.js updater for Windows
 REM ## author: @claustromaniac
-REM ## version: 4.17
+REM ## version: 4.19
 REM ## instructions: https://github.com/arkenfox/user.js/wiki/5.1-Updater-[Options]#-windows
 
-SET v=4.17
+SET v=4.19
 
 VERIFY ON
 CD /D "%~dp0"
@@ -177,9 +177,8 @@ IF EXIST user.js.new (
 		IF DEFINED _singlebackup (
 			MOVE /Y user.js user.js.bak >nul
 		) ELSE (
-			FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET ldt=%%j
+			FOR /F "delims=" %%# IN ('powershell get-date -format "{yyyyMMdd_HHmmss}"') DO @SET ldt=%%#
-			SET ldt=%ldt:~0,8%_%ldt:~8,6%
+			MOVE /Y user.js "user-backup-!ldt!.js" >nul
-			MOVE /Y user.js "user-backup-%ldt%.js" >nul
 		)
 		REN user.js.new user.js
 		CALL :message "Update complete."

updater.sh

@@ -2,12 +2,18 @@
 
 ## arkenfox user.js updater for macOS and Linux
 
-## version: 3.5
+## version: 4.0
 ## Author: Pat Johnson (@overdodactyl)
 ## Additional contributors: @earthlng, @ema-pe, @claustromaniac, @infinitewarp
 
 ## DON'T GO HIGHER THAN VERSION x.9 !! ( because of ASCII comparison in update_updater() )
 
+# Check if running as root
+if [ "${EUID:-"$(id -u)"}" -eq 0 ]; then
+	printf "You shouldn't run this with elevated privileges (such as with doas/sudo).\n"
+	exit 1
+fi
+
 readonly CURRDIR=$(pwd)
 
 SCRIPT_FILE=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
@@ -385,6 +391,17 @@ show_banner
 update_updater "$@"
 
 getProfilePath # updates PROFILE_PATH or exits on error
-cd "$PROFILE_PATH" && update_userjs
+cd "$PROFILE_PATH" || exit 1
+
+# Check if any files have the owner as root/wheel.
+if [ -n "$(find ./ -user 0)" ]; then
+	printf 'It looks like this script was previously run with elevated privileges,
+you will need to change ownership of the following files to your user:\n'
+	find . -user 0
+	cd "$CURRDIR"
+	exit 1
+fi
+
+update_userjs
 
 cd "$CURRDIR"

user.js

@@ -1,8 +1,9 @@
 /******
 *    name: arkenfox user.js
-*    date: 21 November 2022
+*    date: 5 February 2024
-* version: 107
+* version: 122
-*     url: https://github.com/arkenfox/user.js
+*    urls: https://github.com/arkenfox/user.js [repo]
+*        : https://arkenfox.github.io/gui/ [interactive]
 * license: MIT: https://github.com/arkenfox/user.js/blob/master/LICENSE.txt
 
 * README:
@@ -18,7 +19,6 @@
        * Some site breakage and unintended consequences will happen. Everyone's experience will differ
          e.g. some user data is erased on exit (section 2800), change this to suit your needs
        * While not 100% definitive, search for "[SETUP" tags
-         e.g. third party images/videos not loading on some sites? check 1601
   5. Some tag info
        [SETUP-SECURITY] it's one item, read it
             [SETUP-WEB] can cause some websites to break
@@ -27,42 +27,44 @@
 
 * RELEASES: https://github.com/arkenfox/user.js/releases
 
-  * It is best to use the arkenfox release that is optimized for and matches your Firefox version
+  * Use the arkenfox release that matches your Firefox version
-  * EVERYONE: each release
+    - DON'T wait for arkenfox to update Firefox, nothing major changes these days
-    - run prefsCleaner to reset prefs made inactive, including deprecated (9999s)
+  * Each release
-    ESR102
+    - run prefsCleaner to reset prefs made inactive, including deprecated (9999)
-    - If you are not using arkenfox v102-1... (not a definitive list)
+  * ESR
-      - 2815: clearOnShutdown cookies + offlineApps should be false
+    - It is recommended to not use the updater, or you will get a later version which may cause issues.
-      - 9999: switch the appropriate deprecated section(s) back on
+      So you should manually append your overrides (and keep a copy), and manually update when you
+      change ESR releases (arkenfox is already past that release)
+    - If you decide to keep updating, then the onus is on - also see section 9999
 
 * INDEX:
 
   0100: STARTUP
-  0200: GEOLOCATION / LANGUAGE / LOCALE
+  0200: GEOLOCATION
   0300: QUIETER FOX
   0400: SAFE BROWSING
   0600: BLOCK IMPLICIT OUTBOUND
-  0700: DNS / DoH / PROXY / SOCKS / IPv6
+  0700: DNS / DoH / PROXY / SOCKS
   0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS
   0900: PASSWORDS
   1000: DISK AVOIDANCE
   1200: HTTPS (SSL/TLS / OCSP / CERTS / HPKP)
-  1400: FONTS
+  1600: REFERERS
-  1600: HEADERS / REFERERS
   1700: CONTAINERS
   2000: PLUGINS / MEDIA / WEBRTC
   2400: DOM (DOCUMENT OBJECT MODEL)
   2600: MISCELLANEOUS
   2700: ETP (ENHANCED TRACKING PROTECTION)
   2800: SHUTDOWN & SANITIZING
-  4500: RFP (RESIST FINGERPRINTING)
+  4000: FPP (fingerprintingProtection)
+  4500: RFP (resistFingerprinting)
   5000: OPTIONAL OPSEC
   5500: OPTIONAL HARDENING
   6000: DON'T TOUCH
   7000: DON'T BOTHER
   8000: DON'T BOTHER: FINGERPRINTING
   9000: NON-PROJECT RELATED
-  9999: DEPRECATED / REMOVED / LEGACY / RENAMED
+  9999: DEPRECATED / RENAMED
 
 ******/
 
@@ -99,7 +101,7 @@ user_pref("browser.newtabpage.activity-stream.showSponsoredTopSites", false); //
  * [NOTE] This does not block you from adding your own ***/
 user_pref("browser.newtabpage.activity-stream.default.sites", "");
 
-/*** [SECTION 0200]: GEOLOCATION / LANGUAGE / LOCALE ***/
+/*** [SECTION 0200]: GEOLOCATION ***/
 user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
 /* 0201: use Mozilla geolocation service instead of Google if permission is granted [FF74+]
  * Optionally enable logging to the console (defaults to false) ***/
@@ -108,24 +110,8 @@ user_pref("geo.provider.network.url", "https://location.services.mozilla.com/v1/
 /* 0202: disable using the OS's geolocation service ***/
 user_pref("geo.provider.ms-windows-location", false); // [WINDOWS]
 user_pref("geo.provider.use_corelocation", false); // [MAC]
-user_pref("geo.provider.use_gpsd", false); // [LINUX]
+user_pref("geo.provider.use_gpsd", false); // [LINUX] [HIDDEN PREF]
 user_pref("geo.provider.use_geoclue", false); // [FF102+] [LINUX]
-/* 0203: disable region updates
- * [1] https://firefox-source-docs.mozilla.org/toolkit/modules/toolkit_modules/Region.html ***/
-user_pref("browser.region.update.enabled", false); // [FF79+]
-   // user_pref("browser.region.network.url", ""); // [FF78+] Defense-in-depth
-/* 0204: set search region
- * [NOTE] May not be hidden if Firefox has changed your settings due to your region (0203) ***/
-   // user_pref("browser.search.region", "US"); // [HIDDEN PREF]
-/* 0210: set preferred language for displaying pages
- * [SETTING] General>Language and Appearance>Language>Choose your preferred language...
- * [TEST] https://addons.mozilla.org/about ***/
-user_pref("intl.accept_languages", "en-US, en");
-/* 0211: use en-US locale regardless of the system or region locale
- * [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
- * [TEST] https://arkenfox.github.io/TZP/tests/formatting.html
- * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630 ***/
-user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
 
