finalize 62

https://bugzilla.mozilla.org/show_bug.cgi?id=1363508

.gitattributes

@@ -1,14 +1,15 @@
-## * text=auto
+* text=auto
 
-*.js text=auto
-*.md text=auto
-*.yml text=auto
-*.txt text=auto
-*.sh text=auto
-*.bat eol=crlf
+*.js text
+*.md text
+*.yml text
+*.txt text
+*.sh text
+## *.bat text eol=crlf
+*.bat -text
 
 *.png binary
 
 .gitattributes export-ignore
 *.yml export-ignore
-wikipiki export-ignore
+/wikipiki export-ignore

README.md

@@ -14,7 +14,7 @@ Literally thousands of sources, references and suggestions. That said...
 * Martin Brinkmann at [ghacks](https://www.ghacks.net/) <sup>1</sup>
 * The ghacks community and commentators
 * [12bytes](http://12bytes.org/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
-   * The 12bytes article now uses this user.js and supplements it with an additonal JS hosted right [here](https://github.com/atomGit/Firefox-user.js) at github
+   * The 12bytes article now uses this user.js and supplements it with an additonal JS hosted at [GitLab](https://gitlab.com/labwrat/Firefox-user.js/tree/master)
 
 <sup>1</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.
 

prefsCleaner.bat

@@ -3,7 +3,9 @@ TITLE prefs.js cleaner
 
 REM ### prefs.js cleaner for Windows
 REM ## author: @claustromaniac
-REM ## version: 2.1
+REM ## version: 2.2
+
+CD /D "%~dp0"
 
 :begin
 ECHO:
@@ -11,7 +13,7 @@ ECHO:
 ECHO                 ########################################
 ECHO                 ####  prefs.js cleaner for Windows  ####
 ECHO                 ####        by claustromaniac       ####
-ECHO                 ####              v2.1              ####
+ECHO                 ####              v2.2              ####
 ECHO                 ########################################
 ECHO:
 CALL :message "This script should be run from your Firefox profile directory."

scratchpad-scripts/ghacks-clear-[removed].js

@@ -1,7 +1,7 @@
 /***
  This will reset the preferences that have been removed completely from the ghacks user.js.
 
- Last updated: 27-May-2018
+ Last updated: 30-Sept-2018
 
  For instructions see:
  https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@@ -90,13 +90,22 @@
     'browser.laterrun.enabled',
     'browser.offline-apps.notify',
     'browser.rights.3.shown',
-    'browser.slowStartup.maxSamples'
+    'browser.slowStartup.maxSamples',
     'browser.slowStartup.notificationDisabled',
     'browser.slowStartup.samples',
+    'browser.storageManager.enabled',
     'dom.allow_scripts_to_close_windows',
     'dom.disable_window_flip',
     'network.http.fast-fallback-to-IPv4',
     'offline-apps.quota.warn',
+    'services.blocklist.signing.enforced',
+    /* 62-beta */
+    'browser.urlbar.autoFill.typed',
+    'security.tls.version.fallback-limit',
+    /* 63-beta */
+    'extensions.webextensions.keepStorageOnUninstall',
+    'extensions.webextensions.keepUuidOnUninstall',
+    'privacy.trackingprotection.ui.enabled',
     /* reset parrot: check your open about:config after running the script */
     '_user.js.parrot'
   ]

updater.bat

@@ -3,11 +3,16 @@ TITLE ghacks user.js updater
 
 REM ## ghacks-user.js updater for Windows
 REM ## author: @claustromaniac
-REM ## version: 4.5
+REM ## version: 4.6
 REM ## instructions: https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.3-Updater-Scripts
 
+SET v=4.7
+
+VERIFY ON
+CD /D "%~dp0"
 SET _myname=%~n0
 SET _myparams=%*
+
 :parse
 IF "%~1"=="" (GOTO endparse)
 IF /I "%~1"=="-unattended" (SET _ua=1)
@@ -20,17 +25,21 @@ IF /I "%~1"=="-singlebackup" (SET _singlebackup=1)
 SHIFT
 GOTO parse
 :endparse
+
 IF DEFINED _updateb (
 	REM The normal flow here goes from phase 1 to phase 2 and then phase 3.
 	IF NOT "!_myname:~0,9!"=="[updated]" (
 		IF EXIST "[updated]!_myname!.bat" (
 			REM ## Phase 3 ##: The new script, with the original name, will:
-			REM 	* Delete the [updated]*.bat script
+			REM 	* Delete the [updated]*.bat and *.bat.old scripts
 			REM 	* Begin the normal routine
+			FC "[updated]!_myname!.bat" "!_myname!.bat.old" >nul
+			IF NOT "!errorlevel!"=="0" (
+				CALL :message "Script updated to version !v!"
+				TIMEOUT 3 >nul
+			)
 			REN "[updated]!_myname!.bat" "[updated]!_myname!.bat.old"
-			DEL /F "[updated]!_myname!.bat.old"
-			CALL :message "Script updated^!"
-			TIMEOUT 3 >nul
+			DEL /F "!_myname!.bat.old" "[updated]!_myname!.bat.old"
 			GOTO begin
 		)
 		REM ## Phase 1 ##
@@ -38,10 +47,10 @@ IF DEFINED _updateb (
 		REM 	* Start that script in a new CMD window
 		REM 	* Exit
 		CALL :message "Updating script..."
-		REM Uncomment the next line and comment the powershell call for testing.
-		REM COPY /B /V /Y "!_myname!.bat" "[updated]!_myname!.bat"
+		REM Uncomment the next line and comment out the PowerShell call for testing.
+		REM COPY /B /Y "!_myname!.bat" "[updated]!_myname!.bat" >nul
 		(
-			powershell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.bat', '[updated]!_myname!.bat')"
+			PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/updater.bat', '[updated]!_myname!.bat')"
 		) >nul 2>&1
 		IF EXIST "[updated]!_myname!.bat" (
 			START /min CMD /C "[updated]!_myname!.bat" !_myparams!
@@ -55,19 +64,17 @@ IF DEFINED _updateb (
 			TIMEOUT 300 >nul
 		) ELSE (
 			REM ## Phase 2 ##: The [updated]*.bat script will:
-			REM 	* Copy itself overwriting the original batch
-			REM 	* Start that script in a new CMD instance
+			REM 	* Rename the old script and make a copy of itself with the original name.
+			REM 	* Run that copy in a new CMD instance
 			REM 	* Exit
-			IF EXIST "!_myname:~9!.bat" (
-				REN "!_myname:~9!.bat" "!_myname:~9!.bat.old"
-				DEL /F "!_myname:~9!.bat.old"
-			)
-			COPY /B /V /Y "!_myname!.bat" "!_myname:~9!.bat"
+			IF EXIST "!_myname:~9!.bat" ( REN "!_myname:~9!.bat" "!_myname:~9!.bat.old" )
+			COPY /B /Y "!_myname!.bat" "!_myname:~9!.bat"
 			START CMD /C "!_myname:~9!.bat" !_myparams!
 		)
 	)
 	EXIT /B
 )
+
 :begin
 CLS
 ECHO:
@@ -75,7 +82,7 @@ ECHO:
 ECHO:                ########################################
 ECHO:                ####  user.js Updater for Windows   ####
 ECHO:                ####       by claustromaniac        ####
-ECHO:                ####             v4.5               ####
+ECHO:                ####             v!v!               ####
 ECHO:                ########################################
 ECHO:
 SET /A "_line=0"
@@ -121,7 +128,7 @@ IF DEFINED _log (
 IF EXIST user.js.new (DEL /F "user.js.new")
 CALL :message "Retrieving latest user.js file from github repository..."
 (
-	powershell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js', 'user.js.new')"
+	PowerShell -Command "(New-Object Net.WebClient).DownloadFile('https://raw.githubusercontent.com/ghacksuserjs/ghacks-user.js/master/user.js', 'user.js.new')"
 ) >nul 2>&1
 IF EXIST user.js.new (
 	IF DEFINED _multi (
@@ -129,18 +136,18 @@ IF EXIST user.js.new (
 		IF NOT ERRORLEVEL 1 (
 			IF DEFINED _merge (
 				CALL :message "Merging..."
-				COPY /B /V /Y user.js-overrides\*.js user-overrides-merged.js
+				COPY /B /Y user.js-overrides\*.js user-overrides-merged.js
 				CALL :merge user-overrides-merged.js
-				COPY /B /V /Y user.js.new+user-overrides-merged.js user.js.new
+				COPY /B /Y user.js.new+user-overrides-merged.js user.js.new
 				CALL :merge user.js.new
 			) ELSE (
 				CALL :message "Appending..."
-				COPY /B /V /Y user.js.new+"user.js-overrides\*.js" user.js.new
+				COPY /B /Y user.js.new+"user.js-overrides\*.js" user.js.new
 			)
 		) ELSE (CALL :message "No override files found.")
 	) ELSE (
 		IF EXIST "user-overrides.js" (
-			COPY /B /V /Y user.js.new+"user-overrides.js" "user.js.new"
+			COPY /B /Y user.js.new+"user-overrides.js" "user.js.new"
 			IF DEFINED _merge (
 				CALL :message "Merging user-overrides.js..."
 				CALL :merge user.js.new
@@ -169,6 +176,7 @@ IF EXIST user.js.new (
 		) ELSE (
 			REN user.js.new user.js
 			CALL :message "Update complete."
+			SET "_changed=true"
 		)
 	)
 ) ELSE (
@@ -176,7 +184,15 @@ IF EXIST user.js.new (
 	ECHO:  No changes were made.
 )
 IF NOT DEFINED _log (
-	IF NOT DEFINED _ua (PAUSE)
+	IF NOT DEFINED _ua (
+		IF EXIST prefsCleaner.bat (
+			IF "!_changed!"=="true" (
+				CALL :message "Would you like to run the prefsCleaner now?"
+				CHOICE /C YN /N /M "(Y/N) "
+				IF "1"=="!errorlevel!" ( START "" cmd.exe /C "prefsCleaner.bat" )
+			) ELSE (PAUSE)
+		) ELSE (PAUSE)
+	)
 )
 EXIT /B
 
