0425: passive TP

https://github.com/ghacksuserjs/ghacks-user.js/issues/144#issuecomment-321980962
https://github.com/ghacksuserjs/ghacks-user.js/issues/144#issuecomment-322903835

README.md

@@ -11,7 +11,7 @@ INFORMATION IS POWER. So you can make informed decisions to better protect yours
 * Accessible (provide information and simpler, less-technical descriptions if possible)
 * Accountable (provide reputable references/sources, [test sites](https://github.com/ghacksuserjs/ghacks-user.js/wiki/Appendix-C:-Test-Sites), dispel bad advice)
 * Change trackable (yay! we're on github now, with commits)
-* Compatible (including a deprecated section, [releases](https://github.com/ghacksuserjs/ghacks-user.js/releases))
+* Compatible (including a [deprecated section](https://github.com/ghacksuserjs/ghacks-user.js/issues/123), [releases](https://github.com/ghacksuserjs/ghacks-user.js/releases))
 * Comprehensive (including enforcing defaults and future-proofing)
 * Current and up-to-date with stable (including [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/search?q=label%3Achangelog&type=Issues&utf8=%E2%9C%93))
 * Detailed (preference versioning, hidden preference information, explanations, and more)

user.js

@@ -1,8 +1,8 @@
 /******
 * name: ghacks user.js
-* date: 14 June 2017
-* version 54: Pantsthumping
-*   "I get pulled down, but I get up again, you're never gonna keep me down"
+* date: 18 August 2017
+* version 55: There Must Be an Angel [Playing with My Pants]
+*   "I walk into an empty room, and suddenly my pants go boom"
 * authors: v52+ github | v51- www.ghacks.net
 * url: https://github.com/ghacksuserjs/ghacks-user.js
 
@@ -17,8 +17,9 @@
   2. READ this
      * https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation
   3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
-     * Auto-installing updates for Firefox and extensions/addon-ons are disabled (section 0302's)
-     * Some user data is erased (section 2800), namely history (browsing, form, download)
+     * Auto-installing updates for Firefox and extensions/add-ons are disabled (section 0302's)
+     * Some user data is erased on close (section 2800), namely history (browsing, form, download)
+     * Cookies (and thus logins) are denied by default (2701). Use site exceptions or an extension
      * Site breakage WILL happen
          - There are often trade-offs and conflicts between Security vs Privacy vs Anti-Fingerprinting
            and these need to be balanced against Functionality & Convenience & Breakage
@@ -26,8 +27,8 @@
          - Search this file for the "[SETUP]" tag to find SOME common items you could check
            before using to avoid unexpected surprises
          - Search this file for the "[WARNING]" tag to troubleshoot or prevent SOME common issues
-  4. BACKUP BACKUP BACKUP your profile folder before implementing (and/or test in a new profile)
-  5. Did you do a BACKUP?
+  4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)
+  5. KEEP UP TO DATE: https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.5-Keeping-Up-To-Date
 
  ******/
 
@@ -69,9 +70,10 @@ user_pref("browser.shell.checkDefaultBrowser", false);
 
 /*** 0200: GEOLOCATION ***/
 user_pref("ghacks_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
-/* 0201: disable location-aware browsing, but enforce Mozilla's service over Google's ***/
+/* 0201: disable location-aware browsing
+   [NOTE] Use Mozilla's API key if required ***/
 user_pref("geo.enabled", false);
-user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%");
+user_pref("geo.wifi.uri", ""); // "https://location.services.mozilla.com/v1/geolocate?key=%MOZILLA_API_KEY%"
 user_pref("geo.wifi.xhr.timeout", 1); // reset this if you use geolocation
 user_pref("geo.wifi.logging.enabled", false); // (hidden pref)
 user_pref("browser.search.geoip.url", "");
@@ -85,8 +87,8 @@ user_pref("browser.search.region", "US"); // (hidden pref)
 user_pref("intl.locale.matchOS", false);
 /* 0204: set APP locale ***/
 user_pref("general.useragent.locale", "en-US");
-/* 0206: disable geographically specific results/search engines eg: "browser.search.*.US"
- * i.e ignore all of Mozilla's various search engines in multiple locales ***/
+/* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
+ * i.e. ignore all of Mozilla's various search engines in multiple locales ***/
 user_pref("browser.search.geoSpecificDefaults", false);
 user_pref("browser.search.geoSpecificDefaults.url", "");
 /* 0207: set language to match ***/
@@ -94,10 +96,6 @@ user_pref("intl.accept_languages", "en-US, en");
 /* 0208: enforce US English locale regardless of the system locale
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=867501 ***/
 user_pref("javascript.use_us_english_locale", true); // (hidden pref)
-/* 0209: disable geolocation on non-secure origins (FF54+)
- * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1072859
- * [2] https://www.ghacks.net/2017/03/14/firefox-55-geolocation-requires-secure-origin/ ***/
-user_pref("geo.security.allowinsecure", false);
 
 /*** 0300: QUIET FOX
      We choose to not disable auto-CHECKs (0301's) but to disable auto-INSTALLs (0302's).
@@ -149,10 +147,11 @@ user_pref("extensions.webservice.discoverURL", "http://127.0.0.1");
  * [1] https://gecko.readthedocs.org/en/latest/toolkit/components/telemetry/telemetry/preferences.html ***/
 user_pref("toolkit.telemetry.unified", false);
 user_pref("toolkit.telemetry.enabled", false);
-/* 0331: remove url of server telemetry pings are sent to ***/
 user_pref("toolkit.telemetry.server", "");
-/* 0332: disable archiving pings locally - irrelevant if toolkit.telemetry.unified is false ***/
 user_pref("toolkit.telemetry.archive.enabled", false);
+user_pref("toolkit.telemetry.cachedClientID", "");
+user_pref("toolkit.telemetry.newProfilePing.enabled", false); // (FF55+)
+user_pref("toolkit.telemetry.shutdownPingSender.enabled", false); // (FF55+)
 /* 0333a: disable health report ***/
 user_pref("datareporting.healthreport.uploadEnabled", false);
 /* 0333b: disable about:healthreport page (which connects to Mozilla for locale/css+js+json)
@@ -163,20 +162,6 @@ user_pref("datareporting.healthreport.about.reportUrl", "data:text/plain,");
  * If disabled, no policy is shown or upload takes place, ever
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1195552 ***/
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
-/* 0335: remove telemetry clientID ***/
-user_pref("toolkit.telemetry.cachedClientID", "");
-/* 0336: disable "Heartbeat" (Mozilla user rating telemetry)
- * [1] https://trac.torproject.org/projects/tor/ticket/18738 ***/
-user_pref("browser.selfsupport.enabled", false); // (hidden pref)
-user_pref("browser.selfsupport.url", "");
-/* 0340: disable experiments
- * [1] https://wiki.mozilla.org/Telemetry/Experiments ***/
-user_pref("experiments.enabled", false);
-user_pref("experiments.manifest.uri", "");
-user_pref("experiments.supported", false);
-user_pref("experiments.activeExperiment", false);
-/* 0341: disable Mozilla permission to silently opt you into tests ***/
-user_pref("network.allow-experiments", false);
 /* 0350: disable crash reports ***/
 user_pref("breakpad.reportURL", "");
 /* 0351: disable sending of crash reports (FF44+) ***/
@@ -185,25 +170,14 @@ user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // (FF51+)
 user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51+)
 /* 0360: disable new tab tile ads & preload & marketing junk ***/
 user_pref("browser.newtab.preload", false);
-user_pref("browser.newtabpage.directory.ping", "data:text/plain,");
 user_pref("browser.newtabpage.directory.source", "data:text/plain,");
 user_pref("browser.newtabpage.enabled", false);
 user_pref("browser.newtabpage.enhanced", false);
 user_pref("browser.newtabpage.introShown", true);
-/* 0361: disable Activity Stream (system addon) (FF54+)
- * [1] https://wiki.mozilla.org/Firefox/Activity_Stream ***/
-user_pref("browser.newtabpage.activity-stream.enabled", false);
 /* 0370: disable "Snippets" (Mozilla content shown on about:home screen)
  * MUST use HTTPS - arbitrary content injected into this page via http opens up MiTM attacks
  * [1] https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service ***/
 user_pref("browser.aboutHomeSnippets.updateUrl", "https://127.0.0.1");
-/* 0373: disable "Pocket" (third party "save for later" service) & remove urls for good measure
- * [NOTE] Important: Remove the pocket icon from your toolbar first
- * [1] https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/ ***/
-user_pref("extensions.pocket.enabled", false);
-user_pref("extensions.pocket.api", "");
-user_pref("extensions.pocket.site", "");
-user_pref("extensions.pocket.oAuthConsumerKey", "");
 /* 0374: disable "social" integration
  * [1] https://developer.mozilla.org/en-US/docs/Mozilla/Projects/Social_API ***/
 user_pref("social.whitelist", "");
@@ -213,19 +187,15 @@ user_pref("social.remote-install.enabled", false);
 user_pref("social.directories", "");
 user_pref("social.share.activationPanelEnabled", false);
 user_pref("social.enabled", false); // (hidden pref)
-/* 0376: disable FlyWeb, a set of APIs for advertising and discovering local-area web servers
- * [1] https://wiki.mozilla.org/FlyWeb
- * [2] https://www.ghacks.net/2016/07/26/firefox-flyweb/ ***/
-user_pref("dom.flyweb.enabled", false);
 
