70-beta

* simplify ciphers

- let's not encourage (remove options 1, 2) changing your cipher suite FP
- remove "it's quite technical ..." (everything is technical to someone), trim to one line
- add test link so users can just see that it's FP'able
- reinforce not to fuck with the cipher suite in the cipher's sub-section

README.md

@@ -8,7 +8,7 @@ Everyone, experts included, should at least read the [implementation](https://gi
 
 Note that we do *not* recommend connecting over Tor on Firefox. Use the [Tor Browser](https://www.torproject.org/projects/torbrowser.html.en) if your [threat model](https://www.torproject.org/about/torusers.html.en) calls for it, or for accessing hidden services. 
 
-Also be aware that this `user.js` is made specifically for Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser.
+Also be aware that this `user.js` is made specifically for desktop Firefox. Using it as-is in other Gecko-based browsers can be counterproductive, especially in the Tor Browser.
 
 Sitemap: [Releases](https://github.com/ghacksuserjs/ghacks-user.js/releases), [changelogs](https://github.com/ghacksuserjs/ghacks-user.js/issues?utf8=%E2%9C%93&q=is%3Aissue+label%3Achangelog), [Wiki](https://github.com/ghacksuserjs/ghacks-user.js/wiki), [stickies](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+is%3Aopen+label%3A%22sticky+topic%22). [diffs](https://github.com/ghacksuserjs/ghacks-user.js/issues?q=is%3Aissue+label%3Adiffs)
 
@@ -18,7 +18,7 @@ Literally thousands of sources, references and suggestions. That said...
 * Martin Brinkmann at [ghacks](https://www.ghacks.net/) <sup>1</sup>
 * The ghacks community and commentators
 * [12bytes](https://12bytes.org/articles/tech/firefox/firefoxgecko-configuration-guide-for-privacy-and-performance-buffs)
-   * The 12bytes article now uses this user.js and supplements it with an additional JS hosted at [GitLab](https://gitlab.com/labwrat/Firefox-user.js/tree/master)
+   * The 12bytes article now uses this user.js and supplements it with an additional JS hosted at [Codeberg](https://codeberg.org/12bytes.org/Firefox-user.js-supplement)
 
 <sup>1</sup> The ghacks user.js was an independent project by [Thorin-Oakenpants](https://github.com/Thorin-Oakenpants) started in early 2015 and was [first published](https://www.ghacks.net/2015/08/18/a-comprehensive-list-of-firefox-privacy-and-security-settings/) at ghacks in August 2015. With Martin Brinkmann's blessing, it will keep the ghacks name.
 

scratchpad-scripts/ghacks-clear-FF68inclusive-[RFP-alternatives].js

@@ -1,6 +1,6 @@
 /***
  This will reset the preferences that are under sections 4600 & 4700 in the ghacks user.js
- up to and including release 60-beta. These are the prefs that are no longer necessary,
+ up to and including Firefox/ESR 68. These are the prefs that are no longer necessary,
  or they conflict with, privacy.resistFingerprinting if you have that enabled.
 
  For instructions see:
@@ -22,6 +22,8 @@
     'dom.w3c_touch_events.enabled',
     'media.ondevicechange.enabled',
     'webgl.enable-debug-renderer-info',
+    'dom.w3c_pointer_events.enabled',
+    'ui.use_standins_for_native_colors',
     /* section 4700 */
     'general.useragent.override',
     'general.buildID.override',

scratchpad-scripts/ghacks-clear-FF68inclusive-[deprecated].js

@@ -1,6 +1,6 @@
 /***
  This will reset the preferences that have been deprecated by Mozilla
- and used in the ghacks user.js up to and including release 60-beta
+ and used in the ghacks user.js up to and including Firefox/ESR 68
 
  It is in reverse order, so feel free to remove sections that do not apply
 
@@ -12,8 +12,43 @@
   let ops = [
     /* deprecated */
 
-    /* ESR52.x users can remove sections 53-60 but it is not
-       crucial as your user.js will reinstate them */
+    /* 68 */
+    'browser.newtabpage.activity-stream.disableSnippets',
+    'browser.aboutHomeSnippets.updateUrl',
+    'lightweightThemes.update.enabled',
+    'security.csp.experimentalEnabled',
+    /* F67 */
+    'dom.event.highrestimestamp.enabled',
+    'browser.newtabpage.activity-stream.asrouter.userprefs.cfr',
+    /* 66 */
+    'browser.chrome.errorReporter.enabled',
+    'browser.chrome.errorReporter.submitUrl',
+    'network.allow-experiments',
+    /* 65 */
+    'browser.urlbar.autocomplete.enabled',
+    'browser.fixup.hide_user_pass',
+    /* 64 */
+    'browser.onboarding.enabled',
+    'devtools.webide.autoinstallADBHelper',
+    'devtools.webide.adbAddonURL',
+    'security.csp.enable_violation_events',
+    /* 63 */
+    'browser.search.countryCode',
+    'app.update.enabled',
+    'shield.savant.enabled',
+    'browser.chrome.favicons',
+    'media.autoplay.enabled',
+    'network.cookie.lifetime.days',
+    'browser.ctrlTab.previews',
+    /* 62 */
+    'plugin.state.java',
+    /* 61 */
+    'experiments.enabled',
+    'experiments.manifest.uri',
+    'experiments.supported',
+    'experiments.activeExperiment',
+    'network.jar.block-remote-files',
+    'network.jar.open-unsafe-types',
     /* 60 */
     'browser.newtabpage.directory.source',
     'browser.newtabpage.enhanced',
@@ -22,7 +57,6 @@
     'extensions.shield-recipe-client.api_url',
     'browser.newtabpage.activity-stream.enabled',
     'dom.workers.enabled',
-    'view_source.tab',
     /* 59 */
     'intl.locale.matchOS',
     'general.useragent.locale',
@@ -76,8 +110,6 @@
     'plugin.scan.WindowsMediaPlayer',
     'media.getusermedia.screensharing.allow_on_old_platforms',
     'dom.beforeAfterKeyboardEvent.enabled',
-    /* End of ESR52.x section */
-
     /* 52 */
     'network.http.sendSecureXSiteReferrer',
     'media.gmp-eme-adobe.enabled',