@@ -188,6 +204,7 @@ ECHO:  %~1
 IF NOT "2"=="%_log%" (ECHO:)
 ENDLOCAL
 GOTO :EOF
+
 REM ############ Merge function ############
 :merge
 SETLOCAL DisableDelayedExpansion
@@ -226,6 +243,7 @@ FOR /F tokens^=2^,^*^ delims^=^' %%G IN ('FINDSTR /R /C:"^//// --- comment-out -
 MOVE /Y updatertempfile "%~1" >nul
 ENDLOCAL
 GOTO :EOF
+
 REM ############### Help ##################
 :showhelp
 MODE 80,46
@@ -260,4 +278,3 @@ CALL :message ""
 PAUSE
 MODE 80,25
 GOTO :begin
-REM #####################################

updater.sh

@@ -1,8 +1,8 @@
 #!/usr/bin/env bash
 
 ### ghacks-user.js updater for Mac/Linux
-## author: @overdodactyl
-## version: 1.3
+## author: @overdodactyl, @ema-pe
+## version: 1.4
 
 ## DON'T GO HIGHER THAN VERSION x.9 !! ( because of ASCII comparison in check_for_update() )
 
@@ -12,6 +12,15 @@ update_pref=${1:--ask}
 
 currdir=$(pwd)
 
+DOWNLOAD_TO_STDOUT="curl -s"
+DOWNLOAD_TO_FILE="curl -O"
+
+# Use wget if curl is not available.
+if [[ -z $(command -v "curl") ]]; then
+  DOWNLOAD_TO_STDOUT="wget --quiet --output-document=-"
+  DOWNLOAD_TO_FILE="wget"
+fi
+
 ## get the full path of this script (readlink for Linux, greadlink for Mac with coreutils installed)
 sfp=$(readlink -f "${BASH_SOURCE[0]}" 2>/dev/null || greadlink -f "${BASH_SOURCE[0]}" 2>/dev/null)
 
@@ -24,7 +33,7 @@ cd "$(dirname "${sfp}")"
 ## Used to check if a new version of updater.sh is available
 update_available="no"
 check_for_update () {
-  online_version="$(curl -s ${updater} | sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p')"
+  online_version="$($DOWNLOAD_TO_STDOUT ${updater} | sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p')"
   path_to_script="$(dirname "${sfp}")/updater.sh"
   current_version="$(sed -n '5 s/.*[[:blank:]]\([[:digit:]]*\.[[:digit:]]*\)/\1/p' "$path_to_script")"
   if [[ "$current_version" < "$online_version" ]]; then
@@ -36,8 +45,8 @@ check_for_update () {
 update_script () {
   echo -e "This script will be backed up and the latest version of updater.sh will be executed.\n"
   mv updater.sh "updater.sh.backup.$(date +"%Y-%m-%d_%H%M")"
-  curl -O ${updater} && echo -e "\nThe latest updater script has been downloaded\n"
-  
+  $DOWNLOAD_TO_FILE ${updater} && echo -e "\nThe latest updater script has been downloaded\n"
+
   # make new file executable
   chmod +x updater.sh
 
@@ -60,7 +69,7 @@ main () {
   if [ -e user.js ]; then
     echo "Your current user.js file for this profile will be backed up and the latest ghacks version from github will take its place."
     echo -e "\nIf currently using the ghacks user.js, please compare versions:"
-    echo "  Available online: $(curl -s ${ghacksjs} | sed -n '4p')"
+    echo "  Available online: $($DOWNLOAD_TO_STDOUT ${ghacksjs} | sed -n '4p')"
     echo "  Currently using:  $(sed -n '4p' user.js)"
   else
     echo "A user.js file does not exist in this profile. If you continue, the latest ghacks version from github will be downloaded."
@@ -80,7 +89,7 @@ main () {
 
     # download latest ghacks user.js
     echo "downloading latest ghacks user.js file"
-    curl -O ${ghacksjs} && echo "ghacks user.js has been downloaded"
+    $DOWNLOAD_TO_FILE ${ghacksjs} && echo "ghacks user.js has been downloaded"
 
     if [ -e user-overrides.js ]; then
       echo "user-overrides.js file found"
@@ -94,6 +103,7 @@ main () {
   cd "${currdir}"
 }
 
+
 update_pref="$(echo $update_pref | tr '[A-Z]' '[a-z]')"
 if [ $update_pref = "-donotupdate" ]; then
   main

user.js

@@ -1,8 +1,8 @@
 /******
 * name: ghacks user.js
-* date: 30 May 2018
-* version 60: Call Me Pants, Maybe
-*   "Your stare was holding, ripped JEANS, skin was showin'"
+* date: 10 October 2018
+* version 62: Total Eclipse of the Pants
+*   "Once upon a time there was light in my life, but now there's only pants in the dark"
 * authors: v52+ github | v51- www.ghacks.net
 * url: https://github.com/ghacksuserjs/ghacks-user.js
 * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
@@ -19,10 +19,7 @@
      * https://github.com/ghacksuserjs/ghacks-user.js/wiki/1.3-Implementation
   3. If you skipped steps 1 and 2 above (shame on you), then here is the absolute minimum
      * Auto-installing updates for Firefox and extensions are disabled (section 0302's)
-     * Some user data is erased on close (section 2800), namely history (browsing, form, download)
-     * Cookies are denied by default (2701), we use site exceptions. In Firefox 58 and lower, this breaks
-       extensions that use IndexedDB, so you need to allow exceptions for those as well: see [1] below
-       [1] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.1.1-Setting-Extension-Permission-Exceptions
+     * Some user data is erased on close (section 2800). Change this to suit your needs
      * EACH RELEASE check:
          - 4600s: reset prefs made redundant due to privacy.resistFingerprinting (RPF)
                   or enable them as an alternative to RFP or for ESR users
@@ -37,9 +34,9 @@
   4. BACKUP your profile folder before implementing (and/or test in a new/cloned profile)
   5. KEEP UP TO DATE: https://github.com/ghacksuserjs/ghacks-user.js/wiki#small_orange_diamond-maintenance
 
- ******/
+******/
 
-/* START: internal custom pref to test for syntax errors (thanks earthling)
+/* START: internal custom pref to test for syntax errors
  * [NOTE] In FF60+, not all syntax errors cause parsing to abort i.e. reaching the last debug
  * pref no longer necessarily means that all prefs have been applied. Check the console right
  * after startup for any warnings/error messages related to non-applied prefs
@@ -51,7 +48,6 @@ user_pref("general.warnOnAboutConfig", false);
 
 /* 0001: start Firefox in PB (Private Browsing) mode
  * [SETTING] Privacy & Security>History>Custom Settings>Always use private browsing mode
- * [SETTING-ESR52] Privacy>History>Custom Settings>Always use private browsing mode
  * [NOTE] In this mode *all* windows are "private windows" and the PB mode icon is not displayed
  * [NOTE] The P in PB mode is misleading: it means no "persistent" local storage of history,
  * caches, searches or cookies (which you can achieve in normal mode). In fact, it limits or
@@ -68,11 +64,18 @@ user_pref("_user.js.parrot", "0100 syntax error: the parrot's dead!");
 /* 0101: disable default browser check
  * [SETTING] General>Startup>Always check if Firefox is your default browser ***/
 user_pref("browser.shell.checkDefaultBrowser", false);
-/* 0102: set start page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
+/* 0102: set START page (0=blank, 1=home, 2=last visited page, 3=resume previous session)
  * [SETTING] General>Startup>When Firefox starts ***/
-   // user_pref("browser.startup.page", 0);
-/* 0103: set your "home" page (see 0102) ***/
-   // user_pref("browser.startup.homepage", "https://www.example.com/");
+user_pref("browser.startup.page", 0);
+/* 0103: set HOME+NEWWINDOW page
+ * about:home=Activity Stream (default, see 0514), custom URL, about:blank
+ * [SETTING] Home>New Windows and Tabs>Homepage and new windows ***/
+user_pref("browser.startup.homepage", "about:blank");
+/* 0104: set NEWTAB page
+ * true=Activity Stream (default, see 0514), false=blank page
+ * [SETTING] Home>New Windows and Tabs>New tabs ***/
+user_pref("browser.newtabpage.enabled", false);
+user_pref("browser.newtab.preload", false);
 