 /*** [SECTION 0300]: QUIETER FOX ***/
 user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
@@ -139,6 +125,9 @@ user_pref("extensions.htmlaboutaddons.recommendations.enabled", false);
  * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to make personalized extension recommendations
  * [1] https://support.mozilla.org/kb/personalized-extension-recommendations ***/
 user_pref("browser.discovery.enabled", false);
+/* 0323: disable shopping experience [FF116+]
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1840156#c0 ***/
+user_pref("browser.shopping.experience2023.enabled", false); // [DEFAULT: false]
 
 /** TELEMETRY ***/
 /* 0330: disable new data submission [FF41+]
@@ -263,19 +252,8 @@ user_pref("browser.places.speculativeConnect.enabled", false);
  * [1] https://www.bleepingcomputer.com/news/software/major-browsers-to-prevent-disabling-of-click-tracking-privacy-risk/ ***/
    // user_pref("browser.send_pings", false); // [DEFAULT: false]
 
-/*** [SECTION 0700]: DNS / DoH / PROXY / SOCKS / IPv6 ***/
+/*** [SECTION 0700]: DNS / DoH / PROXY / SOCKS ***/
 user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
-/* 0701: disable IPv6
- * IPv6 can be abused, especially with MAC addresses, and can leak with VPNs: assuming
- * your ISP and/or router and/or website is IPv6 capable. Most sites will fall back to IPv4
- * [STATS] Firefox telemetry (Sept 2022) shows ~8% of successful connections are IPv6
- * [NOTE] This is an application level fallback. Disabling IPv6 is best done at an
- * OS/network level, and/or configured properly in VPN setups. If you are not masking your IP,
- * then this won't make much difference. If you are masking your IP, then it can only help.
- * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
- * [TEST] https://ipleak.org/
- * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
-user_pref("network.dns.disableIPv6", true);
 /* 0702: set the proxy server to do any DNS lookups when using SOCKS
  * e.g. in Tor, this stops your local DNS server from knowing your Tor destination
  * as a remote Tor node will handle the DNS request
@@ -283,15 +261,15 @@ user_pref("network.dns.disableIPv6", true);
 user_pref("network.proxy.socks_remote_dns", true);
 /* 0703: disable using UNC (Uniform Naming Convention) paths [FF61+]
  * [SETUP-CHROME] Can break extensions for profiles on network shares
- * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26424 ***/
+ * [1] https://bugzilla.mozilla.org/1413868 ***/
 user_pref("network.file.disable_unc_paths", true); // [HIDDEN PREF]
 /* 0704: disable GIO as a potential proxy bypass vector
  * Gvfs/GIO has a set of supported protocols like obex, network, archive, computer,
- * dav, cdda, gphoto2, trash, etc. By default only sftp is accepted (FF87+)
+ * dav, cdda, gphoto2, trash, etc. From FF87-117, by default only sftp was accepted
  * [1] https://bugzilla.mozilla.org/1433507
  * [2] https://en.wikipedia.org/wiki/GVfs
  * [3] https://en.wikipedia.org/wiki/GIO_(software) ***/
-user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
+user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF] [DEFAULT: "" FF118+]
 /* 0705: disable proxy direct failover for system requests [FF91+]
  * [WARNING] Default true is a security feature against malicious extensions [1]
  * [SETUP-CHROME] If you use a proxy and you trust your extensions
@@ -302,55 +280,49 @@ user_pref("network.gio.supported-protocols", ""); // [HIDDEN PREF]
  * [WARNING] If false, this will break the fallback for some security features
  * [SETUP-CHROME] If you use a proxy and you understand the security impact
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1732792,1733994,1733481 ***/
-   // user_pref("network.proxy.allow_bypass", false); // [HIDDEN PREF FF95-96]
+   // user_pref("network.proxy.allow_bypass", false);
-/* 0710: disable DNS-over-HTTPS (DoH) rollout [FF60+]
+/* 0710: enable DNS-over-HTTPS (DoH) [FF60+]
- * 0=off by default, 2=TRR (Trusted Recursive Resolver) first, 3=TRR only, 5=explicitly off
+ * 0=default, 2=increased (TRR (Trusted Recursive Resolver) first), 3=max (TRR only), 5=off (no rollout)
  * see "doh-rollout.home-region": USA 2019, Canada 2021, Russia/Ukraine 2022 [3]
+ * [SETTING] Privacy & Security>DNS over HTTPS
  * [1] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/
  * [2] https://wiki.mozilla.org/Security/DOH-resolver-policy
  * [3] https://support.mozilla.org/en-US/kb/firefox-dns-over-https
  * [4] https://www.eff.org/deeplinks/2020/12/dns-doh-and-odoh-oh-my-year-review-2020 ***/
-   // user_pref("network.trr.mode", 5);
+   // user_pref("network.trr.mode", 3);
+/* 0712: set DoH provider
+ * The custom uri is the value shown when you "Choose provider>Custom>"
+ * [NOTE] If you USE custom then "network.trr.uri" should be set the same
+ * [SETTING] Privacy & Security>DNS over HTTPS>Increased/Max>Choose provider ***/
+   // user_pref("network.trr.uri", "https://example.dns");
+   // user_pref("network.trr.custom_uri", "https://example.dns");
 
