58-alpha release

- removed `network.cookie.thirdparty.sessionOnly` because it can't break sites
- added `permissions.default.shortcuts`

README.md

@@ -6,14 +6,14 @@ The `ghacks user.js` is a **template**, which, as provided, aims to provide as m
 
 Everyone, experts included, should at least read the [implementation](https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation) wiki page, as it contains important information regarding a few `ghacks user.js` settings.
 
-Sitemap: [Releases](https://github.com/ghacksuserjs/ghacks-user.js/releases), [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki), [stickies](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22)
+Sitemap: [Releases](https://github.com/ghacksuserjs/ghacks-user.js/releases), [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki), [stickies](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22). [diffs](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+label%3Adiffs)
 
 ### ![](https://github.com/ghacksuserjs/ghacks-user.js/blob/master/wikipiki/bullet01.png) acknowledgments
 Literally thousands of sources, references and suggestions. That said...
 
 * Martin Brinkmann at [ghacks](https://www.ghacks.net/) <sup>1</sup>
 * The ghacks community and commentators
-* [12bytes](http://12bytes.org/tech/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
+* [12bytes](http://12bytes.org/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
    * The 12bytes article now uses this user.js and supplements it with an additonal JS hosted right [here](https://github.com/atomGit/Firefox-user.js) at github
 
 <sup>1</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.

scratchpad-scripts/troubleshooter.js

@@ -0,0 +1,232 @@
+
+/*** ghacks-user.js troubleshooter.js v1.4 ***/
+
+(function() {
+
+  if("undefined" === typeof(Services)) {
+    alert("about:config needs to be the active tab!");
+    return;
+  }
+
+  function getMyList(arr) {
+    let aRet = [];
+    let dummy = 0;
+    for (let i = 0, len = arr.length; i < len; i++) {
+      if (Services.prefs.prefHasUserValue(arr[i])) {
+        dummy = Services.prefs.getPrefType(arr[i]);
+        switch (dummy) {
+          case 32: // string (see https://dxr.mozilla.org/mozilla-central/source/modules/libpref/nsIPrefBranch.idl#31)
+            dummy = Services.prefs.getCharPref(arr[i]);
+            aRet.push({'name':arr[i],'value': dummy,'type':32});
+            break;
+          case 64: // int
+            dummy = Services.prefs.getIntPref(arr[i]);
+            aRet.push({'name':arr[i],'value': dummy,'type':64});
+            break;
+          case 128: // boolean
+            dummy = Services.prefs.getBoolPref(arr[i]);
+            aRet.push({'name':arr[i],'value': dummy,'type':128});
+            break;
+          default:
+            console.log("error detecting pref-type for '"+arr[i]+"' !");
+        }
+      }
+    }
+    return aRet;
+  }
+
+  function reapply(arr) {
+    for (let i = 0, len = arr.length; i < len; i++) {
+      switch (arr[i].type) {
+        case 32: // string
+          Services.prefs.setCharPref(arr[i].name, arr[i].value);
+          break;
+        case 64: // int
+          Services.prefs.setIntPref(arr[i].name, arr[i].value);
+          break;
+        case 128: // boolean
+          Services.prefs.setBoolPref(arr[i].name, arr[i].value);
+          break;
+        default:
+          console.log("error re-appyling value for '"+arr[i].name+"' !"); // should never happen
+      }
+    }
+  }
+
+  function myreset(arr) {
+    for (let i = 0, len = arr.length; i < len; i++) {
+      Services.prefs.clearUserPref(arr[i].name);
+    }
+  }
+
+  let ops = [
+
+    /* known culprits */
+    'network.cookie.cookieBehavior',
+    'network.http.referer.XOriginPolicy',
+    'privacy.firstparty.isolate',
+    'privacy.resistFingerprinting',
+    'security.mixed_content.block_display_content',
+    'svg.disabled',
+
+    /* Storage + Cache */
+    'browser.cache.offline.enable',
+    'dom.indexedDB.enabled',
+    'dom.storage.enabled',
+    'browser.storageManager.enabled',
+    'dom.storageManager.enabled',
+
+    /* Workers, Web + Push Notifications */
+    'dom.caches.enabled',
+    'dom.push.connection.enabled',
+    'dom.push.enabled',
+    'dom.push.serverURL',
+    'dom.serviceWorkers.enabled',
+    'dom.workers.enabled',
+    'dom.webnotifications.enabled',
+    'dom.webnotifications.serviceworker.enabled',
+
+    /* Fonts */
+    'browser.display.use_document_fonts',
+    'font.blacklist.underline_offset',
+    'gfx.downloadable_fonts.woff2.enabled',
+    'gfx.font_rendering.graphite.enabled',
+    'gfx.font_rendering.opentype_svg.enabled',
+    'layout.css.font-loading-api.enabled',
+
+    /* Misc */
+    'browser.link.open_newwindow.restriction',
+    'canvas.capturestream.enabled',
+    'dom.event.clipboardevents.enabled',
+    'dom.event.contextmenu.enabled',
+    'dom.IntersectionObserver.enabled',
+    'dom.popup_allowed_events',
+    'full-screen-api.enabled',
+    'geo.wifi.uri',
+    'intl.accept_languages',
+    'javascript.options.asmjs',
+    'javascript.options.wasm',
+    'permissions.default.shortcuts',
+    'security.csp.experimentalEnabled',
+
+    /* Hardware */
+    'dom.vr.enabled',
+    'media.ondevicechange.enabled',
+
+    /* Audio + Video */
+    'dom.webaudio.enabled',
+    'media.autoplay.enabled',
+    'media.flac.enabled',
+    'media.mp4.enabled',
+    'media.ogg.enabled',
+    'media.opus.enabled',
+    'media.raw.enabled',
+    'media.wave.enabled',
+    'media.webm.enabled',
+    'media.wmf.enabled',
+
+    /* Forms */
+    'browser.formfill.enable',
+    'signon.autofillForms',
+    'signon.formlessCapture.enabled',
+
+    /* HTTPS */
+    'security.cert_pinning.enforcement_level',
+    'security.family_safety.mode',
+    'security.mixed_content.use_hsts',
+    'security.OCSP.require',
+    'security.pki.sha1_enforcement_level',
+    'security.ssl.require_safe_negotiation',
+    'security.ssl.treat_unsafe_negotiation_as_broken',
+    'security.ssl3.dhe_rsa_aes_128_sha',
+    'security.ssl3.dhe_rsa_aes_256_sha',
+    'security.ssl3.ecdhe_ecdsa_aes_128_sha',
+    'security.ssl3.ecdhe_rsa_aes_128_sha',
+    'security.ssl3.rsa_aes_128_sha',
+    'security.ssl3.rsa_aes_256_sha',
+    'security.ssl3.rsa_des_ede3_sha',
+    'security.tls.enable_0rtt_data',
+    'security.tls.version.max',
+    'security.tls.version.min',
+
+    /* Plugins + Flash */
+    'plugin.default.state',
+    'plugin.defaultXpi.state',
+    'plugin.sessionPermissionNow.intervalInMinutes',
+    'plugin.state.flash',
+
+    /* unlikely to cause problems */
+    'browser.tabs.remote.allowLinkedWebInFileUriProcess',
+    'dom.popup_maximum',
+    'layout.css.visited_links_enabled',
+    'mathml.disabled',
+    'network.auth.subresource-img-cross-origin-http-auth-allow',
+    'network.http.redirection-limit',
+    'network.protocol-handler.external.ms-windows-store',
+    'privacy.trackingprotection.enabled',
+    'security.data_uri.block_toplevel_data_uri_navigations',
+
+    /* FF User-Interface */
+    'browser.search.suggest.enabled',
+    'browser.urlbar.autoFill',
+    'browser.urlbar.autoFill.typed',
+    'browser.urlbar.oneOffSearches',
+    'browser.urlbar.suggest.searches',
+    'keyword.enabled',
+
+    'last.one.without.comma'
+  ]
+
+
+  // reset prefs that set the same value as FFs default value
+  let aTEMP = getMyList(ops);
+  myreset(aTEMP);
+  reapply(aTEMP);
+
+  const aBACKUP = getMyList(ops);
+  //console.log(aBACKUP.length, "user-set prefs from our list detected and their values stored.");
+
+  let myArr = aBACKUP;
+  let found = false;
+  let aDbg = [];
+  focus();
+  myreset(aBACKUP); // reset all detected prefs
+  if (confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) {
+    aDbg = myArr;
+    reapply(aBACKUP);
+    myreset(myArr.slice(0, parseInt(myArr.length/2)));
+    while (myArr.length >= 2) {
+      alert("NOW TEST AGAIN !");
+      if (confirm("if the problem still exists click OK, otherwise click cancel.")) {
+        myArr = myArr.slice(parseInt(myArr.length/2));
+        if (myArr.length == 1) {
+          alert("The problem is caused by more than 1 pref !\n\nNarrowed it down to "+ aDbg.length.toString() +" prefs, check the console ...");
+          break;
+        }
+      } else {
+        myArr = myArr.slice(0, parseInt(myArr.length/2));
+        aDbg = myArr;
+        if (myArr.length == 1) { found = true; break; }
+      }
+      reapply(aBACKUP);
+      myreset(myArr.slice(0, parseInt(myArr.length/2))); // reset half of the remaining prefs
+    }
+    reapply(aBACKUP);
+  }
+  else {
+    reapply(aBACKUP);
+    return;
+  }
+
+  if (found) {
+    alert("narrowed it down to:\n\n"+myArr[0].name+"\n");
+    myreset(myArr); // reset the culprit
+  }
+  else {
+    console.log("the problem is caused by a combination of the following prefs:");
+    for (let i = 0, len = aDbg.length; i < len; i++) {
+      console.log(aDbg[i].name);
+    }
+  }
+
+})();