 /*** 0200: GEOLOCATION ***/
 user_pref("_user.js.parrot", "0200 syntax error: the parrot's definitely deceased!");
@@ -118,23 +121,20 @@ user_pref("geo.wifi.uri", "https://location.services.mozilla.com/v1/geolocate?ke
 user_pref("_user.js.parrot", "0300 syntax error: the parrot's not pinin' for the fjords!");
 /* 0301a: disable auto-update checks for Firefox
  * [NOTE] Firefox currently checks every 12 hrs and allows 8 day notification dismissal
- * [SETTING] General>Firefox Updates>Never check for updates
- * [SETTING-ESR52] Advanced>Update>Never check for updates ***/
+ * [SETTING] General>Firefox Updates>Never check for updates ***/
    // user_pref("app.update.enabled", false);
 /* 0301b: disable auto-update checks for extensions
  * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
    // user_pref("extensions.update.enabled", false);
 /* 0302a: disable auto update installing for Firefox (after the check in 0301a)
  * [SETTING] General>Firefox Updates>Check for updates but let you choose...
- * [SETTING-ESR52] Advanced>Update>Check for updates but let you choose...
  * [NOTE] The UI checkbox also controls the behavior for checking, the pref only controls auto installing ***/
 user_pref("app.update.auto", false);
 /* 0302b: disable auto update installing for extensions (after the check in 0301b)
  * [SETTING] about:addons>Extensions>[cog-wheel-icon]>Update Add-ons Automatically (toggle) ***/
 user_pref("extensions.update.autoUpdateDefault", false);
 /* 0303: disable background update service [WINDOWS]
- * [SETTING] General>Firefox Updates>Use a background service to install updates
- * [SETTING-ESR52] Advanced>Update>Use a background service to install updates ***/
+ * [SETTING] General>Firefox Updates>Use a background service to install updates ***/
 user_pref("app.update.service.enabled", false);
 /* 0304: disable background update staging ***/
 user_pref("app.update.staging.enabled", false);
@@ -147,8 +147,7 @@ user_pref("extensions.getAddons.cache.enabled", false);
 /* 0307: disable auto updating of personas (themes) ***/
 user_pref("lightweightThemes.update.enabled", false);
 /* 0308: disable search update
- * [SETTING] General>Firefox Update>Automatically update search engines
- * [SETTING-ESR52] Advanced>Update>Automatically update: Search Engines ***/
+ * [SETTING] General>Firefox Update>Automatically update search engines ***/
 user_pref("browser.search.update", false);
 /* 0309: disable sending Flash crash reports ***/
 user_pref("dom.ipc.plugins.flash.subprocess.crashreporter.enabled", false);
@@ -192,9 +191,6 @@ user_pref("browser.tabs.crashReporting.sendReport", false);
 user_pref("browser.crashReports.unsubmittedCheck.enabled", false); // (FF51+)
 user_pref("browser.crashReports.unsubmittedCheck.autoSubmit", false); // (FF51-57)
 user_pref("browser.crashReports.unsubmittedCheck.autoSubmit2", false); // (FF58+)
-/* 0360: disable new tab tile ads & preload & marketing junk ***/
-user_pref("browser.newtab.preload", false);
-user_pref("browser.newtabpage.enabled", false);
 /* 0370: disable "Snippets" (Mozilla content shown on about:home screen)
  * [1] https://wiki.mozilla.org/Firefox/Projects/Firefox_Start/Snippet_Service ***/
 user_pref("browser.aboutHomeSnippets.updateUrl", "data:,");
@@ -220,19 +216,19 @@ user_pref("_user.js.parrot", "0400 syntax error: the parrot's passed on!");
  * [NOTE] It includes updates for "revoked certificates"
  * [1] https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/
  * [2] https://trac.torproject.org/projects/tor/ticket/16931 ***/
-user_pref("extensions.blocklist.enabled", true);
+user_pref("extensions.blocklist.enabled", true); // default: true
 user_pref("extensions.blocklist.url", "https://blocklists.settings.services.mozilla.com/v1/blocklist/3/%APP_ID%/%APP_VERSION%/");
 /* 0402: enable Kinto blocklist updates (FF50+)
  * What is Kinto?: https://wiki.mozilla.org/Firefox/Kinto#Specifications
  * As Firefox transitions to Kinto, the blocklists have been broken down into entries for certs to be
  * revoked, extensions and plugins to be disabled, and gfx environments that cause problems or crashes ***/
 user_pref("services.blocklist.update_enabled", true);
-user_pref("services.blocklist.signing.enforced", true);
 /* 0403: disable individual unwanted/unneeded parts of the Kinto blocklists ***/
    // user_pref("services.blocklist.onecrl.collection", ""); // revoked certificates
    // user_pref("services.blocklist.addons.collection", "");
    // user_pref("services.blocklist.plugins.collection", "");
    // user_pref("services.blocklist.gfx.collection", "");
+
 /** SAFE BROWSING (SB)
     This sub-section has been redesigned to differentiate between "real-time"/"user initiated"
     data being sent to Google from all other settings such as using local blocklists/whitelists and
@@ -279,6 +275,7 @@ user_pref("browser.safebrowsing.provider.google4.reportPhishMistakeURL", ""); //
 /* 0417: disable data sharing (FF58+) ***/
 user_pref("browser.safebrowsing.provider.google4.dataSharing.enabled", false);
 user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
+
 /** TRACKING PROTECTION (TP)
     There are NO privacy concerns here, but we strongly recommend to use uBlock Origin as well,
     as it offers more comprehensive and specialized lists. It also allows per domain control. ***/
@@ -288,13 +285,9 @@ user_pref("browser.safebrowsing.provider.google4.dataSharingURL", "");
  * [2] https://support.mozilla.org/kb/tracking-protection-firefox ***/
    // user_pref("privacy.trackingprotection.pbmode.enabled", true); // default: true
    // user_pref("privacy.trackingprotection.enabled", true);
-/* 0421: enable more Tracking Protection choices under Options>Privacy & Security>Use Tracking Protection
- * Displays three choices: "Always", "Only in private windows", "Never" ***/
-user_pref("privacy.trackingprotection.ui.enabled", true);
 /* 0422: set which Tracking Protection block list to use
  * [WARNING] We don't recommend enforcing this from here, as available block lists can change
- * [SETTING] Privacy & Security>Tracking Protection>Change Block List
- * [SETTING-ESR52] Privacy>Use Tracking Protection>Change Block List ***/
+ * [SETTING] Privacy & Security>Tracking Protection>Change Block List ***/
    // user_pref("urlclassifier.trackingTable", "test-track-simple,base-track-digest256"); // basic
 /* 0423: disable Mozilla's blocklist for known Flash tracking/fingerprinting (FF48+)
  * [1] https://www.ghacks.net/2016/07/18/firefox-48-blocklist-against-plugin-fingerprinting/
@@ -328,12 +321,6 @@ user_pref("privacy.trackingprotection.ui.enabled", true);
      [2] https://dxr.mozilla.org/mozilla-central/source/browser/extensions
 ***/
 user_pref("_user.js.parrot", "0500 syntax error: the parrot's cashed in 'is chips!");
-/* 0501: disable experiments
- * [1] https://wiki.mozilla.org/Telemetry/Experiments ***/
-user_pref("experiments.enabled", false);
-user_pref("experiments.manifest.uri", "");
-user_pref("experiments.supported", false);
-user_pref("experiments.activeExperiment", false);
 /* 0502: disable Mozilla permission to silently opt you into tests ***/
 user_pref("network.allow-experiments", false);
 /* 0503: disable Normandy/Shield (FF60+)
@@ -343,6 +330,7 @@ user_pref("network.allow-experiments", false);
 user_pref("app.normandy.enabled", false);
 user_pref("app.normandy.api_url", "");
 user_pref("app.shield.optoutstudies.enabled", false);
+user_pref("shield.savant.enabled", false); // (FF61+)
 /* 0505: disable System Add-on updates
  * [NOTE] In FF61 and lower, you will not get any System Add-on updates except when you update Firefox ***/
    // user_pref("extensions.systemAddon.update.enabled", false); // (FF62+)
@@ -383,7 +371,6 @@ user_pref("browser.library.activity-stream.enabled", false); // (FF57+)
 user_pref("browser.onboarding.enabled", false);
 /* 0517: disable Form Autofill (FF55+)
  * [SETTING] Privacy & Security>Forms & Passwords>Enable Profile Autofill
- * [SETTING-ESR52] Privacy>Forms & Passwords>Enable Profile Autofill
  * [NOTE] Stored data is NOT secure (uses a JSON file)
  * [NOTE] Heuristics controls Form Autofill on forms without @autocomplete attributes
  * [1] https://wiki.mozilla.org/Firefox/Features/Form_Autofill
@@ -432,16 +419,15 @@ user_pref("network.predictor.enable-prefetch", false);
 
 /*** 0700: HTTP* / TCP/IP / DNS / PROXY / SOCKS etc ***/
 user_pref("_user.js.parrot", "0700 syntax error: the parrot's given up the ghost!");
-/* 0701: disable IPv6 (included for knowledge ONLY [WARNING] do not do this)
- * This is all about covert channels such as MAC addresses being included/abused in the
- * IPv6 protocol for tracking. If you want to mask your IP address, this is not the way
- * to do it. It's 2016, IPv6 is here. Here are some old links
- * 2010: https://christopher-parsons.com/ipv6-and-the-future-of-privacy/
- * 2011: https://iapp.org/news/a/2011-09-09-facing-the-privacy-implications-of-ipv6/
- * 2012: http://www.zdnet.com/article/security-versus-privacy-with-ipv6-deployment/
- * [NOTE] It is a myth that disabling IPv6 will speed up your internet connection
- * [1] https://www.howtogeek.com/195062/no-disabling-ipv6-probably-wont-speed-up-your-internet-connection/ ***/
-   // user_pref("network.dns.disableIPv6", true);
+/* 0701: disable IPv6
+ * IPv6 can be abused, especially regarding MAC addresses. They also do not play nice
+ * with VPNs. That's even assuming your ISP and/or router and/or website can handle it
+ * [WARNING] This is just an application level fallback. Disabling IPv6 is best done
+ * at an OS/network level, and/or configured properly in VPN setups
+ * [TEST] http://ipv6leak.com/
+ * [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/437#issuecomment-403740626
+ * [2] https://www.internetsociety.org/tag/ipv6-security/ (see Myths 2,4,5,6) ***/
+user_pref("network.dns.disableIPv6", true);
 /* 0702: disable HTTP2 (which was based on SPDY which is now deprecated)
  * HTTP2 raises concerns with "multiplexing" and "server push", does nothing to enhance
  * privacy, and in fact opens up a number of server-side fingerprinting opportunities
@@ -471,13 +457,17 @@ user_pref("network.proxy.autoconfig_url.include_path", false); // default: false
  * TRR = Trusted Recursive Resolver
  * .mode: 0=off, 1=race, 2=TRR first, 3=TRR only, 4=race for stats, but always use native result
  * [WARNING] DoH bypasses hosts and gives info to yet another party (e.g. Cloudflare)
- * [1] https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/ ***/
+ * [1] https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
+ * [2] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ ***/
    // user_pref("network.trr.mode", 0);
    // user_pref("network.trr.bootstrapAddress", "");
    // user_pref("network.trr.uri", "");
 /* 0708: disable FTP (FF60+)
  * [1] https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/ ***/
    // user_pref("network.ftp.enabled", false);
+/* 0709: disable using UNC (Uniform Naming Convention) paths (FF61+)
+ * [1] https://trac.torproject.org/projects/tor/ticket/26424 ***/
+user_pref("network.file.disable_unc_paths", true); // (hidden pref)
 