 /*** 0400: BLOCKLISTS / SAFE BROWSING / TRACKING PROTECTION
      This section has security & tracking protection implications vs privacy concerns vs effectiveness
      vs 3rd party 'censorship'. We DO NOT advocate no protection. If you disable Tracking Protection (TP)
      and/or Safe Browsing (SB), then SECTION 0400 REQUIRES YOU HAVE uBLOCK ORIGIN INSTALLED.
 
-     Safe Browsing is designed to protect users from malicious sites. Tracking Protection is designed to
-     lessen the impact of third parties on websites to reduce tracking and to speed up your browsing. They
-     do rely on 3rd parties: Google for safe browsing and Disconnect for tracking protection. but many steps,
+     Safe Browsing is designed to protect users from malicious sites. Tracking Protection is designed
+     to lessen the impact of third parties on websites to reduce tracking and to speed up your browsing.
+     These do rely on 3rd parties (Google for SB and Disconnect for TP), but many steps, which are
      continually being improved, have been taken to preserve privacy. Disable at your own risk.
 ***/
 user_pref("ghacks_user.js.parrot", "0400 syntax error: the parrot's passed on!");
@@ -313,8 +283,95 @@ user_pref("privacy.trackingprotection.ui.enabled", true);
 /* 0424: disable Mozilla's tracking protection and Flash blocklist updates ***/
    // user_pref("browser.safebrowsing.provider.mozilla.gethashURL", "");
    // user_pref("browser.safebrowsing.provider.mozilla.updateURL", "");
+/* 0425: disable passive Tracking Protection (FF53+)
+ * Passive TP annotates channels to lower the priority of network loads for resources on the tracking protection list
+ * [NOTE] It has no effect if TP is enabled, but keep in mind that by default TP is only enabled in Private Windows
+ * This is included for people who want to completely disable Tracking Protection.
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1170190
+ * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1141814 ***/
+   // user_pref("privacy.trackingprotection.annotate_channels", false);
+   // user_pref("privacy.trackingprotection.lower_network_priority", false);
 