updater.bat

@@ -3,7 +3,7 @@ TITLE ghacks user.js updater
 
 REM ## ghacks-user.js updater for Windows
 REM ## author: @claustromaniac
-REM ## version: 4.2
+REM ## version: 4.3
 REM ## instructions: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.3-Updater-Scripts
 
 SET _myname=%~n0
@@ -16,6 +16,7 @@ IF /I "%~1"=="-logp" (SET _log=1 & SET _logp=1)
 IF /I "%~1"=="-multioverrides" (SET _multi=1)
 IF /I "%~1"=="-merge" (SET _merge=1)
 IF /I "%~1"=="-updatebatch" (SET _updateb=1)
+IF /I "%~1"=="-singlebackup" (SET _singlebackup=1)
 SHIFT
 GOTO parse
 :endparse
@@ -76,14 +77,14 @@ ECHO:
 ECHO:                ########################################
 ECHO:                ####  user.js Updater for Windows   ####
 ECHO:                ####       by claustromaniac        ####
-ECHO:                ####             v4.2               ####
+ECHO:                ####             v4.3               ####
 ECHO:                ########################################
 ECHO:
 SET /A "_line=0"
 IF NOT EXIST user.js (
 	CALL :message "user.js not detected in the current directory."
 ) ELSE (
-	FOR /F "skip=1 tokens=1,2 delims=:" %%G IN (user.js) DO (
+	FOR /F "skip=1 tokens=1,* delims=:" %%G IN (user.js) DO (
 		SET /A "_line+=1"
 		IF !_line! GEQ 4 (GOTO exitloop)
 		IF !_line! EQU 1 (SET _name=%%H)
@@ -91,15 +92,11 @@ IF NOT EXIST user.js (
 		IF !_line! EQU 3 (SET _version=%%G)
 	)
 	:exitloop
-	IF !_line! GEQ 4 (
+	IF NOT "!_name!"=="" (
 		IF /I NOT "!_name!"=="!_name:ghacks=!" (
-			CALL :message "ghacks user.js !_version:~2!,!_date!"
-		) ELSE (
-			CALL :message "Current user.js version not recognised."
-		)
-	) ELSE (
-		CALL :message "Current user.js version not recognised."
-	)
+			CALL :message "!_name! !_version:~2!,!_date!"
+		) ELSE (CALL :message "Current user.js version not recognised.")
+	) ELSE (CALL :message "Current user.js version not recognised.")
 )
 ECHO:
 IF NOT DEFINED _ua (
@@ -123,17 +120,12 @@ IF DEFINED _log (
 	ECHO:##################################################################
 	CALL :message "%date%, %time%"
 )
-IF EXIST user.js.old.bak (DEL /F user.js.old.bak)
-IF EXIST user.js (
-	IF EXIST user.js.bak (REN user.js.bak user.js.old.bak)
-	REN user.js user.js.bak
-	CALL :message "Current user.js file backed up."
-)
+IF EXIST user.js.new (DEL /F "user.js.new")
 CALL :message "Retrieving latest user.js file from github repository..."
 (
-	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/ghacksuserjs/ghacks-user.js/raw/master/user.js', 'user.js')"
+	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://github.com/ghacksuserjs/ghacks-user.js/raw/master/user.js', 'user.js.new')"
 ) >nul 2>&1
-IF EXIST user.js (
+IF EXIST user.js.new (
 	IF DEFINED _multi (
 		FORFILES /P user.js-overrides /M *.js >nul 2>&1
 		IF NOT ERRORLEVEL 1 (
@@ -141,45 +133,49 @@ IF EXIST user.js (
 				CALL :message "Merging..."
 				COPY /B /V /Y user.js-overrides\*.js user-overrides-merged.js
 				CALL :merge user-overrides-merged.js
-				COPY /B /V /Y user.js+user-overrides-merged.js user.js
-				CALL :merge user.js
+				COPY /B /V /Y user.js.new+user-overrides-merged.js user.js.new
+				CALL :merge user.js.new
 			) ELSE (
 				CALL :message "Appending..."
-				COPY /B /V /Y user.js+"user.js-overrides\*.js" user.js
+				COPY /B /V /Y user.js.new+"user.js-overrides\*.js" user.js.new
 			)
 		) ELSE (CALL :message "No override files found.")
 		ECHO:
 	) ELSE (
 		IF EXIST "user-overrides.js" (
-			COPY /B /V /Y user.js+"user-overrides.js" "user.js"
+			COPY /B /V /Y user.js.new+"user-overrides.js" "user.js.new"
 			IF DEFINED _merge (
 				CALL :message "Merging user-overrides.js..."
-				CALL :merge user.js
+				CALL :merge user.js.new
 			) ELSE (
 				CALL :message "user-overrides.js appended."
 			)
 		) ELSE (CALL :message "user-overrides.js not found.")
 		ECHO:
 	)
-	CALL :message "Handling backups..."