 /*** 0800: LOCATION BAR / SEARCH BAR / SUGGESTIONS / HISTORY / FORMS [SETUP]
      If you are in a private environment (no unwanted eyeballs) and your device is private
@@ -486,7 +476,7 @@ user_pref("network.proxy.autoconfig_url.include_path", false); // default: false
      functionality. Likewise, you may want to check the items cleared on shutdown in section 2800.
      [NOTE] The urlbar is also commonly referred to as the location bar and address bar
      #Required reading [#] https://xkcd.com/538/
- ***/
+***/
 user_pref("_user.js.parrot", "0800 syntax error: the parrot's ceased to be!");
 /* 0801: disable location bar using search - PRIVACY
  * don't leak typos to a search engine, give an error message instead ***/
@@ -535,7 +525,6 @@ user_pref("browser.urlbar.speculativeConnect.enabled", false);
  *   - If *ALL* of the suggestion types are false, 'autocomplete' must also be false
  *   - If *ANY* of the suggestion types are true, 'autocomplete' must also be true
  * [SETTING] Privacy & Security>Address Bar>When using the address bar, suggest
- * [SETTING-ESR52] Privacy>Location Bar>When using the location bar, suggest
  * [WARNING] If all three suggestion types are false, search engine keywords are disabled ***/
 user_pref("browser.urlbar.autocomplete.enabled", false);
 user_pref("browser.urlbar.suggest.history", false);
@@ -552,7 +541,6 @@ user_pref("browser.urlbar.suggest.openpage", false);
 /* 0850d: disable location bar autofill
  * [1] http://kb.mozillazine.org/Inline_autocomplete ***/
 user_pref("browser.urlbar.autoFill", false);
-user_pref("browser.urlbar.autoFill.typed", false);
 /* 0850e: disable location bar one-off searches (FF51+)
  * [1] https://www.ghacks.net/2016/08/09/firefox-one-off-searches-address-bar/ ***/
 user_pref("browser.urlbar.oneOffSearches", false);
@@ -561,14 +549,16 @@ user_pref("browser.urlbar.oneOffSearches", false);
 user_pref("browser.urlbar.maxHistoricalSearchSuggestions", 0); // max. number of search suggestions
 /* 0860: disable search and form history
  * [SETTING] Privacy & Security>History>Custom Settings>Remember search and form history
- * [SETTING-ESR52] Privacy>History>Custom Settings>Remember search and form history
  * [NOTE] You can clear formdata on exiting Firefox (see 2803) ***/
 user_pref("browser.formfill.enable", false);
 /* 0862: disable browsing and download history
  * [SETTING] Privacy & Security>History>Custom Settings>Remember my browsing and download history
- * [SETTING-ESR52] Privacy>History>Custom Settings>Remember my browsing and download history
  * [NOTE] You can clear history and downloads on exiting Firefox (see 2803) ***/
    // user_pref("places.history.enabled", false);
+/* 0864: disable date/time picker (FF57+ default true)
+ * This can leak your locale if not en-US
+ * [1] https://trac.torproject.org/projects/tor/ticket/21787 ***/
+user_pref("dom.forms.datetime", false);
 /* 0870: disable Windows jumplist [WINDOWS] ***/
 user_pref("browser.taskbar.lists.enabled", false);
 user_pref("browser.taskbar.lists.frequent.enabled", false);
@@ -581,13 +571,11 @@ user_pref("browser.taskbar.previews.enable", false);
 user_pref("_user.js.parrot", "0900 syntax error: the parrot's expired!");
 /* 0901: disable saving passwords
  * [SETTING] Privacy & Security>Forms & Passwords>Remember logins and passwords for sites
- * [SETTING-ESR52] Security>Logins>Remember logins for sites
  * [NOTE] This does not clear any passwords already saved ***/
    // user_pref("signon.rememberSignons", false);
 /* 0902: use a master password (recommended if you save passwords)
  * There are no preferences for this. It is all handled internally.
  * [SETTING] Privacy & Security>Forms & Passwords>Use a master password
- * [SETTING-ESR52] Security>Logins>Use a master password
  * [1] https://support.mozilla.org/kb/use-master-password-protect-stored-logins ***/
 /* 0903: set how often Firefox should ask for the master password
  * 0=the first time (default), 1=every time it's needed, 2=every n minutes (as per the next pref) ***/
@@ -622,7 +610,18 @@ user_pref("security.insecure_field_warning.contextual.enabled", true);
  * [1] https://bugzilla.mozilla.org/1357835 ***/
 user_pref("network.auth.subresource-img-cross-origin-http-auth-allow", false);
 
-/*** 1000: CACHE [SETUP] ***/
+/*** 1000: CACHE [SETUP]
+     ETAG [1] and other [2][3] cache tracking/fingerprinting techniques can be averted by
+     disabling *BOTH* disk (1001) and memory (1003) cache. ETAGs can also be neutralized
+     by modifying response headers [4]. Another solution is to use a hardened configuration
+     with Temporary Containers [5]. Alternatively, you can *LIMIT* exposure by clearing
+     cache on close (2803). or on a regular basis manually or with an extension.
+     [1] https://en.wikipedia.org/wiki/HTTP_ETag#Tracking_using_ETags
+     [2] https://robertheaton.com/2014/01/20/cookieless-user-tracking-for-douchebags/
+     [3] https://www.grepular.com/Preventing_Web_Tracking_via_the_Browser_Cache
+     [4] https://github.com/ghacksuserjs/ghacks-user.js/wiki/4.2.4-Header-Editor
+     [5] https://medium.com/@stoically/enhance-your-privacy-in-firefox-with-temporary-containers-33925cd6cd21
+***/
 user_pref("_user.js.parrot", "1000 syntax error: the parrot's gone to meet 'is maker!");
 /** CACHE ***/
 /* 1001: disable disk cache ***/
@@ -648,9 +647,6 @@ user_pref("browser.cache.disk_cache_ssl", false);
  * [NOTE] This means any permission changes are session only
  * [1] https://bugzilla.mozilla.org/967812 ***/
    // user_pref("permissions.memory_only", true); // (hidden pref)
-/* 1007: disable randomized FF HTTP cache decay experiments
- * [1] https://trac.torproject.org/projects/tor/ticket/13575 ***/
-user_pref("browser.cache.frecency_experiment", -1);
 /* 1008: set DNS cache and expiration time (default 400 and 60, same as TBB) ***/
    // user_pref("network.dnsCacheEntries", 400);
    // user_pref("network.dnsCacheExpiration", 60);
@@ -675,6 +671,9 @@ user_pref("browser.sessionstore.resume_from_crash", false);
  * This longer interval *may* affect history but we cannot replicate any history not recorded
  * [1] https://bugzilla.mozilla.org/1304389 ***/
 user_pref("browser.sessionstore.interval", 30000);
+/* 1024: disable automatic Firefox start and session restore after reboot [WINDOWS] (FF62+)
+ * [1] https://bugzilla.mozilla.org/603903 ***/
+user_pref("toolkit.winRegisterApplicationRestart", false);
 /** FAVICONS ***/
 /* 1030: disable favicons in shortcuts
  * URL shortcuts use a cached randomly named .ico file which is stored in your
@@ -682,7 +681,7 @@ user_pref("browser.sessionstore.interval", 30000);
  * If set to false then the shortcuts use a generic Firefox icon ***/
 user_pref("browser.shell.shortcutFavicons", false);
 /* 1031: disable favicons in tabs and new bookmarks
- * bookmark favicons are stored as data blobs in places.sqlite>moz_favicons ***/
+ * bookmark favicons are stored as data blobs in favicons.sqlite ***/
    // user_pref("browser.chrome.site_icons", false);
    // user_pref("browser.chrome.favicons", false);
 /* 1032: disable favicons in web notifications ***/
@@ -700,7 +699,7 @@ user_pref("alerts.showFavicons", false); // default: false
              Optionally, disable the ciphers in 1264.
 