 /*** [SECTION 0800]: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS ***/
 user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
-/* 0801: disable location bar using search
+/* 0801: disable location bar making speculative connections [FF56+]
- * Don't leak URL typos to a search engine, give an error message instead
+ * [1] https://bugzilla.mozilla.org/1348275 ***/
- * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com"
+user_pref("browser.urlbar.speculativeConnect.enabled", false);
- * [NOTE] This does not affect explicit user action such as using search buttons in the
+/* 0802: disable location bar contextual suggestions
- * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo)
+ * [SETTING] Privacy & Security>Address Bar>Suggestions from...
- * [SETUP-CHROME] Override this if you trust and use a privacy respecting search engine ***/
+ * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/
-user_pref("keyword.enabled", false);
+user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+]
-/* 0802: disable location bar domain guessing
+user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false); // [FF92+]
- * domain guessing intercepts DNS "hostname not found errors" and resends a
+/* 0803: disable live search suggestions
- * request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work
- * via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
- * as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
- * intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
- * and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
-user_pref("browser.fixup.alternate.enabled", false); // [DEFAULT: false FF104+]
-/* 0804: disable live search suggestions
  * [NOTE] Both must be true for the location bar to work
  * [SETUP-CHROME] Override these if you trust and use a privacy respecting search engine
  * [SETTING] Search>Provide search suggestions | Show search suggestions in address bar results ***/
 user_pref("browser.search.suggest.enabled", false);
 user_pref("browser.urlbar.suggest.searches", false);
-/* 0805: disable location bar making speculative connections [FF56+]
+/* 0805: disable urlbar trending search suggestions [FF118+]
- * [1] https://bugzilla.mozilla.org/1348275 ***/
+ * [SETTING] Search>Search Suggestions>Show trending search suggestions (FF119) ***/
-user_pref("browser.urlbar.speculativeConnect.enabled", false);
+user_pref("browser.urlbar.trending.featureGate", false);
-/* 0806: disable location bar leaking single words to a DNS provider **after searching** [FF78+]
+/* 0806: disable urlbar suggestions ***/
- * 0=never resolve, 1=use heuristics, 2=always resolve
+user_pref("browser.urlbar.addons.featureGate", false); // [FF115+]
- * [1] https://bugzilla.mozilla.org/1642623 ***/
+user_pref("browser.urlbar.mdn.featureGate", false); // [FF117+] [HIDDEN PREF]
-user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", 0); // [DEFAULT: 0 FF104+]
+user_pref("browser.urlbar.pocket.featureGate", false); // [FF116+] [DEFAULT: false]
-/* 0807: disable location bar contextual suggestions [FF92+]
+user_pref("browser.urlbar.weather.featureGate", false); // [FF108+] [DEFAULT: false]
- * [SETTING] Privacy & Security>Address Bar>Suggestions from...
+/* 0807: disable urlbar clipboard suggestions [FF118+] ***/
- * [1] https://blog.mozilla.org/data/2021/09/15/data-and-firefox-suggest/ ***/
+   // user_pref("browser.urlbar.clipboard.featureGate", false); // [DEFAULT: false]
-user_pref("browser.urlbar.suggest.quicksuggest.nonsponsored", false); // [FF95+]
-user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
-/* 0808: disable tab-to-search [FF85+]
- * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
- * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
-   // user_pref("browser.urlbar.suggest.engines", false);
 /* 0810: disable search and form history
  * [SETUP-WEB] Be aware that autocomplete form data can be read by third parties [1][2]
  * [NOTE] We also clear formdata on exit (2811)
@@ -358,6 +330,10 @@ user_pref("browser.urlbar.suggest.quicksuggest.sponsored", false);
  * [1] https://blog.mindedsecurity.com/2011/10/autocompleteagain.html
  * [2] https://bugzilla.mozilla.org/381681 ***/
 user_pref("browser.formfill.enable", false);
+/* 0815: disable tab-to-search [FF85+]
+ * Alternatively, you can exclude on a per-engine basis by unchecking them in Options>Search
+ * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest>Search engines ***/
+   // user_pref("browser.urlbar.suggest.engines", false);
 /* 0820: disable coloring of visited links
  * [SETUP-HARDEN] Bulk rapid history sniffing was mitigated in 2010 [1][2]. Slower and more expensive
  * redraw timing attacks were largely mitigated in FF77+ [3]. Using RFP (4501) further hampers timing
@@ -369,6 +345,10 @@ user_pref("browser.formfill.enable", false);
  * [4] https://earthlng.github.io/testpages/visited_links.html (see github wiki APPENDIX A on how to use)
  * [5] https://lcamtuf.blogspot.com/2016/08/css-mix-blend-mode-is-bad-for-keeping.html ***/
    // user_pref("layout.css.visited_links_enabled", false);
+/* 0830: enable separate default search engine in Private Windows and its UI setting
+ * [SETTING] Search>Default Search Engine>Choose a different default search engine for Private Windows only ***/
+user_pref("browser.search.separatePrivateDefault", true); // [FF70+]
+user_pref("browser.search.separatePrivateDefault.ui.enabled", true); // [FF71+]
 
 /*** [SECTION 0900]: PASSWORDS
    [1] https://support.mozilla.org/kb/use-primary-password-protect-stored-logins-and-pas
@@ -411,7 +391,7 @@ user_pref("browser.sessionstore.privacy_level", 2);
 /* 1005: disable automatic Firefox start and session restore after reboot [FF62+] [WINDOWS]
  * [1] https://bugzilla.mozilla.org/603903 ***/
 user_pref("toolkit.winRegisterApplicationRestart", false);
-/* 1006: disable favicons in shortcuts
+/* 1006: disable favicons in shortcuts [WINDOWS]
  * URL shortcuts use a cached randomly named .ico file which is stored in your
  * profile/shortcutCache directory. The .ico remains after the shortcut is deleted
  * If set to false then the shortcuts use a generic Firefox icon ***/
@@ -432,7 +412,7 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
  * but the problem is that the browser can't know that. Setting this pref to true is the only way for the
  * browser to ensure there will be no unsafe renegotiations on the channel between the browser and the server
  * [SETUP-WEB] SSL_ERROR_UNSAFE_NEGOTIATION: is it worth overriding this for that one site?
- * [STATS] SSL Labs (Sept 2022) reports over 99.3% of top sites have secure renegotiation [4]
+ * [STATS] SSL Labs (Nov 2023) reports over 99.5% of top sites have secure renegotiation [4]
  * [1] https://wiki.mozilla.org/Security:Renegotiation
  * [2] https://datatracker.ietf.org/doc/html/rfc5746
  * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
@@ -469,22 +449,15 @@ user_pref("security.OCSP.enabled", 1); // [DEFAULT: 1]
 user_pref("security.OCSP.require", true);
 
 /** CERTS / HPKP (HTTP Public Key Pinning) ***/
-/* 1221: disable Windows 8.1's Microsoft Family Safety cert [FF50+] [WINDOWS]
- * 0=disable detecting Family Safety mode and importing the root
- * 1=only attempt to detect Family Safety mode (don't import the root)
- * 2=detect Family Safety mode and import the root
- * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686 ***/
-user_pref("security.family_safety.mode", 0);
 /* 1223: enable strict PKP (Public Key Pinning)
  * 0=disabled, 1=allow user MiTM (default; such as your antivirus), 2=strict
- * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE: If you rely on an AV (antivirus) to protect
+ * [SETUP-WEB] MOZILLA_PKIX_ERROR_KEY_PINNING_FAILURE ***/
- * your web browsing by inspecting ALL your web traffic, then override to current default ***/
 user_pref("security.cert_pinning.enforcement_level", 2);
 /* 1224: enable CRLite [FF73+]
  * 0 = disabled
  * 1 = consult CRLite but only collect telemetry
  * 2 = consult CRLite and enforce both "Revoked" and "Not Revoked" results
- * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (FF99+, default FF100+)
+ * 3 = consult CRLite and enforce "Not Revoked" results, but defer to OCSP for "Revoked" (default)
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1429800,1670985,1753071
  * [2] https://blog.mozilla.org/security/tag/crlite/ ***/
 user_pref("security.remote_settings.crlite_filters.enabled", true);
@@ -493,12 +466,12 @@ user_pref("security.pki.crlite_mode", 2);
 /** MIXED CONTENT ***/
 /* 1241: disable insecure passive content (such as images) on https pages ***/
    // user_pref("security.mixed_content.block_display_content", true); // Defense-in-depth (see 1244)
-/* 1244: enable HTTPS-Only mode in all windows [FF76+]
+/* 1244: enable HTTPS-Only mode in all windows
  * When the top-level is HTTPS, insecure subresources are also upgraded (silent fail)
  * [SETTING] to add site exceptions: Padlock>HTTPS-Only mode>On (after "Continue to HTTP Site")
  * [SETTING] Privacy & Security>HTTPS-Only Mode (and manage exceptions)
  * [TEST] http://example.com [upgrade]
- * [TEST] http://httpforever.com/ [no upgrade] ***/
+ * [TEST] http://httpforever.com/ | http://http.rip [no upgrade] ***/
 user_pref("dom.security.https_only_mode", true); // [FF76+]
    // user_pref("dom.security.https_only_mode_pbm", true); // [FF80+]
 /* 1245: enable HTTPS-Only mode for local resources [FF77+] ***/
@@ -522,30 +495,13 @@ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
  * [TEST] https://expired.badssl.com/ ***/
 user_pref("browser.xul.error_pages.expert_bad_cert", true);
 