-/*** 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - eg clicked on] ***/
+/*** 0500: SYSTEM ADD-ONS / EXPERIMENTS
+     System add-ons are a method for shipping extensions, considered to be
+     built-in features to Firefox, that are hidden from the about:addons UI.
+     To view your system add-ons go to about:support, they are listed under "Features"
+
+     Some system add-ons have no on-off prefs. Instead you can manually remove them. Note that app
+     updates will restore them. They may also be updated and possibly restored automatically (see 0505)
+     * Portable: "...\App\Firefox64\browser\features\" (or "App\Firefox\etc" for 32bit)
+     * Windows: "...\Program Files\Mozilla\browser\features" (or "Program Files (X86)\etc" for 32bit)
+     * Mac: "...\Applications\Firefox\Contents\Resources\browser\features\"
+            [NOTE] On Mac you can right-click on the application and select "Show Package Contents"
+
+     [1] https://gecko.readthedocs.io/en/latest/toolkit/mozapps/extensions/addon-manager/SystemAddons.html
+     [2] https://dxr.mozilla.org/mozilla-central/source/browser/extensions
+***/
+user_pref("ghacks_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!");
+/* 0501: disable experiments
+ * [1] https://wiki.mozilla.org/Telemetry/Experiments ***/
+user_pref("experiments.enabled", false);
+user_pref("experiments.manifest.uri", "");
+user_pref("experiments.supported", false);
+user_pref("experiments.activeExperiment", false);
+/* 0502: disable Mozilla permission to silently opt you into tests ***/
+user_pref("network.allow-experiments", false);
+/* 0505: block URL used for system add-on updates (FF44+)
+ * [NOTE] You will not get any system add-on updates except when you update Firefox ***/
+   // user_pref("extensions.systemAddon.update.url", "");
+/* 0510: disable Pocket (FF39+)
+ * Pocket is a third party (now owned by Mozilla) "save for later" cloud service
+ * [1] https://en.wikipedia.org/wiki/Pocket_(application)
+ * [2] https://www.gnu.gl/blog/Posts/multiple-vulnerabilities-in-pocket/ ***/
+user_pref("extensions.pocket.enabled", false);
+/* 0511: disable FlyWeb (FF49+)
+ * Flyweb is a set of APIs for advertising and discovering local-area web servers
+ * [1] https://flyweb.github.io/
+ * [2] https://wiki.mozilla.org/FlyWeb/Security_scenarios
+ * [3] https://www.ghacks.net/2016/07/26/firefox-flyweb/ ***/
+user_pref("dom.flyweb.enabled", false);
+/* 0512: disable Shield (FF53+)
+ * Shield is an telemetry system (including Heartbeat) that can also push and test "recipes"
+ * [1] https://wiki.mozilla.org/Firefox/Shield
+ * [2] https://github.com/mozilla/normandy ***/
+user_pref("extensions.shield-recipe-client.enabled", false);
+user_pref("extensions.shield-recipe-client.api_url", "");
+/* 0513: disable Follow On Search (FF53+)
+ * Just DELETE the XPI file in your system add-ons directory
+ * [1] https://blog.mozilla.org/data/2017/06/05/measuring-search-in-firefox/ ***/
+/* 0514: disable Activity Stream (FF54+)
+ * Activity Stream replaces "New Tab" with one based on metadata and browsing behavior,
+ * and includes telemetry as well as web content such as snippets and "spotlight"
+ * [1] https://wiki.mozilla.org/Firefox/Activity_Stream
+ * [2] https://www.ghacks.net/2016/02/15/firefox-mockups-show-activity-stream-new-tab-page-and-share-updates/ ***/
+user_pref("browser.newtabpage.activity-stream.enabled", false);
+/* 0515: disable Screenshots (FF54+)
+ * [1] https://github.com/mozilla-services/screenshots
+ * [2] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/ ***/
+   // user_pref("extensions.screenshots.system-disabled", true); // (FF54+)
+   // user_pref("extensions.screenshots.disabled", true); // (FF55+)
+/* 0516: disable Onboarding (FF55+)
+ * Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
+ * about:home or about:newtab is opened, the onboarding overlay is injected into that page
+ * [NOTE] Onboarding uses Google Analytics [2], and leaks resource://URIs [3]
+ * [1] https://wiki.mozilla.org/Firefox/Onboarding
+ * [2] https://github.com/mozilla/onboard/commit/db4d6c8726c89a5d6a241c1b1065827b525c5baf
+ * [3] https://bugzilla.mozilla.org/show_bug.cgi?id=863246#c154 ***/
+user_pref("browser.onboarding.enabled", false);
+/* 0517: disable Form Autofill (FF55+)
+ * [SETTING] Options>Privacy>Forms & Passwords>Enable Profile Autofill
+ * [NOTE] Stored data is NOT secure (uses a JSON file)
+ * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
+ * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill
+ * [2] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/ ***/
+user_pref("extensions.formautofill.addresses.enabled", false);
+user_pref("extensions.formautofill.experimental", false);
+user_pref("extensions.formautofill.heuristics.enabled", false);
+/* 0518: disable Web Compatibility Reporter (FF56+)
+ * Web Compatibility Reporter adds a "Report Site Issue" button to send data to Mozilla ***/
+user_pref("extensions.webcompat-reporter.enabled", false);
+
+/*** 0600: BLOCK IMPLICIT OUTBOUND [not explicitly asked for - e.g. clicked on] ***/
 user_pref("ghacks_user.js.parrot", "0600 syntax error: the parrot's no more!");
 /* 0601: disable link prefetching
  * [1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Link_prefetching_FAQ ***/
@@ -362,18 +419,18 @@ user_pref("ghacks_user.js.parrot", "0800 syntax error: the parrot's ceased to be
 user_pref("keyword.enabled", false);
 /* 0802: disable location bar domain guessing - PRIVACY/SECURITY
  * domain guessing intercepts DNS "hostname not found errors" and resends a
- * request (eg by adding www or .com). This is inconsistent use (eg FQDNs), does not work
+ * request (e.g. by adding www or .com). This is inconsistent use (e.g. FQDNs), does not work
  * via Proxy Servers (different error), is a flawed use of DNS (TLDs: why treat .com
  * as the 411 for DNS errors?), privacy issues (why connect to sites you didn't
- * intend to), can leak sensitive data (eg query strings: eg Princeton attack),
- * and is a security risk (eg common typos & malicious sites set up to exploit this) ***/
+ * intend to), can leak sensitive data (e.g. query strings: e.g. Princeton attack),
+ * and is a security risk (e.g. common typos & malicious sites set up to exploit this) ***/
 user_pref("browser.fixup.alternate.enabled", false);
 /* 0803: display all parts of the url in the location bar - helps SECURITY ***/
 user_pref("browser.urlbar.trimURLs", false);
 /* 0804: limit history leaks via enumeration (PER TAB: back/forward) - PRIVACY
  * This is a PER TAB session history. You still have a full history stored under all history
  * default=50, minimum=1=currentpage, 2 is the recommended minimum as some pages
- * use it as a means of referral (eg hotlinking), 4 or 6 or 10 may be more practical ***/
+ * use it as a means of referral (e.g. hotlinking), 4 or 6 or 10 may be more practical ***/
 user_pref("browser.sessionhistory.max_entries", 10);
 /* 0805: disable CSS querying page history - CSS history leak - PRIVACY
  * [NOTE] This has NEVER been fully "resolved": in Mozilla/docs it is stated it's
@@ -396,7 +453,10 @@ user_pref("browser.urlbar.userMadeSearchSuggestionsChoice", true); // (FF41+)
 /* 0809: disable location bar suggesting "preloaded" top websites (FF54+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1211726 ***/
 user_pref("browser.urlbar.usepreloadedtopurls.enabled", false);
-/* 0850a: disable location bar autocomplete [controlled by 0850b]
+/* 0810: disable location bar making speculative connections (FF56+)
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1348275 ***/
+user_pref("browser.urlbar.speculativeConnect.enabled", false);
+/* 0850a: disable location bar autocomplete [controlled by 0850b] ***/
    // user_pref("browser.urlbar.autocomplete.enabled", false);
 /* 0850b: disable location bar suggestion types [controls 0850a]
  * [SETTING] Options>Privacy>Location Bar>When using the location bar, suggest
@@ -412,7 +472,7 @@ user_pref("browser.urlbar.suggest.openpage", false);
  * be displayed (no we do not know how these are calculated or what the threshold is),
  * and this does not affect the search by search engine suggestion (see 0808)
  * [USAGE] This setting is only useful if you want to enable search engine keywords
- * (i.e at least one of 0850b must be true) but you want to *limit* suggestions shown ***/
+ * (i.e. at least one of 0850b must be true) but you want to *limit* suggestions shown ***/
    // user_pref("browser.urlbar.maxRichResults", 0);
 /* 0850d: disable location bar autofill
  * [1] http://kb.mozillazine.org/Inline_autocomplete ***/
@@ -424,20 +484,11 @@ user_pref("browser.urlbar.oneOffSearches", false);
 /* 0860: disable search and form history
  * [SETTING] Options>Privacy>History>Custom Settings>Remember search and form history
  * [NOTE] You can clear formdata on exiting Firefox (see 2803) ***/
-   // user_pref("browser.formfill.enable", false);
-/* 0861: disable saving form history on secure websites
- * For convenience & functionality, this is best left at default true,
- * especially as the web moves more and more to encrypted services
- * You can clear form history on exiting Firefox (see 2803) ***/
-   // user_pref("browser.formfill.saveHttpsForms", false);
+user_pref("browser.formfill.enable", false);
 /* 0862: disable browsing and download history
  * [SETTING] Options>Privacy>History>Custom Settings>Remember my browsing and download history
  * [NOTE] You can clear history and downloads on exiting Firefox (see 2803) ***/
    // user_pref("places.history.enabled", false);
-/* 0863: disable Form Autofill (FF54+)
- * [1] https://www.ghacks.net/2017/05/24/firefoxs-new-form-autofill-is-awesome/
- * [2] https://wiki.mozilla.org/Firefox/Features/Form_Autofill ***/
-user_pref("browser.formautofill.enabled", false);
 /* 0870: disable Windows jumplist [WINDOWS] ***/
 user_pref("browser.taskbar.lists.enabled", false);
 user_pref("browser.taskbar.lists.frequent.enabled", false);
@@ -475,8 +526,8 @@ user_pref("signon.storeWhenAutocompleteOff", true);
 /* 0907: display warnings for logins on non-secure (non HTTPS) pages
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1217156 ***/
 user_pref("security.insecure_password.ui.enabled", true);
-/* 0908: remove user & password info when attempting to fix an entered URL (i.e 0802 is true)
- * e.g //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix) ***/
+/* 0908: remove user & password info when attempting to fix an entered URL (i.e. 0802 is true)
+ * e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix) ***/
 user_pref("browser.fixup.hide_user_pass", true);
 /* 0909: disable formless login capture for Password Manager (FF51+) ***/
 user_pref("signon.formlessCapture.enabled", false);
@@ -486,6 +537,9 @@ user_pref("signon.formlessCapture.enabled", false);
  * [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1319119 ***/
 user_pref("signon.autofillForms.http", false);
 user_pref("security.insecure_field_warning.contextual.enabled", true);
+/* 0911: prevent cross-origin images from triggering an HTTP-Authentication prompt (FF55+)
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1357835 ***/
+user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);
 