-	SET "changed="
-	IF EXIST user.js.bak (
-		FC user.js.bak user.js >nul && SET "changed=false" || SET "changed=true"
+	IF EXIST user.js (
+		FC user.js.new user.js >nul && SET "_changed=false" || SET "_changed=true"
 	)
-	IF "!changed!"=="true" (
-		IF EXIST user.js.old.bak DEL /F user.js.old.bak
+	IF "!_changed!"=="true" (
+		CALL :message "Backing up..."
+		IF DEFINED _singlebackup (
+			MOVE /Y user.js user.js.bak >nul
+		) ELSE (
+			MOVE /Y user.js "user-backup-!date:/=-!_!time::=.!.js" >nul
+		)
+		REN user.js.new user.js
 		CALL :message "Update complete."
 	) ELSE (
-		IF "!changed!"=="false" (
-			DEL /F user.js.bak
-			IF EXIST user.js.old.bak REN user.js.old.bak user.js.bak
+		IF "!_changed!"=="false" (
+			DEL /F user.js.new >nul
 			CALL :message "Update completed without changes."
-		) ELSE (CALL :message "Update complete.")
+		) ELSE (
+			REN user.js.new user.js
+			CALL :message "Update complete."
+		)
 	)
 	ECHO:
 ) ELSE (
-	IF EXIST user.js.bak (REN user.js.bak user.js)
-	IF EXIST user.js.old.bak (REN user.js.old.bak user.js.bak)
 	CALL :message "Update failed. Make sure PowerShell is allowed internet access."
 	ECHO:   No changes were made.
 )
@@ -200,27 +196,27 @@ REM ############ Merge function ############
 :merge
 SETLOCAL DisableDelayedExpansion
 (
-	FOR /F "tokens=1,* delims=," %%G IN ('FINDSTR /B /I /C:"user_pref" "%~1"') DO (SET "%%G=%%H")
+	FOR /F tokens^=2^,^*^ delims^=^'^" %%G IN ('FINDSTR /B /R /C:"user_pref.*\)[ 	]*;" "%~1"') DO (IF NOT "%%H"=="" (SET "%%G=%%H"))
 	FOR /F "tokens=1,* delims=:" %%I IN ('FINDSTR /N "^" "%~1"') DO (
-		IF ""=="%%J" (
-			ECHO:
+		SET "_temp=%%J"
+		SETLOCAL EnableDelayedExpansion
+		IF NOT "!_temp:~0,9!"=="user_pref" (
+			ENDLOCAL & ECHO:%%J
 		) ELSE (
-			FOR /F "delims=," %%K IN ("%%J") DO (
-				IF NOT [user_pref("_user.js.parrot"]==[%%K] (
-					IF DEFINED %%K (
-						SETLOCAL EnableDelayedExpansion
-						FOR /F "delims=" %%L IN ("!%%K!") DO (
-							ENDLOCAL
-							IF NOT "%%L"=="ALREADY MERGED" (
-								ECHO:%%K,%%L
-								SET "%%K=ALREADY MERGED"
+			IF "!_temp:;=!"=="!_temp!" (
+				ENDLOCAL & ECHO:%%J
+			) ELSE (
+				ENDLOCAL
+				FOR /F tokens^=2^ delims^=^'^" %%K IN ("%%J") DO (
+					IF NOT "_user.js.parrot"=="%%K" (
+						IF DEFINED %%K (
+							SETLOCAL EnableDelayedExpansion
+							FOR /F "delims=" %%L IN ("!%%K!") DO (
+								ENDLOCAL & ECHO:user_pref("%%K"%%L
+								SET "%%K="
 							)
 						)
-					) ELSE (
-						ECHO:%%J
-					)
-				) ELSE (
-					ECHO:%%J
+					) ELSE (ECHO:%%J)
 				)
 			)
 		)
@@ -231,7 +227,7 @@ ENDLOCAL
 GOTO :EOF
 REM ############### Help ##################
 :showhelp
-MODE 80,43
+MODE 80,46
 CLS
 CALL :message "Available arguments (case-insensitive):"
 CALL :message "  -log"
@@ -239,7 +235,7 @@ ECHO:     Write the console output to a logfile (user.js-update-log.txt)
 CALL :message "  -logP"
 ECHO:     Like -log, but also open the logfile after updating.
 CALL :message "  -merge"
-ECHO:     Merge overrides instead of appending them. One-line comments and
+ECHO:     Merge overrides instead of appending them. Single-line comments and
 ECHO:     _user.js.parrot lines are appended normally. Overrides for inactive
 ECHO:     user.js prefs will be appended. When -Merge and -MultiOverrides are used
 ECHO:     together, a user-overrides-merged.js file is also generated in the root
@@ -254,6 +250,9 @@ ECHO:     instead of the default user-overrides.js file. Files are appended in
 ECHO:     alphabetical order.
 CALL :message "  -unattended"
 ECHO:     Run without user input.
+CALL :message "  -singleBackup"
+ECHO:     Use a single backup file and overwrite it on new updates, instead of
+ECHO:     cumulative backups. This was the default behaviour before v4.3.
 CALL :message "  -updatebatch"
 ECHO:     Update the script itself on execution, before the normal routine.
 CALL :message ""