-/*** [SECTION 1400]: FONTS ***/
+/*** [SECTION 1600]: REFERERS
-user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
-/* 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
- * Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
- * In normal windows: uses the first applicable: RFP (4506) over TP over Standard
- * In Private Browsing windows: uses the most restrictive between normal and private
- * 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
- * [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc ***/
-   // user_pref("layout.css.font-visibility.private", 1);
-   // user_pref("layout.css.font-visibility.standard", 1);
-   // user_pref("layout.css.font-visibility.trackingprotection", 1);
-
-/*** [SECTION 1600]: HEADERS / REFERERS
                   full URI: https://example.com:8888/foo/bar.html?id=1234
      scheme+host+port+path: https://example.com:8888/foo/bar.html
           scheme+host+port: https://example.com:8888
    [1] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/
 ***/
 user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
-/* 1601: control when to send a cross-origin referer
- * 0=always (default), 1=only if base domains match, 2=only if hosts match
- * [SETUP-WEB] Breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram
- * If "2" is too strict, then override to "0" and use Smart Referer extension (Strict mode + add exceptions) ***/
-user_pref("network.http.referer.XOriginPolicy", 2);
 /* 1602: control the amount of cross-origin information to send [FF52+]
  * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
 user_pref("network.http.referer.XOriginTrimmingPolicy", 2);
@@ -564,15 +520,6 @@ user_pref("privacy.userContext.ui.enabled", true);
 
 /*** [SECTION 2000]: PLUGINS / MEDIA / WEBRTC ***/
 user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
-/* 2001: disable WebRTC (Web Real-Time Communication)
- * Firefox uses mDNS hostname obfuscation on desktop (except Windows7/8) and the
- * private IP is NEVER exposed, except if required in TRUSTED scenarios; i.e. after
- * you grant device (microphone or camera) access
- * [SETUP-HARDEN] Test first. Windows7/8 users only: behind a proxy who never use WebRTC
- * [TEST] https://browserleaks.com/webrtc
- * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ
- * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/
-   // user_pref("media.peerconnection.enabled", false);
 /* 2002: force WebRTC inside the proxy [FF70+] ***/
 user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true);
 /* 2003: force a single network interface for ICE candidates generation [FF42+]
@@ -587,47 +534,24 @@ user_pref("media.peerconnection.ice.default_address_only", true);
 /* 2020: disable GMP (Gecko Media Plugins)
  * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
    // user_pref("media.gmp-provider.enabled", false);
-/* 2021: disable widevine CDM (Content Decryption Module)
- * [NOTE] This is covered by the EME master switch (2022) ***/
-   // user_pref("media.gmp-widevinecdm.enabled", false);
-/* 2022: disable all DRM content (EME: Encryption Media Extension)
- * Optionally hide the setting which also disables the DRM prompt
- * [SETUP-WEB] e.g. Netflix, Amazon Prime, Hulu, HBO, Disney+, Showtime, Starz, DirectTV
- * [SETTING] General>DRM Content>Play DRM-controlled content
- * [TEST] https://bitmovin.com/demos/drm
- * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
-user_pref("media.eme.enabled", false);
-   // user_pref("browser.eme.ui.enabled", false);
 
 /*** [SECTION 2400]: DOM (DOCUMENT OBJECT MODEL) ***/
 user_pref("_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
 /* 2402: prevent scripts from moving and resizing open windows ***/
 user_pref("dom.disable_window_move_resize", true);
-/* 2404: limit events that can cause a popup [SETUP-WEB] ***/
-user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
 
 /*** [SECTION 2600]: MISCELLANEOUS ***/
 user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
-/* 2601: prevent accessibility services from accessing your browser [RESTART]
+/* 2603: remove temp files opened from non-PB windows with an external application
- * [1] https://support.mozilla.org/kb/accessibility-services ***/
+ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=302433,1738574 ***/
-user_pref("accessibility.force_disabled", 1);
+user_pref("browser.download.start_downloads_in_tmp_dir", true); // [FF102+]
-/* 2602: disable sending additional analytics to web servers
- * [1] https://developer.mozilla.org/docs/Web/API/Navigator/sendBeacon ***/
-user_pref("beacon.enabled", false);
-/* 2603: remove temp files opened with an external application
- * [1] https://bugzilla.mozilla.org/302433 ***/
 user_pref("browser.helperApps.deleteTempFileOnExit", true);
-/* 2604: disable page thumbnail collection ***/
-user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
 /* 2606: disable UITour backend so there is no chance that a remote page can use it ***/
 user_pref("browser.uitour.enabled", false);
    // user_pref("browser.uitour.url", ""); // Defense-in-depth
 /* 2608: reset remote debugging to disabled
  * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/16222 ***/
 user_pref("devtools.debugger.remote-enabled", false); // [DEFAULT: false]
-/* 2611: disable middle mouse click opening links from clipboard
- * [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/10089 ***/
-user_pref("middlemouse.contentLoadURL", false);
 /* 2615: disable websites overriding Firefox's keyboard shortcuts [FF58+]
  * 0 (default) or 1=allow, 2=block
  * [SETTING] to add site exceptions: Ctrl+I>Permissions>Override Keyboard Shortcuts ***/
@@ -657,14 +581,8 @@ user_pref("network.IDN_show_punycode", true);
  * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=pdf.js+firefox ***/
 user_pref("pdfjs.disabled", false); // [DEFAULT: false]
 user_pref("pdfjs.enableScripting", false); // [FF86+]
-/* 2621: disable links launching Windows Store on Windows 8/8.1/10 [WINDOWS] ***/
+/* 2624: disable middle click on new tab button opening URLs or searches using clipboard [FF115+] */
-user_pref("network.protocol-handler.external.ms-windows-store", false);
+user_pref("browser.tabs.searchclipboardfor.middleclick", false); // [DEFAULT: false NON-LINUX]
-/* 2623: disable permissions delegation [FF73+]
- * Currently applies to cross-origin geolocation, camera, mic and screen-sharing
- * permissions, and fullscreen requests. Disabling delegation means any prompts
- * for these will show/use their correct 3rd party origin
- * [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion ***/
-user_pref("permissions.delegation.enabled", false);
 
 /** DOWNLOADS ***/
 /* 2651: enable user interaction for security by always asking where to download
@@ -680,13 +598,13 @@ user_pref("browser.download.manager.addToRecentDocs", false);
 user_pref("browser.download.always_ask_before_handling_new_types", true);
 