 /*** 1000: CACHE [SETUP] ***/
 user_pref("ghacks_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
@@ -501,6 +555,7 @@ user_pref("browser.cache.disk_cache_ssl", false);
 /* 1003: disable memory cache
  * [NOTE] Not recommended due to performance issues ***/
    // user_pref("browser.cache.memory.enable", false);
+   // user_pref("browser.cache.memory.capacity", 0); // (hidden pref)
 /* 1004: disable offline cache ***/
 user_pref("browser.cache.offline.enable", false);
 /* 1005: disable fastback cache
@@ -537,7 +592,7 @@ user_pref("browser.sessionstore.resume_from_crash", false);
  * can help on older machines and some websites, as well as reducing writes, see [1]
  * Default is 15000 (15 secs). Try 30000 (30sec), 60000 (1min) etc
  * [WARNING] This can also affect entries in the "Recently Closed Tabs" feature:
- * i.e the longer the interval the more chance a quick tab open/close won't be captured.
+ * i.e. the longer the interval the more chance a quick tab open/close won't be captured.
  * This longer interval *may* affect history but we cannot replicate any history not recorded
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1304389 ***/
 user_pref("browser.sessionstore.interval", 30000);
@@ -561,6 +616,7 @@ user_pref("alerts.showFavicons", false);
      - any add-ons are missing the 'multiprocessCompatible' flag, then they *might* be disabled (FF53+)
      [1] https://blog.mozilla.org/addons/2017/02/16/the-road-to-firefox-57-compatibility-milestones/
 ***/
+user_pref("ghacks_user.js.parrot", "1100 syntax error: the parrot's bought the farm!");
 /* 1101: start the browser in e10s mode (FF48+)
  * about:support>Application Basics>Multiprocess Windows ***/
    // user_pref("browser.tabs.remote.autostart", true);
@@ -577,11 +633,17 @@ user_pref("alerts.showFavicons", false);
 /* 1104: enforce separate content process for file://URLs (FF53+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1147911
  * [2] https://www.ghacks.net/2016/11/27/firefox-53-exclusive-content-process-for-local-files/ ***/
-   // user_pref("browser.tabs.remote.separateFileUriProcess", true);
+user_pref("browser.tabs.remote.separateFileUriProcess", true);
 /* 1105: enable console shim warnings for add-ons with the 'multiprocessCompatible' flag as false ***/
 user_pref("dom.ipc.shims.enabledWarnings", true);
 /* 1106: control number of WebExtension processes ***/
    // user_pref("dom.ipc.processCount.extension", 1);
+/* 1107: control number of file processes ***/
+   // user_pref("dom.ipc.processCount.file", 1);
+/* 1108: block web content in file processes
+ * [WARNING] [SETUP] You may want to disable this for corporate or developer environments
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1343184 ***/
+user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
 /* 1110: set sandbox level. DO NOT MEDDLE WITH THESE. They are included to inform you NOT to play
  * with them. The values are integers, but the code below deliberately contains a data mismatch
  * [1] https://wiki.mozilla.org/Sandbox
@@ -616,7 +678,7 @@ user_pref("ghacks_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
 /* 1202: control TLS versions with min and max
  * 1=min version of TLS 1.0, 2=min version of TLS 1.1, 3=min version of TLS 1.2 etc
  * [NOTE] Jul-2017: Telemetry indicates approx 2% of TLS web traffic uses 1.0 or 1.1
- * [WARNING] If you get an "SSL_ERROR_NO_CYPHER_OVERLAP" error temporarily
+ * [WARNING] If you get an "SSL_ERROR_NO_CYPHER_OVERLAP" error, temporarily
  * set a lower value for 'security.tls.version.min' in about:config
  * [1] http://kb.mozillazine.org/Security.tls.version.*
  * [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
@@ -636,6 +698,10 @@ user_pref("security.ssl.disable_session_identifiers", true); // (hidden pref)
 user_pref("security.ssl.errorReporting.automatic", false);
 user_pref("security.ssl.errorReporting.enabled", false);
 user_pref("security.ssl.errorReporting.url", "");
+/* 1205: disable TLS1.3 0-RTT (round-trip time) (FF51+)
+ * [1] https://github.com/tlswg/tls13-spec/issues/1001
+ * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
+user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)
 /** OCSP (Online Certificate Status Protocol)
     #Required reading [#] https://scotthelme.co.uk/revocation-is-broken/ ***/
 /* 1210: enable OCSP Stapling
@@ -689,7 +755,7 @@ user_pref("security.mixed_content.block_active_content", true);
 /* 1242: enable Mixed-Content-Blocker to use the HSTS cache but disable the HSTS Priming requests (FF51+)
  * Allow resources from domains with an existing HSTS cache record or in the HSTS preload list
  * to be upgraded to HTTPS internally but disable sending out HSTS Priming requests, because
- * those may cause noticeable delays eg requests time out or are not handled well by servers
+ * those may cause noticeable delays e.g. requests time out or are not handled well by servers
  * [NOTE] If you want to use the priming requests make sure 'use_hsts' is also true
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1246540#c145 ***/
 user_pref("security.mixed_content.use_hsts", true);
@@ -701,7 +767,7 @@ user_pref("security.mixed_content.send_hsts_priming", false);
  * 2=deprecated option that now maps to 1
  * 3=only allowed for locally-added roots (e.g. anti-virus)
  * 4=only allowed for locally-added roots or for certs in 2015 and earlier
- * [WARNING] When disabled, some man-in-the-middle devices (eg security scanners and
+ * [WARNING] When disabled, some man-in-the-middle devices (e.g. security scanners and
  * antivirus products, may fail to connect to HTTPS sites. SHA-1 is *almost* obsolete.
  * [1] https://blog.mozilla.org/security/2016/10/18/phasing-out-sha-1-on-the-public-web/ ***/
 user_pref("security.pki.sha1_enforcement_level", 1);
@@ -732,7 +798,7 @@ user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 user_pref("browser.ssl_override_behavior", 1);
 /* 1272: display advanced information on Insecure Connection warning pages
  * only works when it's possible to add an exception
- * i.e doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
+ * i.e. it doesn't work for HSTS discrepancies (https://subdomain.preloaded-hsts.badssl.com/)
  * [TEST] https://expired.badssl.com/ ***/
 user_pref("browser.xul.error_pages.expert_bad_cert", true);
 
@@ -835,7 +901,7 @@ user_pref("network.http.referer.hideOnionSource", true);
  * Don't encourage a setting that gives any legitimacy to 3rd parties being in control of your privacy.
  * Sending a DNT header *highly likely* raises entropy, especially in standard windows.
  * [SETTING] Options>Privacy>Use Tracking Protecting>manage your Do Not Track settings
- * [NOTE] DNT is enforced with TP (see 0420) regardless of this pref (eg in default PB Mode)
+ * [NOTE] DNT is enforced with TP (see 0420) regardless of this pref (e.g. in default PB Mode)
  * [NOTE] If you use NoScript MAKE SURE to set the pref noscript.doNotTrack.enabled to match ***/
 user_pref("privacy.donottrackheader.enabled", false);
 
@@ -844,7 +910,7 @@ user_pref("privacy.donottrackheader.enabled", false);
      [2] https://wiki.mozilla.org/Security/Contextual_Identity_Project/Containers
      [3] https://github.com/mozilla/testpilot-containers
 ***/
-user_pref("ghacks_user.js.parrot", "1700 syntax error: the parrot rests in peace!");
+user_pref("ghacks_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
 /* 1701: enable [SETTING] Options>Privacy>Container Tabs (FF50+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1279029 ***/
    // user_pref("privacy.userContext.ui.enabled", true);
@@ -862,7 +928,7 @@ user_pref("ghacks_user.js.parrot", "1700 syntax error: the parrot rests in peace
 