user.js

@@ -1,10 +1,11 @@
 /******
 * name: ghacks user.js
-* date: 20 November 2017
-* version 57: I Love Rock 'n' Pants
-*   "Singing, I love rock and pants. So put another dime in the jukebox, baby"
+* date: 3 February 2018
+* version 58: Pantslide
+*   "I took my pants, took em down, I climbed a mountain and I turned around"
 * authors: v52+ github | v51- www.ghacks.net
 * url: https://github.com/ghacksuserjs/ghacks-user.js
+* license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
 
 * releases: These are end-of-stable-life-cycle legacy archives.
             *Always* use the master branch user.js for a current up-to-date version.
@@ -19,8 +20,8 @@
   3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
      * Auto-installing updates for Firefox and extensions are disabled (section 0302's)
      * Some user data is erased on close (section 2800), namely history (browsing, form, download)
-     * Cookies are denied by default (2701), we use site exceptions. This breaks extensions
-       that use IndexedDB, so you need to allow exceptions for those as well: see [1] below
+     * Cookies are denied by default (2701), we use site exceptions. In Firefox 58 and lower, this breaks
+       extensions that use IndexedDB, so you need to allow exceptions for those as well: see [1] below
        [1] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1.1-Setting-Extension-Permission-Exceptions
      * EACH RELEASE check:
          - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
@@ -44,6 +45,9 @@
  * [2] https://en.wikipedia.org/wiki/Warrant_canary ***/
 user_pref("_user.js.parrot", "START: Oh yes, the Norwegian Blue... what's wrong with it?");
 
+/* 0000: disable about:config warning ***/
+user_pref("general.warnOnAboutConfig", false);
+
 /* 0001: start Firefox in PB (Private Browsing) mode
  * [SETTING-56+] Options>Privacy & Security>History>Custom Settings>Always use private browsing mode
  * [SETTING-ESR] Options>Privacy>History>Custom Settings>Always use private browsing mode
@@ -91,6 +95,9 @@ user_pref("browser.search.geoip.url", "");
 user_pref("intl.locale.matchOS", false);
 /* 0204: set APP locale ***/
 user_pref("general.useragent.locale", "en-US");
+/* 0205: set OS & APP locale (replaces 0203 + 0204) (FF59+)
+ * If set to empty, the OS locales are used. If not set at all, default locale is used ***/
+user_pref("intl.locale.requested", "en-US"); // (hidden pref)
 /* 0206: disable geographically specific results/search engines e.g. "browser.search.*.US"
  * i.e. ignore all of Mozilla's various search engines in multiple locales ***/
 user_pref("browser.search.geoSpecificDefaults", false);
@@ -189,7 +196,8 @@ user_pref("breakpad.reportURL", "");
 /* 0351: disable sending of crash reports (FF44+) ***/
 user_pref("browser.tabs.crashReporting.sendReport", false);
 user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // (FF51+)
-user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51+)
+user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51-57)
+user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // (FF58+)
 /* 0360: disable new tab tile ads & preload & marketing junk ***/
 user_pref("browser.newtab.preload", false);
 user_pref("browser.newtabpage.directory.source", "data:text/plain,");
@@ -273,6 +281,9 @@ user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); //
  * [TEST] see github wiki APPENDIX C: Test Sites: Section 5
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1226490 ***/
    // user_pref("browser.safebrowsing.allowOverride", false);
+/* 0417: disable data sharing (FF58+) ***/
+user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
+user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
 /** TRACKING PROTECTION (TP)
     There are NO privacy concerns here, but we strongly recommend to use uBlock Origin as well,
     as it offers more comprehensive and specialized lists. It also allows per domain control. ***/
@@ -591,7 +602,7 @@ user_pref("browser.cache.disk_cache_ssl", false);
  * [NOTE] Not recommended unless you know what you're doing
  * [1] http://kb.mozillazine.org/Browser.sessionhistory.max_total_viewers ***/
    // user_pref("browser.sessionhistory.max_total_viewers", 0);
-/* 1006: disable permissions manager from writing to disk (requires restart)
+/* 1006: disable permissions manager from writing to disk [RESTART]
  * [NOTE] This means any permission changes are session only
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=967812 ***/
    // user_pref("permissions.memory_only", true); // (hidden pref)
@@ -635,52 +646,6 @@ user_pref("browser.shell.shortcutFavicons", false);
 /* 1032: disable favicons in web notifications ***/
 user_pref("alerts.showFavicons", false);
 