 /** EXTENSIONS ***/
-/* 2660: lock down allowed extension directories
+/* 2660: limit allowed extension directories
- * [SETUP-CHROME] This will break extensions, language packs, themes and any other
+ * 1=profile, 2=user, 4=application, 8=system, 16=temporary, 31=all
- * XPI files which are installed outside of profile and application directories
+ * The pref value represents the sum: e.g. 5 would be profile and application directories
- * [1] https://mike.kaply.com/2012/02/21/understanding-add-on-scopes/
+ * [SETUP-CHROME] Breaks usage of files which are installed outside allowed directories
- * [1] https://archive.is/DYjAM (archived) ***/
+ * [1] https://archive.is/DYjAM ***/
 user_pref("extensions.enabledScopes", 5); // [HIDDEN PREF]
-user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
+   // user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
 /* 2661: disable bypassing 3rd party extension install prompts [FF82+]
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1659530,1681331 ***/
 user_pref("extensions.postDownloadThirdPartyPrompt", false);
@@ -703,7 +621,7 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin
  * [1] https://blog.mozilla.org/security/2021/02/23/total-cookie-protection/
  * [SETTING] to add site exceptions: Urlbar>ETP Shield
  * [SETTING] to manage site exceptions: Options>Privacy & Security>Enhanced Tracking Protection>Manage Exceptions ***/
-user_pref("browser.contentblocking.category", "strict");
+user_pref("browser.contentblocking.category", "strict"); // [HIDDEN PREF]
 /* 2702: disable ETP web compat features [FF93+]
  * [SETUP-HARDEN] Includes skip lists, heuristics (SmartBlock) and automatic grants
  * Opener and redirect heuristics are granted for 30 days, see [3]
@@ -711,11 +629,6 @@ user_pref("browser.contentblocking.category", "strict");
  * [2] https://hg.mozilla.org/mozilla-central/rev/e5483fd469ab#l4.12
  * [3] https://developer.mozilla.org/en-US/docs/Web/Privacy/State_Partitioning#storage_access_heuristics ***/
    // user_pref("privacy.antitracking.enableWebcompat", false);
-/* 2710: enable state partitioning of service workers [FF96+] ***/
-user_pref("privacy.partition.serviceWorkers", true); // [DEFAULT: true FF105+]
-/* 2720: enable APS (Always Partitioning Storage) ***/
-user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", true); // [FF104+] [DEFAULT: true FF109+}
-user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", false); // [FF105+] [DEFAULT: false FF109+]
 
 /*** [SECTION 2800]: SHUTDOWN & SANITIZING ***/
 user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
@@ -750,10 +663,6 @@ user_pref("privacy.clearOnShutdown.sessions", true);  // [DEFAULT: true]
  * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Settings ***/
 user_pref("privacy.clearOnShutdown.cookies", true); // Cookies
 user_pref("privacy.clearOnShutdown.offlineApps", true); // Site Data
-/* 2816: set cache to clear on exit [FF96+]
- * [NOTE] We already disable disk cache (1001) and clear on exit (2811) which is more robust
- * [1] https://bugzilla.mozilla.org/1671182 ***/
-   // user_pref("privacy.clearsitedata.cache.enabled", true);
 
 /** SANITIZE MANUAL: IGNORES "ALLOW" SITE EXCEPTIONS ***/
 /* 2820: reset default items to clear with Ctrl-Shift-Del [SETUP-CHROME]
@@ -778,21 +687,44 @@ user_pref("privacy.cpd.cookies", false);
  * which will display a blank value, and are not guaranteed to work ***/
 user_pref("privacy.sanitize.timeSpan", 0);
 
-/*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
+/*** [SECTION 4000]: FPP (fingerprintingProtection)
-   RFP covers a wide range of ongoing fingerprinting solutions.
+   RFP (4501) overrides FPP
+
+   In FF118+ FPP is on by default in private windows (4001) and in FF119+ is controlled
+   by ETP (2701). FPP will also use Remote Services in future to relax FPP protections
+   on a per site basis for compatibility (pref coming).
+
+   1826408 - restrict fonts to system (kBaseFonts + kLangPackFonts) (Windows, Mac, some Linux)
+      https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
+   1858181 - subtly randomize canvas per eTLD+1, per session and per window-mode (FF120+)
+***/
+user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
+/* 4001: enable FPP in PB mode [FF114+]
+ * [NOTE] In FF119+, FPP for all modes (7106) is enabled with ETP Strict (2701) ***/
+   // user_pref("privacy.fingerprintingProtection.pbmode", true); // [DEFAULT: true FF118+]
+/* 4002: set global FPP overrides [FF114+]
+ * Controls what protections FPP uses globally, including "RFPTargets" (despite the name these are
+ * not used by RFP) e.g. "+AllTargets,-CSSPrefersColorScheme" or "-AllTargets,+CanvasRandomization"
+ * [NOTE] Be aware that not all RFP protections are necessarily in RFPTargets
+ * [WARNING] Not recommended. Either use RFP or FPP at defaults
+ * [1] https://searchfox.org/mozilla-central/source/toolkit/components/resistfingerprinting/RFPTargets.inc ***/
+   // user_pref("privacy.fingerprintingProtection.overrides", "");
+
+/*** [SECTION 4500]: RFP (resistFingerprinting)
+   RFP overrides FPP (4000)
+
    It is an all-or-nothing buy in: you cannot pick and choose what parts you want
+   [TEST] https://arkenfox.github.io/TZP/tzp.html
 