    [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
- ***/
+***/
 user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
 /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
 /* 1201: disable old SSL/TLS - vulnerable to a MiTM attack
@@ -716,7 +715,6 @@ user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
  * [2] https://www.ssl.com/how-to/turn-off-ssl-3-0-and-tls-1-0-in-your-browser/
  * [2] archived: https://archive.is/hY2Mm ***/
 user_pref("security.tls.version.min", 3);
-user_pref("security.tls.version.fallback-limit", 3);
 user_pref("security.tls.version.max", 4); // 4 = allow up to and including TLS 1.3
 /* 1203: disable SSL session tracking (FF36+)
  * SSL Session IDs speed up HTTPS connections (no need to renegotiate) and last for 48hrs.
@@ -734,6 +732,7 @@ user_pref("security.ssl.errorReporting.url", "");
  * [1] https://github.com/tlswg/tls13-spec/issues/1001
  * [2] https://blog.cloudflare.com/tls-1-3-overview-and-q-and-a/ ***/
 user_pref("security.tls.enable_0rtt_data", false); // (FF55+ default true)
+
 /** OCSP (Online Certificate Status Protocol)
     #Required reading [#] https://scotthelme.co.uk/revocation-is-broken/ ***/
 /* 1210: enable OCSP Stapling
@@ -754,6 +753,7 @@ user_pref("security.OCSP.enabled", 1);
  * [1] https://blog.mozilla.org/security/2013/07/29/ocsp-stapling-in-firefox/
  * [2] https://www.imperialviolet.org/2014/04/19/revchecking.html ***/
 user_pref("security.OCSP.require", true);
+
 /** CERTS / HSTS (HTTP Strict Transport Security) / HPKP (HTTP Public Key Pinning) ***/
 /* 1220: disable Windows 8.1's Microsoft Family Safety cert [WINDOWS] (FF50+)
  * 0=disable detecting Family Safety mode and importing the root
@@ -775,12 +775,14 @@ user_pref("security.family_safety.mode", 0);
  * by inspecting ALL your web traffic, then leave at current default=1
  * [1] https://trac.torproject.org/projects/tor/ticket/16206 ***/
 user_pref("security.cert_pinning.enforcement_level", 2);
+
 /** MIXED CONTENT ***/
 /* 1240: disable insecure active content on https pages - mixed content
  * [1] https://trac.torproject.org/projects/tor/ticket/21323 ***/
-user_pref("security.mixed_content.block_active_content", true);
+user_pref("security.mixed_content.block_active_content", true); // default: true
 /* 1241: disable insecure passive content (such as images) on https pages - mixed context ***/
 user_pref("security.mixed_content.block_display_content", true);
+
 /** CIPHERS [see the section 1200 intro] ***/
 /* 1260: disable or limit SHA-1
  * 0=all SHA1 certs are allowed
@@ -809,6 +811,7 @@ user_pref("security.pki.sha1_enforcement_level", 1);
  * [NOTE] Commented out because it still breaks too many sites ***/
    // user_pref("security.ssl3.rsa_aes_128_sha", false);
    // user_pref("security.ssl3.rsa_aes_256_sha", false);
+
 /** UI (User Interface) ***/
 /* 1270: display warning (red padlock) for "broken security"
  * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
@@ -834,12 +837,10 @@ user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
  * If you disallow fonts, this drastically limits/reduces font
  * enumeration (by JS) which is a high entropy fingerprinting vector.
  * [SETTING] General>Language and Appearance>Advanced>Allow pages to choose...
- * [SETTING-ESR52] Content>Font & Colors>Advanced>Allow pages to choose...
  * [SETUP] Disabling fonts can uglify the web a fair bit. ***/
 user_pref("browser.display.use_document_fonts", 0);
 /* 1402: set more legible default fonts [SETUP]
  * [SETTING] General>Language and Appearance>Fonts & Colors>Advanced>Serif|Sans-serif|Monospace
- * [SETTING-ESR52] Content>Fonts & Colors>Advanced>Serif|Sans-serif|Monospace
  * [NOTE] Example below for Windows/Western only ***/
    // user_pref("font.name.serif.x-unicode", "Georgia");
    // user_pref("font.name.serif.x-western", "Georgia"); // default: Times New Roman
@@ -888,7 +889,7 @@ user_pref("gfx.font_rendering.graphite.enabled", false);
             scheme+host+port: https://example.com:8888
 
      #Required reading [#] https://feeding.cloud.geek.nz/posts/tweaking-referrer-for-privacy-in-firefox/
- ***/
+***/
 user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
 /* 1601: ALL: control when images/links send a referer
  * 0=never, 1=send only when links are clicked, 2=for links and images (default) ***/
@@ -920,7 +921,6 @@ user_pref("network.http.referer.defaultPolicy.pbmode", 2); // (FF59+) default: 2
 user_pref("network.http.referer.hideOnionSource", true);
 /* 1610: ALL: enable the DNT (Do Not Track) HTTP header
  * [SETTING] Privacy & Security>Tracking Protecting>Send websites a "Do Not Track"...
- * [SETTING-ESR52] Privacy>Use Tracking Protecting>manage your Do Not Track settings
  * [NOTE] DNT is enforced with TP (see 0420) regardless of this pref ***/
 user_pref("privacy.donottrackheader.enabled", true);
 
@@ -934,11 +934,10 @@ user_pref("_user.js.parrot", "1700 syntax error: the parrot's bit the dust!");
  * [1] https://bugzilla.mozilla.org/1279029 ***/
    // user_pref("privacy.userContext.ui.enabled", true);
 /* 1702: enable Container Tabs (FF50+)
- * [SETTING] Privacy & Security>Tabs>Enable Container Tabs
- * [SETTING-ESR52] Privacy>Container Tabs>Enable Container Tabs ***/
+ * [SETTING] Privacy & Security>Tabs>Enable Container Tabs ***/
    // user_pref("privacy.userContext.enabled", true);
 /* 1703: enable a private container for thumbnail loads (FF51+) ***/
-   // user_pref("privacy.usercontext.about_newtab_segregation.enabled", true);
+   // user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // default: true in FF61+
 /* 1704: set long press behaviour on "+ Tab" button to display container menu (FF53+)
  * 0=disables long press, 1=when clicked, the menu is shown
  * 2=the menu is shown after X milliseconds
@@ -955,14 +954,12 @@ user_pref("plugin.defaultXpi.state", 0);
 /* 1802: enable click to play and set to 0 minutes ***/
 user_pref("plugins.click_to_play", true);
 user_pref("plugin.sessionPermissionNow.intervalInMinutes", 0);
-/* 1803: disable NPAPI plugins (Add-ons>Plugins)
+/* 1803: disable Flash plugin (Add-ons>Plugins)
  * 0=deactivated, 1=ask, 2=enabled
  * ESR52.x is the last branch to *fully* support NPAPI, FF52+ stable only supports Flash
- * [NOTE] ESR52 users should check plugin.state* for other installed NPAPI plugins
- * [NOTE] You can still over-ride individual sites e.g. youtube via site permissions
+ * [NOTE] You can still override individual sites via site permissions
  * [1] https://www.ghacks.net/2013/07/09/how-to-make-sure-that-a-firefox-plugin-never-activates-again/ ***/
 user_pref("plugin.state.flash", 0);
-user_pref("plugin.state.java", 0);
 /* 1805: disable scanning for plugins [WINDOWS]
  * [1] http://kb.mozillazine.org/Plugin_scanning
  * plid.all = whether to scan the directories specified in the Windows registry for PLIDs.
@@ -1026,15 +1023,15 @@ user_pref("media.getusermedia.audiocapture.enabled", false);
  * [SETTING] to manage site exceptions: Options>Privacy & Security>Permissions>Camera/Microphone>Settings ***/
    // user_pref("permissions.default.camera", 2);
    // user_pref("permissions.default.microphone", 2);
-/* 2026: disable canvas capture stream
+/* 2026: disable canvas capture stream (FF41+)
  * [1] https://developer.mozilla.org/docs/Web/API/HTMLCanvasElement/captureStream ***/
 user_pref("canvas.capturestream.enabled", false);
-/* 2027: disable camera image capture
+/* 2027: disable camera image capture (FF35+)
  * [1] https://trac.torproject.org/projects/tor/ticket/16339 ***/
-user_pref("dom.imagecapture.enabled", false);
-/* 2028: disable offscreen canvas
+user_pref("dom.imagecapture.enabled", false); // default: false
+/* 2028: disable offscreen canvas (FF44+)
  * [1] https://developer.mozilla.org/docs/Web/API/OffscreenCanvas ***/
-user_pref("gfx.offscreencanvas.enabled", false);
+user_pref("gfx.offscreencanvas.enabled", false); // default: false
 /* 2030: disable auto-play of HTML5 media
  * [WARNING] This may break video playback on various sites ***/
 user_pref("media.autoplay.enabled", false);
@@ -1070,8 +1067,7 @@ user_pref("browser.link.open_newwindow.restriction", 0);
  * [TEST] https://developer.mozilla.org/samples/domref/fullscreen.html ***/
 user_pref("full-screen-api.enabled", false);
 /* 2210: block popup windows
- * [SETTING] Privacy & Security>Permissions>Block pop-up windows
- * [SETTING-ESR52] Content>Pop-ups>Block pop-up windows ***/
+ * [SETTING] Privacy & Security>Permissions>Block pop-up windows ***/
 user_pref("dom.disable_open_during_load", true);
 /* 2211: set max popups from a single non-click event - default is 20! ***/
 user_pref("dom.popup_maximum", 3);
@@ -1086,7 +1082,7 @@ user_pref("dom.popup_allowed_events", "click dblclick");
      including service and shared workers. Shared workers can be utilized by multiple scripts and
      communicate between browsing contexts (windows/tabs/iframes) and can even control your cache.
 