-/*** 1100: MULTI-PROCESS (e10s)
-     We recommend you let Firefox handle this. Until e10s is enforced, if
-     - all your legacy extensions have the 'multiprocessCompatible' flag as true, then FF = e10s
-     - any legacy extensions have 'multiprocessCompatible' flag as false, then FF != e10s
-     - any legacy extensions are missing the 'multiprocessCompatible' flag, then they *might* be disabled
-     [1] https://blog.mozilla.org/addons/2017/02/16/the-road-to-firefox-57-compatibility-milestones/
-***/
-user_pref("_user.js.parrot", "1100 syntax error: the parrot's bought the farm!");
-/* 1101: start the browser in e10s mode (FF48+)
- * about:support>Application Basics>Multiprocess Windows ***/
-   // user_pref("browser.tabs.remote.autostart", true);
-   // user_pref("browser.tabs.remote.autostart.2", true); // (FF49+) (hidden pref)
-   // user_pref("browser.tabs.remote.force-enable", true); // (hidden pref)
-   // user_pref("extensions.e10sBlocksEnabling", false);
-/* 1102: control number of content rendering processes
- * [SETTING] Options>General>Performance>Custom>Content process limit
- * [1] https://www.ghacks.net/2016/02/15/change-how-many-processes-multi-process-firefox-uses/
- * [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1207306 ***/
-   // user_pref("dom.ipc.processCount", 4);
-/* 1103: enable extension code to run in a separate process (webext-oop) (FF53+)
- * [1] https://wiki.mozilla.org/WebExtensions/Implementing_APIs_out-of-process ***/
-   // user_pref("extensions.webextensions.remote", true);
-/* 1104: enforce separate content process for file://URLs (FF53+)
- * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1147911
- * [2] https://www.ghacks.net/2016/11/27/firefox-53-exclusive-content-process-for-local-files/ ***/
-user_pref("browser.tabs.remote.separateFileUriProcess", true);
-/* 1105: enable console shim warnings for legacy extensions with the 'multiprocessCompatible' flag as false ***/
-user_pref("dom.ipc.shims.enabledWarnings", true);
-/* 1106: control number of extension processes ***/
-   // user_pref("dom.ipc.processCount.extension", 1);
-/* 1107: control number of file processes ***/
-   // user_pref("dom.ipc.processCount.file", 1);
-/* 1108: block web content in file processes (FF55+)
- * [WARNING] [SETUP] You may want to disable this for corporate or developer environments
- * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1343184 ***/
-user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
-/* 1110: set sandbox level. DO NOT MEDDLE WITH THESE. They are included to inform you NOT to play
- * with them. The values are integers, but the code below deliberately contains a data mismatch
- * [1] https://wiki.mozilla.org/Security/Sandbox
- * [2] https://www.ghacks.net/2017/01/23/how-to-change-firefoxs-sandbox-security-level/#comment-4105173 ***/
-   // user_pref("security.sandbox.content.level", "donotuse");
-   // user_pref("dom.ipc.plugins.sandbox-level.default", "donotuse");
-   // user_pref("dom.ipc.plugins.sandbox-level.flash", "donotuse");
-/* 1111: enable sandbox logging ***/
-   // user_pref("security.sandbox.logging.enabled", true);
-
 /*** 1200: HTTPS ( SSL/TLS / OCSP / CERTS / HSTS / HPKP / CIPHERS )
    Note that your cipher and other settings can be used server side as a fingerprint attack
    vector, see [1] (It's quite technical but the first part is easy to understand
@@ -732,17 +697,20 @@ user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)
 /* 1210: enable OCSP Stapling
  * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
 user_pref("security.ssl.enable_ocsp_stapling", true);
-/* 1211: control use of OCSP responder servers to confirm current validity of certificates
- * 0=disable, 1=validate only certificates that specify an OCSP service URL (default)
- * 2=enable and use values in security.OCSP.URL and security.OCSP.signing.
+/* 1211: control when to use OCSP fetching (to confirm current validity of certificates)
+ * 0=disabled, 1=enabled (default), 2=enabled for EV certificates only
  * OCSP (non-stapled) leaks information about the sites you visit to the CA (cert authority)
  * It's a trade-off between security (checking) and privacy (leaking info to the CA)
+ * [NOTE] This pref only controls OCSP fetching and does not affect OCSP stapling
  * [1] https://en.wikipedia.org/wiki/Ocsp ***/
 user_pref("security.OCSP.enabled", 1);
-/* 1212: enable OCSP revocation. When a CA cannot be reached to validate a cert, Firefox currently
- * continues the connection. With OCSP revocation, Firefox terminates the connection instead.
- * [WARNING] Since FF44 the default is false. If set to true, this will cause some site breakage
- * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/ ***/
+/* 1212: set OCSP fetch failures (non-stapled, see 1211) to hard-fail
+ * When a CA cannot be reached to validate a cert, Firefox just continues the connection (=soft-fail)
+ * Setting this pref to true tells Firefox to instead terminate the connection (=hard-fail)
+ * It is pointless to soft-fail when an OCSP fetch fails: you cannot confirm a cert is still valid (it
+ * could have been revoked) and/or you could be under attack (e.g. malicious blocking of OCSP servers)
+ * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
+ * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
 user_pref("security.OCSP.require", true);
 /** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
 /* 1220: disable Windows 8.1's Microsoft Family Safety cert [WINDOWS] (FF50+)
@@ -751,7 +719,7 @@ user_pref("security.OCSP.require", true);
  * 2=detect Family Safety mode and import the root
  * [1] https://trac.torproject.org/projects/tor/ticket/21686 ***/
 user_pref("security.family_safety.mode", 0);
-/* 1221: disable intermediate certificate caching (fingerprinting attack vector)
+/* 1221: disable intermediate certificate caching (fingerprinting attack vector) [RESTART]
  * [NOTE] This may be better handled under FPI (ticket 1323644, part of Tor Uplift)