 /*** 1800: PLUGINS ***/
 user_pref("ghacks_user.js.parrot", "1800 syntax error: the parrot's pushing up daisies!");
-/* 1801: set default plugin state (i.e new plugins on discovery) to never activate
+/* 1801: set default plugin state (i.e. new plugins on discovery) to never activate
  * 0=disabled, 1=ask to activate, 2=active - you can override individual plugins ***/
 user_pref("plugin.default.state", 0);
 user_pref("plugin.defaultXpi.state", 0);
@@ -871,7 +937,7 @@ user_pref("plugins.click_to_play", true);
 user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);
 /* 1803: set a plugin state: 0=deactivated 1=ask 2=enabled (Flash example)
  * you can set all these plugin.state's via Add-ons>Plugins or search for plugin.state in about:config
- * [NOTE] You can still over-ride individual sites eg youtube via site permissions
+ * [NOTE] You can still over-ride individual sites e.g. youtube via site permissions
  * [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/
    // user_pref("plugin.state.flash", 0);
 /* 1804: disable plugins using external/untrusted scripts with XPCOM or XPConnect ***/
@@ -885,6 +951,9 @@ user_pref("plugin.scan.plid.all", false);
  * [1] https://wiki.mozilla.org/GeckoMediaPlugins ***/
 user_pref("media.gmp-provider.enabled", false);
 user_pref("media.gmp.trial-create.enabled", false);
+user_pref("media.gmp-manager.url", "data:text/plain,");
+user_pref("media.gmp-manager.url.override", "data:text/plain,"); // (hidden pref)
+user_pref("media.gmp-manager.updateEnabled", false); // disable local fallback (hidden pref)
 /* 1825: disable widevine CDM (Content Decryption Module) [SETUP] ***/
 user_pref("media.gmp-widevinecdm.visible", false);
 user_pref("media.gmp-widevinecdm.enabled", false);
@@ -892,12 +961,11 @@ user_pref("media.gmp-widevinecdm.autoupdate", false);
 /* 1830: disable all DRM content (EME: Encryption Media Extension) [SETUP] ***/
 user_pref("media.eme.enabled", false); // Options>Content>Play DRM Content
 user_pref("browser.eme.ui.enabled", false); // hides "Play DRM Content" checkbox, restart required
+user_pref("media.eme.chromium-api.enabled", false); // (FF55+)
 /* 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
- * and disable pings to the external update/download server
  * This is the bundled codec used for video chat in WebRTC ***/
 user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)
 user_pref("media.gmp-gmpopenh264.autoupdate", false);
-user_pref("media.gmp-manager.url", "data:text/plain,");
 
 /*** 2000: MEDIA / CAMERA / MIC ***/
 user_pref("ghacks_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
@@ -984,7 +1052,7 @@ user_pref("dom.disable_window_flip", true); // window z-order
 user_pref("dom.disable_window_move_resize", true);
 user_pref("dom.disable_window_open_feature.close", true);
 user_pref("dom.disable_window_open_feature.minimizable", true);
-user_pref("dom.disable_window_open_feature.personalbar", true); //bookmarks toolbar
+user_pref("dom.disable_window_open_feature.personalbar", true); // bookmarks toolbar
 user_pref("dom.disable_window_open_feature.titlebar", true);
 user_pref("dom.disable_window_status_change", true);
 user_pref("dom.allow_scripts_to_close_windows", false);
@@ -1002,13 +1070,13 @@ user_pref("browser.link.open_newwindow.restriction", 0);
 user_pref("dom.disable_beforeunload", true);
 
 /*** 2300: WEB WORKERS [SETUP]
-     A worker is a JS "background task" running in a global context, i.e it is different from
+     A worker is a JS "background task" running in a global context, i.e. it is different from
      the current window. Workers can spawn new workers (must be the same origin & scheme),
      including service and shared workers. Shared workers can be utilized by multiple scripts
      and communicate between browsing contexts (windows/tabs/iframes) and can even control your
      cache. Push and web notifications require service workers, which in turn require workers.
 
-     [WARNING] Disabling workers *will* break sites (eg Google Street View, Twitter).
+     [WARNING] Disabling workers *will* break sites (e.g. Google Street View, Twitter).
      It is recommended that you use a separate profile for these sorts of sites.
 
      [1]    Web Workers: https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API
@@ -1016,6 +1084,7 @@ user_pref("dom.disable_beforeunload", true);
      [3] Service Worker: https://developer.mozilla.org/en-US/docs/Web/API/ServiceWorker_API
      [4]   SharedWorker: https://developer.mozilla.org/en-US/docs/Web/API/SharedWorker
      [5]   ChromeWorker: https://developer.mozilla.org/en-US/docs/Web/API/ChromeWorker
+     [6]  Notifications: https://support.mozilla.org/en-US/questions/1165867#answer-981820
  ***/
 user_pref("ghacks_user.js.parrot", "2300 syntax error: the parrot's off the twig!");
 /* 2301: disable workers
@@ -1044,11 +1113,11 @@ user_pref("dom.push.connection.enabled", false);
 user_pref("dom.push.serverURL", "");
 user_pref("dom.push.userAgentID", "");
 