    [WARNING] DO NOT USE extensions to alter RFP protected metrics
 
     418986 - limit window.screen & CSS media queries (FF41)
-      [TEST] https://arkenfox.github.io/TZP/tzp.html#screen
    1281949 - spoof screen orientation (FF50)
    1330890 - spoof timezone as UTC0 (FF55)
    1360039 - spoof navigator.hardwareConcurrency as 2 (FF55)
  FF56
-   1369303 - spoof/disable performance API
    1333651 - spoof User Agent & Navigator API
-      version: android version spoofed as ESR
+      version: android version spoofed as ESR (FF119 or lower)
       OS: JS spoofed as Windows 10, OS 10.15, Android 10, or Linux | HTTP Headers spoofed as Windows or Android
    1369319 - disable device sensor API
    1369357 - disable site specific zoom
@@ -803,7 +735,6 @@ user_pref("privacy.sanitize.timeSpan", 0);
    1369309 - spoof media statistics
    1382499 - reduce screen co-ordinate fingerprinting in Touch API
    1217290 & 1409677 - enable some fingerprinting resistance for WebGL
-   1382545 - reduce fingerprinting in Animation API
    1354633 - limit MediaError.message to a whitelist
  FF58+
    1372073 - spoof/block fingerprinting in MediaDevices API (FF59)
@@ -824,18 +755,23 @@ user_pref("privacy.sanitize.timeSpan", 0);
    1595823 - return audioContext sampleRate as 44100 (FF72)
    1607316 - spoof pointer as coarse and hover as none (ANDROID) (FF74)
    1621433 - randomize canvas (previously FF58+ returned an all-white canvas) (FF78)
+   1506364 - return "no-preference" with prefers-contrast (FF80)
    1653987 - limit font visibility to bundled and "Base Fonts" (Windows, Mac, some Linux) (FF80)
    1461454 - spoof smooth=true and powerEfficient=false for supported media in MediaCapabilities (FF82)
     531915 - use fdlibm's sin, cos and tan in jsmath (FF93, ESR91.1)
-   1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100)
+   1756280 - enforce navigator.pdfViewerEnabled as true and plugins/mimeTypes as hard-coded values (FF100-115)
    1692609 - reduce JS timing precision to 16.67ms (previously FF55+ was 100ms) (FF102)
+   1422237 - return "srgb" with color-gamut (FF110)
+   1794628 - return "none" with inverted-colors (FF114)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
-/* 4501: enable privacy.resistFingerprinting [FF41+]
+/* 4501: enable RFP
- * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a site exception via the urlbar
+ * [SETUP-WEB] RFP can cause some website breakage: mainly canvas, use a canvas site exception via the urlbar.
- * RFP also has a few side effects: mainly timezone is UTC0, and websites will prefer light theme
+ * RFP also has a few side effects: mainly timezone is UTC, and websites will prefer light theme
+ * [NOTE] pbmode applies if true and the original pref is false
  * [1] https://bugzilla.mozilla.org/418986 ***/
-user_pref("privacy.resistFingerprinting", true);
+user_pref("privacy.resistFingerprinting", true); // [FF41+]
+   // user_pref("privacy.resistFingerprinting.pbmode", true); // [FF114+]
 /* 4502: set new window size rounding max values [FF55+]
  * [SETUP-CHROME] sizes round down in hundreds: width to 200s and height to 100s, to fit your screen
  * [1] https://bugzilla.mozilla.org/1330882 ***/
@@ -844,7 +780,7 @@ user_pref("privacy.window.maxInnerHeight", 900);
 /* 4503: disable mozAddonManager Web API [FF57+]
  * [NOTE] To allow extensions to work on AMO, you also need 2662
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
-user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // [HIDDEN PREF]
+user_pref("privacy.resistFingerprinting.block_mozAddonManager", true);
 /* 4504: enable RFP letterboxing [FF67+]
  * Dynamically resizes the inner window by applying margins in stepped ranges [2]
  * If you use the dimension pref, then it will only apply those resolutions.
@@ -860,13 +796,6 @@ user_pref("privacy.resistFingerprinting.letterboxing", true); // [HIDDEN PREF]
  * [WARNING] DO NOT USE unless testing, see [1] comment 12
  * [1] https://bugzilla.mozilla.org/1635603 ***/
    // user_pref("privacy.resistFingerprinting.exemptedDomains", "*.example.invalid");
-   // user_pref("privacy.resistFingerprinting.testGranularityMask", 0);
-/* 4506: set RFP's font visibility level (1402) [FF94+] ***/
-   // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
-/* 4507: disable showing about:blank as soon as possible during startup [FF60+]
- * When default true this no longer masks the RFP chrome resizing activity
- * [1] https://bugzilla.mozilla.org/1448423 ***/
-user_pref("browser.startup.blankWindow", false);
 /* 4510: disable using system colors
  * [SETTING] General>Language and Appearance>Fonts and Colors>Colors>Use system colors ***/
 user_pref("browser.display.use_system_colors", false); // [DEFAULT: false NON-WINDOWS]
@@ -901,7 +830,7 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
  * caches, searches, cookies, localStorage, IndexedDB etc (which you can achieve in normal mode).
  * In fact, PB mode limits or removes the ability to control some of these, and you need to quit
  * Firefox to clear them. PB is best used as a one off window (Menu>New Private Window) to provide
- * a temporary self-contained new session. Close all Private Windows to clear the PB mode session.
+ * a temporary self-contained new session. Close all private windows to clear the PB session.
  * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode
  * [1] https://wiki.mozilla.org/Private_Browsing
  * [2] https://support.mozilla.org/kb/common-myths-about-private-browsing ***/
@@ -958,21 +887,29 @@ user_pref("_user.js.parrot", "5000 syntax error: the parrot's taken 'is last bow
    // user_pref("browser.taskbar.lists.frequent.enabled", false);
    // user_pref("browser.taskbar.lists.recent.enabled", false);
    // user_pref("browser.taskbar.lists.tasks.enabled", false);
-/* 5015: disable Windows taskbar preview [WINDOWS] ***/
-   // user_pref("browser.taskbar.previews.enable", false); // [DEFAULT: false]
 /* 5016: discourage downloading to desktop
- * 0=desktop, 1=downloads (default), 2=last used
+ * 0=desktop, 1=downloads (default), 2=custom
- * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
+ * [SETTING] To set your custom default "downloads": General>Downloads>Save files to ***/
    // user_pref("browser.download.folderList", 2);
 /* 5017: disable Form Autofill
  * If .supportedCountries includes your region (browser.search.region) and .supported
  * is "detect" (default), then the UI will show. Stored data is not secure, uses JSON
- * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
  * [SETTING] Privacy & Security>Forms and Autofill>Autofill addresses
  * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/
    // user_pref("extensions.formautofill.addresses.enabled", false); // [FF55+]
    // user_pref("extensions.formautofill.creditCards.enabled", false); // [FF56+]
-   // user_pref("extensions.formautofill.heuristics.enabled", false); // [FF55+]
+/* 5018: limit events that can cause a pop-up ***/
+   // user_pref("dom.popup_allowed_events", "click dblclick mousedown pointerdown");
+/* 5019: disable page thumbnail collection ***/
+   // user_pref("browser.pagethumbnails.capturing_disabled", true); // [HIDDEN PREF]
+/* 5020: disable Windows native notifications and use app notications instead [FF111+] [WINDOWS] ***/
+   // user_pref("alerts.useSystemBackend.windows.notificationserver.enabled", false);
+/* 5021: disable location bar using search
+ * Don't leak URL typos to a search engine, give an error message instead
+ * Examples: "secretplace,com", "secretplace/com", "secretplace com", "secret place.com"
+ * [NOTE] This does not affect explicit user action such as using search buttons in the
+ * dropdown, or using keyword search shortcuts you configure in options (e.g. "d" for DuckDuckGo) ***/
+   // user_pref("keyword.enabled", false);
 
 /*** [SECTION 5500]: OPTIONAL HARDENING
    Not recommended. Overriding these can cause breakage and performance issues,
@@ -1006,13 +943,37 @@ user_pref("_user.js.parrot", "5500 syntax error: this is an ex-parrot!");
  * Vulnerabilities [1] have increasingly been found, including those known and fixed
  * in native programs years ago [2]. WASM has powerful low-level access, making
  * certain attacks (brute-force) and vulnerabilities more possible
- * [STATS] ~0.2% of websites, about half of which are for crytopmining / malvertising [2][3]
+ * [STATS] ~0.2% of websites, about half of which are for cryptomining / malvertising [2][3]
  * [1] https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=wasm
  * [2] https://spectrum.ieee.org/tech-talk/telecom/security/more-worries-over-the-security-of-web-assembly
  * [3] https://www.zdnet.com/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes ***/
    // user_pref("javascript.options.wasm", false);
 /* 5507: disable rendering of SVG OpenType fonts ***/
    // user_pref("gfx.font_rendering.opentype_svg.enabled", false);
+/* 5508: disable all DRM content (EME: Encryption Media Extension)
+ * Optionally hide the UI setting which also disables the DRM prompt
+ * [SETTING] General>DRM Content>Play DRM-controlled content
+ * [TEST] https://bitmovin.com/demos/drm
+ * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
+   // user_pref("media.eme.enabled", false);
+   // user_pref("browser.eme.ui.enabled", false);
+/* 5509: disable IPv6 if using a VPN
+ * This is an application level fallback. Disabling IPv6 is best done at an OS/network
+ * level, and/or configured properly in system wide VPN setups.
+ * [SETUP-WEB] PR_CONNECT_RESET_ERROR
+ * [NOTE] PHP defaults to IPv6 with "localhost". Use "php -S 127.0.0.1:PORT"
+ * [TEST] https://ipleak.org/
+ * [1] https://www.internetsociety.org/tag/ipv6-security/ (Myths 2,4,5,6) ***/
+   // user_pref("network.dns.disableIPv6", true);
+/* 5510: control when to send a cross-origin referer
+ * 0=always (default), 1=only if base domains match, 2=only if hosts match
+ * [NOTE] Will cause breakage: older modems/routers and some sites e.g banks, vimeo, icloud, instagram ***/
+   // user_pref("network.http.referer.XOriginPolicy", 2);
+/* 5511: set DoH bootstrap address [FF89+]
+ * Firefox uses the system DNS to initially resolve the IP address of your DoH server.
+ * When set to a valid, working value that matches your "network.trr.uri" (0712) Firefox
+ * won't use the system DNS. If the IP doesn't match then DoH won't work ***/
+   // user_pref("network.trr.bootstrapAddr", "10.0.0.1"); // [HIDDEN PREF]
 