-     [WARNING] Disabling workers *will* break sites (e.g. Google Street View, Twitter).
+     [WARNING] Disabling "web workers" might break sites
      [UPDATE] uMatrix 1.2.0+ allows a per-scope control for workers (2301-deprecated) and service workers (2302)
               #Required reading [#] https://github.com/gorhill/uMatrix/releases/tag/1.2.0
 
@@ -1096,7 +1092,7 @@ user_pref("dom.popup_allowed_events", "click dblclick");
      [4]   SharedWorker: https://developer.mozilla.org/docs/Web/API/SharedWorker
      [5]   ChromeWorker: https://developer.mozilla.org/docs/Web/API/ChromeWorker
      [6]  Notifications: https://support.mozilla.org/questions/1165867#answer-981820
- ***/
+***/
 user_pref("_user.js.parrot", "2300 syntax error: the parrot's off the twig!");
 /* 2302: disable service workers
  * Service workers essentially act as proxy servers that sit between web apps, and the browser
@@ -1175,6 +1171,13 @@ user_pref("javascript.options.shared_memory", false);
 
 /*** 2500: HARDWARE FINGERPRINTING ***/
 user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is mortal coil!");
+/* 2502: disable Battery Status API
+ * Initially a Linux issue (high precision readout) that was fixed.
+ * However, it is still another metric for fingerprinting, used to raise entropy.
+ * e.g. do you have a battery or not, current charging status, charge level, times remaining etc
+ * [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code. see [1]
+ * [1] https://bugzilla.mozilla.org/1313580 ***/
+   // user_pref("dom.battery.enabled", false);
 /* 2504: disable virtual reality devices
  * [WARNING] [SETUP] Optional protection depending on your connected devices
  * [1] https://developer.mozilla.org/docs/Web/API/WebVR_API ***/
@@ -1186,7 +1189,6 @@ user_pref("_user.js.parrot", "2500 syntax error: the parrot's shuffled off 'is m
 user_pref("media.navigator.enabled", false);
 /* 2508: disable hardware acceleration to reduce graphics fingerprinting
  * [SETTING] General>Performance>Custom>Use hardware acceleration when available
- * [SETTING-ESR52] Advanced>General>Use hardware acceleration when available
  * [WARNING] [SETUP] Affects text rendering (fonts will look different), impacts video performance,
  * and parts of Quantum that utilize the GPU will also be affected as they are rolled out
  * [1] https://wiki.mozilla.org/Platform/GFX/HardwareAcceleration ***/
@@ -1242,12 +1244,6 @@ user_pref("mathml.disabled", true);
  * [1] https://trac.torproject.org/projects/tor/ticket/10089
  * [2] http://kb.mozillazine.org/Middlemouse.contentLoadURL ***/
 user_pref("middlemouse.contentLoadURL", false);
-/* 2612: disable remote JAR files being opened, regardless of content type (FF42+)
- * [1] https://bugzilla.mozilla.org/1173171
- * [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/ ***/
-user_pref("network.jar.block-remote-files", true);
-/* 2613: disable JAR from opening Unsafe File Types ***/
-user_pref("network.jar.open-unsafe-types", false);
 /* 2614: limit HTTP redirects (this does not control redirects with HTML meta tags or JS)
  * [WARNING] A low setting of 5 or under will probably break some sites (e.g. gmail logins)
  * To control HTML Meta tag and JS redirects, use an extension. Default is 20 ***/
@@ -1276,7 +1272,6 @@ user_pref("ui.use_standins_for_native_colors", true); // (hidden pref)
 user_pref("network.IDN_show_punycode", true);
 /* 2620: enable Firefox's built-in PDF reader [SETUP]
  * [SETTING] General>Applications>Portable Document Format (PDF)
- * [SETTING-ESR52] Applications>Portable Document Format (PDF)
  * This setting controls if the option "Display in Firefox" in the above setting is available
  *   and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
  * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
@@ -1292,8 +1287,7 @@ user_pref("pdfjs.disabled", false);
  * [SETTING] To set your default "downloads": General>Downloads>Save files to ***/
 user_pref("browser.download.folderList", 2);
 /* 2651: enforce user interaction for security by always asking the user where to download
- * [SETTING] General>Downloads>Always ask you where to save files
- * [SETTING-ESR52] General>Downloads>Always ask me where to save files ***/
+ * [SETTING] General>Downloads>Always ask you where to save files ***/
 user_pref("browser.download.useDownloadDir", false);
 /* 2652: disable adding downloads to the system's "recent documents" list ***/
 user_pref("browser.download.manager.addToRecentDocs", false);
@@ -1313,18 +1307,11 @@ user_pref("browser.download.forbid_open_with", true);
  * [1] archived: https://archive.is/DYjAM ***/
 user_pref("extensions.enabledScopes", 1); // (hidden pref)
 user_pref("extensions.autoDisableScopes", 15);
-/* 2661: clear localStorage and UUID when an extension is uninstalled
- * [NOTE] Both preferences must be the same
- * [1] https://developer.mozilla.org/Add-ons/WebExtensions/API/storage/local
- * [2] https://bugzilla.mozilla.org/1213990 ***/
-user_pref("extensions.webextensions.keepStorageOnUninstall", false);
-user_pref("extensions.webextensions.keepUuidOnUninstall", false);
 /* 2662: disable webextension restrictions on certain mozilla domains (also see 4503) (FF60+)
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
    // user_pref("extensions.webextensions.restrictedDomains", "");
 /* 2663: enable warning when websites try to install add-ons
- * [SETTING] Privacy & Security>Permissions>Warn you when websites try to install add-ons
- * [SETTING-ESR52] Security>General>Warn me when sites try to install add-ons ***/
+ * [SETTING] Privacy & Security>Permissions>Warn you when websites try to install add-ons ***/
 user_pref("xpinstall.whitelist.required", true); // default: true
 
 /** SECURITY ***/
@@ -1341,7 +1328,7 @@ user_pref("security.csp.experimentalEnabled", true);
  * [1] https://bugzilla.mozilla.org/1331351
  * [2] https://www.wordfence.com/blog/2017/01/gmail-phishing-data-uri/
  * [3] https://www.fxsitecompat.com/en-CA/docs/2017/data-url-navigations-on-top-level-window-will-be-blocked/ ***/
-user_pref("security.data_uri.block_toplevel_data_uri_navigations", true);
+user_pref("security.data_uri.block_toplevel_data_uri_navigations", true); // default: true in FF59+
 /* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
  * [1] http://kb.mozillazine.org/Disable_extension_install_delay_-_Firefox
  * [2] https://www.squarefree.com/2004/07/01/race-conditions-in-security-dialogs/ ***/
@@ -1354,17 +1341,16 @@ user_pref("security.dialog_enable_delay", 700); // default: 1000 (milliseconds)
           indexedDB : profile\storage\default
            appCache : profile\OfflineCache
      serviceWorkers :
- ***/
+***/
 user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
-/* 2701: disable cookies on all sites [SETUP]
+/* 2701: disable 3rd-party cookies and site-data [SETUP]
  * You can set exceptions under site permissions or use an extension
  * 0=allow all 1=allow same host 2=disallow all 3=allow 3rd party if it already set a cookie
  * [SETTING] Privacy & Security>History>Custom Settings>Accept cookies from sites
- * [SETTING-ESR52] Privacy>History>Custom Settings>Accept cookies from sites
  * [NOTE] Blocking 3rd party controls 3rd party access to localStorage, IndexedDB, Cache API and Service Worker Cache.
  * Blocking 1st party controls access to localStorage and IndexedDB (note: Service Workers can still use IndexedDB).
  * [1] https://www.fxsitecompat.com/en-CA/docs/2015/web-storage-indexeddb-cache-api-now-obey-third-party-cookies-preference/ ***/
-user_pref("network.cookie.cookieBehavior", 2);
+user_pref("network.cookie.cookieBehavior", 1);
 /* 2702: set third-party cookies (i.e ALL) (if enabled, see above pref) to session-only
    and (FF58+) set third-party non-secure (i.e HTTP) cookies to session-only
    [NOTE] .sessionOnly overrides .nonsecureSessionOnly except when .sessionOnly=false and
@@ -1375,8 +1361,7 @@ user_pref("network.cookie.thirdparty.sessionOnly", true);
 user_pref("network.cookie.thirdparty.nonsecureSessionOnly", true); // (FF58+)
 /* 2703: set cookie lifetime policy
  * 0=until they expire (default), 2=until you close Firefox, 3=for n days (see next pref)
- * [SETTING] Privacy & Security>History>Custom Settings>Accept cookies from sites>Keep until
- * [SETTING-ESR52] Privacy>History>Custom Settings>Accept cookies from sites>Keep until ***/
+ * [SETTING] Privacy & Security>History>Custom Settings>Accept cookies from sites>Keep until ***/
    // user_pref("network.cookie.lifetimePolicy", 0);
 /* 2704: set cookie lifetime in days (see above pref) - default is 90 days ***/
    // user_pref("network.cookie.lifetime.days", 90);
@@ -1389,20 +1374,23 @@ user_pref("network.cookie.leave-secure-alone", true); // default: true
  * [3] https://www.sjoerdlangkemper.nl/2016/04/14/preventing-csrf-with-samesite-cookie-attribute/ ***/
    // user_pref("network.cookie.same-site.enabled", true); // default: true
 /* 2710: disable DOM (Document Object Model) Storage
- * [WARNING] This will break a LOT of sites' functionality.
+ * [WARNING] This will break a LOT of sites' functionality AND extensions!
  * You are better off using an extension for more granular control ***/
    // user_pref("dom.storage.enabled", false);
-/* 2720: disable JS storing data permanently [SETUP]
- * [WARNING] This BREAKS uBlock Origin [1.14.0+] and other extensions that require IndexedDB
- * [1] https://github.com/gorhill/uBlock/releases/tag/1.14.0
- * [WARNING] This *will* break other extensions including legacy, and *will* break some sites ***/
-   // user_pref("dom.indexedDB.enabled", false);
+/* 2720: enforce IndexedDB (IDB) as enabled
+ * IDB is required for extensions and Firefox internals (even before FF63 in [1])
+ * To control *website* IDB data, control allowing cookies and service workers, or use
+ * Temporary Containers. To mitigate *website* IDB, FPI helps (4001), and/or sanitize
+ * on close (Offline Website Data, see 2800) or on-demand (Ctrl-Shift-Del), or automatically
+ * via an extenion. Note that IDB currently cannot be sanitized by host.
+ * [1] https://blog.mozilla.org/addons/2018/08/03/new-backend-for-storage-local-api/ ***/
+user_pref("dom.indexedDB.enabled", true); // default: true
 /* 2730: disable offline cache
- * [NOTE] For FF60 and under, this is required 'true' for Storage API (2750) ***/
-   // user_pref("browser.cache.offline.enable", false);
+ * [NOTE] For FF51-FF60 (ESR not included), this is required 'true' for Storage API (2750) ***/
+user_pref("browser.cache.offline.enable", false);
 /* 2730b: disable offline cache on insecure sites (FF60+)
  * [1] https://blog.mozilla.org/security/2018/02/12/restricting-appcache-secure-contexts/ ***/
-user_pref("browser.cache.offline.insecure.enable", false);
+user_pref("browser.cache.offline.insecure.enable", false); // default: false in FF62+
 /* 2731: enforce websites to ask to store data for offline use
  * [1] https://support.mozilla.org/questions/1098540
  * [2] https://bugzilla.mozilla.org/959985 ***/
@@ -1410,39 +1398,35 @@ user_pref("offline-apps.allow_by_default", false);
 /* 2740: disable service workers cache and cache storage
  * [1] https://w3c.github.io/ServiceWorker/#privacy ***/
 user_pref("dom.caches.enabled", false);
-/* 2750: disable Storage API
+/* 2750: disable Storage API (FF51+)
  * The API gives sites the ability to find out how much space they can use, how much
  * they are already using, and even control whether or not they need to be alerted
  * before the user agent disposes of site data in order to make room for other things.
- * [NOTE] For FF60 and under, if Storage API is enabled, then Offline Cache (2730) must be also be enabled
+ * [NOTE] For FF51-FF60 (ESR not included), if Storage API is enabled, then Offline Cache (2730) must be also be enabled
  * [1] https://developer.mozilla.org/docs/Web/API/StorageManager
  * [2] https://developer.mozilla.org/docs/Web/API/Storage_API
  * [3] https://blog.mozilla.org/l10n/2017/03/07/firefox-l10n-report-aurora-54/ ***/
-   // user_pref("dom.storageManager.enabled", false); // (FF51+)
-   // user_pref("browser.storageManager.enabled", false); // controls "Site Data" UI visibility (FF53+)
+   // user_pref("dom.storageManager.enabled", false);
 