-/*** 2400: DOM & JAVASCRIPT ***/
+/*** 2400: DOM (DOCUMENT OBJECT MODEL) & JAVASCRIPT ***/
 user_pref("ghacks_user.js.parrot", "2400 syntax error: the parrot's kicked the bucket!");
 /* 2402: disable website access to clipboard events/content
  * [WARNING] This will break some sites functionality such as pasting into facebook, wordpress
- * this applies to onCut, onCopy, onPaste events - i.e you have to interact with
+ * this applies to onCut, onCopy, onPaste events - i.e. you have to interact with
  * the website for it to look at the clipboard
  * [1] https://www.ghacks.net/2014/01/08/block-websites-reading-modifying-clipboard-contents-firefox/ ***/
 user_pref("dom.event.clipboardevents.enabled", false);
@@ -1056,17 +1125,9 @@ user_pref("dom.event.clipboardevents.enabled", false);
  * this disables document.execCommand("cut"/"copy") to protect your clipboard
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1170911 ***/
 user_pref("dom.allow_cut_copy", false); // (hidden pref)
-/* 2404: disable JS storing data permanently
- * This setting WAS under about:permissions>All Sites>Maintain Offline Storage
- * [NOTE] about:permissions is no longer available since FF46 but you can still override
- * individual domains: use info icon in urlbar etc or right click on a web page>view page info
- * [WARNING] [SETUP] If set as false (disabled), this WILL break some [old] add-ons and DOES
- * break a lot of sites' functionality. Applies to websites, add-ons and session data.
- * [1] https://addons.mozilla.org/en-US/firefox/addon/disable-indexeddb/ ***/
+/* 2404: disable JS storing data permanently [SETUP]
+ * [WARNING] This *may* break some add-ons and *will* break some sites ***/
 user_pref("dom.indexedDB.enabled", false);
-/* 2410: disable User Timing API
- * [1] https://trac.torproject.org/projects/tor/ticket/16336 ***/
-user_pref("dom.enable_user_timing", false);
 /* 2411: disable resource/navigation timing ***/
 user_pref("dom.enable_resource_timing", false);
 /* 2412: disable timing attacks - javascript performance fingerprinting
@@ -1077,7 +1138,7 @@ user_pref("dom.vibrator.enabled", false);
 /* 2415: set max popups from a single non-click event - default is 20! ***/
 user_pref("dom.popup_maximum", 3);
 /* 2415b: limit events that can cause a popup
- * default is "change click dblclick mouseup notificationclick reset submit touchend"
+ * default is "change click dblclick mouseup pointerup notificationclick reset submit touchend"
  * [1] http://kb.mozillazine.org/Dom.popup_allowed_events ***/
 user_pref("dom.popup_allowed_events", "click dblclick");
 /* 2416: disable idle observation ***/
@@ -1127,7 +1188,7 @@ user_pref("ghacks_user.js.parrot", "2500 syntax error: the parrot's shuffled off
  * [1] https://trac.torproject.org/projects/tor/ticket/13023 ***/
 user_pref("dom.gamepad.enabled", false);
 /* 2503: disable giving away network info (FF31+)
- * eg bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
+ * e.g. bluetooth, cellular, ethernet, wifi, wimax, other, mixed, unknown, none
  * [1] https://developer.mozilla.org/en-US/docs/Web/API/Network_Information_API
  * [2] https://wicg.github.io/netinfo/
  * [3] https://bugzilla.mozilla.org/show_bug.cgi?id=960426 ***/
@@ -1135,27 +1196,15 @@ user_pref("dom.netinfo.enabled", false);
 /* 2504: disable virtual reality devices
  * [1] https://developer.mozilla.org/en-US/docs/Web/API/WebVR_API ***/
 user_pref("dom.vr.enabled", false);
-user_pref("dom.vr.oculus.enabled", false);
-user_pref("dom.vr.osvr.enabled", false); // (FF49+)
-user_pref("dom.vr.openvr.enabled", false); // (FF51+)
 /* 2505: disable media device enumeration (FF29+)
  * [NOTE] media.peerconnection.enabled should also be set to false (see 2001)
  * [1] https://wiki.mozilla.org/Media/getUserMedia
  * [2] https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/enumerateDevices ***/
 user_pref("media.navigator.enabled", false);
 /* 2506: disable video statistics - JS performance fingerprinting (FF25+)
- * [1] https://trac.torproject.org/projects/tor/ticket/15757 ***/
+ * [1] https://trac.torproject.org/projects/tor/ticket/15757
+ * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=654550 ***/
 user_pref("media.video_stats.enabled", false);
-/* 2507: disable keyboard fingerprinting (FF38+) (physical keyboards)
- * The Keyboard API allows tracking the "read parameter" of pressed keys in forms on
- * web pages. These parameters vary between types of keyboard layouts such as QWERTY,
- * AZERTY, Dvorak, and between various languages, eg German vs English.
- * [WARNING] Don't use if Android + physical keyboard
- * [UPDATE] This MAY be incorporated better under privacy.resistFingerprinting (see 2699)
- * [1] https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/code
- * [2] https://www.privacy-handbuch.de/handbuch_21v.htm ***/
-user_pref("dom.keyboardevent.code.enabled", false);
-user_pref("dom.keyboardevent.dispatch_during_composition", false);
 /* 2508: disable hardware acceleration to reduce graphics fingerprinting
  * [SETTING] Options>Advanced>General>Use hardware acceleration when available
  * [NOTE] Changing this option changes BOTH these preferences
@@ -1192,7 +1241,7 @@ user_pref("dom.presentation.receiver.enabled", false);
 user_pref("dom.presentation.session_transport.data_channel.enable", false);
 /* 2514: spoof (or limit?) number of CPU cores (also see 2699f) (FF48+)
  * [WARNING] *may* affect core chrome/Firefox performance, will affect content.
- * Highly recommended to leave this (dom) and use 2699f (navigator)
+ * Highly recommended to leave this (DOM) and use 2699f (navigator)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1008453
  * [2] https://trac.torproject.org/projects/tor/ticket/21675
  * [3] https://trac.torproject.org/projects/tor/ticket/22127
@@ -1237,7 +1286,7 @@ user_pref("devtools.webide.autoinstallADBHelper", false);
 user_pref("devtools.webide.autoinstallFxdtAdapters", false);
 user_pref("devtools.debugger.remote-enabled", false);
 user_pref("devtools.webide.enabled", false);
-/* 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - eg Roku
+/* 2612: disable SimpleServiceDiscovery - which can bypass proxy settings - e.g. Roku
  * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
 user_pref("browser.casting.enabled", false);
 user_pref("gfx.layerscope.enabled", false);
@@ -1263,17 +1312,17 @@ user_pref("network.http.spdy.enabled.http2", false);
  *   [WHY USE true=open with or save to disk]
  * If you think a particular external app is more secure...
  *   [NOTE]
- * 1. See 2662 2: JS can still force a pdf to open in-browser by bundling it's own code (rare) ***/
+ * 1. See 2662 2: JS can still force a pdf to open in-browser by bundling its own code (rare) ***/
 user_pref("pdfjs.disabled", false);
 /* 2618: enforce the proxy server to do any DNS lookups when using SOCKS
- * eg in TOR, this stops your local DNS server from knowing your Tor destination
+ * e.g. in TOR, this stops your local DNS server from knowing your Tor destination
  * as a remote Tor node will handle the DNS request
  * [1] http://kb.mozillazine.org/Network.proxy.socks_remote_dns
  * [2] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
 user_pref("network.proxy.socks_remote_dns", true);
 /* 2619: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
- * [WARNING] A low setting of 5 or under will probably break some sites (eg gmail logins)
- * To control HTML Meta tag and JS redirects, use an add-on (eg NoRedirect). Default is 20 ***/
+ * [WARNING] A low setting of 5 or under will probably break some sites (e.g. gmail logins)
+ * To control HTML Meta tag and JS redirects, use an add-on. Default is 20 ***/
 user_pref("network.http.redirection-limit", 10);
 /* 2620: disable middle mouse click opening links from clipboard
  * [1] https://trac.torproject.org/projects/tor/ticket/10089
@@ -1394,7 +1443,7 @@ user_pref("security.csp.experimentalEnabled", true);
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=583181 ***/
    // user_pref("general.buildID.override", "20100101"); // (hidden pref)
 /* 2697c: navigator.appName ***/
-   //user_pref("general.appname.override", "Netscape"); // (hidden pref)
+   // user_pref("general.appname.override", "Netscape"); // (hidden pref)
 /* 2697d: navigator.appVersion ***/
    // user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref)
 /* 2697e: navigator.platform leaks in JS ***/
@@ -1404,28 +1453,17 @@ user_pref("security.csp.experimentalEnabled", true);
 /* 2697g: general.useragent.locale (related, see 0204) ***/
 