scratchpad-scripts/ghacks-clear-[removed].js

@@ -1,7 +1,7 @@
 /***
  This will reset the preferences that have been removed completely from the ghacks user.js.
 
- Last updated: 15-October-2019
+ Last updated: 11-November-2019
 
  For instructions see:
  https://github.com/ghacksuserjs/ghacks-user.js/wiki/3.1-Resetting-Inactive-Prefs-[Scripts]
@@ -204,13 +204,16 @@
     /* 70-beta */
     'browser.cache.disk_cache_ssl',
     'browser.sessionhistory.max_entries',
+    'dom.push.connection.enabled',
+    'dom.push.serverURL',
     'extensions.getAddons.discovery.api_url',
     'extensions.htmlaboutaddons.discover.enabled',
     'extensions.webservice.discoverURL',
     'intl.locale.requested',
     'intl.regional_prefs.use_os_locales',
-    'dom.push.connection.enabled',
-    'dom.push.serverURL',
+    'privacy.usercontext.about_newtab_segregation.enabled',
+    'security.insecure_connection_icon.pbmode.enabled',
+    'security.insecure_connection_text.pbmode.enabled',
     'webgl.dxgl.enabled',
     /* reset parrot: check your open about:config after running the script */
     '_user.js.parrot'

scratchpad-scripts/troubleshooter.js

@@ -1,65 +1,11 @@
 
-/*** ghacks-user.js troubleshooter.js v1.5.2 ***/
+/*** ghacks-user.js troubleshooter.js v1.6.0 ***/
 
 (function() {
 
-  if("undefined" === typeof(Services)) {
-    alert("about:config needs to be the active tab!");
-    return;
-  }
+  if ("undefined" === typeof(Services)) return alert('about:config needs to be the active tab!');
 
-  function getMyList(arr) {
-    let aRet = [];
-    let dummy = 0;
-    for (let i = 0, len = arr.length; i < len; i++) {
-      if (Services.prefs.prefHasUserValue(arr[i])) {
-        dummy = Services.prefs.getPrefType(arr[i]);
-        switch (dummy) {
-          case 32: // string (see https://dxr.mozilla.org/mozilla-central/source/modules/libpref/nsIPrefBranch.idl#31)
-            dummy = Services.prefs.getCharPref(arr[i]);
-            aRet.push({'name':arr[i],'value': dummy,'type':32});
-            break;
-          case 64: // int
-            dummy = Services.prefs.getIntPref(arr[i]);
-            aRet.push({'name':arr[i],'value': dummy,'type':64});
-            break;
-          case 128: // boolean
-            dummy = Services.prefs.getBoolPref(arr[i]);
-            aRet.push({'name':arr[i],'value': dummy,'type':128});
-            break;
-          default:
-            console.log("error detecting pref-type for '"+arr[i]+"' !");
-        }
-      }
-    }
-    return aRet;
-  }
-
-  function reapply(arr) {
-    for (let i = 0, len = arr.length; i < len; i++) {
-      switch (arr[i].type) {
-        case 32: // string
-          Services.prefs.setCharPref(arr[i].name, arr[i].value);
-          break;
-        case 64: // int
-          Services.prefs.setIntPref(arr[i].name, arr[i].value);
-          break;
-        case 128: // boolean
-          Services.prefs.setBoolPref(arr[i].name, arr[i].value);
-          break;
-        default:
-          console.log("error re-appyling value for '"+arr[i].name+"' !"); // should never happen
-      }
-    }
-  }
-
-  function myreset(arr) {
-    for (let i = 0, len = arr.length; i < len; i++) {
-      Services.prefs.clearUserPref(arr[i].name);
-    }
-  }
-
-  let ops = [
+  const aPREFS = [
 
     /* known culprits */
     'network.cookie.cookieBehavior',
@@ -160,56 +106,108 @@
     'last.one.without.comma'
   ]
 
+  // any runtime-set pref that everyone will have and that can be safely reset
+  const oFILLER = { type: 64, name: 'extensions.blocklist.pingCountTotal', value: -1 };
 