  * [WARNING] This affects login/cert/key dbs. The effect is all credentials are session-only.
  * Saved logins and passwords are not available. Reset the pref and restart to return them.
@@ -774,9 +742,8 @@ user_pref("network.stricttransportsecurity.preloadlist", true);
 /* 1240: disable insecure active content on https pages - mixed content
  * [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
 user_pref("security.mixed_content.block_active_content", true);
-/* 1241: disable insecure passive content (such as images) on https pages - mixed context
- * [WARNING] When set to true, this will visually break many sites (March 2017) ***/
-   // user_pref("security.mixed_content.block_display_content", true);
+/* 1241: disable insecure passive content (such as images) on https pages - mixed context ***/
+user_pref("security.mixed_content.block_display_content", true);
 /* 1242: enable Mixed-Content-Blocker to use the HSTS cache but disable the HSTS Priming requests (FF51+)
  * Allow resources from domains with an existing HSTS cache record or in the HSTS preload list
  * to be upgraded to HTTPS internally but disable sending out HSTS Priming requests, because
@@ -818,7 +785,7 @@ user_pref("security.pki.sha1_enforcement_level", 1);
  * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
 user_pref("security.ssl.treat_unsafe_negotiation_as_broken", true);
 /* 1271: control "Add Security Exception" dialog on SSL warnings
- * 0=do neither 1=pre-populate url 2+pre-populate url + pre-fetch cert (default)
+ * 0=do neither 1=pre-populate url 2=pre-populate url + pre-fetch cert (default)
  * [1] https://github.com/pyllyukko/user.js/issues/210 ***/
 user_pref("browser.ssl_override_behavior", 1);
 /* 1272: display advanced information on Insecure Connection warning pages
@@ -855,12 +822,12 @@ user_pref("gfx.downloadable_fonts.enabled", true);
 /* 1404: disable rendering of SVG OpenType fonts
  * [1] https://wiki.mozilla.org/SVGOpenTypeFonts - iSECPartnersReport recommends to disable this ***/
 user_pref("gfx.font_rendering.opentype_svg.enabled", false);
-/* 1405: disable WOFF2 (Web Open Font Format) ***/
+/* 1405: disable WOFF2 (Web Open Font Format) (FF35+) ***/
 user_pref("gfx.downloadable_fonts.woff2.enabled", false);
 /* 1406: disable CSS Font Loading API
  * [SETUP] Disabling fonts can uglify the web a fair bit. ***/
 user_pref("layout.css.font-loading-api.enabled", false);
-/* 1407: disable special underline handling for a few fonts which you will probably never use.
+/* 1407: disable special underline handling for a few fonts which you will probably never use [RESTART]
  * Any of these fonts on your system can be enumerated for fingerprinting. Requires restart.
  * [1] http://kb.mozillazine.org/Font.blacklist.underline_offset ***/
 user_pref("font.blacklist.underline_offset", "");
@@ -868,7 +835,7 @@ user_pref("font.blacklist.underline_offset", "");
  * In the past it had security issues. Update: This continues to be the case, see [1]
  * [1] https://www.mozilla.org/security/advisories/mfsa2017-15/#CVE-2017-7778 ***/
 user_pref("gfx.font_rendering.graphite.enabled", false);
-/* 1409: limit system font exposure to a whitelist (FF52+) [SETUP]
+/* 1409: limit system font exposure to a whitelist (FF52+) [SETUP] [RESTART]
  * If the whitelist is empty, then whitelisting is considered disabled and all fonts are allowed.
  * [NOTE] Creating your own probably highly-unique whitelist will raise your entropy. If
  * you block sites choosing fonts in 1401, this preference is irrelevant. In future,
@@ -905,7 +872,8 @@ user_pref("network.http.sendRefererHeader", 2);
 user_pref("network.http.referer.trimmingPolicy", 0);
 /* 1603: CROSS ORIGIN: control when to send a referer [SETUP]
  * 0=always (default), 1=only if base domains match, 2=only if hosts match
- * [NOTE] 1=less breakage, possible leakage 2=less leakage, more breakage ***/
+ * [NOTE] 1=less breakage, possible leakage 2=less leakage, more breakage
+ * [WARNING] Reset to default 0 if you have issues accessing your modem/router ***/
 user_pref("network.http.referer.XOriginPolicy", 1);
 /* 1604: CROSS ORIGIN: control the amount of information to send (FF52+)
  * 0=send full URI (default) 1=scheme+host+path+port 2=scheme+host+port ***/
@@ -992,7 +960,7 @@ user_pref("media.gmp-widevinecdm.autoupdate", false);
 /* 1830: disable all DRM content (EME: Encryption Media Extension) [SETUP]
  * [1] https://www.eff.org/deeplinks/2017/10/drms-dead-canary-how-we-just-lost-web-what-we-learned-it-and-what-we-need-do-next ***/
 user_pref("media.eme.enabled", false); // Options>Content>Play DRM Content
-user_pref("browser.eme.ui.enabled", false); // hides "Play DRM Content" checkbox, restart required
+user_pref("browser.eme.ui.enabled", false); // hides "Play DRM Content" checkbox [RESTART]
 /* 1840: disable the OpenH264 Video Codec by Cisco to "Never Activate"
  * This is the bundled codec used for video chat in WebRTC ***/
 user_pref("media.gmp-gmpopenh264.enabled", false); // (hidden pref)
@@ -1038,6 +1006,12 @@ user_pref("media.getusermedia.browser.enabled", false);
 user_pref("media.getusermedia.audiocapture.enabled", false);
 /* 2023: disable camera stuff ***/
 user_pref("camera.control.face_detection.enabled", false);
+/* 2024: set a default permission for Camera/Microphone (FF58+)
+ * 0=always ask (default), 1=allow, 2=block
+ * [SETTING] to add site exceptions: Page Info>Permissions>Use the Camera/Microphone
+ * [SETTING] to manage site exceptions: Options>Privacy>Permissions>Camera/Microphone>Settings ***/
+   // user_pref("permissions.default.camera", 2);
+   // user_pref("permissions.default.microphone", 2);
 /* 2026: disable canvas capture stream
  * [1] https://developer.mozilla.org/docs/Web/API/HTMLCanvasElement/captureStream ***/
 user_pref("canvas.capturestream.enabled", false);
@@ -1095,7 +1069,8 @@ user_pref("dom.disable_beforeunload", true);
      communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
 