 /*** 2698: FIRST PARTY ISOLATION (FPI)
- ** isolate favicons (FF52+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1277803
- ** isolate OCSP cache (FF52+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1264562
- ** isolate Shared Workers (FF52+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1268726
- ** isolate SSL session cache (FF52+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1316283
- ** isolate media cache (FF53+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1317927
- ** isolate HSTS and HPKP (FF54+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1323644
- ** isolate HTTP Alternative Services (FF54+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1334690
- ** isolate SPDY/HTTP2 (FF55+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1334693
- ** isolate DNS cache (FF55+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1337893
- ** isolate blob: URI (FF55+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1344170
- ** isolate data://, about: URLs (FF55+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1300671
+ ** 1277803 - isolate favicons (FF52+)
+ ** 1264562 - isolate OCSP cache (FF52+)
+ ** 1268726 - isolate Shared Workers (FF52+)
+ ** 1316283 - isolate SSL session cache (FF52+)
+ ** 1317927 - isolate media cache (FF53+)
+ ** 1323644 - isolate HSTS and HPKP (FF54+)
+ ** 1334690 - isolate HTTP Alternative Services (FF54+)
+ ** 1334693 - isolate SPDY/HTTP2 (FF55+)
+ ** 1337893 - isolate DNS cache (FF55+)
+ ** 1344170 - isolate blob: URI (FF55+)
+ ** 1300671 - isolate data://, about: URLs (FF55+)
 ***/
 /* 2698a: enable First Party Isolation (FF51+)
  * [WARNING] May break cross-domain logins and site functionality until perfected
@@ -1439,7 +1477,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
 /*** 2699: privacy.resistFingerprinting
    This master switch will be used for a wide range of items,
    many of which will **override** existing prefs from FF55+
- ** limit window.screen & CSS media queries leaking identifiable info (FF41+)
+ ** 418986 - limit window.screen & CSS media queries leaking identifiable info (FF41+)
      [POC] http://ip-check.info/?lang=en (screen, usable screen, and browser window will match)
      [NOTE] Does not cover everything yet - https://bugzilla.mozilla.org/show_bug.cgi?id=1216800
      [NOTE] This will probably make your values pretty unique until you resize or snap the
@@ -1448,46 +1486,39 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
      Shift+F4 to open the scratchpad, type window.resizeTo(1366,768), hit Ctrl+R to run. Test
      your window size, do some math, resize to allow for all the non inner window elements
      [TEST] http://browserspy.dk/screen.php
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=418986
- ** spoof screen orientation (FF50+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1281949
- ** hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1281963
- ** spoof timezone as UTC 0 (FF55+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1330890
- ** spoof navigator.hardwareConcurrency as 2 (also see 2514) (FF55+)
+ ** 1281949 - spoof screen orientation (FF50+)
+ ** 1281963 - hide the contents of navigator.plugins and navigator.mimeTypes (FF50+)
+ ** 1330890 - spoof timezone as UTC 0 (FF55+)
+ ** 1360039 - spoof navigator.hardwareConcurrency as 2 (also see 2514) (FF55+)
       This spoof *shouldn't* affect core chrome/Firefox performance
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1360039
- ** reduce precision of time exposed by javascript (FF55+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1217238
- ** spoof/disable performance API (see 2410-deprecated, 2411, 2412) (FF56+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1369303
- ** spoof Navigator API (see section 2697) (FF56+)
-   The version number will be rounded to the "nearest" multiple of 10
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1333651
- ** disable device sensor API (see 2512) (FF56+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1369319
- ** disable site specific zoom (see 2515) (FF56+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1369357
- ** disable gamepad API (see 2501) (FF56+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1337161
- ** spoof network information API as "unknown" (see 2503) (FF56+)
-   [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1372072
+ ** 1217238 - reduce precision of time exposed by javascript (FF55+)
+ ** 1369303 - spoof/disable performance API (see 2410-deprecated, 2411, 2412) (FF56+)
+ ** 1333651 & 1383495 - spoof Navigator API (see section 2697) (FF56+)
+      The version number will be rounded down to the nearest multiple of 10
+ ** 1369319 - disable device sensor API (see 2512) (FF56+)
+ ** 1369357 - disable site specific zoom (see 2515) (FF56+)
+ ** 1337161 - disable gamepad API (see 2501) (FF56+)
+ ** 1372072 - spoof network information API as "unknown" (see 2503) (FF56+)
+ ** 1372069 - disable geolocation API (see 0201) (FF56+)
+ ** 1333641 - disable WebSpeech API (see 2021) (FF56+)
+ ** 1369309 - spoof media statistics to 0 (see 2506) (FF57+)
+ ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 2509) (FF57+)
 ***/
 /* 2699a: enable privacy.resistFingerprinting (FF41+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=418986 ***/
 user_pref("privacy.resistFingerprinting", true); // (hidden pref) (not hidden FF55+)
 /* 2699b: set new window sizes to round to hundreds (FF55+) [SETUP]
- * [NOTE] If override values are too big, the code determines it for you
+ * [NOTE] Width will round to multiples of 200s and height to 100s, to fit your screen.
+ * The override values are a starting point to round from if you want some control
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1330882
  * [2] https://metrics.mozilla.com/firefox-hardware-report/ ***/
-   // user_pref("privacy.window.maxInnerWidth", 1366);
-   // user_pref("privacy.window.maxInnerHeight", 768);
+   // user_pref("privacy.window.maxInnerWidth", 1600); // (hidden pref)
+   // user_pref("privacy.window.maxInnerHeight", 900); // (hidden pref)
 
 /*** 2700: COOKIES & DOM STORAGE ***/
 user_pref("ghacks_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
 /* 2701: disable cookies on all sites [SETUP]
- * You can set exceptions under site permissions or use an extension (eg Cookie Controller)
+ * You can set exceptions under site permissions or use an extension
  * 0=allow all 1=allow same host 2=disallow all 3=allow 3rd party if it already set a cookie
  * [SETTING] Options>Privacy>History>Custom Settings>Accept cookies from sites
  * [NOTE] This also controls access to 3rd party Web Storage, IndexedDB, Cache API and Service Worker Cache
@@ -1503,7 +1534,7 @@ user_pref("network.cookie.thirdparty.sessionOnly", true);
    // user_pref("network.cookie.lifetimePolicy", 0);
 /* 2704: set cookie lifetime in days (see above pref) - default is 90 days ***/
    // user_pref("network.cookie.lifetime.days", 90);
-/* 2705: disable dom storage
+/* 2705: disable DOM (Document Object Model) Storage
  * [WARNING] This will break a LOT of sites' functionality.
  * You are better off using an extension for more granular control ***/
    // user_pref("dom.storage.enabled", false);
@@ -1530,7 +1561,7 @@ user_pref("network.cookie.leave-secure-alone", true);
      You should set the values to what suits you best. Be aware that the settings below clear
      browsing, download and form history, but not cookies (we expect you to use an extension).
      [NOTE] In both 2803 + 2804, the 'download' and 'history' prefs are combined in the
-     firefox interface as "Browsing & Download History" and their values will be synced
+     Firefox interface as "Browsing & Download History" and their values will be synced
  ***/
 user_pref("ghacks_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
 /* 2802: enable Firefox to clear history items on shutdown
@@ -1570,7 +1601,7 @@ user_pref("privacy.cpd.siteSettings", false); // Site Preferences
    // user_pref("privacy.cpd.openWindows", true);
 /* 2806: reset default 'Time range to clear' for 'Clear Recent History' (see 2804)
  * Firefox remembers your last choice. This will reset the value when you start Firefox.
- * 0=everything, 1=last hour, 2=last two hours, 3=last four hours
+ * 0=everything, 1=last hour, 2=last two hours, 3=last four hours,
  * 4=today, 5=last five minutes, 6=last twenty-four hours
  * [NOTE] The values 5 + 6 are not listed in the dropdown, which will display a
  * blank value if they are used, but they do work as advertised ***/
@@ -1603,13 +1634,10 @@ user_pref("browser.backspace_action", 2);
  * 1=current window, 2=new window, 3=most recent window
  * [SETTING] Options>General>Tabs>Open new windows in a new tab instead ***/
 user_pref("browser.link.open_newwindow", 3);
-/* 3009: enable APZ (Async Pan/Zoom) - requires e10s
- * [1] https://www.ghacks.net/2015/07/28/scrolling-in-firefox-to-get-a-lot-better-thanks-to-apz/ ***/
-   // user_pref("layers.async-pan-zoom.enabled", true);
 /* 3010: enable ctrl-tab previews ***/
 user_pref("browser.ctrlTab.previews", true);
 /* 3011: don't open "page/selection source" in a tab. The window used instead is cleaner
- * and easier to use and move around (eg developers/multi-screen). ***/
+ * and easier to use and move around (e.g. developers/multi-screen). ***/
 user_pref("view_source.tab", false);
 /* 3012: control spellchecking: 0=none, 1-multi-line controls, 2=multi-line & single-line controls ***/
 user_pref("layout.spellcheckDefault", 1);
@@ -1617,11 +1645,9 @@ user_pref("layout.spellcheckDefault", 1);
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=620472
  * [2] https://developer.mozilla.org/en-US/docs/Online_and_offline_events ***/
 user_pref("network.manage-offline-status", false);
-/* 3015: disable tab animation, speed things up a little ***/
-user_pref("browser.tabs.animate", false);
-/* 3016: disable fullscreeen animation. Test using F11.
- * Animation is smother but is annoyingly slow, while no animation can be startling ***/
-user_pref("browser.fullscreen.animate", false);
+/* 3015: disable animations
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1352069 ***/
+   // user_pref("toolkit.cosmeticAnimations.enabled", false);
 /* 3017: set submenu delay in milliseconds. 0=instant while a small number allows
  * a mouse pass over menu items without any submenus alarmingly shooting out ***/
 user_pref("ui.submenuDelay", 150); // (hidden pref)
@@ -1660,6 +1686,7 @@ user_pref("browser.bookmarks.showRecentlyBookmarked", false);
    // user_pref("media.wave.enabled", false);
    // user_pref("media.webm.enabled", false);
    // user_pref("media.wmf.enabled", false); // https://www.youtube.com/html5 - for the two H.264 entries
+   // user_pref("media.wmf.vp9.enabled", false);
 /* 3026: disable "Reader View" ***/
    // user_pref("reader.parse-on-load.enabled", false);
 /* 3027: decode URLs on copy from the urlbar (FF53+)
@@ -1667,19 +1694,16 @@ user_pref("browser.bookmarks.showRecentlyBookmarked", false);
 user_pref("browser.urlbar.decodeURLsOnCopy", true);
 /* 3028: disable middle-click enabling auto-scrolling [WINDOWS] [MAC] ***/
    // user_pref("general.autoScroll", false);
-/* 3029: disable Firefox Screenshots (FF54+)
- * [1] https://www.ghacks.net/2017/05/28/firefox-screenshots-integrated-in-firefox-nightly/
- * [2] https://github.com/mozilla-services/screenshots ***/
-   // user_pref("extensions.screenshots.system-disabled", true);
 