-  // reset prefs that set the same value as FFs default value
-  let aTEMP = getMyList(ops);
-  myreset(aTEMP);
-  reapply(aTEMP);
+  function getMyList(arr) {
+    const aRet = [];
+    for (const sPname of arr) {
+      if (Services.prefs.prefHasUserValue(sPname)) {
+        const ptype = Services.prefs.getPrefType(sPname);
+        switch (ptype) {
+          case 32: // string (see https://dxr.mozilla.org/mozilla-central/source/modules/libpref/nsIPrefBranch.idl#31)
+            aRet.push({'type':ptype,'name':sPname,'value':Services.prefs.getCharPref(sPname)});
+            break;
+          case 64: // int
+            aRet.push({'type':ptype,'name':sPname,'value':Services.prefs.getIntPref(sPname)});
+            break;
+          case 128: // boolean
+            aRet.push({'type':ptype,'name':sPname,'value':Services.prefs.getBoolPref(sPname)});
+            break;
+          default:
+            console.log("error detecting pref-type for '"+sPname+"' !");
+        }
+      }
+    }
+    return aRet;
+  }
 
-  const aBACKUP = getMyList(ops);
-  //console.log(aBACKUP.length, "user-set prefs from our list detected and their values stored.");
+  function reapply(arr) {
+    for (const oPref of arr) {
+      switch (oPref.type) {
+        case 32: // string
+          Services.prefs.setCharPref(oPref.name, oPref.value);
+          break;
+        case 64: // int
+          Services.prefs.setIntPref(oPref.name, oPref.value);
+          break;
+        case 128: // boolean
+          Services.prefs.setBoolPref(oPref.name, oPref.value);
+          break;
+        default:
+          console.log("error re-appyling value for '"+oPref.name+"' !"); // should never happen
+      }
+    }
+  }
 
-  let myArr = aBACKUP;
-  let found = false;
-  let aDbg = [];
-  focus();
-  myreset(aBACKUP); // reset all detected prefs
-  if (confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) {
-    aDbg = myArr;
-    reapply(aBACKUP);
-    myreset(myArr.slice(0, parseInt(myArr.length/2)));
-    while (myArr.length >= 2) {
+  function myreset(arr) {
+    for (const oPref of arr) Services.prefs.clearUserPref(oPref.name);
+  }
+
+  function resetAllMatchingDefault(arr) {
+    const aTmp = getMyList(arr);
+    myreset(aTmp);
+    reapply(aTmp);
+  }
+
+  function _main(aALL) {
+    const _h = (arr) => Math.ceil(arr.length/2);
+
+    let aTmp = aALL, aDbg = aALL;
+    reapply(aALL);
+    myreset(aTmp.slice(0, _h(aTmp)));
+    while (aTmp.length) {
       alert("NOW TEST AGAIN !");
       if (confirm("if the problem still exists click OK, otherwise click cancel.")) {
-        myArr = myArr.slice(parseInt(myArr.length/2));
-        if (myArr.length == 1) {
-          alert("The problem is caused by more than 1 pref !\n\nNarrowed it down to "+ aDbg.length.toString() +" prefs, check the console ...");
-          break;
-        }
+        aTmp = aTmp.slice(_h(aTmp));
       } else {
-        myArr = myArr.slice(0, parseInt(myArr.length/2));
-        aDbg = myArr;
-        if (myArr.length == 1) { found = true; break; }
+        aTmp = aTmp.slice(0, _h(aTmp));
+        aDbg = aTmp; // update narrowed down list
+        if (aDbg.length == 1) break;
       }
-      reapply(aBACKUP);
-      myreset(myArr.slice(0, parseInt(myArr.length/2))); // reset half of the remaining prefs
+      reapply(aALL);
+      myreset(aTmp.slice(0, _h(aTmp))); // reset half of the remaining prefs
     }
-    reapply(aBACKUP);
+    reapply(aALL);
+
+    if (aDbg.length == 1) return alert("narrowed it down to:\n\n"+aDbg[0].name+"\n");
+    if (aDbg.length == aALL.length) {
+      let msg = "Failed to narrow it down beyond the initial "+aALL.length+" prefs. The problem is most likely caused by at least 2 prefs!\n\n";
+      msg += "Either those prefs are too far apart in the list or there are exactly 2 culprits and they just happen to be at the wrong place.\n\n";
+      msg += "In case it's the latter, the script can add a dummy pref and you can try again - Try again?";
+      if (confirm(msg)) return _main([...aALL, oFILLER]);
+    } else if (aDbg.length > 10 && confirm("Narrowed it down to "+aDbg.length+" prefs. Try narrowing it down further?")) {
+      return _main(aDbg.reverse());
+    }
+
+    alert("Narrowed it down to "+ aDbg.length.toString() +" prefs, check the console ...");
+    console.log("The problem is caused by 2 or more of these prefs:");
+    for (const oPref of aDbg) console.log(oPref.name);
   }
-  else {
-    reapply(aBACKUP);
+
+
+  resetAllMatchingDefault(aPREFS); // reset user-set prefs matching FFs default value
+
+  const aBAK = getMyList(aPREFS);
+  //console.log(aBAK.length, "user-set prefs from our list detected and their values stored.");
+
+  focus();
+  myreset(aBAK);
+  if (!confirm("all detected prefs reset.\n\n!! KEEP THIS PROMPT OPEN AND TEST THE SITE IN ANOTHER TAB !!\n\nIF the problem still exists, this script can't help you - click cancel to re-apply your values and exit.\n\nClick OK if your problem is fixed.")) {
+    reapply(aBAK);
     return;
   }
 