 /*** [SECTION 6000]: DON'T TOUCH ***/
 user_pref("_user.js.parrot", "6000 syntax error: the parrot's 'istory!");
@@ -1027,43 +988,38 @@ user_pref("network.http.referer.spoofSource", false); // [DEFAULT: false]
  * [1] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
 user_pref("security.dialog_enable_delay", 1000); // [DEFAULT: 1000]
 /* 6008: enforce no First Party Isolation [FF51+]
- * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701),
+ * [WARNING] Replaced with network partitioning (FF85+) and TCP (2701), and enabling FPI
- * and enabling FPI disables those. FPI is no longer maintained ***/
+ * disables those. FPI is no longer maintained except at Tor Project for Tor Browser's config ***/
 user_pref("privacy.firstparty.isolate", false); // [DEFAULT: false]
-/* 6009: enforce SmartBlock shims [FF81+]
+/* 6009: enforce SmartBlock shims (about:compat) [FF81+]
- * In FF96+ these are listed in about:compat
  * [1] https://blog.mozilla.org/security/2021/03/23/introducing-smartblock/ ***/
-user_pref("extensions.webcompat.enable_shims", true); // [DEFAULT: true]
+user_pref("extensions.webcompat.enable_shims", true); // [HIDDEN PREF] [DEFAULT: true]
-/* 6010: enforce/reset TLS 1.0/1.1 downgrades to session only
+/* 6010: enforce no TLS 1.0/1.1 downgrades
- * [NOTE] In FF97+ the TLS 1.0/1.1 downgrade UX was removed
  * [TEST] https://tls-v1-1.badssl.com:1010/ ***/
 user_pref("security.tls.version.enable-deprecated", false); // [DEFAULT: false]
 /* 6011: enforce disabling of Web Compatibility Reporter [FF56+]
  * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla
  * [WHY] To prevent wasting Mozilla's time with a custom setup ***/
 user_pref("extensions.webcompat-reporter.enabled", false); // [DEFAULT: false]
-/* 6050: prefsCleaner: reset items removed from arkenfox FF102+ ***/
+/* 6012: enforce Quarantined Domains [FF115+]
-   // user_pref("browser.newtab.preload", "");
+ * [WHY] https://support.mozilla.org/kb/quarantined-domains */
-   // user_pref("browser.newtabpage.activity-stream.feeds.discoverystreamfeed", "");
+user_pref("extensions.quarantinedDomains.enabled", true); // [DEFAULT: true]
-   // user_pref("browser.newtabpage.activity-stream.feeds.snippets", "");
+/* 6050: prefsCleaner: previously active items removed from arkenfox 115-127 ***/
-   // user_pref("browser.ssl_override_behavior", "");
+   // user_pref("accessibility.force_disabled", "");
-   // user_pref("devtools.chrome.enabled", "");
+   // user_pref("browser.urlbar.dnsResolveSingleWordsAfterSearch", "");
-   // user_pref("dom.disable_beforeunload", "");
+   // user_pref("network.protocol-handler.external.ms-windows-store", "");
-   // user_pref("dom.disable_open_during_load", "");
+   // user_pref("privacy.partition.always_partition_third_party_non_cookie_storage", "");
-   // user_pref("extensions.formautofill.available", "");
+   // user_pref("privacy.partition.always_partition_third_party_non_cookie_storage.exempt_sessionstorage", "");
-   // user_pref("extensions.formautofill.addresses.supported", "");
+   // user_pref("privacy.partition.serviceWorkers", "");
-   // user_pref("extensions.formautofill.creditCards.available", "");
-   // user_pref("extensions.formautofill.creditCards.supported", "");
 
 /*** [SECTION 7000]: DON'T BOTHER ***/
 user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies!");
 /* 7001: disable APIs
- * Location-Aware Browsing, Full Screen, offline cache (appCache)
+ * Location-Aware Browsing, Full Screen
- * [WHY] The API state is easily fingerprintable. Geo is behind a prompt (7002).
+ * [WHY] The API state is easily fingerprintable.
- * appCache storage capability was removed in FF90. Full screen requires user interaction ***/
+ * Geo is behind a prompt (7002). Full screen requires user interaction ***/
    // user_pref("geo.enabled", false);
    // user_pref("full-screen-api.enabled", false);
-   // user_pref("browser.cache.offline.enable", false);
 /* 7002: set default permissions
  * Location, Camera, Microphone, Notifications [FF58+] Virtual Reality [FF73+]
  * 0=always ask (default), 1=allow, 2=block
@@ -1079,8 +1035,8 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
 /* 7003: disable non-modern cipher suites [1]
  * [WHY] Passive fingerprinting. Minimal/non-existent threat of downgrade attacks
  * [1] https://browserleaks.com/ssl ***/
-   // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false); // [DEFAULT: false FF109+]
+   // user_pref("security.ssl3.ecdhe_ecdsa_aes_128_sha", false);
-   // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false); // [DEFAULT: false FF109+]
+   // user_pref("security.ssl3.ecdhe_ecdsa_aes_256_sha", false);
    // user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
    // user_pref("security.ssl3.ecdhe_rsa_aes_256_sha", false);
    // user_pref("security.ssl3.rsa_aes_128_gcm_sha256", false); // no PFS
@@ -1100,7 +1056,7 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
    // user_pref("dom.securecontext.allowlist_onions", true); // [FF97+] 1382359/1744006
    // user_pref("network.http.referer.hideOnionSource", true); // 1305144
 /* 7007: referers
- * [WHY] Only cross-origin referers (1600s) need control ***/
+ * [WHY] Only cross-origin referers (1602, 5510) matter ***/
    // user_pref("network.http.sendRefererHeader", 2);
    // user_pref("network.http.referer.trimmingPolicy", 0);
 /* 7008: set the default Referrer Policy [FF59+]
@@ -1132,12 +1088,14 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
  * [WHY] DNT is enforced with Tracking Protection which is used in ETP Strict (2701) ***/
    // user_pref("privacy.donottrackheader.enabled", true);
 /* 7016: customize ETP settings
+ * [NOTE] FPP (fingerprintingProtection) is ignored when RFP (4501) is enabled
  * [WHY] Arkenfox only supports strict (2701) which sets these at runtime ***/
-   // user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5 FF103+]
+   // user_pref("network.cookie.cookieBehavior", 5); // [DEFAULT: 5]
+   // user_pref("privacy.fingerprintingProtection", true); // [FF114+] [ETP FF119+]
    // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault", true);
    // user_pref("network.http.referer.disallowCrossSiteRelaxingDefault.top_navigation", true); // [FF100+]
-   // user_pref("privacy.partition.network_state.ocsp_cache", true);
+   // user_pref("privacy.partition.network_state.ocsp_cache", true); // [DEFAULT: true FF123+]
-   // user_pref("privacy.query_stripping.enabled", true); // [FF101+] [ETP FF102+]
+   // user_pref("privacy.query_stripping.enabled", true); // [FF101+]
    // user_pref("privacy.trackingprotection.enabled", true);
    // user_pref("privacy.trackingprotection.socialtracking.enabled", true);
    // user_pref("privacy.trackingprotection.cryptomining.enabled", true); // [DEFAULT: true]
@@ -1145,16 +1103,22 @@ user_pref("_user.js.parrot", "7000 syntax error: the parrot's pushing up daisies
 /* 7017: disable service workers
  * [WHY] Already isolated with TCP (2701) behind a pref (2710) ***/
    // user_pref("dom.serviceWorkers.enabled", false);
-/* 7018: disable Web Notifications
+/* 7018: disable Web Notifications [FF22+]
  * [WHY] Web Notifications are behind a prompt (7002)
  * [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/ ***/
-   // user_pref("dom.webnotifications.enabled", false); // [FF22+]
+   // user_pref("dom.webnotifications.enabled", false);
-   // user_pref("dom.webnotifications.serviceworker.enabled", false); // [FF44+]
 /* 7019: disable Push Notifications [FF44+]
  * [WHY] Push requires subscription
  * [NOTE] To remove all subscriptions, reset "dom.push.userAgentID"
  * [1] https://support.mozilla.org/kb/push-notifications-firefox ***/
    // user_pref("dom.push.enabled", false);
+/* 7020: disable WebRTC (Web Real-Time Communication)
+ * [WHY] Firefox desktop uses mDNS hostname obfuscation and the private IP is never exposed until
+ * required in TRUSTED scenarios; i.e. after you grant device (microphone or camera) access
+ * [TEST] https://browserleaks.com/webrtc
+ * [1] https://groups.google.com/g/discuss-webrtc/c/6stQXi72BEU/m/2FwZd24UAQAJ
+ * [2] https://datatracker.ietf.org/doc/html/draft-ietf-mmusic-mdns-ice-candidates#section-3.1.1 ***/
+   // user_pref("media.peerconnection.enabled", false);
 