 /*** 2800: SHUTDOWN [SETUP]
-     You should set the values to what suits you best. Be aware that the settings below clear
-     browsing, download and form history, but not cookies (use exceptions or an extension).
+     You should set the values to what suits you best.
      - "Offline Website Data" includes appCache (2730), localStorage (2710),
        Service Worker cache (2740), and QuotaManager (IndexedDB (2720), asm-cache)
      - In both 2803 + 2804, the 'download' and 'history' prefs are combined in the
        Firefox interface as "Browsing & Download History" and their values will be synced
- ***/
+***/
 user_pref("_user.js.parrot", "2800 syntax error: the parrot's bleedin' demised!");
 /* 2802: enable Firefox to clear history items on shutdown
- * [SETTING] Privacy & Security>History>Clear history when Firefox closes
- * [SETTING-ESR52] Privacy>Clear history when Firefox closes ***/
+ * [SETTING] Privacy & Security>History>Clear history when Firefox closes ***/
 user_pref("privacy.sanitize.sanitizeOnShutdown", true);
 /* 2803: set what history items to clear on shutdown
  * [SETTING] Privacy & Security>History>Clear history when Firefox closes>Settings
- * [SETTING-ESR52] Privacy>Clear history when Firefox closes>Settings
  * [NOTE] If 'history' is true, downloads will also be cleared regardless of the value
  * but if 'history' is false, downloads can still be cleared independently
  * However, this may not always be the case. The interface combines and syncs these
  * prefs when set from there, and the sanitize code may change at any time ***/
 user_pref("privacy.clearOnShutdown.cache", true);
-user_pref("privacy.clearOnShutdown.cookies", false);
+user_pref("privacy.clearOnShutdown.cookies", true);
 user_pref("privacy.clearOnShutdown.downloads", true); // see note above
 user_pref("privacy.clearOnShutdown.formdata", true); // Form & Search History
 user_pref("privacy.clearOnShutdown.history", true); // Browsing & Download History
@@ -1455,7 +1439,7 @@ user_pref("privacy.clearOnShutdown.siteSettings", false); // Site Preferences
  * [NOTE] Regardless of what you set privacy.cpd.downloads to, as soon as the dialog
  * for "Clear Recent History" is opened, it is synced to the same as 'history' ***/
 user_pref("privacy.cpd.cache", true);
-user_pref("privacy.cpd.cookies", false);
+user_pref("privacy.cpd.cookies", true);
    // user_pref("privacy.cpd.downloads", true); // not used, see note above
 user_pref("privacy.cpd.formdata", true); // Form & Search History
 user_pref("privacy.cpd.history", true); // Browsing & Download History
@@ -1489,6 +1473,7 @@ user_pref("privacy.sanitize.timeSpan", 0);
  ** 1337893 - isolate DNS cache (FF55+)
  ** 1344170 - isolate blob: URI (FF55+)
  ** 1300671 - isolate data:, about: URLs (FF55+)
+ ** 1473247 - isolate IP addresses (FF63+)
 
  NOTE: FPI has some issues depending on your Firefox release
  ** 1418931 - [fixed in FF58+] IndexedDB (Offline Website Data) with FPI Origin Attributes
@@ -1540,7 +1525,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
  ** 1337161 - hide gamepads from content (see 4606) (FF56+)
  ** 1372072 - spoof network information API as "unknown" (see 4607) (FF56+)
  ** 1333641 - reduce fingerprinting in WebSpeech API (see 4608) (FF56+)
- ** 1372069 & 1403813 - block geolocation requests (same as if you deny a site permission) (see 0201, 0211) (FF56+)
+ ** 1372069 & 1403813 & 1441295 - block geolocation requests (same as denying a site permission) (see 0201, 0211) (FF56-62)
  ** 1369309 - spoof media statistics (see 4610) (FF57+)
  ** 1382499 - reduce screen co-ordinate fingerprinting in Touch API (see 4611) (FF57+)
  ** 1217290 & 1409677 - enable fingerprinting resistance for WebGL (see 2010-12) (FF57+)
@@ -1558,6 +1543,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true);
       FF60: Fix keydown/keyup events (1438795)
  ** 1337157 - disable WebGL debug renderer info (see 4613) (FF60+)
  ** 1459089 - disable OS locale in HTTP Accept-Language headers [ANDROID] (FF62+)
+ ** 1363508 - spoof/suppress Pointer Events (FF64+)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting (FF41+)
@@ -1575,6 +1561,10 @@ user_pref("privacy.resistFingerprinting", true); // (hidden pref) (not hidden FF
  * to sanitize or clear extensions.webextensions.restrictedDomains (see 2662) to keep that side-effect
  * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1384330,1406795,1415644,1453988 ***/
 user_pref("privacy.resistFingerprinting.block_mozAddonManager", true); // (hidden pref)
+/* 4504: disable showing about:blank as soon as possible during startup (FF60+)
+ * When default true (FF62+) this no longer masks the RFP resizing activity
+ * [1] https://bugzilla.mozilla.org/1448423 ***/
+user_pref("browser.startup.blankWindow", false);
 
 /*** 4600: RFP (4500) ALTERNATIVES [SETUP]
    * IF you DO use RFP (see 4500) then you DO NOT need these redundant prefs. In fact,
@@ -1654,36 +1644,30 @@ user_pref("webgl.enable-debug-renderer-info", false);
 // ***/
 