-  if (found) {
-    alert("narrowed it down to:\n\n"+myArr[0].name+"\n");
-    myreset(myArr); // reset the culprit
-  }
-  else {
-    console.log("the problem is caused by a combination of the following prefs:");
-    for (let i = 0, len = aDbg.length; i < len; i++) {
-      console.log(aDbg[i].name);
-    }
-  }
+  _main(aBAK);
 
 })();

user.js

@@ -1,8 +1,8 @@
 /******
 * name: ghacks user.js
-* date: 20 September 2019
-* version 69: Pants One More Time
-*   "When I'm not with pants I lose my mind. Give me a sign. Hit me, pants, one more time."
+* date: 24 November 2019
+* version 70-beta: Pinpants Wizard
+*   "Ever since I was a young pants, I've played the silver ball"
 * authors: v52+ github | v51- www.ghacks.net
 * url: https://github.com/ghacksuserjs/ghacks-user.js
 * license: MIT: https://github.com/ghacksuserjs/ghacks-user.js/blob/master/LICENSE.txt
@@ -246,8 +246,7 @@ user_pref("datareporting.healthreport.uploadEnabled", false);
  * [1] https://bugzilla.mozilla.org/1195552 ***/
 user_pref("datareporting.policy.dataSubmissionEnabled", false);
 /* 0342: disable Studies (see 0503)
- * [NOTE] This pref has no effect when Health Reports (0340) are disabled
- * [SETTING] Privacy & Security>Firefox Data Collection & Use>...>Allow Firefox to install and run studies ***/
+ * [SETTING] Privacy & Security>Firefox Data Collection & Use>Allow Firefox to install and run studies ***/
 user_pref("app.shield.optoutstudies.enabled", false);
 /* 0343: disable personalized Extension Recommendations in about:addons and AMO [FF65+]
  * [NOTE] This pref has no effect when Health Reports (0340) are disabled
@@ -375,7 +374,7 @@ user_pref("network.prefetch-next", false);
  * [1] https://www.ghacks.net/2013/04/27/firefox-prefetching-what-you-need-to-know/
  * [2] https://developer.mozilla.org/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control ***/
 user_pref("network.dns.disablePrefetch", true);
-user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF]
+user_pref("network.dns.disablePrefetchFromHTTPS", true); // [HIDDEN PREF ESR] [DEFAULT: true FF70+]
 /* 0603: disable predictor / prefetching ***/
 user_pref("network.predictor.enabled", false);
 user_pref("network.predictor.enable-prefetch", false); // [FF48+]
@@ -428,16 +427,6 @@ user_pref("network.http.altsvc.oe", false);
  * as a remote Tor node will handle the DNS request
  * [1] https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/WebBrowsers ***/
 user_pref("network.proxy.socks_remote_dns", true);
-/* 0707: disable (or setup) DNS-over-HTTPS (DoH) [FF60+]
- * TRR = Trusted Recursive Resolver
- * 0=off by default, 1=race (removed in FF69), 2=TRR first, 3=TRR only,
- * 4=race for stats but always use native result (removed in FF69), 5=explicitly off
- * [WARNING] DoH bypasses hosts and gives info to yet another party (e.g. Cloudflare)
- * [1] https://www.ghacks.net/2018/04/02/configure-dns-over-https-in-firefox/
- * [2] https://hacks.mozilla.org/2018/05/a-cartoon-intro-to-dns-over-https/ ***/
-   // user_pref("network.trr.mode", 0);
-   // user_pref("network.trr.bootstrapAddress", "");
-   // user_pref("network.trr.uri", "");
 /* 0708: disable FTP [FF60+]
  * [1] https://www.ghacks.net/2018/02/20/firefox-60-with-new-preference-to-disable-ftp/ ***/
    // user_pref("network.ftp.enabled", false);
@@ -596,7 +585,7 @@ user_pref("browser.cache.disk.enable", false);
 /* 1003: disable memory cache
 /* capacity: -1=determine dynamically (default), 0=none, n=memory capacity in kilobytes ***/
    // user_pref("browser.cache.memory.enable", false);
-   // user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF]
+   // user_pref("browser.cache.memory.capacity", 0); // [HIDDEN PREF ESR]
 /* 1006: disable permissions manager from writing to disk [RESTART]
  * [NOTE] This means any permission changes are session only
  * [1] https://bugzilla.mozilla.org/967812 ***/
@@ -637,28 +626,20 @@ user_pref("browser.shell.shortcutFavicons", false);
 user_pref("alerts.showFavicons", false); // [DEFAULT: false]
 