 /* END: internal custom pref to test for syntax errors ***/
 user_pref("ghacks_user.js.parrot", "No no he's not dead, he's, he's restin'! Remarkable bird, the Norwegian Blue");
 
 /*** 9999: DEPRECATED / REMOVED / LEGACY / RENAMED
      Documentation denoted as [-]. Numbers may be re-used. See [1] for a link-clickable,
-     viewer-friendly version of the deprecated bugzilla tickets. To enable a section
-     change /* FFxx to // FFxx. The original state of each pref has been preserved,
-     or changed to match the current setup, but you are advised to review them.
+     viewer-friendly version of the deprecated bugzilla tickets. The original state of each pref
+     has been preserved, or changed to match the current setup, but you are advised to review them.
+     [NOTE] Up to FF53, to enable a section change /* FFxx to // FFxx
+     For FF53 on, we have bundled releases to cater for ESR. Change /* to // on the first line
      [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123
 ***/
 /* FF42 and older
@@ -1771,18 +1795,18 @@ user_pref("datareporting.healthreport.documentServerURI", ""); // (hidden pref)
 // 0334b: disable FHR (Firefox Health Report) v2 data being sent to Mozilla servers
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1234522
 user_pref("datareporting.policy.dataSubmissionEnabled.v2", false);
-// 0373: disable "Pocket" - replaced by extensions.pocket.*
-   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1215694
-user_pref("browser.pocket.enabled", false);
-user_pref("browser.pocket.api", "");
-user_pref("browser.pocket.site", "");
-user_pref("browser.pocket.oAuthConsumerKey", "");
 // 0414: disable safebrowsing pref - replaced by browser.safebrowsing.downloads.remote.url
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1239587
 user_pref("browser.safebrowsing.appRepURL", ""); // Google application reputation check
 // 0420: disable polaris (part of Tracking Protection, never used in stable)
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1235565
    // user_pref("browser.polaris.enabled", false);
+// 0510: disable "Pocket" - replaced by extensions.pocket.*
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1215694
+user_pref("browser.pocket.enabled", false);
+user_pref("browser.pocket.api", "");
+user_pref("browser.pocket.site", "");
+user_pref("browser.pocket.oAuthConsumerKey", "");
 // ***/
 /* FF47
 // 0330b: set unifiedIsOptIn to make sure telemetry respects OptIn choice and that telemetry
@@ -1878,7 +1902,7 @@ user_pref("media.gmp-eme-adobe.autoupdate", false);
 user_pref("dom.telephony.enabled", false);
 // 2502: disable Battery Status API. Initially a Linux issue (high precision readout) that
    // was fixed. However, it is still another metric for fingerprinting, used to raise entropy.
-   // eg: do you have a battery or not, current charging status, charge level, times remaining etc
+   // e.g. do you have a battery or not, current charging status, charge level, times remaining etc
    // [1] http://techcrunch.com/2015/08/04/battery-attributes-can-be-used-to-track-web-users/
    // [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1124127
    // [3] https://www.w3.org/TR/battery-status/
@@ -1887,7 +1911,10 @@ user_pref("dom.telephony.enabled", false);
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1313580
 user_pref("dom.battery.enabled", false);
 // ***/
-/* FF53
+
+/* ESR52 still needs all the following prefs
+// [NOTE] replace the * with a slash in the line above to re-enable them if you're using ESR52.x.x
+// FF53
 // 1265: block rc4 fallback
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1130670
 user_pref("security.tls.unrestricted_rc4_fallback", false);
@@ -1904,8 +1931,8 @@ user_pref("media.getusermedia.screensharing.allow_on_old_platforms", false);
 // 2507: disable keyboard fingerprinting
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1322736
 user_pref("dom.beforeAfterKeyboardEvent.enabled", false);
-// ***/
-/* FF54
+// * * * /
+// FF54
 // 0415: disable reporting URLs (safe browsing)
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1288633
 user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");
@@ -1914,7 +1941,47 @@ user_pref("browser.safebrowsing.reportPhishMistakeURL", "");
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1242321
 user_pref("media.eme.apiVisible", false);
 // 2425: disable Archive Reader API
-   // i.e reading archive contents directly in the browser, through DOM file objects
+   // i.e. reading archive contents directly in the browser, through DOM file objects
    // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1342361
 user_pref("dom.archivereader.enabled", false);
+// * * * /
+// FF55
+// 0209: disable geolocation on non-secure origins (FF54+)
+   // [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1269531
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1072859
+user_pref("geo.security.allowinsecure", false);
+// 0336: disable "Heartbeat" (Mozilla user rating telemetry) (FF37+)
+   // [1] https://trac.torproject.org/projects/tor/ticket/18738
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1361578
+user_pref("browser.selfsupport.enabled", false); // (hidden pref)
+user_pref("browser.selfsupport.url", "");
+// 0360: disable new tab "pings"
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1241390
+user_pref("browser.newtabpage.directory.ping", "data:text/plain,");
+// 0861: disable saving form history on secure websites
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1361220
+user_pref("browser.formfill.saveHttpsForms", false);
+// 0863: disable Form Autofill (FF54+) - replaced by extensions.formautofill.*
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1364334
+user_pref("browser.formautofill.enabled", false);
+// 2410: disable User Timing API
+   // [1] https://trac.torproject.org/projects/tor/ticket/16336
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1344669
+user_pref("dom.enable_user_timing", false);
+// 2507: disable keyboard fingerprinting (FF38+) (physical keyboards)
+   // The Keyboard API allows tracking the "read parameter" of pressed keys in forms on
+   // web pages. These parameters vary between types of keyboard layouts such as QWERTY,
+   // AZERTY, Dvorak, and between various languages, e.g. German vs English.
+   // [WARNING] Don't use if Android + physical keyboard
+   // [1] https://developer.mozilla.org/en-US/docs/Web/API/KeyboardEvent/code
+   // [2] https://www.privacy-handbuch.de/handbuch_21v.htm
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1352949
+user_pref("dom.keyboardevent.code.enabled", false);
+// 3015: disable tab animation - replaced by toolkit.cosmeticAnimations.enabled
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1352069
+user_pref("browser.tabs.animate", false);
+// 3016: disable fullscreeen animation - replaced by toolkit.cosmeticAnimations.enabled
+   // [-] https://bugzilla.mozilla.org/show_bug.cgi?id=1352069
+user_pref("browser.fullscreen.animate", false);
+// * * * /
 // ***/