      [WARNING] Disabling workers *will* break sites (e.g. Google Street View, Twitter).
-     It is recommended that you use a separate profile for these sorts of sites.
+     [UPDATE] uMatrix 1.2.0+ allows a per-scope control for workers (2301) and service workers (2302)
+              #Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0
 
      [1]    Web Workers: https://developer.mozilla.org/docs/Web/API/Web_Workers_API
      [2]         Worker: https://developer.mozilla.org/docs/Web/API/Worker
@@ -1116,11 +1091,14 @@ user_pref("dom.workers.enabled", false);
  * [NOTE] Service workers only run over HTTPS. Service Workers have no DOM access. ***/
 user_pref("dom.serviceWorkers.enabled", false);
 /* 2304: disable web notifications
- * [NOTE] You can still override individual domains under site permissions (FF44+)
  * [1] https://developer.mozilla.org/docs/Web/API/Notifications_API ***/
-user_pref("dom.webnotifications.enabled", false);
-user_pref("dom.webnotifications.serviceworker.enabled", false);
-/* 2305: disable push notifications (FF44+)
+user_pref("dom.webnotifications.enabled", false); // (FF22+)
+user_pref("dom.webnotifications.serviceworker.enabled", false); // (FF44+)
+/* 2305: set a default permission for Notifications (see 2304) (FF58+)
+ * [SETTING] to add site exceptions: Page Info>Permissions>Receive Notifications
+ * [SETTING] to manage site exceptions: Options>Privacy>Permissions>Notifications>Settings ***/
+   // user_pref("permissions.default.desktop-notification", 2); // 0=always ask (default), 1=allow, 2=block
+/* 2306: disable push notifications (FF44+)
  * web apps can receive messages pushed to them from a server, whether or
  * not the web app is in the foreground, or even currently loaded
  * [1] https://developer.mozilla.org/docs/Web/API/Push_API ***/
@@ -1154,10 +1132,11 @@ user_pref("dom.idle-observers-api.enabled", false);
 /* 2418: disable full-screen API
  * false=block, true=ask ***/
 user_pref("full-screen-api.enabled", false);
-/* 2420: disable support for asm.js ( http://asmjs.org/ )
+/* 2420: disable asm.js (http://asmjs.org/) (FF22+)
  * [1] https://www.mozilla.org/security/advisories/mfsa2015-29/
  * [2] https://www.mozilla.org/security/advisories/mfsa2015-50/
- * [3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2712 ***/
+ * [3] https://www.mozilla.org/security/advisories/mfsa2017-01/#CVE-2017-5375
+ * [4] https://www.mozilla.org/security/advisories/mfsa2017-05/#CVE-2017-5400 ***/
 user_pref("javascript.options.asmjs", false);
 /* 2421: disable Ion and baseline JIT to help harden JS against exploits such as CVE-2015-0817
  * [WARNING] Causes the odd site issue and there is also a performance loss
@@ -1175,6 +1154,10 @@ user_pref("javascript.options.wasm", false);
  * [2] https://w3c.github.io/IntersectionObserver/
  * [3] https://bugzilla.mozilla.org/show_bug.cgi?id=1243846 ***/
 user_pref("dom.IntersectionObserver.enabled", false);
+/* 2427: disable Shared Memory (Spectre mitigation)
+ * [1] https://github.com/tc39/ecmascript_sharedmem/blob/master/TUTORIAL.md
+ * [2] https://blog.mozilla.org/security/2018/01/03/mitigations-landing-new-class-timing-attack/ ***/
+user_pref("javascript.options.shared_memory", false);
 
 /*** 2500: HARDWARE FINGERPRINTING ***/
 user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");
@@ -1201,16 +1184,6 @@ user_pref("dom.webaudio.enabled", false);
  * [1] https://developer.mozilla.org/docs/Web/Events/devicechange
  * [2] https://developer.mozilla.org/docs/Web/API/MediaDevices/ondevicechange ***/
 user_pref("media.ondevicechange.enabled", false);
-/* 2513: disable Presentation API
- * [WARNING] [SETUP] Optional protection depending on your connected devices
- * [1] https://wiki.mozilla.org/WebAPI/PresentationAPI
- * [2] https://www.w3.org/TR/presentation-api/ ***/
-   // user_pref("dom.presentation.enabled", false);
-   // user_pref("dom.presentation.controller.enabled", false);
-   // user_pref("dom.presentation.discoverable", false);
-   // user_pref("dom.presentation.discovery.enabled", false);
-   // user_pref("dom.presentation.receiver.enabled", false);
-   // user_pref("dom.presentation.session_transport.data_channel.enable", false);
 
 /*** 2600: MISC - LEAKS / FINGERPRINTING / PRIVACY / SECURITY ***/
 user_pref("_user.js.parrot", "2600 syntax error: the parrot's run down the curtain!");
@@ -1321,10 +1294,18 @@ user_pref("browser.uitour.url", "");
 /* 2629: disable remote JAR files being opened, regardless of content type (FF42+)
  * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1173171 ***/
 user_pref("network.jar.block-remote-files", true);
-/* 2630: prevent accessibility services from accessing your browser
+/* 2630: prevent accessibility services from accessing your browser [RESTART]
  * [SETTING] Options>Privacy & Security>Permissions>Prevent accessibility services from accessing your browser
  * [1] https://support.mozilla.org/kb/accessibility-services ***/
 user_pref("accessibility.force_disabled", 1);
+/* 2631: block web content in file processes (FF55+)
+ * [WARNING] [SETUP] You may want to disable this for corporate or developer environments
+ * [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1343184 ***/
+user_pref("browser.tabs.remote.allowLinkedWebInFileUriProcess", false);
+/* 2632: disable websites overriding Firefox's keyboard shortcuts (FF58+)
+ * [SETTING] to add site exceptions: Page Info>Permissions>Override Keyboard Shortcuts
+ * [NOTE] At the time of writing, causes issues with delete and backspace keys ***/
+   // user_pref("permissions.default.shortcuts", 2); //  0 (default) or 1=allow, 2=block
 /* 2662: disable "open with" in download dialog (FF50+)
  * This is very useful to enable when the browser is sandboxed (e.g. via AppArmor)
  * in such a way that it is forbidden to run external applications.
@@ -1407,10 +1388,14 @@ user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin
  * [NOTE] This also controls access to 3rd party Web Storage, IndexedDB, Cache API and Service Worker Cache
  * [1] https://www.fxsitecompat.com/en-CA/docs/2015/web-storage-indexeddb-cache-api-now-obey-third-party-cookies-preference/ ***/
 user_pref("network.cookie.cookieBehavior", 2);
-/* 2702: set third-party cookies (if enabled, see above pref) to session-only
+/* 2702: set third-party cookies (i.e ALL) (if enabled, see above pref) to session-only
+   and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
+   [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
+   .nonsecureSessionOnly=true. This allows you to keep HTTPS cookies, but session-only HTTP ones
  * [1] https://feeding.cloud.geek.nz/posts/tweaking-cookies-for-privacy-in-firefox/
  * [2] http://kb.mozillazine.org/Network.cookie.thirdparty.sessionOnly ***/
 user_pref("network.cookie.thirdparty.sessionOnly", true);
+user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // (FF58+)
 /* 2703: set cookie lifetime policy
  * 0=until they expire (default), 2=until you close Firefox, 3=for n days (see next pref)
  * [SETTING-56+] Options>Privacy & Security>History>Custom Settings>Accept cookies from sites>Keep until
@@ -1433,7 +1418,7 @@ user_pref("extensions.webextensions.keepStorageOnUninstall", false);
 user_pref("extensions.webextensions.keepUuidOnUninstall", false);
 /* 2720: disable JS storing data permanently [SETUP]
  * [WARNING] This BREAKS uBlock Origin [1.14.0+] and other extensions that require IndexedDB
- * [1] https://github.com/gorhill/uBlock/releases/tag/1.14.0 
+ * [1] https://github.com/gorhill/uBlock/releases/tag/1.14.0
  * [WARNING] This *will* break other extensions including legacy, and *will* break some sites ***/
    // user_pref("dom.indexedDB.enabled", false);
 /* 2730: disable offline cache ***/
@@ -1531,10 +1516,10 @@ user_pref("privacy.sanitize.timeSpan", 0);
  ** 1344170 - isolate blob: URI (FF55+)
  ** 1300671 - isolate data:, about: URLs (FF55+)
 