 /*** [SECTION 1200]: HTTPS (SSL/TLS / OCSP / CERTS / HPKP / CIPHERS)
-   Note that your cipher and other settings can be used server side as a fingerprint attack
-   vector, see [1] (It's quite technical but the first part is easy to understand
-   and you can stop reading when you reach the second section titled "Enter Bro")
-
-   Option 1: Use defaults for ciphers (1260's). There is nothing *weak* about these, but
-             due to breakage, browsers can't deprecate them until the web stops using them
-   Option 2: Disable the ciphers in 1261, 1262 and 1263. These shouldn't break anything.
-             Optionally, disable the ciphers in 1264.
-
+   Your cipher and other settings can be used in server side fingerprinting
+   [TEST] https://www.ssllabs.com/ssltest/viewMyClient.html
    [1] https://www.securityartwork.es/2017/02/02/tls-client-fingerprinting-with-bro/
 ***/
 user_pref("_user.js.parrot", "1200 syntax error: the parrot's a stiff!");
 /** SSL (Secure Sockets Layer) / TLS (Transport Layer Security) ***/
-/* 1201: disable old SSL/TLS "insecure" renegotiation (vulnerable to a MiTM attack)
- * [SETUP-WEB] <2% of secure sites do NOT support the newer "secure" renegotiation, see [2]
- * [1] https://wiki.mozilla.org/Security:Renegotiation
- * [2] https://www.ssllabs.com/ssl-pulse/ ***/
+/* 1201: disable old SSL/TLS "insecure" negotiation (vulnerable to a MiTM attack)
+ * [1] https://wiki.mozilla.org/Security:Renegotiation ***/
 user_pref("security.ssl.require_safe_negotiation", true);
 /* 1202: control TLS versions with min and max
  * 1=TLS 1.0, 2=TLS 1.1, 3=TLS 1.2, 4=TLS 1.3
  * [WARNING] Leave these at default, otherwise you alter your TLS fingerprint.
- * Firefox telemetry (April 2019) shows only 0.5% of TLS web traffic uses 1.0 or 1.1 ***/
+ * Firefox telemetry (April 2019) shows only 0.5% of TLS web traffic uses 1.0 or 1.1
+ * [1] https://www.ssllabs.com/ssl-pulse/ ***/
    // user_pref("security.tls.version.min", 3);
    // user_pref("security.tls.version.max", 4);
 /* 1203: disable SSL session tracking [FF36+]
@@ -740,7 +721,7 @@ user_pref("security.mixed_content.block_display_content", true);
  * [1] https://bugzilla.mozilla.org/1190623 ***/
 user_pref("security.mixed_content.block_object_subrequest", true);
 
-/** CIPHERS [see the section 1200 intro] ***/
+/** CIPHERS [WARNING: do not meddle with your cipher suite: see the section 1200 intro] ***/
 /* 1261: disable 3DES (effective key size < 128)
  * [1] https://en.wikipedia.org/wiki/3des#Security
  * [2] https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
@@ -771,10 +752,8 @@ user_pref("browser.ssl_override_behavior", 1);
  * [TEST] https://expired.badssl.com/ ***/
 user_pref("browser.xul.error_pages.expert_bad_cert", true);
 /* 1273: display "insecure" icon and "Not Secure" text on HTTP sites ***/
-user_pref("security.insecure_connection_icon.enabled", true); // [FF59+]
+user_pref("security.insecure_connection_icon.enabled", true); // [FF59+] [DEFAULT: true FF70+]
 user_pref("security.insecure_connection_text.enabled", true); // [FF60+]
-   // user_pref("security.insecure_connection_icon.pbmode.enabled", true); // [FF59+] private windows only
-   // user_pref("security.insecure_connection_text.pbmode.enabled", true); // [FF60+] private windows only
 