 /*** [SECTION 8000]: DON'T BOTHER: FINGERPRINTING
    [WHY] They are insufficient to help anti-fingerprinting and do more harm than good
@@ -1188,29 +1152,64 @@ user_pref("_user.js.parrot", "8000 syntax error: the parrot's crossed the Jordan
 /*** [SECTION 9000]: NON-PROJECT RELATED ***/
 user_pref("_user.js.parrot", "9000 syntax error: the parrot's cashed in 'is chips!");
 /* 9001: disable welcome notices ***/
-user_pref("browser.startup.homepage_override.mstone", "ignore");
+user_pref("browser.startup.homepage_override.mstone", "ignore"); // [HIDDEN PREF]
 /* 9002: disable General>Browsing>Recommend extensions/features as you browse [FF67+] ***/
 user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false);
 user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false);
 /* 9003: disable What's New toolbar icon [FF69+] ***/
 user_pref("browser.messaging-system.whatsNewPanel.enabled", false);
+/* 9004: disable search terms [FF110+]
+ * [SETTING] Search>Search Bar>Use the address bar for search and navigation>Show search terms instead of URL... ***/
+user_pref("browser.urlbar.showSearchTerms.enabled", false);
 
-/*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
+/*** [SECTION 9999]: DEPRECATED / RENAMED ***/
-   Documentation denoted as [-]. Items deprecated prior to FF91 have been archived at [1]
-   [1] https://github.com/arkenfox/user.js/issues/123
-***/
 user_pref("_user.js.parrot", "9999 syntax error: the parrot's shuffled off 'is mortal coil!");
-/* ESR102.x still uses all the following prefs
+/* ESR115.x still uses all the following prefs
-// [NOTE] replace the * with a slash in the line above to re-enable them
+// [NOTE] replace the * with a slash in the line above to re-enable active ones
-// FF103
+// FF116
-   // 2801: delete cookies and site data on exit - replaced by sanitizeOnShutdown* (2810)
+// 4506: set RFP's font visibility level (1402) [FF94+]
-   // 0=keep until they expire (default), 2=keep until you close Firefox
+   // [-] https://bugzilla.mozilla.org/1838415
-   // [SETTING] Privacy & Security>Cookies and Site Data>Delete cookies and site data when Firefox is closed
+   // user_pref("layout.css.font-visibility.resistFingerprinting", 1); // [DEFAULT: 1]
-   // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1681493,1681495,1681498,1759665,1764761
+// FF117
-user_pref("network.cookie.lifetimePolicy", 2);
+// 1221: disable Windows Microsoft Family Safety cert [FF50+] [WINDOWS]
-// 6012: disable SHA-1 certificates
+   // 0=disable detecting Family Safety mode and importing the root
-   // [-] https://bugzilla.mozilla.org/1766687
+   // 1=only attempt to detect Family Safety mode (don't import the root)
-   // user_pref("security.pki.sha1_enforcement_level", 1); // [DEFAULT: 1]
+   // 2=detect Family Safety mode and import the root
+   // [1] https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/21686
+   // [-] https://bugzilla.mozilla.org/1844908
+user_pref("security.family_safety.mode", 0);
+// 7018: disable service worker Web Notifications [FF44+]
+   // [WHY] Web Notifications are behind a prompt (7002)
+   // [1] https://blog.mozilla.org/en/products/firefox/block-notification-requests/
+   // [-] https://bugzilla.mozilla.org/1842457
+   // user_pref("dom.webnotifications.serviceworker.enabled", false);
+// FF118
+// 1402: limit font visibility (Windows, Mac, some Linux) [FF94+]
+   // Uses hardcoded lists with two parts: kBaseFonts + kLangPackFonts [1], bundled fonts are auto-allowed
+   // In normal windows: uses the first applicable: RFP over TP over Standard
+   // In Private Browsing windows: uses the most restrictive between normal and private
+   // 1=only base system fonts, 2=also fonts from optional language packs, 3=also user-installed fonts
+   // [1] https://searchfox.org/mozilla-central/search?path=StandardFonts*.inc
+   // [-] https://bugzilla.mozilla.org/1847599
+   // user_pref("layout.css.font-visibility.private", 1);
+   // user_pref("layout.css.font-visibility.standard", 1);
+   // user_pref("layout.css.font-visibility.trackingprotection", 1);
+// 2623: disable permissions delegation [FF73+]
+   // Currently applies to cross-origin geolocation, camera, mic and screen-sharing
+   // permissions, and fullscreen requests. Disabling delegation means any prompts
+   // for these will show/use their correct 3rd party origin
+   // [1] https://groups.google.com/forum/#!topic/mozilla.dev.platform/BdFOMAuCGW8/discussion
+   // [-] https://bugzilla.mozilla.org/1697151
+   // user_pref("permissions.delegation.enabled", false);
+// FF119
+// 0211: use en-US locale regardless of the system or region locale
+   // [SETUP-WEB] May break some input methods e.g xim/ibus for CJK languages [1]
+   // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=867501,1629630
+   // [-] https://bugzilla.mozilla.org/1846224
+   // user_pref("javascript.use_us_english_locale", true); // [HIDDEN PREF]
+// 0711: disable skipping DoH when parental controls are enabled [FF70+]
+   // [-] https://bugzilla.mozilla.org/1586941
+user_pref("network.dns.skipTRR-when-parental-control-enabled", false);
 // ***/
 
 /* END: internal custom pref to test for syntax errors ***/