- NOTE: FPI has some unresolved issues
- ** 1381197 - extensions cannot control cookies with FPI Origin Attributes
- ** 1418931 - IndexedDB (Offline Website Data) with FPI Origin Attributes
+ NOTE: FPI has some issues depending on your Firefox release
+ ** 1418931 - [fixed in FF58+] IndexedDB (Offline Website Data) with FPI Origin Attributes
       are not removed with "Clear All/Recent History" or "On Close"
+ ** 1381197 - [fixed in FF59+] extensions cannot control cookies with FPI Origin Attributes
 ***/
 user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
 /* 4001: enable First Party Isolation (FF51+)
@@ -1569,26 +1554,30 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
       This spoof *shouldn't* affect core chrome/Firefox performance
  ** 1217238 - reduce precision of time exposed by javascript (FF55+)
  ** 1369303 - spoof/disable performance API (see 2410-deprecated, 4602, 4603) (FF56+)
- ** 1333651 & 1383495 & 1396468 & 1393283 - spoof Navigator API (see section 4700) (FF56+)
+ ** 1333651 & 1383495 & 1396468 & 1393283 & 1404608 - spoof Navigator API (see section 4700) (FF56+)
       FF56: The version number will be rounded down to the nearest multiple of 10
       FF57+: The version number will match current ESR
+      FF59+: The OS will be reported as Windows, OSX, Android, or Linux (to reduce breakage)
  ** 1369319 - disable device sensor API (see 4604) (FF56+)
  ** 1369357 - disable site specific zoom (see 4605) (FF56+)
  ** 1337161 - hide gamepads from content (see 4606) (FF56+)
  ** 1372072 - spoof network information API as "unknown" (see 4607) (FF56+)
  ** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+)
- ** 1372069 & 1403813 - block geolocation requests (same as if you deny a site permission) (see 4609) (FF56+)
+ ** 1372069 & 1403813 - block geolocation requests (same as if you deny a site permission) (see 4609, 4612) (FF56+)
  ** 1369309 - spoof media statistics (see 4610) (FF57+)
  ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+)
  ** 1217290 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+)
  ** 1382545 - reduce fingerprinting in Animation API (FF57+)
  ** 1354633 - limit MediaError.message to a whitelist (FF57+)
- ** 1382533 - enable fingerprinting resistance for Presentation API (see 2513) (FF57+)
+ ** 1382533 - enable fingerprinting resistance for Presentation API (FF57+)
       This blocks exposure of local IP Addresses via mDNS (Multicast DNS)
  **  967895 - enable site permission prompt before allowing canvas data extraction (FF58+)
       In FF59+ this is controllable via the site permissions panel, see 1413780 (FF59+)
  ** 1372073 - spoof/block fingerprinting in MediaDevices API (FF59+)
  ** 1039069 - warn when language prefs are set to non en-US (see 0207, 0208) (FF59+)
+ ** 1222285 - spoof keyboard events and suppress keyboard modifier events (FF59+)
+      Spoofing mimics the content language of the document. Currently it only supports en-US.
+      Modifier events suppressed are SHIFT, CTRL and both ALT keys. Chrome is not affected.
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting (FF41+)
@@ -1672,6 +1661,12 @@ user_pref("media.video_stats.enabled", false);
    // [2] https://trac.torproject.org/projects/tor/ticket/10286
    // user_pref("dom.w3c_touch_events.enabled", 0);
 // * * * /
+// FF58+
+// 4612: [new] set a default permission for Location (FF58+)
+   // [SETTING] to add site exceptions: Page Info>Permissions>Access Your Location
+   // [SETTING] to manage site exceptions: Options>Privacy>Permissions>Location>Settings
+   // user_pref("permissions.default.geo", 2); // 0=always ask (default), 1=allow, 2=block
+// * * * /
 // ***/
 
 /*** 4700: RFP (4500) ALTERNATIVES - NAVIGATOR / USER AGENT (UA) SPOOFING
@@ -1704,14 +1699,13 @@ user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow
    // user_pref("general.platform.override", "Win32"); // (hidden pref)
 /* 4706: navigator.oscpu leaks in JS ***/
    // user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref)
-/* 4707: general.useragent.locale (related, see 0204) ***/
+/* 4707: general.useragent.locale (related, see 0204 deprecated FF59+) ***/
 
 /*** 5000: PERSONAL SETTINGS [SETUP]
      Settings that are handy to migrate and/or are not in the Options interface. Users
      can put their own non-security/privacy/fingerprinting/tracking stuff here ***/
 user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
 /* 5001: disable annoying warnings ***/
-user_pref("general.warnOnAboutConfig", false);
 user_pref("browser.tabs.warnOnClose", false);
 user_pref("browser.tabs.warnOnCloseOtherTabs", false);
 user_pref("browser.tabs.warnOnOpen", false);