 /*** [SECTION 1400]: FONTS ***/
 user_pref("_user.js.parrot", "1400 syntax error: the parrot's bereft of life!");
@@ -827,7 +806,7 @@ user_pref("_user.js.parrot", "1600 syntax error: the parrot rests in peace!");
    // user_pref("network.http.referer.trimmingPolicy", 0); // [DEFAULT: 0]
 /* 1603: CROSS ORIGIN: control when to send a referer
  * 0=always (default), 1=only if base domains match, 2=only if hosts match
- * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo ***/
+ * [SETUP-WEB] Known to cause issues with older modems/routers and some sites e.g vimeo, icloud ***/
 user_pref("network.http.referer.XOriginPolicy", 1);
 /* 1604: CROSS ORIGIN: control the amount of information to send [FF52+]
  * 0=send full URI (default), 1=scheme+host+port+path, 2=scheme+host+port ***/
@@ -869,8 +848,6 @@ user_pref("privacy.userContext.ui.enabled", true);
 /* 1702: enable Container Tabs [FF50+]
  * [SETTING] General>Tabs>Enable Container Tabs ***/
 user_pref("privacy.userContext.enabled", true);
-/* 1703: enable a private container for thumbnail loads [FF51+] ***/
-user_pref("privacy.usercontext.about_newtab_segregation.enabled", true); // [DEFAULT: true in FF61+]
 /* 1704: set behaviour on "+ Tab" button to display container menu [FF53+] [SETUP-CHROME]
  * 0=no menu (default), 1=show when clicked, 2=show on long press
  * [1] https://bugzilla.mozilla.org/1328756 ***/
@@ -905,11 +882,14 @@ user_pref("_user.js.parrot", "2000 syntax error: the parrot's snuffed it!");
  * [1] https://www.privacytools.io/#webrtc ***/
 user_pref("media.peerconnection.enabled", false);
 /* 2002: limit WebRTC IP leaks if using WebRTC
+ * In FF70+ these settings match Mode 4 (Mode 3 in older versions) (see [3])
  * [TEST] https://browserleaks.com/webrtc
- * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416
- * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy ***/
+ * [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1189041,1297416,1452713
+ * [2] https://wiki.mozilla.org/Media/WebRTC/Privacy
+ * [3] https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-12#section-5.2 ***/
 user_pref("media.peerconnection.ice.default_address_only", true);
 user_pref("media.peerconnection.ice.no_host", true); // [FF51+]
+user_pref("media.peerconnection.ice.proxy_only_if_behind_proxy", true); // [FF70+]
 /* 2010: disable WebGL (Web Graphics Library)
  * [SETUP-WEB] When disabled, may break some websites. When enabled, provides high entropy,
  * especially with readPixels(). Some of the other entropy is lessened with RFP (see 4501)
@@ -1065,6 +1045,7 @@ user_pref("javascript.options.asmjs", false);
    // user_pref("javascript.options.ion", false);
    // user_pref("javascript.options.baselinejit", false);
 /* 2422: disable WebAssembly [FF52+] [SETUP-PERF]
+ * [NOTE] In FF71+ this no longer affects extensions (1576254)
  * [1] https://developer.mozilla.org/docs/WebAssembly ***/
 user_pref("javascript.options.wasm", false);
 /* 2426: disable Intersection Observer API [FF55+]
@@ -1139,13 +1120,14 @@ user_pref("devtools.chrome.enabled", false);
 /* 2608: disable WebIDE to prevent remote debugging and ADB extension download
  * [1] https://trac.torproject.org/projects/tor/ticket/16222 ***/
 user_pref("devtools.debugger.remote-enabled", false);
-user_pref("devtools.webide.enabled", false);
+user_pref("devtools.webide.enabled", false); // [DEFAULT: false FF70+]
 user_pref("devtools.webide.autoinstallADBExtension", false); // [FF64+]
 /* 2609: disable MathML (Mathematical Markup Language) [FF51+] [SETUP-HARDEN]
  * [TEST] https://ghacksuserjs.github.io/TorZillaPrint/TorZillaPrint.html#misc
  * [1] https://bugzilla.mozilla.org/1173199 ***/
    // user_pref("mathml.disabled", true);
 /* 2610: disable in-content SVG (Scalable Vector Graphics) [FF53+]
+ * [NOTE] In FF70+ and ESR68.1.0+ this no longer affects extensions (1564208)
  * [WARNING] Expect breakage incl. youtube player controls. Best left for a "hardened" profile.
  * [1] https://bugzilla.mozilla.org/1216893 ***/
    // user_pref("svg.disabled", true);
@@ -1174,7 +1156,7 @@ user_pref("webchannel.allowObject.urlWhitelist", "");
  * [3] CVE-2017-5383: https://www.mozilla.org/security/advisories/mfsa2017-02/
  * [4] https://www.xudongz.com/blog/2017/idn-phishing/ ***/
 user_pref("network.IDN_show_punycode", true);
-/* 2620: enable Firefox's built-in PDF reader [SETUP-CHROME]
+/* 2620: enforce Firefox's built-in PDF reader [SETUP-CHROME]
  * This setting controls if the option "Display in Firefox" is available in the setting below
  *   and by effect controls whether PDFs are handled in-browser or externally ("Ask" or "Open With")
  * PROS: pdfjs is lightweight, open source, and as secure/vetted as any pdf reader out there (more than most)
@@ -1222,7 +1204,8 @@ user_pref("extensions.autoDisableScopes", 15); // [DEFAULT: 15]
    // user_pref("extensions.webextensions.restrictedDomains", "");
 