 /*** 4700: RFP (4500) ALTERNATIVES - NAVIGATOR / USER AGENT (UA) SPOOFING
-     Spoofing your UA to *LOWER* entropy *does* *not* *work*. It may even cause site breakage
-     depending on your values. Even if you spoof, like TBB (Tor Browser Bundle) does, as the
-     latest ESR, it still *does* *not* *work*. There are two main reasons for this.
-       1. Many of the components that make up your UA can be derived by other means. And when
-          those values differ, you provide more bits and raise entropy. Examples of leaks include
-          navigator objects, date locale/formats, iframes, headers, resource://URIs,
-          feature detection and more.
-       2. You are not in a controlled set of significant numbers, where the values are enforced
-          by default. It works for TBB because for TBB, the spoofed values ARE their default.
-     * We do not recommend UA spoofing yourself, leave it to privacy.resistFingerprinting (see 4500)
-       which is already plugging leaks (see 1 above) the prefs below do not address
-     * Values below are for example only based on the current TBB at the time of writing
+     This is FYI ONLY. These prefs are INSUFFICIENT(a) on their own, you need
+     to use RFP (4500) or an extension, in which case they become POINTLESS.
+     (a) Many of the components that make up your UA can be derived by other means.
+         And when those values differ, you provide more bits and raise entropy.
+         Examples of leaks include navigator objects, date locale/formats, iframes,
+         headers, tcp/ip attributes, feature detection, and **many** more.
+     ALL values below intentionally left blank - use RFP, or get a vetted, tested
+         extension and mimic RFP values to *lower* entropy, or randomize to *raise* it
 ***/
 user_pref("_user.js.parrot", "4700 syntax error: the parrot's taken 'is last bow");
-/* 4701: navigator.userAgent leaks in JS
- * [NOTE] Setting this will break any UA spoofing extension whitelisting ***/
-   // user_pref("general.useragent.override", "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"); // (hidden pref)
-/* 4702: navigator.buildID (see gecko.buildID in about:config) reveals build time
- * down to the second which defeats user agent spoofing and can compromise OS etc
+/* 4701: navigator.userAgent ***/
+   // user_pref("general.useragent.override", ""); // (hidden pref)
+/* 4702: navigator.buildID (
+ * reveals build time down to the second
  * [1] https://bugzilla.mozilla.org/583181 ***/
-   // user_pref("general.buildID.override", "20100101"); // (hidden pref)
+   // user_pref("general.buildID.override", ""); // (hidden pref)
 /* 4703: navigator.appName ***/
-   // user_pref("general.appname.override", "Netscape"); // (hidden pref)
+   // user_pref("general.appname.override", ""); // (hidden pref)
 /* 4704: navigator.appVersion ***/
-   // user_pref("general.appversion.override", "5.0 (Windows)"); // (hidden pref)
-/* 4705: navigator.platform leaks in JS ***/
-   // user_pref("general.platform.override", "Win32"); // (hidden pref)
-/* 4706: navigator.oscpu leaks in JS ***/
-   // user_pref("general.oscpu.override", "Windows NT 6.1"); // (hidden pref)
-/* 4707: general.useragent.locale (related, see 0204-deprecated FF59+) ***/
+   // user_pref("general.appversion.override", ""); // (hidden pref)
+/* 4705: navigator.platform ***/
+   // user_pref("general.platform.override", ""); // (hidden pref)
+/* 4706: navigator.oscpu ***/
+   // user_pref("general.oscpu.override", ""); // (hidden pref)
 
 /*** 5000: PERSONAL [SETUP]
      Non-project related but useful. If any of these interest you, add them to your overrides ***/
@@ -1923,22 +1907,8 @@ user_pref("media.gmp-eme-adobe.autoupdate", false);
    // [1] https://wiki.mozilla.org/WebAPI/Security/WebTelephony
    // [-] https://bugzilla.mozilla.org/1309719
 user_pref("dom.telephony.enabled", false);
-// 2502: disable Battery Status API
-   // Initially a Linux issue (high precision readout) that was fixed.
-   // However, it is still another metric for fingerprinting, used to raise entropy.
-   // e.g. do you have a battery or not, current charging status, charge level, times remaining etc
-   // [1] https://techcrunch.com/2015/08/04/battery-attributes-can-be-used-to-track-web-users/
-   // [2] https://bugzilla.mozilla.org/1124127
-   // [3] https://www.w3.org/TR/battery-status/
-   // [4] https://www.theguardian.com/technology/2016/aug/02/battery-status-indicators-tracking-online
-   // [NOTE] From FF52+ Battery Status API is only available in chrome/privileged code.
-   // [-] https://bugzilla.mozilla.org/1313580
-user_pref("dom.battery.enabled", false);
 // ***/
-
-/* ESR52.x still uses all the following prefs
-// [NOTE] replace the * with a slash in the line above to re-enable them
-// FF53
+/* FF53
 // 1265: block rc4 fallback
    // [-] https://bugzilla.mozilla.org/1130670
 user_pref("security.tls.unrestricted_rc4_fallback", false);
@@ -1953,8 +1923,8 @@ user_pref("media.getusermedia.screensharing.allow_on_old_platforms", false);
 // 2507: disable keyboard fingerprinting
    // [-] https://bugzilla.mozilla.org/1322736
 user_pref("dom.beforeAfterKeyboardEvent.enabled", false);
-// * * * /
-// FF54
+// ***/
+/* FF54
 // 0415: disable reporting URLs (safe browsing)
    // [-] https://bugzilla.mozilla.org/1288633
 user_pref("browser.safebrowsing.reportMalwareMistakeURL", "");
@@ -1966,8 +1936,8 @@ user_pref("media.eme.apiVisible", false);
    // i.e. reading archive contents directly in the browser, through DOM file objects
    // [-] https://bugzilla.mozilla.org/1342361
 user_pref("dom.archivereader.enabled", false);
-// * * * /
-// FF55
+// ***/
+/* FF55
 // 0209: disable geolocation on non-secure origins (FF54+)
    // [1] https://bugzilla.mozilla.org/1269531
    // [-] https://bugzilla.mozilla.org/1072859
@@ -2005,16 +1975,16 @@ user_pref("browser.tabs.animate", false);
 // 5016: disable fullscreeen animation - replaced by toolkit.cosmeticAnimations.enabled
    // [-] https://bugzilla.mozilla.org/1352069
 user_pref("browser.fullscreen.animate", false);
-// * * * /
-// FF56
+// ***/
+/* FF56
 // 0515: disable Screenshots (rollout pref only) (FF54+)
    // [-] https://bugzilla.mozilla.org/1386333
    // user_pref("extensions.screenshots.system-disabled", true);
 // 0517: disable Form Autofill (FF55+) - replaced by extensions.formautofill.available
    // [-] https://bugzilla.mozilla.org/1385201
 user_pref("extensions.formautofill.experimental", false);
-// * * * /
-// FF57
+// ***/
+/* FF57
 // 0374: disable "social" integration
    // [1] https://developer.mozilla.org/docs/Mozilla/Projects/Social_API
    // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1388902,1406193 (some leftovers were removed in FF58)
@@ -2039,8 +2009,8 @@ user_pref("browser.casting.enabled", false);
 // 5022: hide recently bookmarked items (you still have the original bookmarks) (FF49+)
    // [-] https://bugzilla.mozilla.org/1401238
 user_pref("browser.bookmarks.showRecentlyBookmarked", false);
-// * * * /
-// FF59
+// ***/
+/* FF59
 // 0203: disable using OS locale, force APP locale - replaced by intl.locale.requested
    // [-] https://bugzilla.mozilla.org/1414390
 user_pref("intl.locale.matchOS", false);
@@ -2059,6 +2029,10 @@ user_pref("datareporting.healthreport.about.reportUrl", "data:text/plain,");
    // [3] https://www.ghacks.net/2016/07/26/firefox-flyweb/
    // [-] https://bugzilla.mozilla.org/1374574
 user_pref("dom.flyweb.enabled", false);
+// 1007: disable randomized FF HTTP cache decay experiments
+   // [1] https://trac.torproject.org/projects/tor/ticket/13575
+   // [-] https://bugzilla.mozilla.org/1430197
+user_pref("browser.cache.frecency_experiment", -1);
 // 1242: enable Mixed-Content-Blocker to use the HSTS cache but disable the HSTS Priming requests (FF51+)
    // Allow resources from domains with an existing HSTS cache record or in the HSTS preload list
    // to be upgraded to HTTPS internally but disable sending out HSTS Priming requests, because
@@ -2086,8 +2060,8 @@ user_pref("dom.disable_window_status_change", true);
 // 2416: disable idle observation
    // [-] (part7) https://bugzilla.mozilla.org/1416703#c21
 user_pref("dom.idle-observers-api.enabled", false);
-// * * * /
-// FF60
+// ***/
+/* FF60
 // 0360: disable new tab tile ads & preload & marketing junk
    // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1370930,1433133
 user_pref("browser.newtabpage.directory.source", "data:text/plain,");
@@ -2104,12 +2078,38 @@ user_pref("extensions.shield-recipe-client.api_url", "");
    // [-] https://bugzilla.mozilla.org/1433324
 user_pref("browser.newtabpage.activity-stream.enabled", false);
 // 2301: disable workers
+   // [WARNING] Disabling workers *will* break sites (e.g. Google Street View, Twitter)
    // [NOTE] CVE-2016-5259, CVE-2016-2812, CVE-2016-1949, CVE-2016-5287 (fixed)
    // [-] https://bugzilla.mozilla.org/1434934
 user_pref("dom.workers.enabled", false);
 // 5000's: open "page/selection source" in a new window
    // [-] https://bugzilla.mozilla.org/1418403
    // user_pref("view_source.tab", false);
+// ***/
+
+/* ESR60.x still uses all the following prefs
+// [NOTE] replace the * with a slash in the line above to re-enable them
+// FF61
+// 0501: disable experiments
+   // [1] https://wiki.mozilla.org/Telemetry/Experiments
+   // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1420908,1450801
+user_pref("experiments.enabled", false);
+user_pref("experiments.manifest.uri", "");
+user_pref("experiments.supported", false);
+user_pref("experiments.activeExperiment", false);
+// 2612: disable remote JAR files being opened, regardless of content type (FF42+)
+   // [1] https://bugzilla.mozilla.org/1173171
+   // [2] https://www.fxsitecompat.com/en-CA/docs/2015/jar-protocol-support-has-been-disabled-by-default/
+   // [-] https://bugzilla.mozilla.org/1427726
+user_pref("network.jar.block-remote-files", true);
+// 2613: disable JAR from opening Unsafe File Types
+   // [-] https://bugzilla.mozilla.org/1427726
+user_pref("network.jar.open-unsafe-types", false);
+// * * * /
+// FF62
+// 1803: disable Java plugin
+   // [-] (part5) https://bugzilla.mozilla.org/1461243
+user_pref("plugin.state.java", 0);
 // * * * /
 // ***/