 /** SECURITY ***/
-/* 2680: enable CSP (Content Security Policy)
+/* 2680: enforce CSP (Content Security Policy)
+ * [WARNING] CSP is a very important and widespread security feature. Don't disable it!
  * [1] https://developer.mozilla.org/docs/Web/HTTP/CSP ***/
 user_pref("security.csp.enable", true); // [DEFAULT: true]
 /* 2684: enforce a security delay on some confirmation dialogs such as install, open/save
@@ -1246,7 +1229,7 @@ user_pref("security.dialog_enable_delay", 700);
 user_pref("_user.js.parrot", "2700 syntax error: the parrot's joined the bleedin' choir invisible!");
 /* 2701: disable 3rd-party cookies and site-data [SETUP-WEB]
  * 0=Accept cookies and site data, 1=(Block) All third-party cookies, 2=(Block) All cookies,
- * 3=(Block) Cookies from unvisited sites, 4=(Block) Third-party trackers (FF63+) (default FF69+)
+ * 3=(Block) Cookies from unvisited websites, 4=(Block) Cross-site and social media trackers (FF63+) (default FF69+)
  * [NOTE] You can set exceptions under site permissions or use an extension
  * [SETTING] Privacy & Security>Content Blocking>Custom>Choose what to block>Cookies ***/
 user_pref("network.cookie.cookieBehavior", 1);
@@ -1337,6 +1320,7 @@ user_pref("privacy.cpd.sessions", true); // Active Logins
 user_pref("privacy.cpd.siteSettings", false); // Site Preferences
 /* 2805: clear Session Restore data when sanitizing on shutdown or manually [FF34+]
  * [NOTE] Not needed if Session Restore is not used (see 0102) or is already cleared with history (see 2803)
+ * [NOTE] privacy.clearOnShutdown.openWindows prevents resuming from crashes (see 1022)
  * [NOTE] privacy.cpd.openWindows has a bug that causes an additional window to open ***/
    // user_pref("privacy.clearOnShutdown.openWindows", true);
    // user_pref("privacy.cpd.openWindows", true);
@@ -1366,6 +1350,7 @@ user_pref("privacy.sanitize.timeSpan", 0);
  ** 1542309 - isolate top-level domain URLs when host is in the public suffix list (FF68+)
  ** 1506693 - isolate pdfjs range-based requests (FF68+)
  ** 1330467 - isolate site permissions (FF69+)
+ ** 1534339 - isolate IPv6 (coming soon)
 ***/
 user_pref("_user.js.parrot", "4000 syntax error: the parrot's pegged out");
 /* 4001: enable First Party Isolation [FF51+]
@@ -1381,7 +1366,7 @@ user_pref("privacy.firstparty.isolate", true);
  * [2] https://bugzilla.mozilla.org/1492607
  * [3] https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage ***/
 user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAULT: true]
-   // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF]
+   // user_pref("privacy.firstparty.isolate.block_post_message", true); // [HIDDEN PREF ESR]
 
 /*** [SECTION 4500]: RFP (RESIST FINGERPRINTING)
    This master switch will be used for a wide range of items, many of which will
@@ -1445,6 +1430,7 @@ user_pref("privacy.firstparty.isolate.restrict_opener_access", true); // [DEFAUL
  ** 1540726 - return "light" with prefers-color-scheme (FF67+)
       [1] https://developer.mozilla.org/en-US/docs/Web/CSS/@media/prefers-color-scheme
  ** 1564422 - spoof audioContext outputLatency (FF70+)
+ ** 1595823 - spoof audioContext sampleRate (FF72+)
 ***/
 user_pref("_user.js.parrot", "4500 syntax error: the parrot's popped 'is clogs");
 /* 4501: enable privacy.resistFingerprinting [FF41+]
@@ -1633,16 +1619,18 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
    // user_pref("general.autoScroll", false); // middle-click enabling auto-scrolling [WINDOWS] [MAC]
    // user_pref("ui.key.menuAccessKey", 0); // disable alt key toggling the menu bar [RESTART]
    // user_pref("view_source.tab", false); // view "page/selection source" in a new window [FF68+, FF59 and under]
+/* UX: FEATURES: disable and hide the icons and menus ***/
+   // user_pref("browser.messaging-system.whatsNewPanel.enabled", false); // What's New [FF69+]
+   // user_pref("extensions.pocket.enabled", false); // Pocket Account [FF46+]
+   // user_pref("identity.fxaccounts.enabled", false); // Firefox Accounts & Sync [FF60+] [RESTART]
+   // user_pref("reader.parse-on-load.enabled", false); // Reader View
 /* OTHER ***/
    // user_pref("browser.bookmarks.max_backups", 2);
    // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.addons", false); // disable CFR [FF67+]
       // [SETTING] General>Browsing>Recommend extensions as you browse
    // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr.features", false); // disable CFR [FF67+]
       // [SETTING] General>Browsing>Recommend features as you browse
-   // user_pref("extensions.pocket.enabled", false); // disable and hide Pocket [FF46+]
-   // user_pref("identity.fxaccounts.enabled", false); // disable and hide Firefox Accounts and Sync [FF60+] [RESTART]
    // user_pref("network.manage-offline-status", false); // see bugzilla 620472
-   // user_pref("reader.parse-on-load.enabled", false); // "Reader View"
    // user_pref("xpinstall.signatures.required", false); // enforced extension signing (Nightly/ESR)
 
 /*** [SECTION 9999]: DEPRECATED / REMOVED / LEGACY / RENAMED
@@ -1651,9 +1639,7 @@ user_pref("_user.js.parrot", "5000 syntax error: this is an ex-parrot!");
      [1] https://github.com/ghacksuserjs/ghacks-user.js/issues/123
 ***/
 user_pref("_user.js.parrot", "9999 syntax error: the parrot's deprecated!");
-/* ESR60.x still uses all the following prefs
-// [NOTE] replace the * with a slash in the line above to re-enable them
-// FF61
+/* FF61
 // 0501: disable experiments
    // [1] https://wiki.mozilla.org/Telemetry/Experiments
    // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1420908,1450801
@@ -1669,13 +1655,13 @@ user_pref("network.jar.block-remote-files", true);
 // 2613: disable JAR from opening Unsafe File Types
    // [-] https://bugzilla.mozilla.org/1427726
 user_pref("network.jar.open-unsafe-types", false);
-// * * * /
-// FF62
+// ***/
+/* FF62
 // 1803: disable Java plugin
    // [-] (part5) https://bugzilla.mozilla.org/1461243
 user_pref("plugin.state.java", 0);
-// * * * /
-// FF63
+// ***/
+/* FF63
 // 0205: disable GeoIP-based search results
    // [NOTE] May not be hidden if Firefox has changed your settings due to your locale
    // [-] https://bugzilla.mozilla.org/1462015
@@ -1700,8 +1686,8 @@ user_pref("media.autoplay.enabled", false);
 // 5000's: enable "Ctrl+Tab cycles through tabs in recently used order" - replaced by browser.ctrlTab.recentlyUsedOrder
    // [-] https://bugzilla.mozilla.org/1473595
    // user_pref("browser.ctrlTab.previews", true);
-// * * * /
-// FF64
+// ***/
+/* FF64
 // 0516: disable Onboarding [FF55+]
    // Onboarding is an interactive tour/setup for new installs/profiles and features. Every time
    // about:home or about:newtab is opened, the onboarding overlay is injected into that page
@@ -1720,8 +1706,8 @@ user_pref("devtools.webide.adbAddonURL", "");
    // [1] https://developer.mozilla.org/docs/Web/API/SecurityPolicyViolationEvent
    // [-] https://bugzilla.mozilla.org/1488165
 user_pref("security.csp.enable_violation_events", false);
-// * * * /
-// FF65
+// ***/
+/* FF65
 // 0850a: disable location bar autocomplete and suggestion types
    // If you enforce any of the suggestion types (see the other 0850a), you MUST enforce 'autocomplete'
    //   - If *ALL* of the suggestion types are false, 'autocomplete' must also be false
@@ -1732,8 +1718,8 @@ user_pref("browser.urlbar.autocomplete.enabled", false);
    // e.g. //user:password@foo -> //user@(prefix)foo(suffix) NOT //user:password@(prefix)foo(suffix)
    // [-] https://bugzilla.mozilla.org/1510580
 user_pref("browser.fixup.hide_user_pass", true); // [DEFAULT: true]
-// * * * /
-// FF66
+// ***/
+/* FF66
 // 0380: disable Browser Error Reporter [FF60+]
    // [1] https://support.mozilla.org/en-US/kb/firefox-nightly-error-collection
    // [2] https://firefox-source-docs.mozilla.org/browser/browser/BrowserErrorReporter.html
@@ -1743,8 +1729,8 @@ user_pref("browser.chrome.errorReporter.submitUrl", "");
 // 0502: disable Mozilla permission to silently opt you into tests
    // [-] https://bugzilla.mozilla.org/1415625
 user_pref("network.allow-experiments", false);
-// * * * /
-// FF67
+// ***/
+/* FF67
 // 2428: enforce DOMHighResTimeStamp API
    // [WARNING] Required for normalization of timestamps and any timer resolution mitigations
    // [-] https://bugzilla.mozilla.org/1485264
@@ -1754,8 +1740,8 @@ user_pref("dom.event.highrestimestamp.enabled", true); // [DEFAULT: true]
    // [1] https://support.mozilla.org/en-US/kb/extension-recommendations
    // [-] https://bugzilla.mozilla.org/1528953
    // user_pref("browser.newtabpage.activity-stream.asrouter.userprefs.cfr", false);
-// * * * /
-// FF68
+// ***/
+/* FF68
 // 0105b: disable Activity Stream Legacy Snippets
    // [-] https://bugzilla.mozilla.org/buglist.cgi?bug_id=1546190,1540939
 user_pref("browser.newtabpage.activity-stream.disableSnippets", true);
@@ -1770,7 +1756,6 @@ user_pref("lightweightThemes.update.enabled", false);
    // [1] https://bugzilla.mozilla.org/buglist.cgi?bug_id=855326,883975
    // [-] https://bugzilla.mozilla.org/1386214
 user_pref("security.csp.experimentalEnabled", true);
-// * * * /
 // ***/
 
 /* ESR68.x still uses all the following prefs
@@ -1781,7 +1766,7 @@ user_pref("security.csp.experimentalEnabled", true);
    // user_pref("gfx.downloadable_fonts.woff2.enabled", false);
 // 1802: enforce click-to-play for plugins
    // [-] https://bugzilla.mozilla.org/1519434
-user_pref("plugins.click_to_play", true); // [DEFAULT: true in FF25+]
+user_pref("plugins.click_to_play", true); // [DEFAULT: true FF25+]
 // 2033: disable autoplay for muted videos [FF63+] - replaced by 'media.autoplay.default' options (2030)
    // [-] https://bugzilla.mozilla.org/1562331
    // user_pref("media.autoplay.allow-muted", false);